Royal Holloway University of London adopts my book for their MSc Information Security programme

One of the UK’s leading research-intensive universities has selected the second edition of The Psychology of Information Security to be included in their flagship Information Security programme as part of their ongoing collaboration with industry professionals.

“We incorporated The Psychology of Information Security into our MSc in Information Security, where it has become part of the essential reading for the Human Aspects of Security and Privacy module. Over time, it has proven to be a valuable anchor text within the curriculum, helping to frame discussions around the human dimensions of cybersecurity in a structured and coherent way.

Students consistently appreciate the perspectives it offers, particularly its ability to bridge academic research with real-world industry practice. It not only provides a clear roadmap through a complex and wide-ranging topic, but also encourages a broad understanding of the psychological principles underpinning everyday security challenges.”

Dr Konstantinos Mersinas, PhD, CISSP

Associate Professor, Information Security Group, Royal Holloway, University of London

Visiting Professor, Keio University, Tokyo, Japan (Specially Appointed Associate Professor, Keio University, Tokyo, Japan)

Director of Distance Learning MSc Programme in Information Security

Vice Chair, INCS-CoE (International Cyber Security Center of Excellence)


Adapting to EU regulatory changes: navigating compliance and building resilience

I had the privilege of joining a panel discussion on the rapidly evolving regulatory landscape and its impact on businesses worldwide. With cyber threats, operational disruptions, and AI risks on the rise, governments are strengthening regulations to drive security, resilience and accountability across industries.

In Europe, major frameworks like DORA (Digital Operational Resilience Act), NIS2 (Network and Information Security Directive) and the EU AI Act are reshaping how organisations approach cybersecurity, operational resilience, and responsible AI governance. But this shift isn’t limited to the EU – regulatory scrutiny is increasing globally, from the U.S. to APAC, with frameworks reinforcing risk management, third-party oversight and AI transparency.

A huge thank you to my fellow panelists and engaged audience members for an insightful discussion.

Continuous control monitoring

NISTIR 7756 Contextual Description of the CAESARS System

Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of the effectiveness of security controls.

A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies in line with a security framework (e.g. NIST CSF).

A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.

These reports have a lot of merit, but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. By then the threat landscape has already shifted, the state of assets and controls has changed, and the business context and priorities are no longer the same.


Cyber security lessons from across the industries

I have been fortunate to help and collaborate with a wide variety of organisations during my cyber security career to date. These companies range from large multinationals that are household names to small tech startups that you probably haven’t even heard of.

Although the regulatory landscape, security maturity and key risks often vary dramatically between industries, there are common themes that both an upstart FinTech and an energy giant can benefit from.

Being able to see what works, for example, in the world of Operational Technology and apply some of the learnings to an insurance company and vice versa can bring a fresh perspective and result in unique solutions that can be easily overlooked in traditional sector-specific paradigms. Identifying these synergies and collaboration opportunities between organisations of different sizes, industries, cultures and technological stacks has allowed me to better understand specific issues, challenge the conventional thinking and tailor my advice to fit the overall strategy of a given organisation for best results.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.
