Business Continuity And The Pandemic Threat

Author: Robert A. Clark

With this book the author, Robert A. Clark, draws attention to an important issue that is on the border between BCM and Risk Management, but what is traditionally attributed to BCM, namely the pandemic threat. This threat is relevant because statistically it has manifested itself every 30 years on average over the last 300 years.

The book is divided into two parts: ‘Part I: Understanding the Threat’ and ‘Part II: Preparing for the Inevitable’

Part I talks extensively about micro-organisms, what a pandemic really is, dangers of germs in the hands of criminals and terrorists, a brief history of the most important known pandemics, and the danger of hospital bacteria (anti microbial resistance of AMR). In two separate chapters, he elaborates on the cases of SARS and the Spanish Flu of 1918-1919, which continue throughout the book as the classic examples. He concludes part I with a comparison between the two cases that are still extremes: the Spanish flu with 50,000,000 deaths and SARS with a good 1000 deaths and ‘only’ 8,000 infections worldwide.

Part II deals with the approach to pandemics. He starts from two positions: preparation and response. He talks about what can be done on a world, national, organizational and individual level. What is important in Part II is, in my opinion, the attention he gives to the important points for a pandemic plan. He does this however, without giving a concrete pandemic plan or template. This, however, he makes good by referring in the appendices to a website where a template can be found: But it does not stay there. He also describes what to do with it if there is no pandemic: practice and validate. He gives an overview of a number of types of exercises, ranging from very simple to very complex and extensive.

A limited part of the attention for the characteristics of a pandemic plan go to supply chain.

Meanwhile it was noted that the template is no longer available on the website. An example of a pandemic plan (in Dutch) can be found on this website: ‘’

The Psychology Of Information Security – Resolving conflicts between security compliance and human behavior

Author: Leron Zinatullin

In this book the author explains the human side of IT Security. By linking the behavior of the target group (the people in the organization) to the desired outcomes (an information-safer environment) the IT security consultant has to bring this about.

But that requires knowing what the situation is, what the employees’ world is, what they view as their goals. And what they experience as being onerous.

Research shows that there are three objections to information-safe work by the employees:

  • There is no clear reason to comply with the IT security rules
  • The cost of fulfilling it is too high
  • There is an inability to comply with the rules

The author doesn’t claim that this list is exhaustive. The author does not go much further than the fact that you have to solve this with empathy for desired usability. How you do that is by communicating intensely with the target group. Unfortunately, the author proposes a classical scheme of communication, completely bilateral, one on one, instead of a communication in a network of people, many to many.

According to him, the goal of working on the information security culture is to show the employees that it can be an easy way of working. One of the explanations of a weak culture in this area is the “broken windows theory”: if a window falls in a neighborhood, the whole neighborhood will have to deal with a negative influence. But the theory would also work the other way around, and showing the good example is worthwhile.

Then the author talks about the psychology of compliance with the rules: this includes external and internal factors. The external factors include reward, punishment, competition. The internal factors include giving meaning, pleasure and interest. There are interactions between both groups of motivations, strengthening or weakening. In addition, other factors are decisive, such as autonomy, etc.

In the last chapter, the author gives a first glance at how changing the approach to security.