Author: Leron Zinatullin
ISBN No: 9781849287906
Review date: 28/11/2023
No of pages: 115
Publisher: IT Governance (ITGP)
Year of publication: 05/02/2016
Psychology of Information Security - Resolving conflicts between security compliance and human behaviour
Security should be about usability, because security should be there to make employees’ lives easier, not harder. That’s the welcome argument in a new book on the psychology of information security, by Leron Zinatullin.
This is a short and sweet book that you can whizz through in an hour, whether to top up what you know about information security – and security management generally – or to provoke yourself into some thinking.
It’s to the author’s credit that he covers such a lot of ground and could easily have come up with a book two or three times as long, which would in fact have made it harder for the reader to benefit from it. The book opens with risk management – and with aspects familiar to security people beyond the information side, such as SWOT analysis and PEST analysis (political-economic-social-technological). Sprinkled through the book are interviews with managers, typically from banks and other businesses, that readers may find particularly welcome. For instance, Zinatullin devotes a chapter to ‘stakeholders and communication’: “The earlier people are involved in a security project, the easier it is to obtain their support.” It’s far from enough to have security policies and tools; your teams, who are mainly not from security, have to hear about the benefits – and maybe hear multiple times before staff act.
The core of the book is the chapter ‘how security managers make decisions’, full of useful insights; for instance, several admit how hard it is to assess the impact of security controls on user behaviour. If you don’t have a way to measure it, you don’t know. Zinatullin goes on to study common reasons why general IT users won’t comply with security policies: because they aren’t given a clear reason to, because the cost of complying is too high (in time, for instance), or because the users simply can’t comply if they want to get their work done. In other words, employees may find ‘workarounds’ that breach security, rather than do malicious things.
I would raise a couple of quibbles. One is that sometimes the author speaks of ‘security managers’ and at other times of ‘information security managers’, and I was not sure whether he was using the two terms interchangeably. The two, however, are not the same: a security manager may have physical site security on his plate, while an infosec manager has only that specialism. And on the matter of writing style, the book sometimes felt a bit too much like the dissertation it seems to have been based on. That said, the argument is rooted in workplaces and how things actually get done (or not), offering for instance the view that security professionals might have to challenge a status quo and ask why things are done in a particular way.
Quibbles, as I say, because the book is sound, offering such things as the ISO 27001 standard as a starting point for developing a security policy (because the assets to be secured may be people and hardware, besides intangibles such as services). And a reminder that compliance – such as a risk register only looked at once a year when it’s ticked off again – is not an end in itself. Zinatullin closes by arguing for a changed approach to security: campaigning ‘not to teach tricks, but to create a new culture which is accepted and understood by everyone’. He is a contributor to The Analogies Project – https://theanalogiesproject.org.