The Psychology of Information Security – Get 10% Off

book.PNG

IT Governance Publishing kindly provided a 10% discount on my book. Simply use voucher code SPY10 on my publisher’s website.

Offer ends 30 November 2016.

 


I’ve been interviewed by Javvad Malik about my career in InfoSec

I’ve been interviewed by Javvad Malik about my career in Information Security. He published the interview on his website

The difference between Leron and anyone else that has ever asked for advice is his willingness to learn and take on board as much knowledge as possible and then apply it. In a few short years, not only was Leron able to complete his MSc, but he landed a job (while turning down other offers), spoke at events, and wrote a book. Achieving more in 3 years than most people do in 10.

So, the roles are now reversed. I needed to catch up with Leron and pick his brains about his journey and see what I could learn from him.
Read the full story


The Psychology of Information Security book reviews

51enjkmw1ll-_sx322_bo1204203200_

I wrote about my book  in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

Read the rest of this entry »


Talking to PhD students about cyber security

presentI recently had the pleasure to help organise and host PhD students from Royal Holloway, University of London (RHUL), who spent a day at my company interacting with the team in order to gain industry insights.

This day-long event included presentations by the students, their lecturers, our partners and consultants.

During one of these presentations, I shared some of my own experiences as an information security consultant, in which I talked about my role and area of expertise. I also discussed current security challenges and provided some career advice.

Several round table discussions provided everybody with much needed food for thought. We covered topics like security monitoring, threat intelligence, information protection in digital health and the role of the C-suite.

We received positive responses from the professors – the students enjoyed the presentations and learned a lot from the interactions during the day.


Presenting on cyber security at UCL

ucldark_0.jpg

The UCLU Technology Society invited me to deliver a talk on information security to UCL students. Together with my colleague, I discussed various aspects of information security focusing on both technical and non-technical topics.

We talked about Advanced Persistent Threats and common misconceptions people have about them. When referring to protection measures, I emphasised the importance of considering human aspects of security. I described typical causes of a poor security culture in companies, along with providing some recommendations on improving it.

I concluded the evening with a discussion on managing and communicating the necessary changes within the organisation and the skills required to successfully do that.


The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour

ITGP

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:

  • Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
  • Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
  • Give advice on aligning a security programme with wider organisational objectives.
  • Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.

It’s now available for pre-order on the UK, EU or US websites.


Information Security E-Learning Part 2

ID-100188595

In my previous post I discussed free online courses in information security. Here  I would like to share a few more resources.

Hardware Security

“In this course, we will study security and trust from the hardware perspective. Upon completing the course, students will understand the vulnerabilities in current digital system design flow and the physical attacks to these systems. They will learn that security starts from hardware design and be familiar with the tools and skills to build secure and trusted hardware.”

Software Security

“This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them — such as buffer overflows, SQL injection, and session hijacking — and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a “build security in” mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.”

Usable Security

“This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, and apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system.”

Internet History, Technology, and Security

“The impact of technology and networks on our lives, culture, and society continues to increase. The very fact that you can take this course from anywhere in the world requires a technological infrastructure that was designed, engineered, and built over the past sixty years. To function in an information-centric world, we need to understand the workings of network technology. This course will open up the Internet and show you how it was created, who created it and how it works. Along the way we will meet many of the innovators who developed the Internet and Web technologies that we use today.”

Malicious Software and its Underground Economy: Two Sides to Every Story

“Cybercrime has become both more widespread and harder to battle. Researchers and anecdotal experience show that the cybercrime scene is becoming increasingly organized and consolidated, with strong links also to traditional criminal networks. Modern attacks are indeed stealthy and often profit oriented.

Malicious software (malware) is the traditional way in which cybercriminals infect user and enterprise hosts to gain access to their private, financial, and intellectual property data. Once stolen, such information can enable more sophisticated attacks, generate illegal revenue, and allow for cyber-espionage.

By mixing a practical, hands-on approach with the theory and techniques behind the scene, the course discusses the current academic and underground research in the field, trying to answer the foremost question about malware and underground economy, namely, “Should we care?”.

Students will learn how traditional and mobile malware work, how they are analyzed and detected, peering through the underground ecosystem that drives this profitable but illegal business. Understanding how malware operates is of paramount importance to form knowledgeable experts, teachers, researchers, and practitioners able to fight back. Besides, it allows us to gather intimate knowledge of the systems and the threats, which is a necessary step to successfully devise novel, effective, and practical mitigation techniques.”

Building an Information Risk Management Toolkit

“In this course, you will explore several structured, risk management approaches that guide information security decision-making. Course topics include: developing and maintaining risk assessments (RA); developing and maintaining risk management plans (RM); regulatory and legal compliance issues affecting risk plans; developing a control framework for mitigating risks; risk transfer; business continuity and disaster recovery planning from the information security perspective.”

Image courtesy of cooldesign/ FreeDigitalPhotos.net