The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour
By Leron Zinatullin and Peter Silverleaf
About this ebook
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour considers information security from the seemingly opposing viewpoints of security professionals and end users to find the balance between security and productivity. It provides recommendations on aligning a security programme with wider organisational objectives, successfully managing change and improving security culture.
Leron Zinatullin
Leron Zinatullin (zinatullin.com) is an experienced risk consultant specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. He has an MSc in information security from University College London, where he focused on the human aspects of information security. His research was related to modelling conflicts between security compliance and human behaviour.
Related to The Psychology of Information Security
Titles in the series (7)
- Build a Security Culture
- Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely
- Reviewing IT in Due Diligence: Are you buying an IT asset or liability
- Two-Factor Authentication
- The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour
- Fundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors
- Fundamentals of Assurance for Lean Projects
Reviews for The Psychology of Information Security
2 ratings, 1 review
- Rating: 5 out of 5 stars. This book is a very pragmatic and excellent read. Very easy to understand, and I will recommend it to friends.
Simon Peter
Book preview
The Psychology of Information Security
Resolving conflicts between security compliance and human behaviour
LERON ZINATULLIN
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher, and are in no way reflective of the author’s employer, nor is it affiliated with the author’s employer in any way. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licenses issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Leron Zinatullin 2016
The author has asserted the rights of the author under the Copyright, Designs, and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2016 by IT Governance Publishing
ISBN 978-1-84928-791-3
FOREWORD
So often information security is viewed as a technical discipline – a world of firewalls, antivirus software, access controls and encryption; an opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and, most of all, secrecy.
Leron takes a practical, pragmatic and no-holds-barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation, and, most of all, how we can create a security environment which helps people feel free to actually do their job.
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK
PREFACE
In his book How to Win Friends and Influence People, Dale Carnegie tells a story about George B. Johnston of Enid, Oklahoma. Mr Johnston was responsible for safety at an engineering company. Among other duties he had to ensure that employees were wearing their hard hats while on the job. His common strategy was to spot people who didn’t follow this policy, approach them, quote the regulation and insist on compliance. He succeeded in having them abide by the rules, but only temporarily: employees usually removed their hats as soon as he left.
He decided to try something new. Instead of approaching the workers from a position of authority, he tried to take a genuine interest in their comfort. He wanted to know whether the hats were uncomfortable enough to stop people from wearing them.
Also, instead of simply insisting on following the policy, he mentioned to the employees that it was important to wear hard hats, because they were designed to prevent injuries and this was in their best interest. As a result, this not only increased compliance, but also mitigated resentment towards the regulation.
Information security professionals are faced with a similar problem. They have to ensure that a company is adequately addressing information security risks, but they also have to communicate the value of security appropriately in order to be successful.
On the one hand, not putting security controls in place may result in significant losses for an organisation. On the other hand, badly implemented security mechanisms may obstruct employees’ productivity and result in a poor security culture.
Security professionals and users may hold different views on security-related activities. To ensure that users in the organisation comply with policies, security professionals should also take employees’ behaviour into account.
The main goal of this book is to gain insight into information security issues related to human behaviour, from both end-users’ and security professionals’ perspectives. It aims to provide a set of recommendations to support the security professional’s decision-making process when implementing controls and communicating these changes within an organisation. To achieve this, a number of interviews were conducted with UK-based security professionals from various sectors, including financial services, advertising, media, energy and technology. Their views, along with further relevant research, were incorporated into the book, in order to provide a holistic overview of the problem and propose a solution.
ABOUT THE AUTHOR
Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy.
He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors.
He has an MSc in Information Security from University College London, where he focused on the human aspects of information security. His research was related to modelling conflicts between security compliance and human behaviour.
Website: zinatullin.com
Twitter: @le_rond
ACKNOWLEDGEMENTS
I would like to thank the many people who helped me with this book; those who provided support, talked things over, offered comments and assisted in the editing.
CONTENTS
Chapter 1: Introduction to Information Security
Chapter 2: Risk Management
Chapter 3: The Complexity of Risk Management
Chapter 4: Stakeholders and Communication
Chapter 5: Information Security Governance
Chapter 6: Problems with Policies
Chapter 7: How Security Managers Make Decisions
Chapter 8: How Users Make Decisions
There is no clear reason to comply
The cost of compliance is too high
There is an inability to comply
Chapter 9: Security and Usability
Chapter 10: Security Culture
Chapter 11: The Psychology of Compliance
Chapter 12: Conclusion - Changing the Approach to Security
Design
Culture
Supervision and sanctioning
Appendix: Analogies
Analogy 1: Cake and Security
Analogy 2: Poker and Security
Sources
ITG Resources
CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY
Information security encompasses many aspects of business, including financial controls, human resources and protection of the physical environment, as well as health and safety measures. But who are