[ISN] "Building an Information Security Awareness Program" book review

From: InfoSec News (isn@private)
Date: Tue Oct 21 2003 - 03:10:16 PDT


    Forwarded from: Gary Hinson <Gary@private>
    
    "Building an Information Security Awareness Program", Mark B. Desman, 2002,
    0-8493-0116-5, $49.95
    %A Mark B. Desman
    %D 2002
    %G 0-8493-0116-5
    %I Auerbach Publications
    %O US $49.95
    %O http://www.amazon.com/exec/obidos/ASIN/0849301165/wwwnoticeborc-20/104-1722461-4775128
    %P 251 pp.
    %T "Building an Information Security Awareness Program"
    
    Having read the cover blurb about this being a cookbook with step-by-step
    methods and techniques, I bought “Building an Information Security Awareness
    Program” with high hopes of learning some practical tips for planning and
    running a security awareness program.  Unfortunately, I struggled to find
    anything of much value.
    
    There are two main reasons that led me to this conclusion.  Firstly, the
    book focuses primarily on information security rather than security
    awareness per se.  The book is written in the sense of giving sage advice to
    someone who has recently joined a fairly large company as Chief Information
    Security Officer rather than Head of Information Security Awareness.  A
    selection of awareness topics are covered, of course, but it is almost as if
    these aspects have been added on to the main text about information
    security.  One could argue that somebody new to security awareness might not
    have the grounding in information security and would need to learn more.
    The coverage in this book is so unstructured and incomplete, however, that
    it cannot honestly be recommended as a primer either on information security
    or on security awareness.
    
    Secondly, and by far the biggest barrier to understanding, is the author’s
    consistently bad writing style.  Others have described it as “chatty” -
    excessively wordy and turgid are closer to the truth.  Grammatical and
    punctuation errors do not help.  There are sentences on virtually every page
    that are so convoluted and obscure that all meaning is lost.  This is
    somewhat ironic given the author’s insistence that security awareness
    materials should be written “for 9th graders”.  The text often meanders into
    side topics and then loses its way in the detail.  A good editor should have
    pruned these asides ‘back to the green wood’ in order to maintain the flow
    of the text.  Indeed, it is entirely possible that the editor’s red pen has
    already trimmed out a lot of dead branches, but I kept wishing that more
    savage cuts had been made.  The author clearly has strong feelings about
    certain pet hates.  He attacks concepts such as organizational culture, for
    example, in cynical language (“idealistic mumbo jumbo” is one choice
    phrase!).  Highly biased coverage of statistics in Chapter 18, probably the
    worst chapter in the book, completely undermines the author’s otherwise good
    points about the need to measure an awareness program.
    
    That said, the book will remain on my bookshelf because of the useful
    chapter summaries and a handful of good ideas that surfaced from the text.
    I liked the suggestion to interview managers to explore their security
    priorities, thereby drawing them into the awareness program.  Gathering and
    sifting through pre-existing security awareness materials seems well
    worthwhile.  As an ex-auditor, I appreciated the emphasis on working with
    the auditors to address their information security concerns.  So there we
    are, the book’s best parts covered in three short sentences.  If only the
    author had been so succinct.
    
    Gary Hinson, CEO, IsecT Ltd.
    Telephone +44 1306 731 770
    EMAIL  Gary@private
    Websites  www.IsecT.com  &  www.NoticeBored.com
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Oct 21 2003 - 10:49:00 PDT