With the growth in social networking and the potential for larger and larger breaches of sensitive data, it is vital for all enterprises to ensure that computer users adhere to corporate policy and that project staff design secure systems. Written by a security expert with more than 25 years' experience, this book examines how fundamental staff awareness is to establishing security and addresses such challenges as containing threats, managing politics, developing programs, and getting a business to buy into a security plan. Illustrated with real-world examples throughout, this is a must-have guide for security and IT professionals.
Author(s): David Lacey
Edition: 1
Year: 2009
Language: English
Pages: 384
Managing the Human Factor in Information Security......Page 4
Contents......Page 10
Acknowledgements......Page 20
Foreword......Page 22
Introduction......Page 24
The power is out there . . . somewhere......Page 28
An information-rich world......Page 29
When in doubt, phone a friend......Page 30
The power of the blogosphere......Page 31
Leveraging new ideas......Page 32
Changing the way we live......Page 33
Transforming the political landscape......Page 34
Network effects in business......Page 35
Value in the digital age......Page 36
Hidden value in networks......Page 37
Network innovations create security challenges......Page 39
You’ve been de-perimeterized!......Page 41
The shifting focus of information security......Page 42
The external perspective......Page 44
A new world of openness......Page 45
A new age of collaborative working......Page 46
Collaboration-oriented architecture......Page 47
Business in virtual worlds......Page 48
Democracy . . . but not as we know it......Page 49
Don’t lock down that network......Page 50
The future of network security......Page 51
Can we trust the data?......Page 52
The art of disinformation......Page 54
The future of knowledge......Page 55
The next big security concern......Page 57
Learning from networks......Page 58
Where to focus your efforts......Page 60
The view from the bridge......Page 61
The role of the executive board......Page 62
The new threat of data leakage......Page 63
The perspective of business management......Page 65
The role of the business manager......Page 66
Engaging with business managers......Page 67
The role of the IT function......Page 68
Minding your partners......Page 69
Computer users......Page 70
Learning from stakeholders......Page 71
What lies beneath?......Page 74
Accidents waiting to happen......Page 75
Visibility is the key......Page 76
A lesson from the safety field......Page 77
Everyone makes mistakes......Page 79
The science of error prevention......Page 80
Swiss cheese and security......Page 81
How significant was that event?......Page 82
Events are for the record......Page 83
The immediacy of emergencies......Page 84
When events spiral out of control......Page 85
How the response process changes......Page 86
No two crises are the same......Page 87
One size doesn’t fit all......Page 88
The limits of planning......Page 89
It’s the process, not the plan......Page 90
Why crisis management is hard......Page 91
Skills to manage a crisis......Page 92
The missing piece of the jigsaw......Page 94
Establish the real cause......Page 95
Are you incubating a crisis?......Page 96
Developing a crisis strategy......Page 97
Turning threats into opportunities......Page 98
Boosting market capitalization......Page 99
Anticipating events......Page 100
Anticipating opportunities......Page 101
Designing crisis team structures......Page 102
How many teams?......Page 103
Ideal team dynamics......Page 104
Multi-agency teams......Page 105
The perfect environment......Page 106
The challenge of the virtual environment......Page 107
Exercising the crisis team......Page 108
Learning from incidents......Page 110
East meets West......Page 112
The nature of risks......Page 113
Who invented risk management?......Page 114
We could be so lucky......Page 115
Components of risk......Page 116
Gross or net risk?......Page 117
Don’t lose sight of business......Page 118
How big is your appetite?......Page 119
It’s an emotional thing......Page 120
In the eye of the beholder......Page 121
Living in the past......Page 123
Who created that risk?......Page 124
It’s not my problem......Page 125
Getting your sums right......Page 126
The loaded dice......Page 128
It’s just an illusion......Page 130
Context is king......Page 131
Perception and reality......Page 132
Risk, what risk?......Page 134
Something wicked this way comes......Page 135
The black swan......Page 136
Double jeopardy......Page 137
What type of risk?......Page 138
Lessons from the process industries......Page 139
Lessons from the financial sector......Page 140
Lessons from the insurance field......Page 142
Operational risk......Page 143
Joining up risk management......Page 144
General or specific?......Page 146
Identifying and ranking risks......Page 147
Categories of risks......Page 149
It’s a moving target......Page 150
Comparing and ranking risks......Page 151
Risk management strategies......Page 152
Communicating risk appetite......Page 153
Risk management maturity......Page 154
There’s more to security than risk......Page 155
It’s a decision support tool......Page 156
The perils of risk assessment......Page 157
Learning from risk management......Page 158
An asset or a liability?......Page 160
People are different......Page 161
The rule of four......Page 162
The need to conform......Page 163
The face of the enemy......Page 164
Run silent, run deep......Page 165
Dreamers and charmers......Page 166
The unfashionable hacker......Page 167
Visitors are welcome......Page 169
Signs of disloyalty......Page 171
The whistleblower......Page 172
Stemming the leaks......Page 173
Stamping out corruption......Page 174
Know your staff......Page 175
We know what you did......Page 176
Reading between the lines......Page 178
Liberty or death......Page 180
