Information Security Awareness
The Psychology Behind the Technology
by
Book Cover & Preview Text
yes"> Psychology is roughly defined as a science that deals with the mental processes and behaviors of people. Information security and information security awareness is not exempt for psychological influences. These influences can be manifested internally to the organization as well as externally. The user’s of an organization’s information systems is referenced in this book as anyone who is authorized to utilize and access these systems. A system is typically defined as the collection of information technology assets such as network architecture, computer systems, applications, and software. These users are often referenced as “people” within the text as well. A number of psychological terms are utilized throughout this book. As they are introduced, a short explanation will be provided to help aid the readers understanding of the term or phrase. A construct is an event or phenomena that cannot be directly measured (e.g., feelings, personality, emotions, etc.) but which is theoretically based or in inferred from empirical evidence. These dynamic constructs are seemingly intangible and will continue to be pursued by scientists, psychologists, and researchers in the future. In the Introduction of the book, the POSTTM framework was briefly introduced. The constructs that comprise the POSTTM framework cannot be directly measured therefore psychologists and researchers must utilize tools, instruments, and methods to create theories and analysis based upon empirical evidence or by other means. For example, it is impossible to directly measure an individual’s motivation or attitude. So, we must use scales and other tools that aid us in understanding elements that may impact the targeted construct. Understanding how and why psychology impacts information security is critical because information security awareness is about behavior, and Psychology is the science of people’s behavior and mental processes. These mental processes are the antecedents to a person’s behavior. This book is not a how-to guide for designing and building an information security awareness program. I have already written that training course for The SANS Institute as discussed in the “About the Author” section located at the back of this book. This text will help the management team of an organization frame up and understand how important and critical people are in relation to their information security program. This book will provide information security managers with the basic knowledge to understand and interpret six key psychological phenomena that comprise the POSTTM framework. This framework ultimately gives organizations a unique advantage by enabling a better understanding of their user’s actions and behaviors. Introducing the POSTTM Framework I developed the POSTTM framework after spending two years reading the body of literature on information security and writing the Information Security Awareness Train-the-Trainer program for the SANS Institute. The benefits from understanding these phenomena extend well beyond the information security program. Management has no purpose without a team. To have a qualified team moving in the same direction is something that all successful organizations aspire to accomplish. Understanding people within an organizational setting from a psychological perspective gives management an advantage over most other competitors because they are able to introduce and implement key business concepts at a faster pace and with a higher degree of success. The POSTTM framework is a platform that has the potential to deliver the knowledge and results through a customized set of psychology-based metrics. It could be thought of as a psychological-based tool that will aid an organization in developing a set of customized snap-in metrics to any existing or new information security awareness program. As part of all traditional information security awareness programs, a set of metrics must be developed in order to report the status of the program to management and enable the information security awareness team to make the most appropriate adjustments. Traditional metrics typically include things such as the number of incidents reported, security-related calls to the help desk, level of attendance to mandatory security awareness meetings, security-related audit report findings, failed login attempts, downtime as it relates to security events, legal fees as it relates to losses, compliance with legal, regulatory and statutory requirements, etc. The actual metrics will vary and depend specifically on the organization. All of these metrics are outcome-based and do not take into account the behavioral and psychological aspects of “why” these events occurred in the first place. While these metrics are very important and I consider them essential, I argue that organizations must start including the types of metrics in their information security awareness programs as outlined in the POST
Formats
Book Details
About the Book
“Information Security Awareness: The Psychology Behind the Technology” is a book written for information security managers and organizational leaders. This text focuses on the behaviors of information systems users in an organizational setting and why this is critical to successful information security awareness programs. This book examines the link between employee behavior and companies'' safeguard policies and establishes that psychology is a key to lowering information security risks.
The ultimate goal of all information security awareness programs from a business perspective is to change the behavior of users, resulting in fewer user-related errors that cause costly and destructive security incidents.
Rather than taking a traditional technology-oriented approach the author has taken a unique method by exploring and discussing six key psychological aspects of people’s behavior. Specifically, the author discusses how these phenomena relate to, and impact, an information security program. The six behavioral-oriented phenomena reviewed in this book are: motivation, attitude, beliefs, personality, morals, and ethics. These six phenomena are the basis for “The Psychology of Security and Technology” or POSTTM, a new framework he has created.
Many organizations take the approach of “informing” their user community of their security policies, guidelines, and procedures. This would be described as a descriptive approach, meaning the users are told they must comply because management requires them to. Recent research in organizational psychology and information security awareness postulates that this approach is flawed. The descriptive-based approach does nothing to help the users internalize or justify the organizations requirements, therefore their attitudes and motivations will be lacking and ultimately produce undesirable results.
A new prescriptive-based approach to information security awareness is presented in the book which leverages the POSTTM constructs. This new approach focuses on users internalizing information security messages and policies. The prescriptive approach leverages a person’s internal drivers, which, if leveraged properly leads to a desirable outcome for the organization.
The author purports the POSTTM framework is the foundation for a new set of information security awareness metrics. A series of newly developed psychological-based metrics could better target users and enable management by providing them with information they may not of otherwise had access to in the past. The POSTTM framework will yield new information that most organizations have never considered within the context of information security before.
This book will help organizational stakeholders put the POSTTM constructs into context of an information security awareness strategy. By doing this, progressive organizations will position themselves for a more effective information security awareness program, ultimately resulting in fewer security-related incidents.
About the Author
Tim Layton has twenty years of experience in the information technology and information security field. Tim is the author of "Information Security Awareness: The Psychology Behind the Technology" ISBN: 1-4208-5632-4, a book written for information security management on the importance of users accepting and internalizing corporate and organizational security policies. This book examines the link between employee behavior and companies'' safeguard policies and establishes that psychology is a key to lowering information security risks.
Prior to this current book, Tim authored The SANS Institute’s “Security Awareness Train-the-Trainer” curriculum. The SANS Institute is a highly trusted source for information security training and certification around the world. The Security Awareness Train-the-Trainer curriculum is an intense course designed to help information security managers learn how to effectively design, build, and manage a security awareness program from the ground up.
Recently, Tim authored a comprehensive 120 page management and technical report detailing the modifications and revisions to the ISO/IEC 17799:2005 standard. The standard is a complex 128 page document and Tim systematically accounts for and details the changes and updates to the standard for managers and practitioners. The report and information on additional writing projects is available at the author’s web site at www.timlayton.com.
Tim was the founder of two information technology and information security firms during the 1990''s. Currently, Tim travels on an international basis for a Fortune 50 financial institution identifying and analyzing information security risks in a wide array of industries. Tim developed a series of information security tools and business processes that are utilized internationally for identifying and evaluating information security risks. He has a comprehensive knowledge of the laws, regulations, and standards relating to information security.
Tim Layton earned a bachelor''s degree in business administration graduating magna cum laude before continuing on to earn a Master of Business Administration (MBA). He is pursuing a Doctor of Philosophy in Industrial/Organizational Psychology.
In addition to his academic background and successes Tim holds numerous information technology and security certifications such as the CISSP (Certified Information Systems Security Professional), SANS GIAC (Global Information Assurance Certification), as well as several other vendor related certifications.