Managing the Human Factor in Information Security: How to win over staff and influence business managers
by David Lacey

Wiley 2009.
ISBN 978-0-470-72199-5 . USD 46.59

Reviewed by  Richard Austin   3/17/2010 

Information security tomes are popping up like mushrooms these days, and it takes something special to make one stand out among the other toadstools in the field. What attracted your humble correspondent to this one was a quote on the back cover: "Computers do not commit crimes. People do". That's a bit of wisdom that should be heard and heeded by a profession steeped in firewalls, intrusion detection, federated identity, encryption and all the other technological trappings that tend to fill our working days. Not that the technological things don't matter but if there's any lesson we can draw from the major breaches/security incidents/bad things that litter the trade press, it's that people, and their behavior, manage to trump most any of the technical controls we put in place. This implies that our security efforts must focus just as much on the people that operate and use a system as on the system itself.

Examining what this dual focus really means is the task that Lacey set himself in the 11 chapters of this book. In the first chapter, "Power to the people", Lacey looks at what networking has really meant to power and value as it broke down barriers and made information flows easier to establish while complicating our information security lives almost beyond belief. He warns that the "classic" methods of locking down flows, erecting barriers, etc, are unlikely to be effective and challenges the reader to think of network solutions for what is really a network problem.

The second chapter, "Everyone makes a difference", opens with the observation that while "everybody is responsible for security", you have to start somewhere and, by the way, just where should that "somewhere" be? Lacey's conclusion is that you really have to start everywhere by understanding each stakeholder's needs and contributions to "security". The security professional then tailors their interactions with each set of stakeholders based on their needs and sphere of action. For example, boards operate in the world of big risks and impacts while a customer wants a simple, easy-to-use interaction that is "secure" and doesn't require much effort on their part. Boards can effect large swathes of the organization while a customer can only really affect their own behavior.

The third chapter, "There's no such thing as an isolated incident", takes a hard look at how to deal with situations gone wrong. There's a lot of wisdom in these few pages but one particularly notable point deals with the idea that there is often just as much to be learned from minor incidents and near misses as there is from a major crisis. By investigating and analyzing the root causes behind these lesser misfortunes, we may identify major crises while still in the incubation stage and spot those glaring defects in how we plan to confront a crisis when it occurs.

Chapter 4 opens with the catchy title of "Zen and the art of risk management" and gives solid advice on this sometimes mystifying process. A particular gem is the sage observation that "Risk management is a measuring stick, not a decision making process" (p. 132).

Chapter 5 confronts the thorny issue of trust ("Who can you trust?") and the threat of insider abuse. In organizational cultures where "Our people are our greatest asset" is a commonly heard mantra, it is sometimes difficult to think about one (or more) of those people being crooks and plan effectively for how to deter, identify or catch them.

Chapter 6 confronts an issue that has doomed many security efforts, "Managing organization culture and politics". It identifies many of the reasons why "best laid plans" often go awry and offers guidance on how to align your efforts with the prevailing culture.

The next three chapters ("Designing effective awareness programs", "Transforming organization attitudes and behavior" and "Gaining executive and business buy-in") delve into the processes for effectively modifying peoples' behavior in an organizational setting.

Chapter 10, "Designing security systems that work", begins to sum up the content of the book by examining how to put it all into practice and pull together a system that can work and survive in the real world. I might suggest that this chapter actually be read first as it shows how all the threads covered in the other chapters fit together into the whole of a successful security program.

The final chapter, "Harnessing the power of the organization", reflects somewhat the message of Chapter 1 but in the context of your own organization. In other words, your own organization is also a network and working within that concept will leverage its strength and resilience to enhance your own security program.

Lacey does a great job of covering the "other half" of information security - the people half - with wit, clarity and charm. Rather than cataloging and lamenting the various ways that people can foul up the best-laid security plan, he draws on his extensive experience to show how we can work within those limits and foibles to develop security programs that work and can survive contact with the real world.

In a bit of a change, this is a book that will most benefit the technical security professional who will likely have often been frustrated when a solid, technical plan fails to get approval or is trumped by human behavior in deployment. Following the sage advice in this book will enable them to start to look at people as less of an obstacle and more of a resource (or even partner) in achieving their security goals.

Before beginning life as an itinerant university instructor and security consultant, Richard Austin spent some 30+ years in enterprise IT in roles ranging from software developer to security architect. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu