Author Rebecca Herold introduces her book very eloquently: “I wrote this book to provide a starting point and an all-in-one resource for information security and privacy education practitioners. I incorporated much of the information and knowledge I obtained while working on my MA in computer science and education as applicable to providing education to adult learners. Additionally, I included the same type of information that I have used and found helpful over the years when creating awareness and training programs ... My goal was to provide a more comprehensive resource of everything involved with managing an information security and privacy training and awareness program than I had been able to find - a reference for practitioners to go to when implementing any part of their education program and get ideas that will help them be successful with their own program.”
The book explains the techniques for raising awareness and training employees on a wide range of information security and privacy topics. The entire ‘lifecycle’ of a security awareness program is covered:
- Program initiation - gaining executive sponsorship and support for the value of, and necessity for, a security and privacy awareness program (e.g. to satisfy legislative and regulatory compliance obligations);
- Program design, delivery and execution - identifying target groups and topics to cover, methods of delivery/communications including motivational techniques, sources of awareness materials etc.;
- Program management and review - hints about planning, controlling and evaluating an ongoing (rolling, continuous) security and privacy awareness program, ensuring that it remains on-track and effective.
As well as numerous changes throughout the text, the 2011 second edition incorporates a thought-provoking collection of ‘leading practices’ i.e. short papers from ‘some of the most successful information security awareness and training practitioners’ (besides Rebecca!), bringing the book bang up to date with current thinking.
Rebecca is extremely well qualified to write about security awareness. With long experience in the field, Rebecca has designed, built and delivered prize-winning security awareness programs, and has authored numerous books and articles. An MA in Computer Science and Education lends weight to her emphasis on providing educational materials to suit adult audiences rather than simply adopting techniques more suited to teaching schoolchildren.
At over 500 pages, this is no lightweight, superficial textbook. The coverage is comprehensive: for example, the list of potential information security topics runs to 60 items explained in 18 pages.
The coverage is reasonably even throughout with plenty of meaty content in every section. I can’t think of any substantial improvements.
The book may appear overwhelming to someone just starting out on their information security and privacy awareness program. The chapter on ‘Getting started’ is of course a great place to start, with details of how to identify key contacts, review the organization’s existing approach to awareness and training, and a handy road-map that would serve as a good starting point for a high level project plan. The book is essential reading for more experienced information security professionals, especially those tasked with ‘doing awareness’. Even seasoned security awareness practitioners will learn new things from this book - at least I did and my first edition of the book is certainly well-thumbed.
Rebecca’s writing style is engaging and stimulating, easy to read yet at the same time thought-provoking. The book is chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. When I’m stuck for awareness ideas, I know I’ll almost always find something immediately useful in one or other of the lists: it’s an excellent reference text.
Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references.
This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, I recommend it unreservedly.
Disclaimer: I wrote one of the ‘leading practices’ papers for the book.