Managing the Human Factor in Information Security
How to win over staff and influence business managers
Paperback, English, 2009
By David Lacey
379 kr
Product information
- Publication date: 2009-01-23
- Dimensions: 184 x 230 x 22 mm
- Weight: 726 g
- Language: English
- Pages: 398
- Publisher: John Wiley & Sons Inc
- EAN: 9780470721995
David Lacey is a leading authority on Information Security management with more than 25 years professional experience, gained in senior leadership roles in Royal Dutch/Shell Group, Royal Mail Group and the British Foreign & Commonwealth Office. David is now a freelance director, researcher, writer and a consultant to organisations, venture capitalists and technology companies. He also writes a leading blog on IT Security for Computer Weekly, the largest circulation UK technology magazine.
Contents

Acknowledgements
Foreword
Introduction

1 Power to the people
- The power is out there . . . somewhere
- An information-rich world
- When in doubt, phone a friend
- Engage with the public
- The power of the blogosphere
- The future of news
- Leveraging new ideas
- Changing the way we live
- Transforming the political landscape
- Network effects in business
- Being there
- Value in the digital age
- Hidden value in networks
- Network innovations create security challenges
- You've been de-perimeterized!
- The collapse of information management
- The shifting focus of information security
- The external perspective
- A new world of openness
- A new age of collaborative working
- Collaboration-oriented architecture
- Business in virtual worlds
- Democracy . . . but not as we know it
- Don't lock down that network
- The future of network security
- Can we trust the data?
- The art of disinformation
- The future of knowledge
- The next big security concern
- Learning from networks

2 Everyone makes a difference
- Where to focus your efforts
- The view from the bridge
- The role of the executive board
- The new threat of data leakage
- The perspective of business management
- The role of the business manager
- Engaging with business managers
- The role of the IT function
- Minding your partners
- Computer users
- Customers and citizens
- Learning from stakeholders

3 There's no such thing as an isolated incident
- What lies beneath?
- Accidents waiting to happen
- No system is foolproof
- Visibility is the key
- A lesson from the safety field
- Everyone makes mistakes
- The science of error prevention
- Swiss cheese and security
- How significant was that event?
- Events are for the record
- When an event becomes an incident
- The immediacy of emergencies
- When disaster strikes
- When events spiral out of control
- How the response process changes
- No two crises are the same
- One size doesn't fit all
- The limits of planning
- Some assets are irreplaceable
- It's the process, not the plan
- Why crisis management is hard
- Skills to manage a crisis
- Dangerous detail
- The missing piece of the jigsaw
- Establish the real cause
- Are you incubating a crisis?
- When crisis management becomes the problem
- Developing a crisis strategy
- Turning threats into opportunities
- Boosting market capitalization
- Anticipating events
- Anticipating opportunities
- Designing crisis team structures
- How many teams?
- Who takes the lead?
- Ideal team dynamics
- Multi-agency teams
- The perfect environment
- The challenge of the virtual environment
- Protocols for virtual team working
- Exercising the crisis team
- Learning from incidents

4 Zen and the art of risk management
- East meets West
- The nature of risks
- Who invented risk management?
- We could be so lucky
- Components of risk
- Gross or net risk?
- Don't lose sight of business
- How big is your appetite?
- It's an emotional thing
- In the eye of the beholder
- What risk was that?
- Living in the past
- Who created that risk?
- It's not my problem
- Size matters
- Getting your sums right
- Some facts are counterintuitive
- The loaded dice
- The answer is 42
- It's just an illusion
- Context is king
- Perception and reality
- It's a relative thing
- Risk, what risk?
- Something wicked this way comes
- The black swan
- Double jeopardy
- What type of risk?
- Lessons from the process industries
- Lessons from cost engineering
- Lessons from the financial sector
- Lessons from the insurance field
- The limits of percentage play
- Operational risk
- Joining up risk management
- General or specific?
- Identifying and ranking risks
- Using checklists
- Categories of risks
- It's a moving target
- Comparing and ranking risks
- Risk management strategies
- Communicating risk appetite
- Risk management maturity
- There's more to security than risk
- It's a decision support tool
- The perils of risk assessment
- Learning from risk management

5 Who can you trust?
- An asset or a liability?
- People are different
- The rule of four
- The need to conform
- Understand your enemies
- The face of the enemy
- Run silent, run deep
- Dreamers and charmers
- The unfashionable hacker
- The psychology of scams
- Visitors are welcome
- Where loyalties lie
- Signs of disloyalty
- The whistleblower
- Stemming the leaks
- Stamping out corruption
- Know your staff
- We know what you did
- Reading between the lines
- Liberty or death
- Personality types
- Personalities and crime
- The dark triad
- Cyberspace is less risky
- Set a thief
- It's a glamour profession
- There are easier ways
- I just don't believe it
- Don't lose that evidence
- They had it coming
- The science of investigation
- The art of interrogation
- Secure by design
- Science and snake oil
- The art of hypnosis
- The power of suggestion
- It's just an illusion
- It pays to cooperate
- Artificial trust
- Who are you?
- How many identities?
- Laws of identity
- Learning from people

