The Cybersecurity Canon: The Psychology of Information Security

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Guest Contributor Nicola Burr, Cybersecurity Consultant: The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour (2015) by Leron Zinatullin

Executive Summary

In “The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour,” Leron Zinatullin sets out to discuss various aspects of information security and how human behaviour influences not only our decision making and risk assessment abilities but also our very willingness to comply to company policies, particularly when we consider them an inconvenience.

What’s clear is that each employee has his or her own part to play in building a firm foundation of security. This is made more difficult due to the employee’s own internal motivations and perceptions of risk versus reward.

The text boldly challenges the historical box-checking attitude of policy compliance exemplified by many companies. It draws on interviews with information security professionals and shrewdly applies academic research where relevant. The author intelligently weaves analogies into the narrative in order to translate intangible concepts into the real world, as well as manages to demonstrate the importance of perception when considering the differing viewpoints of information security professionals and users.

Throughout the book, the reader is lead down twin winding paths of human behaviour and information security – the author pointing out where they intersect, where they diverge, where they conflict, where they can learn from each other and how they can pull together successfully in the same direction to enable a strong and effective security culture.

This book is an insightful read, particularly for those working in the information security field, which will question your preconceptions of security and compliance in an ever-evolving threat landscape. I submit it for consideration in The Cybersecurity Canon.

Review

Having always been interested in what makes people tick, I jumped at the chance to read “The Psychology of Information Security” when a colleague recommended it. I have been working as an information security consultant for about five years, three of which I spent as a project manager leading security transformation programmes for a global firm. During this time, I witnessed first-hand the importance of building suitable solutions and managing stakeholders effectively. All too often, security management teams fail to consider the impact (or lack thereof) of attempting to implement new policies across the rest of the company and the burden they place on the everyday business user, which ultimately leads to failure. I was keen for any insight such a book could give me into the minds of users and how to work with them when our goals seem, on the surface, to contradict each other.

The main goal of this book is to gain insight into information security issues related to human behaviour, from both end-users’ and security professionals’ perspectives. It starts with an overview of the complexities of risk management, the value of good communication and the role that governance plays in enabling an information security culture. Moving on, the author begins to poke holes in corporate cultures that focus too much on compliance as a form of box checking, asserting that this kind of “security theatre” does not provide true business benefit or a real understanding of the risk to the business.

Next, we are guided through the contrasting perspectives of staff in varying job roles and perhaps most importantly, through the human decision-making and risk management processes, many of which may appear irrational at first glance. This helps the reader understand the influence that culture and behaviour holds over any kind of change in an organisation, particularly as it relates to keeping its people and property secure. We navigate through the effect of mental exhaustion on security compliance and how security tools can be designed to meet the needs of the user rather than fight for attention away from their day job, into understanding how poor culture and behaviour can be contagious.

Steering through the murky waters of human psychology, we are deftly shown the link between understanding the consequences of our actions, punishment for breaking the rules and unethical behaviour. We now understand the importance of leading by example, exercising willpower and the power of sustaining good habits. Finally, we take a look at the role that motivation plays and how deterrents or rewards can be used to balance an uneven cost-benefit analysis performed by a user tempted to circumvent security. As a useful takeaway, the book concludes by drawing upon insights made throughout, with providing a practical set of recommendations to support the security professional’s decision-making process when designing and implementing security controls as well as communicating these changes successfully within an organisation. When users are well informed, trusted and empowered to act securely, and policies and procedures are designed with them in mind, those seemingly contradictory goals are able to align.

To sum up, by using every day analogies, case studies and real life interviews, the author keeps the book grounded in facts, while also positing a number of ways that the security function could adapt to best meet the demands of both the business and its employees while keeping both of them safe in an ever evolving landscape of cyber threats. Cybersecurity culture is recognised as a fundamental consideration and is investigated thoroughly, from the reasons behind and impact of individual behaviour on said culture through to group dynamics and the resulting contagious actions. Human psychology is drawn upon to help explain how and why users may act in a certain way, and how security specialists can adapt their own behaviour and designs to improve awareness while not detracting from someone’s day job. The book proposes that understanding culture and behaviour is therefore key to the success of any security initiatives.

In my humble opinion, based on my summary of the contents of the book, I believe that “The Psychology of Information Security fits perfectly into the Canon’s Non-Fiction category, as well as the Cyber History and Culture sub-category. It is a fascinating and worthwhile read for anyone working in security who wishes to further understand the motivations of users and how to adapt campaigns to meet their needs and ultimately land security successfully into business as usual. As a result of reading this book, I truly believe that cybersecurity cannot work in harmony with the business until we learn to listen and adapt accordingly to employees’ needs. At the end of the day, the role of security is not to prevent advancement, but should be to enable and protect the business in order to thrive in a digital world inherent with risk.

Nicola is a Cyber Security Manager with five years of experience of technology risk and information security consulting in professional services. She specialises in supporting companies through Cyber Transformation Programmes, with an interest in Cloud Security & Strategy.