Should the CISSP CBK be expanded to cover "human factors" in security?
Add “Human Factors” No.

Clearly, human factors are a major component of information security, and Gary Hinson presents effective arguments that they should be established as an additional domain. On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains, primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®. In full disclosure, I also teach the CBK® to CISSP® aspirants, not for (ISC)²®, but at a local college.

I found the discussion interesting in that I have, from the very beginning, found that human factors are a significant component of all aspects of security and teach the same when preparing my students for the CISSP® exam. However, almost to a student, I am challenged as to why the emphasis when the varying study materials place little if any emphasis upon human factors. As instructors, Rob and I do not have access to the exam materials and cannot write exam questions unless we give up our teaching; an understandable restriction by (ISC)²®.

Nonetheless, the human factor is significant and the materials made available by (ISC)²® make no mention of it. As I examine each of the ten domains, there is no mention, or even a hint that I can detect in them, of human factors, including in their sub-topics as articulated in the description for the “Official (ISC)²® Guide to the CISSP® CBK®”, which, by the way, is the only location where I can find the secondary level mentioned in public. Yes, I know that if I fill out a questionnaire and submit it, I will get much more; but that is deceitful as I am not a candidate. What is a dedicated constituent to do, speculate?

While anyone can effectively argue that the “Information Security and Risk Management” domain contains numerous indirect references to the human factor, I find it difficult to infer the same in any of the other nine. It is my position that each of the ten CBK® domains should make it clear at the secondary level that “human factors” are a significant component.