Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness PDF

209 Pages·2021·8.561 MB·English

INFORMATION SECURITY AND EMPLOYEE BEHAVIOUR

Research conducted over many years suggests that between 60 and 85 per cent of all information security incidents are the result of a lack of knowledge and/or understanding amongst an organisation’s own people. And yet the great majority of money spent protecting systems is focused on creating technical defences against often exaggerated external threats. Angus McIlwraith’s book explains how corporate culture affects perceptions of risk and information security, and how this in turn affects employee behaviour. He then provides a pragmatic approach for educating and training employees in information security and explains how different metrics can be used to assess awareness and behaviour. Information security awareness will always be an ongoing struggle against complacency, problems associated with new systems and technology, and the challenge of other more glamorous and often short-term priorities. Information Security and Employee Behaviour will help you develop the capability and culture that will enable your organisation to avoid or reduce the impact of unwanted security breaches.

This second edition has been thoroughly updated throughout, incorporating anthropology and other non-technical disciplines which are making an impact on recent developments. It also explores the technology used to deliver communication, education and awareness, particularly in the areas of online delivery and recent developments such as ‘gamification’, as well as the ways in which the research, tools, techniques and methodologies relating to the measurement and change of organisational culture have matured.

Angus McIlwraith has worked in the field of Information Security and Business Control for over 35 years. He has for many years held (and broadcast) the view that Information Security is not making the best use of time and resources by failing to address some fundamental issues.
By not doing so, time and money are wasted; in some extreme circumstances, lives are being put at risk unnecessarily. Angus’ professional experience was gained mainly in Financial Services and UK central government. He has worked for Lloyds Bank, American Express, NatWest Bank and Standard Life, as well as working as a consultant to a wide range of international organisations. He has spoken at many conferences, including numerous Information Security Forum (ISF) Congresses, the London-based COMPSEC conference, the Institute of Internal Auditors annual conference and the British Computer Society Information Security Specialist Group (BCS ISSG). Angus was an elected Member of the ruling Council of the ISF for eight years and was a member of the UK-based Banking Information Security Expert Panel (BISEP). He writes regularly for many publications: he held a monthly column in Information Security Management magazine and provided a monthly piece in Secure Computing magazine for many years. He is an assessor for the NCSC CCP SIRA qualification and a member of the committee that refreshed the syllabus for the BCS ISEB Certificate in Information Security Management Principles (CISMP), and provided and certified the questions used in the CISMP examinations. He was a critical reader of new course material for the Open University module Information Security TMXY311.

INFORMATION SECURITY AND EMPLOYEE BEHAVIOUR
How to Reduce Risk Through Employee Education, Training and Awareness
Second Edition
Angus McIlwraith

Second edition published 2022 by Routledge, 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN, and by Routledge, 605 Third Avenue, New York, NY 10158. Routledge is an imprint of the Taylor & Francis Group, an informa business.

© 2022 Angus McIlwraith. The right of Angus McIlwraith to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers.

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

First edition published by Gower 2006.

British Library Cataloguing-in-Publication Data: A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
Names: McIlwraith, Angus, author.
Title: Information security and employee behaviour : how to reduce risk through employee education, training and awareness / Angus McIlwraith.
Description: Second Edition. | New York : Routledge, 2021. | Revised edition of the author’s Information security and employee behaviour, c2006. | Includes bibliographical references and index.
Identifiers: LCCN 2021007627 (print) | LCCN 2021007628 (ebook) | ISBN 9780367243319 (hardback) | ISBN 9781032055916 (paperback) | ISBN 9780429281785 (ebook)
Subjects: LCSH: Business enterprises—Computer networks—Security measures. | Information technology—Security measures. | Employees—Training of.
Classification: LCC HD30.38 .M35 2021 (print) | LCC HD30.38 (ebook) | DDC 658.3/1244—dc23
LC record available at https://lccn.loc.gov/2021007627
LC ebook record available at https://lccn.loc.gov/2021007628

ISBN: 978-0-367-24331-9 (hbk)
ISBN: 978-1-032-05591-6 (pbk)
ISBN: 978-0-429-28178-5 (ebk)

Typeset in Joanna by codeMantra

CONTENTS

List of illustrations
Preface

Introduction
  What is ‘awareness’?
  Why awareness?
  The rationale for security awareness
  Statistics
  Standards
  Organisation for Economic Co-operation and Development
  Parallel activities
  Designing out error
  Training
  Technical matters
  Management
  Summary
  How idiotic?
  Piltdown man syndrome
  Security manager’s assumptions
  Automated teller machines and stupidity
  Why do accidents happen?
  Summary

Part 1 – A framework for understanding

1 Employee risk
  Perception of risk
  Chronic – acute
  Diffuse in time and space – focused in time and space
  Familiar – unfamiliar
  Psychology of risk or ‘why do people do stupid things?’
  Defence mechanisms
  Confirmation bias
  Memory
  Groupthink
  User mindsets
  Schemas
  The bystander effect
  Summary

2 Security culture
  What is culture?
  Corporate health
  Theory X–Theory Y
  Conformity v compliance
  Appetite for risk
  National culture
  Cultural examples
  Investment bank
  Retail bank
  Exclusive banks
  Life insurance
  Hi-Tech R&D
  Hi-Tech start-up
  National security
  Professionals
  Security despot
  Changing a culture
  Peter Drucker
  Summary

3 How are we perceived?
  Risk communication
  Tactics for risk communication
  Language use and perception
  Vocabulary domains
  Self-perception and the power of words
  Jargon and its uses (and abuses)
  A barrier, not an enabler
  Summary

Part 1 summary

Part 2 – A framework for implementation

4 Practical strategies and techniques
  A stepped approach
  Step 1 – managing by fact
  Step 2 – goals and objectives
  Step 3 – planning
  Step 4 – implementation
  Step 5 – feedback
  Training
  Training evaluation
  Training needs assessment
  Trainer selection and instructional methods
  Online training
  Qualifications
  Guerrilla techniques
  Get a big friend (or champion)
  Make friends with HR
  Work with your local auditors
  Piggyback, hijack and cadge
  Other corporate initiatives
  Summary

5 Measuring awareness
  The perils of metrics and monitoring
  Guide to good metrics
  Measuring tools and techniques
  Survey design
  Establishing goals
  Determining target populations
  Survey and sample bias
  Survey technique selection
  Survey analysis
  How to choose your survey method
  Questionnaire design
  Rules of thumb
  Question choice
  Question order
  Answer order and completeness
  Question topology and terminology
  Stupid questions
  Questionnaire layout
  Test
  Summary

6 Delivery media and graphic design
  Design principles
  Colour
  Choosing your delivery media
  Intranets and other browsable media
  Anatomy of a web page
  Screen-based text
  Navigation and searching
  Screen legibility
  Other channels
  Video
  Posters
  Good locations
  Booklets
  Fan leaflets
  Paper newsletters
  Collateral
  Events (roadshows, briefings and seminars)
  Media effectiveness
  Summary

Conclusions
Bibliography
Index

ILLUSTRATIONS

Figures
  0.1 Policy and standards hierarchy
  2.1 Leadership focus
  2.2 Summary radar chart
  3.1 Carbuncle/distribution model
  4.1 The five-step approach
  4.2 Force field diagram
  4.3 Smilesheet
  6.1 Generic web page
  6.2 Security poster

Tables
  1.1 Risk perception
  5.1 Survey techniques strengths and weaknesses
  6.1 Media-type comparison
