The books reviewed below have contributed in some measure to our knowledge and research for the NoticeBored security awareness materials.*
NoticeBored information security bookstore 
Courtesy of Amazon*, we run a digital bookstore offering our favorite information security books. Please
press your nose against the virtual shop window to find something exciting for your bookshelf, or read the book reviews below for our hot tips.

Managing an Information Security and Privacy Awareness and Training Program 
Rebecca Herold has written a real winner, a security awareness textbook packed with helpful advice and great ideas for awareness professionals. Read our book
review for more on the new second edition.
Information Security Governance 
As with Krag’s metrics book (see below), Information Security Governance confidently covers challenging material on a subject that many find hard to even
describe, let alone understand. The effort needed to read and learn from this book pays off through a better appreciation of both the theoretical background and the
practical steps needed to design, develop, implement and manage - or govern - information security at the strategic level.
Information Security Management Metrics 
Read this book by Krag Brotby to find out how to choose and use appropriate metrics that will help direct and improve your management of information security
risks. Though it takes some effort to understand the relatively advanced concepts presented, it’s worth it if the knowledge and comprehension you gain helps you
select a shortlist of metrics that actually help your security program, and perhaps drop those that are merely cluttering up your management dashboard.
No Tech Hacking
Johnny Long’s book on social engineering and site intrusion may not be exactly revolutionary but it is certainly readable - well, apart from some of the photos
anyway. Billed as “A guide to social engineering, dumpster diving and shoulder surfing”, Johnny meanders through the field, explaining techniques that seem
obvious or basic, yet we know they are powerful in the right hands.
Managing the Human Factor in Information Security 
David Lacey’s book offers excellent value and is highly recommended for all information security professionals, particularly CISOs and Information
Security Managers who are not entirely comfortable with the social elements of information security, and for information security MSc students who want to boost their understanding in this area. The book is particularly
valuable also for information security awareness and training professionals who necessarily deal with human factors on a daily basis, and need to understand how best to work with and influence their organizational
cultures. Read our book review for more.
Scrappy Information Security
Billed as a plain English account of information security for everyone, we thought this might be a useful general purpose information security awareness book ... but
no, as it turns out this is not one we’d recommend. Find out why we are so negative about it in our frank, no-holds-barred review.
Information Security Management with ITIL v3
The ITIL security book has been thoroughly revised and updated for ITIL v3 and is now much more closely aligned with ISO27k. Review here.
Handbook of Research on Social and Organizational Liabilities in Information Security
Gary Hinson contributed a chapter on security awareness to this new academic reference book edited by Manish Gupta and Raj Sharman.

The Art of Intrusion - the real stories behind the exploits of hackers, intruders & deceivers
Kevin Mitnick’s second book may be a few years old now but we thought it
appropriate to publish a review in connection with the NoticeBored module on social engineering, not least because it now costs less than US$12 from Amazon.

Building an information security awareness program
Little nuggets of advice on designing an effective approach to security awareness are buried away in Mark Desman’s book but they take some finding. Whether you have
the energy and persistence to work through the poor English is your choice.

PCI DSS - a practical guide to implementation
If you are an experienced information security professional or project manager tasked with your first PCI DSS implementation, this new book from IT Governance (coupled with PCI DSS itself and various other sources of
guidance) will be a worthwhile starting point and companion on your journey to compliance. It is good value and easy to read, providing many pragmatic tips. Read our book review for more.

Phishing - cutting the identity theft line
Phishing is simply about someone sending out emails inviting you to ‘update your details’, right? Well, yes ... and no. There’s rather more to it than that. Authors Rachael Lininger and Russell Dean Vines lift the covers on a seedy underworld where
criminal hackers combine social engineering with malware.
Information Security Incident Management - a methodology
Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002,
and if you work in a government or large commercial organization that needs such a comprehensive, well-structured incident management process. Smaller, more agile organizations may still learn something useful but it
would not be easy to apply this design to a typical cut-down slimline incident management process.
Computer Security for the Home and Small Office
This is a self-help IT security book aimed at those who work from a Small Office/Home Office (SOHO). Written by The Register’s Associate Editor, it should be
no surprise that the book challenges accepted norms such as Microsoft Windows, Office and Internet Explorer. A worthwhile security awareness text for a general if rather IT-literate audience.
Lessons Learned in Software Testing
We found this gem while researching the awareness module on application
security. Through a series of nearly 300 “lessons”, the authors share their accumulated wisdom about how to test application systems - not so much which
buttons to press but more how to establish and manage a test team, plan the work and dynamically adjust the testing process according to the findings and external pressures.

Corporate Espionage
To complete our look at Ira Winkler’s work, we’ve reviewed his first book. It is very similar to, and every bit as engaging as, Spies Among Us, albeit slightly more raw. If your managers need a bit of a wake-up call to appreciate the need for information security controls, this could be it.

