Information Security Awareness [Hardcover]

Timothy P. Layton Sr. (Author)
3.7 out of 5 stars (7 customer reviews)

Price: $44.95

Book Description

June 15, 2005
Information Security Awareness: The Psychology Behind the Technology is a book written for information security managers and organizational leaders. This text focuses on the behaviors of information systems users in an organizational setting and why this is critical to successful information security awareness programs. The ultimate goal of all information security awareness programs from a business perspective is to change the behavior of users, resulting in fewer user-related errors that cause costly and destructive security incidents. Rather than taking a traditional technology-oriented approach, the author has taken a unique method by exploring and discussing six key psychological aspects of people's behavior. Specifically, the author discusses how these phenomena relate to, and impact, an information security program. The six behavioral-oriented phenomena reviewed in this book are: motivation, attitude, beliefs, personality, morals, and ethics. These six phenomena are the basis for a new psychological-based framework that the author presents in this book, known as POST™. POST™ is an acronym for "The Psychology of Security and Technology".

Many organizations take the approach of "informing" their user community of their security policies, guidelines, and procedures. This would be described as a descriptive approach, meaning the users are told they must comply because management requires them to. Recent research in organizational psychology and information security awareness postulates that this approach is flawed. The descriptive-based approach does nothing to help the users internalize or justify the organization's requirements; therefore their attitudes and motivations will be lacking and ultimately produce undesirable results. A new prescriptive-based approach to information security awareness is presented in the book, which leverages the POST™ constructs. This new approach focuses on users internalizing information security messages and policies.

Product Details

  • Hardcover: 164 pages
  • Publisher: AuthorHouse (June 15, 2005)
  • Language: English
  • ISBN-10: 1420856324
  • ISBN-13: 978-1420856323
  • Product Dimensions: 9 x 6 x 0.5 inches
  • Shipping Weight: 14.9 ounces
  • Average Customer Review: 3.7 out of 5 stars (7 customer reviews)
  • Amazon Best Sellers Rank: #3,980,955 in Books

 

Customer Reviews

7 Reviews
  • 5 star: (4)
  • 4 star: (0)
  • 3 star: (1)
  • 2 star: (1)
  • 1 star: (1)
 
 
 
 
 
Most Helpful Customer Reviews

2 of 2 people found the following review helpful:
3.0 out of 5 stars Reads like an academic thesis, August 9, 2005
This review is from: Information Security Awareness (Hardcover)
The book's title and the author's biography led me to expect a review of the application of human psychology to information security awareness, specifically. In fact, the author concentrates almost entirely on psychology.

The book reads rather like an MSc or PhD thesis. There are many technical/scientific terms, some of which are not properly explained or introduced.

Despite being an avid reader and a scientist by training, I found this a very difficult book to read due to the writing style. Practically every paragraph seems to have at least one grammatical error. Some sentences are convoluted beyond comprehension (e.g. "I do not believe it is unreasonable to believe that if people are able to internalize why they shouldn't do something, then the majority of people would not take inappropriate actions." on page 18). This, coupled with excessive repetition of certain clauses, distracted me from the meaning which is a shame because there is some merit in the content.

Curiously, the style of chapter 7 and perhaps the first half of chapter 8 contrast markedly with the rest of the book. Those parts are lucid and clearly written with few of the grammatical and style problems elsewhere, despite their greater academic content.

The essential premise of the book is that individuals are more likely to behave in a secure manner if they internalize (understand and accept) the reasons why they are being asked to behave in that manner, rather than simply being instructed to do so by management's policy edicts. The book has merit in a theoretical sense. It introduced a variety of psychological theories that may be sound and may have some bearing on information security awareness. It falls short on pragmatism, however.

Overall, I'm glad I persisted in reading the whole book. The argument to include moral and ethical considerations in security awareness is convincingly made in chapter 7. Other parts deserve more thought in order to draw out lessons for security awareness practitioners.

[Footnote: take a look at Rebecca Herold's book Managing an Information Security and Privacy Awareness and Training Program, Second Edition, and David Lacey's Managing the Human Factor in Information Security: How to win over staff and influence business managers as well.]


1 of 1 people found the following review helpful:
1.0 out of 5 stars Important Topic - Terrible Delivery, April 8, 2006
This review is from: Information Security Awareness (Hardcover)
I've never written a negative review before, but I am so appalled at this work, I had to do so. The premise is that employees will adhere to a security policy if they believe it is worthwhile, but this is such a poorly written and repetitive text, the message never comes through, if there in fact was one beyond the promise in the title. Clearly a self-published effort, the author has never heard of possessive nouns and grammar checkers. He repeats himself endlessly, using first person, and a pseudo-academic style. He quotes or mis-quotes numerous sources on motivation and other topics from psychology, but it is doubtful he read more than the abstracts as the references are taken out of context or fail to support any ideas of his own. Apparently, this author's goal is to impress techies with big words and persuade them to hire him to implement their security programs. As a techie and an academic, I'd advise using the money saved on not buying this book to have a lunch meeting with pizza and lay out the "what's in it for me" impact of why employees should comply. Failing to comply is about lost time, lost information, lost image in the marketplace, and potentially, lost jobs.


2.0 out of 5 stars Fails to live up to its promise, June 23, 2008
This review is from: Information Security Awareness (Hardcover)
Information Security Awareness: The Psychology Behind the Technology is a book aimed at a very particular audience and will likely fail to meet the average reader's expectations. Those looking for a comprehensive and practical reference to information security awareness will not find it here (for that, I recommend Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program). What the book does offer is the outline of a new approach to the subject that merits further study.

The author's basic premise can be summed up in one short paragraph. The problem all information security awareness programs seek to solve is that of permanently modifying user behavior in some prescribed way. The traditional "descriptive" approach has been to inform the users of the desired behavior (as specified in a security policy) and hope for the best. Common sense, as well as a large body of research in psychology, suggests that this approach is largely ineffective. In order to effect a lasting change in the users' patterns of behavior, a "prescriptive" approach is needed. Users must believe in the message in order to act on it.

The majority of the book's 134 pages is devoted to exploring concepts, theories and research from psychology and philosophy in order to better understand the internal drivers of user behavior. The six major concepts discussed are motivation, attitude, beliefs, personality, morals and ethics. Several competing motivational theories are described in chapter five. Attitude, personality and beliefs are discussed in chapter six. Ethics as a branch of philosophy and the theories of moral development are addressed in chapter seven. Lacking a background in psychology, I found it difficult to get much meaning out of this material. For a book aimed at an audience unfamiliar with the subject, the discussion falls short in terms of clarity and focus. Frequently, the reader is likely to question the relevance of the material to information security awareness and wonder how it would apply in practice.

At the end, I was left with the unsatisfying feeling of having caught a faint glimpse of a promising new idea that the author wasn't able to do much with. The potential is there, but the book does not deliver.