Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Mar 9, 2012

Book review: Asset Protection through Security Awareness


Provided you are not expecting detailed guidance on how to raise security awareness, this book gives reasonable introductory-level coverage of network/ICT security including a few aspects that are barely mentioned in some similar texts.

While the cover blurb refers to providing "a high-level overview of how to protect your company's physical and intangible assets ... [that] explains the best ways to enlist the assistance of your employees as the first line of defense in safeguarding company assets and mitigating security risks", the book is primarily concerned with network/ICT security: human factors and security awareness are covered but not in much depth.

The level of detail varies between and within chapters. "Diplomacy", "Interdepartmental security", "Physical security" and "Computer and network forensics" are not universally covered by network/ICT security books, making these chapters welcome additions. Emphasizing the human aspects of information security balances out the more IT/technical security content, although arguably leaving the technical side a bit light in places (e.g. there is not much about firewalls, and almost nothing about application security). This is not a detailed, highly technical book. The information security guidance is a little naive at times, and occasionally off-base. The style is not unlike a summary-level revision manual for CISSP or a similar information security qualification, laying out what ought to happen without much regard to the practicalities.

As an introductory or intermediate level text, the book is readable and a worthwhile introduction to the topic, if a bit patchy in its coverage and variable in depth. I would definitely recommend additional reading for information security professionals. For advice on doing security awareness, I unreservedly recommend Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program.  David Lacey's Managing the Human Factor in Information Security is strong on the human and cultural aspects of security, while for network/ICT/technical security I would suggest Ross Anderson's Security Engineering and books by CISCO and Microsoft authors. CISSP/CISM study guides such as the Official (ISC)2 Guide to the CISSP CBK and ISACA's CISM Review Manual are good all-rounders for students.

The book costs about US$61 from Amazon.

Regards,
Gary (Gary@isect.com)