Information Security Awareness
The psychology behind the technology
by Timothy P. Layton Sr.
Published by AuthorHouse, 2005
~US$37 from Amazon
The book’s title and the author’s biography led me to expect a review of the application of human psychology to information security awareness, specifically. In fact, the author concentrates almost entirely on psychology, the bulk of the words being used to outline a selection of psychological theories that might have some bearing on information security, and to an even lesser extent on information security awareness. The relevance of most points to security awareness is rather tentative and is mostly left to the reader to infer.
The book is quite theoretical or academic in style, with 72 formally-cited references at the rear. It reads rather like an MSc or PhD thesis with more than half of the book being dedicated, in effect, to a review of the scientific literature and a brief introduction to the theories espoused by a number of more-or-less eminent psychologists. There are many technical/scientific terms, some of which (such as phenomenological, deontological and teleological) are not properly explained or introduced for lay readers who should perhaps keep a dictionary close to hand.
Despite being an avid reader and a scientist by training, I found this a very difficult book to read due to the writing style. Practically every paragraph seems to have at least one grammatical error, some of which (such as misuse of apostrophes, tautologies and mixed singular/plural word forms) are consistent throughout the book. Some sentences are convoluted beyond comprehension (e.g. “I do not believe it is unreasonable to believe that if people are able to internalize why they shouldn’t do something, then the majority of people would not take inappropriate actions.” on page 18). This, coupled with excessive repetition of certain clauses (“as it relates to” being one of the worst offenders), distracted me from the meaning which is a shame because there is some merit in the content (see below).
There is only one figure in the book, and a rather pointless one at that - an array of six partially-interlinked boxes containing “Attitude”, “Morals”, “Ethics”, “Motivation”, “Beliefs” and “Personality” (the six ‘psychological constructs’ comprising POST™ - see below) within a larger box labeled “Behavior”. At one point in the introduction, the author mentions the “POST™ pyramid”. I can only guess at what that means.
Curiously, the style of chapter 7 and perhaps the first half of chapter 8 contrast markedly with the rest of the book. Those parts (covering morals and ethics) are lucid and clearly written with few of the grammatical and style problems elsewhere, despite their greater academic content. Even the subsection headings are different, typographically. It is as if the remainder of the book was written to supplement this core piece of writing. Perhaps this section was more thoroughly peer-reviewed?
AuthorHouse is a self-publishing company which may be a clue to the book’s inconsistent and at times awkward writing style. It is conceivable that the book was not thoroughly edited by an experienced independent person, except maybe for chapter 7.
I have previously noted the academic nature of the book. That is not in itself a problem but means that security awareness practitioners may find the book short of useful, pragmatic content. It might have helped if the examples used to illustrate certain points were more directly or obviously relevant to information security awareness. The author’s experience with the SANS courses should surely have provided suitable material?
The author is clearly passionate about “POST™ ... a psychology-based framework that [he] developed to help enable information security managers.” The term POST™ is repeated relentlessly throughout the book. Unfortunately, the ‘psychology-based framework’ itself is not well described, nor is it clear how the framework would help information security managers. In only a few cases does the author make a serious attempt to express counter-arguments for the theories he outlines, and I can’t recall reading any explanation of the experimental basis for the theories. Take for instance Pavlov’s classic work on behavioral conditioning. Pavlov gets but a brief mention, without even a single reference to the scientific papers describing his experiments with dogs which led to the well-known theory.
“POST™” comes up throughout the book but nowhere is it fully described. On reflection, chapters 5, 6 and 7 cover the six ‘psychological constructs’ within POST™ (as noted above), with the previous chapters setting the scene and the latter chapters closing the book. In the style of a thriller, the book builds a mystique about POST™ and thereby leads one to expect a climactic denouement but the expectation remains somehow unsatisfied. Perhaps this is intentional given a statement at the end of the introduction: “The most pure goal is not to solve, but to understand -- because if one understands, the solution is a natural evolution”.
The essential premise of the book is that individuals are more likely to behave in a certain manner if they internalize (understand and accept) the reasons why they are being asked to behave in that manner, rather than simply being instructed to do so by management’s policy edicts. Fair enough. This begs the question, though, of how one should get employees to internalize information security.
The author’s focus on the individual’s perspective is clear throughout, with little if any reference to the influence of broader group dynamics and organizational or even national cultures. People are not only influenced by their internal motivations, attitudes etc. but also by those of their peers, superiors and others, as well as having an influence in the reverse direction. This is a single example of a rational counter argument that is not explicitly discussed - I’m sure there are others.
The book has merit in the sense of introducing a variety of psychological theories that may be sound and may have some bearing on information security awareness. It falls short on pragmatism, however. There are numerous mentions of the difficulty of measuring behavioral traits, hinting at the need for management to develop suitable metrics. I feel it would have been more helpful to explore management’s options in this regard. It is notoriously difficult to develop meaningful security metrics: the author has missed a golden opportunity here.
Overall, I’m glad I persisted in reading the whole book. The argument to include moral and ethical considerations in security awareness is convincingly made in chapter 7. Other parts deserve more thought in order to draw out practical lessons for security awareness practitioners.
Copyright © 2012 IsecT Ltd.