The Psychology of Information Security book reviews


I wrote about my book in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

“Leron’s book contributes to a growing momentum within the industry which rightly recognises the importance of understanding why people do what they do in the role of information security management now and in the future. I applaud him drawing on domains outside of the traditional security skills set, which is a must if we are to manage risk within the human factor.”
Bruce Hallas
Founder at The Analogies Project & Director at Marmaladebox Ltd

“This brief primer provides a great introduction to the challenges of matching staff expectations and security requirements.”
Stephen Bonner
Infosec Hall of Fame member.

The title of this book suggests this text is about resolving conflicts between security compliance and human behaviour.  I like to think of this book as a primer on how to achieve security compliance ‘in the wild’.  This isn’t a long book, but I don’t think a text like this needs to be.

The book begins with some foundations about risk management and security policies that many practitioners will be familiar with.  However, rather than just acknowledging some of the difficulties associated with both, it gives some practical approaches for addressing the problems highlighted.  Some of the techniques discussed are ‘old favourites’ such as SWOT and stakeholder analysis, however Leron also draws on some interesting work from security economics (specifically compliance budgeting) and usability security to make some of his points.  I particularly like the bonus chapters on security analogies.  Although the analogies do have weaknesses in some places (for example: what if we can’t get all the calories we need from salad alone), they are a nice way of engaging people in information security issues.

I think this book is a good investment for those working in the information security industry looking for ideas from the latest research in productive security.   The style of writing, and the anecdotes ensure that practitioners are given lots of bite-sized ideas that they can take away and put into practice right away.
Shamal Faily
Senior Lecturer in Systems Security Engineering
Bournemouth University

This book is a refreshing take on an old subject; it serves as both a fresh way to look at information security risks in your organisation as well as an introduction to risk management if you have just started in the role. Using a broad range of sources from academic to face to face interviews it cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making this book an easy read with some very real practical takeaways.
Thom Langford, Chief Information Security Officer
Publicis Groupe

I found this book an excellent read.  The author combines personal experience, academic research and interviews to provide a different perspective on IT security compliance.  The book moves away from the traditional approach of checklists and strict enforcement of compliance to explain the reasons why people choose, or fail, to comply, and proposes some good higher impact solutions based on modifying behaviours.
Chris Wright, Wright CandA Consulting

I have grown quite enthusiastic about this work. Clear arguments are provided based on accepted science, with these brought together in a strong case for a new approach to security. As such, the views in this book coincide with the fresh wind also found in accountancy of corporate governance, focusing on the new trend for leadership within security.
ir. H.L. (Maarten) Souw RE, Enterprise Risk and QA Manager, UVW

Leron provides many thought provoking insights on how human behaviour affects risk management. Without understanding the intricacies between these two topics, teams delivering security improvements may not be successful. This is essential reading for anyone seeking to expand their expertise beyond technical risk topics.
Andrew Martin, Director for IT Risk at a global bank

This book takes some of the most fundamental aspects of information security and provides expert insight and solutions that all businesses can learn from. A lot of people struggle to understand the basic concepts and importance of cyber security to their business, but here we read about real-life scenarios and business advice, in a simple yet effective manner, that everyone can relate to. The book acknowledges the need for people to work together to improve their position and this is exactly what Leron has done to create such a fantastic book, featuring thoughts and concepts from industry leaders such as Javvad Malik, Thom Langford and Bruce Schneier. I’d highly recommend this book for any CEO or any executive that wants to understand what security means for their business.
Joe Pettit, Managing Editor at Tripwire

“All Information Security professionals of any standing are, whether they know it or not, psychologists. Whether directly with regard to Social Engineering or as part of their efforts in creating an essential security ethos that is so often immensely difficult to embed within corporations of any level of complexity. It was thus with great delight that I read through this new text, which should now become a worthy addition to the library of all those who wish to underpin their understanding of their chosen profession.

The mindsets of departments driven by profit and loss must be understood before making any attempt at progressing ‘security’ beyond firewalls and passwords into becoming a fundamental consideration in the decision-making process of any company; the author has now laid the groundwork for this to be achieved. Through interviews and academic research, widely applicable lessons have been defined to assist the reader in negotiating what can be a tortuous process in delivering a truly embedded security culture. For those fortunate enough to have attended one of his presentations, the attention to detail and the fluidity of expression have been readily transposed into his published writing.

The text is succinct and to the point, the length is both necessary and sufficient, the price is insignificant, in short just buy it!”

Kevin McCarthy, MSc (dist.) CISSP ISO27001:2013 LA/LI C|EH CCSK ITILv3 PRINCE2 Security consultant

“I’ll have to admit up front that I am slightly biased as I’ve known Leron for many years and have always been impressed with his hard work and attention to detail. But this isn’t a LinkedIn recommendation.

Leron sent me a pre-release of the book to have a read and offer feedback. Usually, I enjoy pulling the proverbial red pen and sending back a ton of views, opinions and memes.

However, I found Leron to have put some serious effort into this book and it covers a lot of the fundamentals of information security. A welcome inclusion were external references from other industries. While these sorts of references can sometimes make a book feel like academic research – Leron has done well to make the inclusions relevant and easy to understand.”

Javvad Malik, Security advocate and blogger

The book provides a concise introduction to the complex topic of the human factor in context of information security. Based on real world examples it provides valuable insights into the relationship of information security, compliance, business economics and decision theory.  Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program.
Daniel Schatz,
Director for Threat & Vulnerability Management
Thomson Reuters

You can also check out the review by the Professional Security Magazine and my profile on my publisher’s website.

It’s now available on Amazon