The Psychology of Information Security book reviews


I wrote about my book  in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

“Leron’s book, contributes to a growing momentum within the industry which rightly recognises the  importance of understanding why people do what they do in the role of information security management now and the future. I applaud him drawing on domains outside of the traditional security skills set which is a must if we are to manage risk within the human factor.
Bruce Hallas
Founder at The Analogies Project & Director at Marmaladebox Ltd

“This brief primer provides a great introduction to the challenges of matching staff expectations and security requirements.”
Stephen Bonner
Infosec Hall of Fame member.

The title of this book suggests this text is about resolving conflicts between security compliance and human behaviour.  I like to think of this book as a primer on how to achieve security compliance ‘in the wild’.  This isn’t a long book, but I don’t think a text like this needs to be.

The book begins with some foundations about risk management and security policies that many practitioners will be familiar with.  However, rather than just acknowledging some of the difficulties associated with both, it gives some practical approaches for addressing the problems highlighted.  Some of the techniques discussed are ‘old favourites’ such as SWOT and stakeholder analysis, however Leron also draws on some interesting work from security economics (specifically compliance budgeting) and usability security to make some of his points.  I particularly like the bonus chapters on security analogies.  Although the analogies do have weaknesses in some places (for example: what if we can’t get all the calories we need from salad alone), they are a nice way of engaging people in information security issues.

I think this book is a good investment for those working in the information security industry looking for ideas from the latest research in productive security.   The style of writing, and the anecdotes ensure that practitioners are given lots of bite-sized ideas that they can take away and put into practice right away.
Shamal Faily
Senior Lecturer in Systems Security Engineering
Bournemouth University

This book is a refreshing take on an old subject; it serves as both a fresh way to look at information security risks in your organisation as well as an introduction to risk management if you have just started in the role. Using a broad range of sources from academic to face to face interviews it cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making this book an easy read with some very real practical takeaways.
Thom Langford, Chief Information Security Officer
Publicis Groupe

I found this book an excellent read.  The author combines personal experience, academic research and interviews to provide a different perspective on IT security compliance.  The book moves away from the traditional approach of checklists and strict enforcement of compliance to explain the reasons why people choose, or fail, to comply, and proposes some good higher impact solutions based on modifying behaviours.
Chris Wright, Wright CandA Consulting

I have grown quite enthusiastic about this work. Clear arguments are provided based on accepted science, with these brought together in a strong case for a new approach to security. As such, the views in this book coincide with the fresh wind also found in accountancy of cooperate governance, focusing on the new trend for leadership within security.
ir. H.L. (Maarten) Souw RE, Enterprise Risk and QA Manager, UVW

Leron provides many thought provoking insights on how human behaviour affects risk management. Without understanding the intricacies between these two topics, teams delivering security improvements may not be successful. This is essential reading for anyone seeking to expand their expertise beyond technical risk topics.
Andrew Martin, Director for IT Risk at a global bank

This book takes some of the most fundamental aspects of information security and provides expert insight and solutions that all businesses can learn from. A lot of people struggle to understand the basic concepts and importance of cyber security to their business, but here we read about real-life scenarios and business advice, in a simple yet effective manner, that everyone can relate to.  The book acknowledges the need for people to work together to improve their position and this is exactly what Leron has done to create such a fantastic book. Featuring thoughts and concepts from industry leaders such as Javvad Mailk, Thom Langford and Bruce Schneier. I’d highly recommend this book for any CEO or any executive that wants to understand what security means for their business.
Joe Pettit, Managing Editor at Tripwire

The book provides a concise introduction to the complex topic of the human factor in context of information security. Based on real world examples it provides valuable insights into the relationship of information security, compliance, business economics and decision theory.  Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program.
Daniel Schatz,
Director for Threat & Vulnerability Management
Thomson Reuters

It’s now available on Amazon

Also check out my profile on my publisher’s website.

Correlation vs Causation


Scientists in various fields adopt statistical methods to determine relationships between events and assess the strength of such links. Security professionals performing risk assessments are also interested in determining what events are causing the most impact.

When analysing historical data, however, they should remember that correlation doesn’t always imply causation. When patterns of events look similar, it may lead you to believe that one event causes the other. But as demonstrated by the chart above, it is highly unlikely that seeing Nicolas Cage on TV causes people to jump into the pool (although it may in some cases).

