Hardcover Managing an Information Security and Privacy Awareness and Training Program Book

ISBN: 0849329639

ISBN13: 9780849329630

Managing an Information Security and Privacy Awareness and Training Program


Format: Hardcover

Condition: Like New

$9.99
Save $77.96!
List Price $87.95

Book Overview

Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and... This description may be from another edition of this product.

Customer Reviews

4 ratings

A Definitive Roadmap to building a credible and sustainable Information Security and Privacy Awarene

In this work, Rebecca Herold deftly lays out a framework that is easy to follow and comprehensive. She has skilfully managed to compile material that would otherwise take a significant amount of research, time and work to collect, and has created tools for the reader that are easily modified and transferred to any industry and indeed any country. Ms. Herold consistently produces high quality written information centered around current and often complex subjects. The kernel of what she offers is the rare ability to present these topics as easy to understand and enjoyable to read. As I live and work in Canada I was concerned that this book may be too centered on American laws and methodologies. I could not have been further off the mark. The methodology meticulously laid out by Ms. Herold could be applied in any country on the planet and ensure that whoever is following its plan is successful in their delivery. In my 17+ years in Information engineering, security and education I have only kept a handful of texts on my bookshelf. This will be one of them.

A great investment in your awareness program

If your organization is considering a security or privacy awareness program, this book will pay for itself many times over. I am not aware of any other resource that includes this much material about the art and science of awareness and training. Although this book is over 500 pages long, I found it easy to jump to specific chapters to get just the information I needed. The main chapters cover every aspect of program development including: planning, establishing a business case, budgeting, selling management, audience selection, material design and development, implementation, and measurement. Chapter 10 alone - which maps over 50 different awareness topics to various job roles - should save an organization thousands of dollars in program planning. And don't overlook the Appendices. Almost every sample form and worksheet you would need is available as an appendix. The assessment questionnaires alone should save dozens of hours of development. Definitely one of the best security awareness investments your organization will ever make.

At last - a security awareness book worth recommending!

The author introduces her book very eloquently: "I wrote this book to provide a starting point and an all-in-one resource for information security and privacy education practitioners. I incorporated much of the information and knowledge I obtained while working on my MA in computer science and education as applicable to providing education to adult learners. Additionally, I included the same type of information that I've used and found helpful over the years when creating awareness and training programs ... My goal was to provide a more comprehensive resource of everything involved with managing an information security and privacy training and awareness program than I had been able to find - a reference for practitioners to go to when implementing any part of their education program and get ideas that will help them be successful with their own program." The entire 'lifecycle' of a security awareness program is covered from program design (e.g. why awareness is important, legal and regulatory requirements and even 'how not to do it') through program delivery and execution (getting started, gaining executive sponsorship and budget, topics to cover, methods of delivery/communications and motivational techniques, incorporating awareness into job responsibilities etc.) to program management (hints about planning, controlling and reporting progress) and program review (how to check that your program remains on-track and effective). The book may appear overwhelming to someone just starting out on their information security and privacy awareness although it is not compulsory to read the entire book cover-to-cover in one sitting (tempting though that may be!). The chapter on 'Getting started' is recommended reading, with details of how to identify key contacts, review the organization's existing approach to awareness and training, and a handy road-map that would serve as a good high level project plan.
For more experienced information security professionals, and especially those considering or tasked with 'doing awareness', this book is a must-read. Even seasoned security awareness practitioners would likely learn new things from this book, at least I did and suspect my copy will become well-thumbed in the months and years ahead. The coverage is reasonably even throughout with plenty of meaty content in every section. The writing style is engaging, quite easy to read yet at the same time stimulating and thought provoking. The book is crammed full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. It really is hard to think of any way the book could have been better - praise indeed if you have read any of my reviews of other security awareness books. This really *is* the definitive guide - a wonderful book for practitioners in our field, one I'm happy to recommend unreservedly.

The definitive reference on creating an information security

Managing an Information Security and Privacy Awareness and Training Program is without a doubt the definitive reference on creating an information security awareness program. Behind most information security problems are users who are untrained in security or unaware of the security risks. Millions of dollars of firewalls and cryptography can be bypassed by an unaware end-user. Managing an Information Security and Privacy Awareness and Training Program is a tremendous book that can be used as a foundation for an effective and comprehensive information security awareness program. The book contains the fundamentals and metrics of why you need an awareness program, and everything you need to set up such a program. The book is filled with good advice and direction. Chapter 14 contains 143 methods for effective awareness. The other chapters provide equally effective information and advice. At 500 pages, this book contains everything you need to know about creating and setting up an effective awareness program and is highly recommended.