« Weekly Summary of the "DHS Daily Open Source Infrastructure Report" | Main | Bundling Security with the OS »

22 August 2009

Should the CISSP CBK be improved to place greater emphasis on “human factors” in information security? Definitely Yes!

Should the CISSP CBK be expanded to cover "human factors" in security? [1]

Add “Human Factors” No.[2]


Clearly, human factors are a major component to information security and Gary Hinson presents effective arguments that they should be established as an additional domain.  On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®.  In full disclosure, I also teach the CBK® to CISSP® aspirants, but not for (ISC)²®, but at a local college.

 I found the discussion interesting in that I have, from the very beginning, found that human factors are a significant component to all aspects of security and teach same when preparing my students for the CISSP® exam.  However, almost to a student, I am challenged as to why the emphasis when the varying study materials, place little if any emphasis upon human factors.  As an instructor Rob and I do not have access to the exam materials and cannot write exam questions unless we give up our teaching; an understandable restriction by (ISC)²®.

 None-the-less, the human factor is significant and the materials made available by (ISC)²® make no mention of them.  As I examine each of the ten domains, there is no mention, or even a hint that I can detect in them, of human factors to include their sub-topics as articulated in the description for the “Official (ISC)²® Guide to the CISSP® CBK®”; which, by the way, is the only location that I can find the secondary level mentioned in public.  Yes, I know that if I fill out a questionnaire and submit it, that I will get much more; but that is deceitful as I am not a candidate.  What is a dedicated constituent to do, speculate?

 While anyone can effectively argue that the “Information Security and Risk Management” domain contains numerous indirect references to the human factor I find it difficult to infer same in any of the other nine. 

 It is my position that each of the ten CBK® domains should make it clear at the secondary level that “human factors” are a significant component.



[1] Gary Hinson, 9 August 2009

[2] Rob Slade, 10 August 2009

Posted by on 22 August 2009 at 05:56 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, Ethics, IT Security, Legal, Network Security, Operations Security, Privacy, Risk, Software Development |

| |

Comments