This and other spurious correlations can be found on this website, with an option to create your own.



Presenting on cyber security at UCL


The UCLU Technology Society invited me to deliver a talk on information security to UCL students. Together with my colleague, I discussed various aspects of information security focusing on both technical and non-technical topics.

We talked about Advanced Persistent Threats and common misconceptions people have about them. When referring to protection measures, I emphasised the importance of considering human aspects of security. I described typical causes of a poor security culture in companies, along with providing some recommendations on improving it.

I concluded the evening with a discussion on managing and communicating the necessary changes within the organisation and the skills required to successfully do that.

The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour


In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:

  • Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
  • Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
  • Give advice on aligning a security programme with wider organisational objectives.
  • Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.

It’s now available for pre-order on the UK, EU or US websites.

Security in an Agile World – NextSec event


Santander have kindly agreed to host our next workshop event in their London offices on the 14th October. View the event flyer here.

Hear from leaders in Digital Innovation and Information Security on:
– The balance of Security and Innovation: The Cyber Threat and Opportunity
– Phishing and Social Media
– The Importance of Communication in Security

– Edward Metzger, Head of Innovation, Santander
– Matt Bottomley, Senior Manager, Cyber Risk, Lloyds Banking Group
– Christine Maxwell, Head of Digital Security, Governance and Operational Excellence, BP

Networking and Careers Session
– Opportunity to network with junior professionals, students in Information Security and Technology
– Post event drinks and canapés reception
– Information Security careers stands from Santander, EY and KPMG will be at the event

Date: Wednesday 14th October 2015

Register now

Online Safety and Security


We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?


  1. Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus form companies to the individuals. Cars, airplanes, smart homes and other connected devices along with personal phones can be exploited by malicious attackers.
  2. Online reputation is becoming increasingly more important. Potential business partners conduct thorough research prior to signing deals. Bad reputation online dramatically decreases chances to succeed in business and other areas of your life.
  3. Children’s safety online is at risk. Cyber-bullying, identity theft; with a rapid development of mobile technology and geolocation, tracking the whereabouts of your children is as easy as ever, opening opportunities for kidnappers or worse.


We offer a one-stop-shop for end-to-end protection of online identity and reputation for you and your children.

A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.

Acting as a cyber bodyguard, it is available 24/7 and dramatically reduces the risk of being affected by cybercrime .


We work with highly-skilled professionals in the field of law, cyber security, technology, information privacy, digital marketing, psychology and law enforcement to ensure you get all you need in one place to safety secure online

Get in touch to get a free personalised online security and privacy risk assessment today.

Service Free Plus Premium
Security and privacy self-assessment V V V
Basic online profile analysis V V V
Online traceability analysis V V V
General online privacy and security guidelines V V V
Personalised risk assessment V V
Advanced online profile analysis V V
Personalized recommendations and steps for reducing, mitigating or transferring risk V V
Mobile application for controlling and monitoring of applications’ activity V V
Technology solution for online privacy and security V V
Penetration testing V
Assessment for family members (up to 5) V
Cyberbullying protection for children V
Geolocation assessment V
24/7 support V
Periodical assessment and detailed recommendations V
Physical security assessment V
Connected cars security V
Smart home security V

Image courtesy ofwinnond /

Cyber Wargaming Workshop


I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.

Day 1
Course Objectives
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?

  •         Teams
  •         Interaction
  •         Moves

Module 2 Cyber Fundamentals

  •         Practical Risk Management
  •         Problems with risk management
  •         Human aspects of security
  •         Conversion of physical and information security
  •         Attacker types and motivations
  •         Security Incident management
  •         Security incident handling and response
  •         Crisis management and business continuity
  •         Cyber security trends to consider

Module 3: Introducing a Case Study

  •         Company and organisational structure
  •         Processes and architecture
  •         Issues

Module 4 Case study exercises

  •         Case study exercise 1: Risk Management
  •         Case study exercise 2: Infrastructure and Application Security

Day 2
Introducing a wagaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:

  •         How organisations responded from a business perspective
  •         How organisations responded to the attacks technically
  •         How affected organisations were by the scenario
  •         How they shared information amongst relevant parties

Feedback to the participants
Course wrap up

Image courtesy zirconicusso /


Get every new post delivered to your Inbox.

Join 28 other followers