6 Managing organization culture and politics
- When worlds collide
- What is organization culture?
- Organizations are different
- Organizing for security
- Tackling 'localitis'
- Small is beautiful
- In search of professionalism
- Developing careers
- Skills for information security
- Information skills
- Survival skills
- Navigating the political minefield
- Square pegs and round holes
- What's in a name?
- Managing relationships
- Exceeding expectations
- Nasty or nice
- In search of a healthy security culture
- In search of a security mindset
- Who influences decisions?
- Dealing with diversity
- Don't take yes for an answer
- Learning from organization culture and politics

7 Designing effective awareness programs
- Requirements for change
- Understanding the problem
- Asking the right questions
- The art of questionnaire design
- Hitting the spot
- Campaigns that work
- Adapting to the audience
- Memorable messages
- Let's play a game
- The power of three
- Creating an impact
- What's in a word?
- Benefits not features
- Using professional support
- The art of technical writing
- Marketing experts
- Brand managers
- Creative teams
- The power of the external perspective
- Managing the media
- Behavioural psychologists
- Blogging for security
- Measuring your success
- Learning to conduct campaigns

8 Transforming organization attitudes and behaviour
- Changing mindsets
- Reward beats punishment
- Changing attitudes
- Scenario planning
- Successful uses of scenarios
- Dangers of scenario planning
- Images speak louder
- A novel approach
- The balance of consequences
- The power of attribution
- Environments shape behaviour
- Enforcing the rules of the network
- Encouraging business ethics
- The art of on-line persuasion
- Learning to change behaviour

9 Gaining executive board and business buy-in
- Countering security fatigue
- Money isn't everything
- What makes a good business case?
- Aligning with investment appraisal criteria
- Translating benefits into financial terms
- Aligning with IT strategy
- Achieving a decisive result
- Key elements of a good business case
- Assembling the business case
- Identifying and assessing benefits
- Something from nothing
- Reducing project risks
- Framing your recommendations
- Mastering the pitch
- Learning how to make the business case

10 Designing security systems that work
- Why systems fail
- Setting the vision
- What makes a good vision?
- Defining your mission
- Building the strategy
- Critical success factors for effective governance
- The smart approach to governance
- Don't reinvent the wheel
- Look for precedents from other fields
- Take a top down approach
- Start small, then extend
- Take a strategic approach
- Ask the bigger question
- Identify and assess options
- Risk assessment or prescriptive controls?
- In a class of their own
- Not all labels are the same
- Guidance for technology and people
- Designing long-lasting frameworks
- Applying the fourth dimension
- Do we have to do that?
- Steal with caution
- The golden triangle
- Managing risks across outsourced supply chains
- Models, frameworks and architectures
- Why we need architecture
- The folly of enterprise security architectures
- Real-world security architecture
- The 5Ws (and one H)
- Occam's Razor
- Trust architectures
- Secure by design
- Jericho Forum principles
- Collaboration-oriented architecture
- Forwards not backwards
- Capability maturity models
- The power of metrics
- Closing the loop
- The importance of ergonomics
- It's more than ease of use
- The failure of designs
- Ergonomic methods
- A nudge in the right direction
- Learning to design systems that work

11 Harnessing the power of the organization
- The power of networks
- Surviving in a hostile world
- Mobilizing the workforce
- Work smarter, not harder
- Finding a lever
- The art of systems thinking
- Creating virtuous circles
- Triggering a tipping point
- Identifying key influencers
- In search of charisma
- Understanding fashion
- The power of context
- The bigger me
- The power of the herd
- The wisdom of crowds
- Unlimited resources – the power of open source
- Unlimited purchasing power
- Let the network do the work
- Why is everything getting more complex?
- Getting to grips with complexity
- Simple can't control complex
- Designing freedom
- A process-free world
- The power of expressive systems
- Emergent behaviour
- Why innovation is important
- What is innovation?
- What inspires people to create?
- Just one idea is enough
- The art of creative thinking
- Yes, you can
- Outside the box
- Innovation environments
- Turning ideas into action
- Steps to innovation heaven
- The road ahead
- Mapping the future
- Learning to harness the power of the organization

In conclusion
Bibliography
Index
Reviews
- "For a big book - in size and in ambition - it's most readable." (Professional Security, September 2010)
- "I found the book enjoyable and easy to read. It is very informative, and gives good references." (Infosecurity, June 2009)
- "... an engaging read." (Information Age, May 2009)