BKMHFIIS.RVW   20120216

"Managing the Human Factor in Information Security", David Lacey,
2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A   David Lacey
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2009
%G   978-0-470-72199-5 0-470-72199-5
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0470721995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   374 p.
%T   "Managing the Human Factor in Information Security"

The preface states that the intent of the book is to identify and explain the range of human, organizational, and social challenges when trying to manage security in the current information and communications environment. It is hoped this material will help manage incidents, risks, and design, and assist with promoting security systems to employees and management. A subsidiary aim is to leverage the use of social networking.

Some aspects of security are mentioned among the indiscriminate stories in chapter one. Chapter two has more tales, with emphasis on risks, and the different people you encounter. Generic incident response and business continuity material is in chapter three. When you know the risk management literature, you can see where the arguments in chapter four come from. (Yes, Donn, we know quantitative risk analysis is impossible.) The trouble is, Lacey makes all of them, and therefore comes to no conclusion. Chapter five has some points to make about different types of people, and dealing with them. Unfortunately, it's hard to extract the useful bits from the larding of stories and verbiage. (Given the haphazard nature of the content, making practical application would be even more difficult.) Aspects of corporate culture are discussed, in an unstructured fashion, in chapter six.
Chapter seven notes a number of factors that have appeared in successful security awareness programs, but doesn't fulfill the promise of helping the reader design them. Chapter eight is about changing organizational attitudes, so it's an (equally random) extension of chapter six. It also adds some more items on training programs. Chapter nine is about building business cases. Generic advice on creating systems is provided in chapter ten. Some even broader advice on management is in chapter eleven. A collection of some points from throughout the book forms a "conclusion."

There are good points in the book. There are points that would be good in one situation, and bad in another. There is little structure in the work to help you find useful material. There are stories about people, but not a survey of human factors. Lacey uses lots of aphorisms throughout the text. I am reminded of the proverb that if you can tell good advice from bad advice, you don't need any advice.

copyright, Robert M. Slade   2012   BKMHFIIS.RVW   20120216