Cyber Security Book Review
Bill Alderson
Researching Zero-Day Prevention Strategies for Robust, Resilient Enterprises from High Stakes Lessons-Learned Experience
Book Review: Psychosocial Dynamics of Cyber Security
What led me to this book: I was searching for a psychological understanding of why organization leadership does not act on cybersecurity threats until:
1.) Hit by ransomware and desperate.
2.) Hit with regulatory data compromise fines.
3.) Operations stopped due to a cyber-attack.
4.) Resulting in their being top of the news.
In other words, until disaster strikes them directly. Despite their peers being hit with disastrous results, complacency prevents serious action until one of the three catastrophic events occurs and they are in the news. One would think that a near miss might spur senior leadership to re-evaluate their security effectiveness.
I found this book edited by four leading professionals and thirty-two experienced practical contributors in various disciplines of behavioral psychology and cybersecurity to assist in my quest for answers to why a lack of action occurs in so many organizations experiencing real or near data loss.
Although the work does not address the issue of why actions are not undertaken by leadership in direct response to security situational awareness or a near miss, it does bring functional Industrial and Organizational (I/O) Psychology best practices to light in a practical manner addressing the concepts of security performance improvements.
Numerous frameworks are discussed, with diagram figures and tables providing practical insight and ideas to contrast with the busy world of often dysfunctional reality. Evolving threats and technology drive new priorities and technical requirements at rapid rates, outstripping effective management.
A whitepaper I published 25 years ago, People Practices and Paradigms, on managing large networks reminds me that the same technology team management issues continue today in security team management.
People Practices and Paradigms, Wheel of Collaboration, by Bill Alderson (c) 1995
The similar diagram below is from the PwC Cyber Security Risk Management Model.
PwC Cyber Security Risk Management Model
It goes to show that technology management continues to be challenging. I added a Security Team to the Wheel of Collaboration diagram soon after publication. We built collaborative teams from technology departments to address the complexities of large computer networks. Today we must manage across these same departments, with respect to each individual department, to attain a coordinated security defense and full organizational effectiveness.
The book discusses cybersecurity performance, processes, people placement, SOC teams, and training of both users and security analysts. Of note is the discussion of the evolution of the CISO role. Sadly, detailed technical experience has lessened as a primary criterion in favor of budget and ROI management and congenial factors.
I would like to see an ROI analysis of why data compromise is at an all-time high while the number of people and the spending on security tools from the biggest vendors bust budgets without making a dent in the problem, as evidenced in every morning newspaper and evening newscast.
I continue searching for psychological reasons security leadership seems to do less when faced with evidence of greater compromise. I and many others would appreciate a cogent analysis of why we are failing so miserably to prevent data compromise.
My personal thought is that at the higher levels of management, i.e., CIO, CISO, CEO, and with the political contributions of both Trump and Biden handling the issue, it seems to get worse the greater the distance from the technologist.
Insider threat psychology and counterproductive work behavior are mentioned, as are external threat actors sparking creative responses to hacking within the security community.
You will find many practical criteria for selecting security roles such as critical thinking, troubleshooting, resilience, and persistence characteristics when applying human capital. Continuous learning and adapting are central qualities as the security environment pushes change.
There is much content on creating more meaningful work for personnel experiencing quite high turnover rates. Many security solutions focus on "boiling the ocean" and are tedious and time consuming, failing to provide satisfying work.
Key takeaway: Cyber leadership competencies and traits are discussed at length as organizations create and build cyber into their firms.
Technology investment discussions are balanced with the understanding that security competency and capability are more cultivated than taught.
The whole of the book works to build a credible organization to address cybersecurity. As with most academic discussions, this book provides excellent notes and reference to other works to inspire self-discovery and research.
A great addition to this excellent groundbreaking work would be the psychological reasons we keep failing to keep data secure. As this is intrinsically focused on larger organizations, it would be excellent if they were to write a chapter on how smaller organizations might apply the methods.
I wrote a 46-page detailed SolarWinds Breach Report that offers a more technical assessment, in a link below (academics and non-profits: email me for a free copy).
You may also join me in a free webinar on various dates.
Cybersecurity Analyst | Reverse Engineering and Malware Analysis Enthusiast
Thanks for the book review and indication; it is very interesting.
CISSP and IT/SEC Professor, NVCC and Strayer University
Much of both perspectives has merit, but don't forget that where humans are involved, psychology factors in, period.
Technical leader & coach delivering innovative solutions through collaborative teamwork ★ IT Leader ★ Creative, Deliberate, Servant Leader
I find it interesting, your search for psychological reasons behind data breaches, when I believe a past article, "Diverse Thinking Solves Complex Problems - Pentagon 911 Root Cause", covers so much of the reasoning for why organizations are security stunted in one paragraph. Observation: psychology only plays a role when politics is heavy. As succinctly stated in a previous article:
"At the Pentagon motivation was high at the time to accurately mitigate problems as nobody was on the hot seat for that disaster's responsibility in the IT management team. On the darker side, other high stakes troubleshooting endeavors have proven that some very powerful people do not wish some problems to be diagnosed accurately, desiring rather to hide the root cause of problems because of who manages, or what pet projects or favored vendors might be implicated. I have been asked more times than I care to admit to spin an otherwise irrefutable definitive diagnosis to protect its implication. If there is any reasonable doubt, it too is reported allowing them to formulate their own conclusions. No need to fear an accurate definitive irrefutable diagnosis - unless you don't want the true root cause!"
Simply stated, the less politically charged the environment, the more psycho-social-emotional-financial balance, and therefore the more stable and secure the organization. Unfortunately, human nature plays such a heavy role, preventing us from getting to utopia, nirvana, heaven or other perfection platitudes. In line with the six thinking hats:
White Hat – Facts, Neutral, Objective Information
Red Hat – Emotions, Hunches, Intuition, Gut Feelings
Black Hat – Critic, Analyst, Logical, Negative?
Yellow Hat – Sunshine, Optimism, Positive
Green Hat – Creative, Growth, Possibilities, Ideas???
Blue Hat – Cool, Agenda, Process, Organize, Overview, Decision
The more thinking hats a person uses, the more effective the solution. Fact: the best leaders bring in people to fill in their knowledge and ability gaps.
Unfortunately, as witnessed in past corporate experiences, politics impacts the ability to use the six thinking hats effectively and heavily impacts security. The challenge: companies are heavily impacted by politics, yes, wo/men who are economically and ultimately politically motivated to climb the proverbial ladder of success, throwing out cross checks, where differing hats are marginalized or removed due to conflicting ideologies. The psychology of it all: people's desire to be perceived as successes, some more than others, most chasing the easiest path to "success" while putting in the least amount of effort. Financial standing seems to be the biggest indicator of success. What is your price to "spin" it in favor of the politically motivated? There is the psychology.