The Insider - a true story
The Insider is built around an extensive collection of real-life security incidents
involving both insiders and outsiders. The book is essentially a collection of in-depth news reports, peppered with a few brief notes from anonymous corporate
evaluations of a network traffic analysis tool. The lack of meaningful analysis detracts from the book’s value.
Zen and the Art of Information Security
If you have no background in information security, this book would make an interesting if rather superficial introduction to the issues. It falls short on useful,
sound advice. If you have read Ira Winkler’s previous books, you are unlikely to learn anything new but you’ll be entertained nonetheless.
 
IDEO on innovation
We enjoyed reading and reviewing two non-security books for once. IDEO’s creative techniques for innovative product
design have worthwhile application in designing effective security awareness programs and indeed other products and services.
Net Crimes & Misdemeanors - Outmaneuvering Web spammers, stalkers, and con artists
Net Crimes explores the dangers of the online world covering a broad assortment of
Internet security issues, with useful descriptions and helpful advice for all Web users. This is a good security awareness book for anyone who is relatively new to the net, combining
realistic threat descriptions with pragmatic security advice.
Insider Threat - protecting the enterprise from sabotage, spying, and theft
“Insider threat and corporate espionage rely on the fact that it is sometimes better to live in denial and be happy than to know the truth and have to deal with it.” This
book reveals the ugly truth and outlines some of the control measures you should take to minimize the risks. Deny it no longer!
Know Your Enemy - learning about security threats
The Honeynet Project is a fascinating project researching hacker techniques by, in effect, inviting hackers to do their stuff on specially-configured network machines that capture the details. This well-written technical book details how honeypot
systems are configured in honeynets, and how hacker activities are analyzed.
Google Hacking for penetration testers
Johnny Long’s first book, the professional Google hacker’s instruction
manual, is an information security manager’s horror story. Page after page reveals creative uses of the world’s biggest and best search engine to find
security vulnerabilities and breaches on websites and web applications. By all means read our review but think twice about reading the book (or now the 2nd
edition) if you are a security professional of a nervous disposition. Sleepless nights are more or less guaranteed.

Computer Security 20 Things Every Employee Should Know - The Employee Handbook for Securing the Workplace
At just US$8 a copy, this neat little booklet summarizing computer security for
ordinary employees could usefully support a structured security awareness program or security induction course, but do not rely on it alone. Read our book review.
Enemy at the Water Cooler - real-life stories of insider threats and Enterprise Security Management countermeasures
Ignore the main title – look at the subtitle. This book is little more than a sales pitch for Enterprise Security Management systems, or more specifically the ESM sold by
the author’s company. The link to “insider threats” is tenuous at best and in the most part is merely used as an excuse to hype the wonders of ESM. Read our unflattering review here.
IT Governance: A manager’s guide to data security and BS 7799 / ISO 17799
Despite the subtitle, this third edition by Alan Calder and Steve Watkins is arguably more
of a practitioners’ guide to the implementation of ISO/IEC 17799. The introductory chapters do indeed cover IT governance but the bulk of the book concentrates on information security management. Read our book review for more ...
The CISO Handbook
Another good read we are happy to recommend - this one offers sage advice for anyone tasked by management with ‘fixing information security’. It highlights the program
management aspects of building and running an effective security improvement program rather than the content of the individual security projects.
Spies Among Us
Read our review of this valuable and recommended book. The case studies on actual social engineering penetration tests are exactly the kind of thing that might wake
up complacent managers who believe their organizations are somehow immune to the social engineers.
Spreadsheet Check & Control
We really value this book. If you write spreadsheets, especially spreadsheets
that calculate and report important business information, study this book carefully. It may save you a fortune. Click here for the review, or if you have decided already,
click here to buy it from Amazon (~$26).
IT Governance
“The most important predictor of top governance performance was the percentage of managers in leadership positions who could accurately describe their enterprise’s IT
governance.” ’Nuff said. Read our book review.
You Are a Loser
Read our brief review of this interesting little book of case studies on information security
breaches to find out how it can help your security awareness program.
The Art of Deception
Kevin Mitnick’s first book remains a source of inspiration for the NoticeBored awareness
materials on social engineering.
Information Security Awareness
We have published a detailed review of this book by Tim Layton. The book’s subtitle “The
psychology behind the technology” reflects the assertion that information security is as much to do with how people behave when making choices about security as about the technical
controls employed. We agree with the assertion, but read the critique to find out what we made of Tim’s book.
* NB: as well as the virtual bookstore, most of our book reviews include links to purchase the books from
Amazon. We earn a little commission on these, “little” being the operative word unfortunately, but this
diminutive income does at least occasionally allow us to purchase, read and review yet more books. If you begrudge us our meager earnings in return for the book reviews, feel free to visit Amazon or your favorite
book seller independently of our bookstore and embedded links. See if we care.