Personality types......Page 181
Personalities and crime......Page 183
Cyberspace is less risky......Page 184
Set a thief......Page 186
There are easier ways......Page 187
I just don’t believe it......Page 188
Don’t lose that evidence......Page 189
They had it coming......Page 190
The science of investigation......Page 191
The art of interrogation......Page 192
Science and snake oil......Page 194
The art of hypnosis......Page 196
The power of suggestion......Page 197
It’s just an illusion......Page 198
It pays to cooperate......Page 199
Who are you?......Page 200
How many identities?......Page 202
Laws of identity......Page 203
Learning from people......Page 205
When worlds collide......Page 208
What is organization culture?......Page 209
Organizations are different......Page 211
Tackling ‘localitis’......Page 213
Small is beautiful......Page 214
In search of professionalism......Page 215
Developing careers......Page 217
Skills for information security......Page 218
Information skills......Page 219
Survival skills......Page 221
Navigating the political minefield......Page 222
Square pegs and round holes......Page 223
What’s in a name?......Page 224
Managing relationships......Page 226
Exceeding expectations......Page 227
Nasty or nice......Page 228
In search of a healthy security culture......Page 229
In search of a security mindset......Page 231
Who influences decisions?......Page 232
Dealing with diversity......Page 233
Don’t take yes for an answer......Page 234
Learning from organization culture and politics......Page 235
Requirements for change......Page 238
Understanding the problem......Page 239
Asking the right questions......Page 240
The art of questionnaire design......Page 241
Hitting the spot......Page 242
Campaigns that work......Page 243
Adapting to the audience......Page 244
Memorable messages......Page 245
Let’s play a game......Page 247
The power of three......Page 248
Creating an impact......Page 249
What’s in a word?......Page 251
Benefits not features......Page 252
Using professional support......Page 253
The art of technical writing......Page 254
Marketing experts......Page 255
Brand managers......Page 256
The power of the external perspective......Page 257
Managing the media......Page 258
Behavioural psychologists......Page 259
Blogging for security......Page 260
Measuring your success......Page 261
Learning to conduct campaigns......Page 262
Changing mindsets......Page 264
Reward beats punishment......Page 265
Changing attitudes......Page 267
Scenario planning......Page 268
Successful uses of scenarios......Page 269
Dangers of scenario planning......Page 270
Images speak louder......Page 271
The balance of consequences......Page 272
Environments shape behaviour......Page 275
Enforcing the rules of the network......Page 277
The art of on-line persuasion......Page 278
Learning to change behaviour......Page 279
Countering security fatigue......Page 282
Money isn’t everything......Page 283
Aligning with investment appraisal criteria......Page 284
Translating benefits into financial terms......Page 285
Achieving a decisive result......Page 286
Key elements of a good business case......Page 287
Identifying and assessing benefits......Page 288
Reducing project risks......Page 290
Mastering the pitch......Page 291
Learning how to make the business case......Page 293
Why systems fail......Page 296
What makes a good vision?......Page 297
Defining your mission......Page 299
Building the strategy......Page 301
Critical success factors for effective governance......Page 302
Don’t reinvent the wheel......Page 303
Take a top down approach......Page 304
Take a strategic approach......Page 305
Ask the bigger question......Page 306
Risk assessment or prescriptive controls?......Page 307
In a class of their own......Page 309
Not all labels are the same......Page 310
Guidance for technology and people......Page 311
Designing long-lasting frameworks......Page 312
Applying the fourth dimension......Page 313
Do we have to do that?......Page 314
Steal with caution......Page 316
The golden triangle......Page 317
Managing risks across outsourced supply chains......Page 318
Models, frameworks and architectures......Page 319
Why we need architecture......Page 320
The folly of enterprise security architectures......Page 321
Real-world security architecture......Page 322
The 5Ws (and one H)......Page 323
Occam’s Razor......Page 324
Trust architectures......Page 325
Jericho Forum principles......Page 326
Collaboration-oriented architecture......Page 327
Capability maturity models......Page 328
The power of metrics......Page 329
Closing the loop......Page 330
It’s more than ease of use......Page 332
The failure of designs......Page 333
Ergonomic methods......Page 334
Learning to design systems that work......Page 335
Surviving in a hostile world......Page 338
Mobilizing the workforce......Page 339
Finding a lever......Page 340
The art of systems thinking......Page 341
Triggering a tipping point......Page 342
Identifying key influencers......Page 343
Understanding fashion......Page 345
The power of context......Page 346
The bigger me......Page 347
The power of the herd......Page 348
The wisdom of crowds......Page 349
Unlimited resources – the power of open source......Page 350
Let the network do the work......Page 351
Why is everything getting more complex?......Page 352
Simple can’t control complex......Page 354
Designing freedom......Page 356
A process-free world......Page 357
The power of expressive systems......Page 358
Why innovation is important......Page 359
What is innovation?......Page 360
Just one idea is enough......Page 362
Yes, you can......Page 363
Outside the box......Page 364
Turning ideas into action......Page 366
Steps to innovation heaven......Page 367
The road ahead......Page 368
Mapping the future......Page 369
Learning to harness the power of the organization......Page 371
In conclusion......Page 374
Bibliography......Page 380
Index......Page 384