Author: Leron Zinatullin
In this book the author explains the human side of IT Security. By linking the behavior of the target group (the people in the organization) to the desired outcomes (an information-safer environment) the IT security consultant has to bring this about.
But that requires knowing what the situation is, what the employees’ world is, what they view as their goals. And what they experience as being onerous.
Research shows that there are three objections to information-safe work by the employees:
- There is no clear reason to comply with the IT security rules
- The cost of fulfilling it is too high
- There is an inability to comply with the rules
The author doesn’t claim that this list is exhaustive. The author does not go much further than the fact that you have to solve this with empathy for desired usability. How you do that is by communicating intensely with the target group. Unfortunately, the author proposes a classical scheme of communication, completely bilateral, one on one, instead of a communication in a network of people, many to many.
According to him, the goal of working on the information security culture is to show the employees that it can be an easy way of working. One of the explanations of a weak culture in this area is the “broken windows theory”: if a window falls in a neighborhood, the whole neighborhood will have to deal with a negative influence. But the theory would also work the other way around, and showing the good example is worthwhile.
Then the author talks about the psychology of compliance with the rules: this includes external and internal factors. The external factors include reward, punishment, competition. The internal factors include giving meaning, pleasure and interest. There are interactions between both groups of motivations, strengthening or weakening. In addition, other factors are decisive, such as autonomy, etc.
In the last chapter, the author gives a first glance at how changing the approach to security.