
Managing the Human Factor in Information Security:
How to win over staff and influence business managers 
Author: David Lacey
ISBN: 978-0-470-72199-5
Publisher: Wiley (2009)
374 pages
Price: ~US$43 from Amazon
Scope and intended audience
This book concerns the influence of people in protecting information assets. As such, although not explicitly stated in the text, it appears to be aimed primarily at information security managers and other infosec professionals.
As the author himself puts it in the introduction, “This book aims to identify and make sense of the wide range of human and organizational challenges that we face in managing security in today’s networked world. It provides helpful advice on how to manage incidents and risks, design and sell management systems, promote security awareness, change attitudes and behavior, and how to leverage the power of social networks to get the best out [of] the organization.”
Author’s credentials
David Lacey is a greybeard, an experienced security guru. He has worked in information security for more than two decades for the Royal Dutch/Shell Group, the Royal Mail/The Post Office Group and the UK Foreign and Commonwealth Office and is now consulting. He was a founder member of the Jericho Forum, and essentially wrote the first version of BS7799, which was based on his Shell security manual. He uses situations at these organizations as examples to illustrate most of the points he makes in the book. The illustrations are insightful and worthwhile, but sometimes I wished for examples from other organizations and perhaps even counter-examples: if David ever writes a second edition, I for one would love to contribute some of my work experiences and I’m convinced the book would have benefited from a wider range of inputs from additional experienced authors. That said, it is an admirable feat for one person to have written such a comprehensive treatise alone.
Breadth and depth of coverage
‘Managing the Human Factor’ scores highly on both breadth and depth. It covers a surprisingly wide range of topics relating to the human aspects of information security, mostly from management and operational perspectives, with some governance points relating to the organization of the information security management function. The book has depth too, while remaining generally pragmatic rather than theoretical or academic in style. It does not dip far into the science of human behavior, for example. It is not a psychology textbook.
Writing style and readability
The book is well written, without the annoying stylistic or grammatical idiosyncrasies that some other authors exhibit. It is quite lengthy, but that is largely due to the breadth and depth of coverage; in other words, it is not just padding. I estimate the book to have around 150,000 words with rather few diagrams.
Each chapter concludes with an excellent summary of the key points covered - not just the semi-automated content extraction or regurgitation that we often read elsewhere but a thoughtful and succinct consolidation of the main issues. These sections are titled ‘Learning from ...’ with good reason: these are indeed the learning points, and equally serve as a reminder of the content of each chapter when the reader takes the book back off the shelf later.
Quality and integrity
I can’t find any serious errors in the book, and the author’s credentials speak for themselves. It is certainly up to date, covering social networking topics for instance.
The book might have benefited from more discussion of psychology, perhaps exploring the intriguing psychological profile of the “typical” hacker or fraudster (if there is such a beast) and the underground social networks used by the hacker and criminal communities, at least in the sense of ‘know your enemy’. Appreciating the motivations and ethical values of such adversaries informs information security risk assessments, and to some extent guides the prioritization of certain classes of information security control.
Personally, I’m not entirely convinced by the ‘deperimeterization’ arguments presented by the Jericho Forum and summarized by the author, while to me this aspect seems only marginally relevant to human factors. However, the author’s passion for the topic comes across well and on balance I think I should reconsider the Jericho Forum’s position.
Conclusion
‘Managing the Human Factor’ offers excellent value for money. I highly recommend it for all information security professionals, particularly CISOs and Information Security Managers who are not entirely comfortable with the social elements of information security, and for information security MSc students who want to boost their understanding in this area. The book is also particularly valuable for information security awareness and training professionals, who necessarily deal with human factors on a daily basis and need to understand how best to work with and influence their organizational cultures.