The Psychology of Information Security book reviews

51enjkmw1ll-_sx322_bo1204203200_

I wrote about my book  in the previous post. Here I would like to share what others have to say about it.

So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK

This is an easy-to-read, accessible and simple introduction to information security.  The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject.  Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

Read the rest of this entry »

Advertisements

Presenting at the IT & Security Forum

ITSF

I was invited to speak at the IT & Security Forum in Kazan, Russia. The conference spanned over three days and combined technical and non-technical talks, round table discussions and vendor presentations.

I spoke about the friction between security and productivity in the Oil & Gas sector. The participants shared their issues, after which we discussed potential solutions.

It was great to see that security managers in the audience recognised the potential negative impact to the business of poorly implemented security policies and controls and that they are willing to tackle such challenges.


Talking to PhD students about cyber security

presentI recently had the pleasure to help organise and host PhD students from Royal Holloway, University of London (RHUL), who spent a day at my company interacting with the team in order to gain industry insights.

This day-long event included presentations by the students, their lecturers, our partners and consultants.

During one of these presentations, I shared some of my own experiences as an information security consultant, in which I talked about my role and area of expertise. I also discussed current security challenges and provided some career advice.

Several round table discussions provided everybody with much needed food for thought. We covered topics like security monitoring, threat intelligence, information protection in digital health and the role of the C-suite.

We received positive responses from the professors – the students enjoyed the presentations and learned a lot from the interactions during the day.


Security in an Agile World – NextSec event

Santander have kindly agreed to host our next workshop event in their London offices on the 14th October. View the event flyer here.

Hear from leaders in Digital Innovation and Information Security on:
– The balance of Security and Innovation: The Cyber Threat and Opportunity
– Phishing and Social Media
– The Importance of Communication in Security

Speakers
– Edward Metzger, Head of Innovation, Santander
– Matt Bottomley, Senior Manager, Cyber Risk, Lloyds Banking Group
– Christine Maxwell, Head of Digital Security, Governance and Operational Excellence, BP

Networking and Careers Session
– Opportunity to network with junior professionals, students in Information Security and Technology
– Post event drinks and canapés reception
– Information Security careers stands from Santander, EY and KPMG will be at the event

Date: Wednesday 14th October 2015

Register now


Secure by design

V4tS8p5F_C0

Have you seen security controls being implemented just to comply with legal and regulatory requirements? Just like this fence. I’m sure it will pass all the audits: it is functioning as designed, it blocks the path (at least on paper) and it has a bright yellow colour just as specified in the documentation. But is it fit for purpose?

It turns out that many security problems arise from this eager drive to comply: if the regulator needs a fence – it will be added!

Sometimes controls are introduced later, when the project is well passed the design stage. It might be the case that they just don’t align with the real world anymore.

n0saycKzykM

Safety measures, unfortunately, are no exception. The solution may be poorly designed, but more often, safety requirements are included later on with the implementation not fit for purpose.

IbHF452Usk0tuLB7kjBazs

Same holds for privacy as well. Privacy professionals encourage to adopt the Privacy by Design principle. Is it considered on the image below?

2Tx1qKFQzfoB5nli4NoEG4


Information Security E-Learning Part 2

ID-100188595

In my previous post I discussed free online courses in information security. Here  I would like to share a few more resources.

Read the rest of this entry »


Cake and Security

There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you…. to eat your salad. You know they are right, but anticipating that bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so much so that you never get to it.

Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.

In our day-to-day lives we prefer to do “cake” tasks without giving it a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts…. you know, taking a little bite here and there. It’s “only for today”, “no biggie”… This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few “salad” controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day… who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.

reward

And one day we realise that it’s not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So to add to your partner’s words of wisdom, is the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.

“You have got to eat more salad and lay off the cakes!”

To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files or that the encrypted pen drive is not compatible with the client’s Mac.

So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our “security diet”?

They could aim at making security more like a cake – effortless, even attractive, but still keep it as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-tasting salad altogether. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.

Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch-potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.

unpleasant but necessary measures

The whole company needs to know that security is important for achieving its goals -not as something that gets in the way-, just as we should all know that having a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure confidentiality and the integrity of information, but it also guarantees that the resources are available for employees to complete their primary tasks.

We need to realise that we contribute to security; and we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.

The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists to come up with better tasting ones.