Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers

W.R. Howard (Computer Science International, Dinslaken, Germany)

Kybernetes

ISSN: 0368-492X

Article publication date: 16 March 2010


Citation

Howard, W.R. (2010), "Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers", Kybernetes, Vol. 39 No. 2, pp. 385-386. https://doi.org/10.1108/03684921011021589

Publisher

Emerald Group Publishing Limited

Copyright © 2010, Emerald Group Publishing Limited


David Lacey has written on an area that is increasingly of concern to all who have to manage staff in the information security environment. At last, a book has been published that examines the role of the human and is not wholly about the machine.

Of course, we all have very different ideas and interpretations of the role of the human in security, and the author is to be commended for his introductory explanations of his own ideas before launching into his thesis. There are also widely different views of what information needs to be secured and how this is achieved by the machine's facilities. When that is discussed at length, we need to look at the humans who make up the organisation. They have the obvious frailties that shape their attitude and their reaction to any organisation's security policy. The author is at pains to advise his readers on the way to make both management and their staff aware of the problems. This is done by presenting the first chapters of the book on the human's weakness and an analysis of typical scenarios. He asks, for example, whether staff really assist a business or are indeed a hindrance to its strategies in connection with the safeguarding of information.

Discussion is also included about the present‐day culture and some of the means employed to sell these ideas to both managers and staff. How about a security awareness programme and indeed a similar wake‐up call for managers by forcing them, too, to attend relevant courses?

In the last chapters, we learn how the author himself sees the way forward when he advocates the combination of both the system network and the business's organisation in Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers.

The book appears to be superficial in many respects but even so contains much useful material, which will assist managers in winning over their staff and help managers come to terms with the real problems of information security. More books on this subject are obviously needed if these problems are to be tackled effectively.
