I am not inclined towards book reviews, and my thoughts on user education tend to be somewhat fatalistic (I'm a big fan of Robert Heinlein's quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig") but here goes...
I just finished reading Michael Santarcangelo's book, "Into the Breach", a small volume, heavily footnoted, with a unique view of information security. Michael, the "Security Catalyst", offers a pragmatic approach to security which focuses on many of the overlooked aspects of security programs: little details, like the people who have to make it work, and the impact of the "security process" on those people's ability to do their jobs.
Michael's approach is actually a bit conspiratorial, based on getting support from the trenches with crazy ideas, ideas revealed in quotes like these:
"Make it easy for people to do the right thing"
"Efforts can be evaluated with a simple question: Is this going to make it easier for people to do their jobs?"
But he isn't naive about it; Michael recognizes that:
"Keep in mind that when an executive or outsider asks questions about how people do their jobs, the answers given may not be accurate"
"What people do when no one else is watching ultimately decides when and how technology is going to be used and information protected"
Of course, there are no easy answers, and there really has to be a desire and commitment to improve; if all a company wants to do is fill some checkboxes, nothing will help. I tend to be a little cynical, so I wonder how many companies really want to change, but those that do would be well served to consider Michael's advice.
Besides the book, Michael has a lot going on: he has done his own podcast and does the Security Roundtable Podcast with Martin McKeay, he hosts the Security Catalyst Community, and now Catalyst on Tour (where he packs the family into their RV and tours the country for his consulting and speaking engagements). He takes the Catalyst moniker seriously, so if you get a chance to meet him, talk to him and see where the conversation leads.
Jack