Managing the Human Factor in Information Security

With the growth in social networking and the potential for larger and larger breaches of sensitive data,it is vital for all enterprises to ensure that computer users adhere to corporate policy and project staff design secure systems. Written by a security expert with more than 25 years' experience, this book examines how fundamental staff awareness is to establishing security and addresses such challenges as containing threats, managing politics, developing programs, and getting a business to buy into a security plan. Illustrated with real-world examples throughout, this is a must-have guide for security and IT professionals.

Autorentext
David Lacey is a leading authority on Information Security management with more than 25 years professional experience, gained in senior leadership roles in Royal Dutch/Shell Group, Royal Mail Group and the British Foreign & Commonwealth Office. David is now a freelance director, researcher, writer and a consultant to organisations, venture capitalists and technology companies. He also writes a leading blog on IT Security for Computer Weekly, the largest circulation UK technology magazine.

Klappentext

"Computers do not commit crimes. People do." The biggest threat to information security is the "human factor", the influence of people. Even the best people will make mistakes, cause breaches and create security weaknesses that enable criminals to steal, corrupt or manipulate systems and data. The explosion in social networking and mobile computing is intensifying this problem. For the first time, this book brings together theories and methods which will help you to change and harness people's security behaviour. It will help you to:

• Understand and manage major crises and risk
• Appreciate the nature of the insider threat
• Navigate organization culture and politics
• Build better awareness programmes
• Transform user attitudes and behaviour
• Gain Executive Board buy-in
• Design management systems that really work
• Harness the power of your organization Based on the author's own personal experience of working with large, complex organizations, such as Shell and Royal Mail, this book is written by an information security insider and makes essential reading for all information security professionals. "We live in an age where social networks, collaborative working and community development are global and commonplace, redefining the role of information security. David takes a dry-as-dust elephant of a subject and expertly serves it up in edible, even tasty, morsels."
  JP Rangaswami, Managing Director of BT Design "A highly entertaining read that will undoubtedly become essential reading for all security professionals."
  Professor Fred Piper "I'm really interested in reading this book and, frankly, once it's published, I'll be one of the first to buy it."
  Dr. Eugene Schultz, High Tower Software

Inhalt
Acknowledgements xvii

Foreword xix

Introduction xxi

1 Power to the people 1

The power is out there . . . somewhere 1

An information-rich world 2

When in doubt, phone a friend 3

Engage with the public 4

The power of the blogosphere 4

The future of news 5

Leveraging new ideas 5

Changing the way we live 6

Transforming the political landscape 7

Network effects in business 8

Being there 9

Value in the digital age 9

Hidden value in networks 10

Network innovations create security challenges 12

You've been de-perimeterized! 14

The collapse of information management 15

The shifting focus of information security 15

The external perspective 17

A new world of openness 18

A new age of collaborative working 19

Collaboration-oriented architecture 20

Business in virtual worlds 21

Democracy . . . but not as we know it 22

Don't lock down that network 23

The future of network security 24

Can we trust the data? 25

The art of disinformation 27

The future of knowledge 28

The next big security concern 30

Learning from networks 31

2 Everyone makes a difference 33

Where to focus your efforts 33

The view from the bridge 34

The role of the executive board 35

The new threat of data leakage 36

The perspective of business management 38

The role of the business manager 39

Engaging with business managers 40

The role of the IT function 41

Minding your partners 42

Computer users 43

Customers and citizens 44

Learning from stakeholders 44

3 There's no such thing as an isolated incident 47

What lies beneath? 47

Accidents waiting to happen 48

No system is foolproof 49

Visibility is the key 49

A lesson from the safety field 50

Everyone makes mistakes 52

The science of error prevention 53

Swiss cheese and security 54

How significant was that event? 55

Events are for the record 56

When an event becomes an incident 57

The immediacy of emergencies 57

When disaster strikes 58

When events spiral out of control 58

How the response process changes 59

No two crises are the same 60

One size doesn't fit all 61

The limits of planning 62

Some assets are irreplaceable 63

It's the process, not the plan 63

Why crisis management is hard 64

Skills to manage a crisis 65

Dangerous detail 67

The missing piece of the jigsaw 67

Establish the real cause 68

Are you incubating a crisis? 69

When crisis management becomes the problem 70

Developing a crisis strategy 70

Turning threats into opportunities 71

Boosting market capitalization 72

Anticipating events 73

Anticipating opportunities 74

Designing crisis team structures 75

How many teams? 76

Who takes the lead? 77

Ideal team dynamics 77

Multi-agency teams 78

The perfect environment 79

The challenge of the virtual environment 80

Protocols for virtual team working 81

Exercising the crisis team 81

Learning from incidents 83

4 Zen and the art of risk management 85

East meetsWest 85

The nature of risks 86

Who invented risk management? 87

We could be so lucky 88

Components of risk 89

Gross or net risk? 90

Don't lose sight of business 91

How big is your appetite? 92 It's an emotional thing 93<...