Introduction
The author introduces her book very eloquently: “I wrote this book to provide a starting point and an all-in-one resource for information security and privacy education practitioners. I incorporated much of the information and knowledge I obtained while working on my MA in computer science and education as applicable to providing education to adult learners. Additionally, I included the same type of information that I’ve used and found helpful over the years when creating awareness and training programs ... My goal was to provide a more comprehensive resource of everything involved with managing an information security and privacy training and awareness program than I had been able to find - a reference for practitioners to go to when implementing any part of their education program and get ideas that will help them be successful with their own program.”
Scope
The book covers awareness and training on information security and privacy topics. Privacy is one aspect of information security but is specifically mentioned in the title as it is quite prominent throughout the text. This is appropriate because regulations such as HIPAA emphasize the need for privacy training and awareness.
The entire ‘lifecycle’ of a security awareness program is covered:
Program design, e.g. why awareness is important, legal and regulatory requirements (with a strong US bias) and even ‘how not to do it’;
Program delivery and execution - getting started, gaining executive sponsorship and budget, topics to cover, methods of delivery/communications and motivational techniques, incorporating awareness into job responsibilities etc.;
Program management - hints about planning, controlling and reporting progress;
Program review - further hints about how to check that your program remains on track and effective.
About the author
Rebecca Herold (MS MA CISM CISA CISSP FLMI) is well qualified to write about security awareness. With over 15 years’ experience in the field, Rebecca has designed, built and delivered prize-winning security awareness programs, and has authored several other books and articles. An MA in Computer Science and Education lends weight to her emphasis on providing educational materials to suit adult audiences rather than simply using techniques normally used to teach schoolchildren.
Depth and breadth
At over 500 pages, this is no lightweight textbook. As noted in the scope section above, the coverage is comprehensive. Just as examples, the list of potential information security topics runs to 59 items explained in 21 pages, surpassing even NoticeBored’s deliberately broad approach, and the list of 20 audiences is far more granular than NoticeBored’s three.
The coverage is reasonably even throughout, with plenty of meaty content in every section. It really is hard to think of any improvements.
Usefulness
The book may appear overwhelming to someone just starting out on their information security and privacy awareness program, although it is not compulsory to read the entire book cover to cover in one sitting (tempting though that may be!). The chapter on ‘Getting started’ is recommended reading, with details of how to identify key contacts, review the organization’s existing approach to awareness and training, and a handy road map that would serve as a good high-level project plan.
For more experienced information security professionals, and especially those considering or tasked with ‘doing awareness’, this book is a must-read. Even seasoned security awareness practitioners would likely learn new things from this book; at least I did, and I suspect my copy will become well-thumbed in the months and years ahead.
Style
The writing style is engaging and quite easy to read, yet at the same time stimulating and thought-provoking. The book is crammed full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points, but they are well structured and succinctly summarize the key points.
Conclusion
At last! A textbook on security awareness to recommend without reservation. This is the definitive guide - a wonderful book for practitioners in our field. Thank you Rebecca.