The Psychology of Information Security

Ensure the success of your security programme by understanding users' motivations

“This book cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making it an easy read with some very real practical takeaways.”

Thom Langford, Chief Information Security Officer at Publicis Groupe

“Based on real world examples the book provides valuable insights into the relationship of information security, compliance, business economics and decision theory. Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program.”

Daniel Schatz, Director for Threat & Vulnerability Management at Thomson Reuters

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

Product description

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.

Contents

Chapter 1: Introduction to information security

Chapter 2: Risk management

Chapter 3: The complexity of risk management

Chapter 4: Stakeholders and communication

Chapter 5: Information security governance

Chapter 6: Problems with policies

Chapter 7: How security managers make decisions

Chapter 8: How users make decisions

Chapter 9: Security and usability

Chapter 10: Security culture

Chapter 11: The psychology of compliance

Chapter 12: Conclusion - Changing the approach to security

Appendix: Analogies

About the author

Leron Zinatullin (zinatullin.com) is an experienced risk consultant specialising in cyber security strategy, management and delivery.