Managing an information security and privacy awareness and training program
by Rebecca Herold
Published by Auerbach Publications
Second edition 2011
~US$77 from Amazon
Author Rebecca Herold introduces her book very eloquently: “I wrote this book to provide a starting point and an all-in-one resource for information security and privacy education practitioners. I incorporated much of the information and knowledge I obtained while working on my MA in computer science and education as applicable to providing education to adult learners. Additionally, I included the same type of information that I have used and found helpful over the years when creating awareness and training programs ... My goal was to provide a more comprehensive resource of everything involved with managing an information security and privacy training and awareness program than I had been able to find - a reference for practitioners to go to when implementing any part of their education program and get ideas that will help them be successful with their own program.”
The book explains the techniques for raising awareness and training employees on a wide range of information security and privacy topics. The entire ‘lifecycle’ of a security awareness program is covered:
As well as numerous changes throughout the text, the 2011 second edition incorporates a thought-provoking collection of ‘leading practices’, i.e. short papers from ‘some of the most successful information security awareness and training practitioners’ (besides Rebecca!), bringing the book bang up to date with current thinking.
Rebecca Herold (MS MA CISM CISA CISSP FLMI) is extremely well qualified to write about security awareness. With long experience in the field, Rebecca has designed, built and delivered prize-winning security awareness programs, and has authored numerous books and articles. An MA in Computer Science and Education lends weight to her emphasis on providing educational materials to suit adult audiences rather than simply adopting techniques more suited to teaching schoolchildren.
At over 500 pages, this is no lightweight superficial textbook. As noted in the scope section above, the coverage is comprehensive. As an example, the list of potential information security topics runs to 60 items explained in 18 pages, surpassing even our own deliberately broad approach.
The coverage is reasonably even throughout with plenty of meaty content in every section. I can’t think of any substantial improvements.
The book may appear overwhelming to someone just starting out on their information security and privacy awareness program although it is not compulsory to read the entire book cover-to-cover in one sitting (tempting though that may be!). The chapter on ‘Getting started’ is of course a great place to start, with details of how to identify key contacts, review the organization’s existing approach to awareness and training, and a handy road-map that would serve as a good starting point for a high level project plan.
The book is essential reading for more experienced information security professionals, especially those tasked with ‘doing awareness’. Even seasoned security awareness practitioners will learn new things from this book - at least I did, and my first edition of the book is certainly well-thumbed.
Rebecca’s writing style is engaging and stimulating, easy to read yet at the same time thought-provoking. The book is chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. When I’m stuck for awareness ideas, I know I’ll almost always find something immediately useful in one or other of the lists: it’s an excellent reference text.
Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references.
This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.
Disclosure: our CEO wrote one of the ‘leading practice’ papers.
Copyright © 2013 IsecT Ltd.