Information Security Awareness: The Psychology Behind the
Technology is a book written for information security managers and
organizational leaders. This text focuses on the behaviors of
information systems users in an organizational setting and why this
is critical to successful information security awareness programs.
The ultimate goal of all information security awareness programs
from a business perspective is to change the behavior of users,
resulting in fewer user-related errors that cause costly and
destructive security incidents. Rather than taking a traditional
technology-oriented approach, the author has taken a unique method
by exploring and discussing six key psychological aspects of
people's behavior. Specifically, the author discusses how these
phenomena relate to, and impact, an information security program.
The six behavioral-oriented phenomena reviewed in this book are:
motivation, attitude, beliefs, personality, morals, and ethics.
These six phenomena are the basis for a new psychological-based
framework that the author presents in this book known as POST™.
POST™ is an acronym for "The Psychology of Security and
Technology." Many organizations take the approach of "informing"
their user community of their security policies, guidelines, and
procedures. This would be described as a descriptive approach,
meaning the users are told they must comply because management
requires them to. Recent research in organizational psychology and
information security awareness postulates that this approach is
flawed. The descriptive-based approach does nothing to help the
users internalize or justify the organization's requirements;
therefore their attitudes and motivations will be lacking and
ultimately produce undesirable results. A new prescriptive-based
approach to information security awareness is presented in the book
which leverages the POST™ constructs. This new approach focuses on
users internalizing information security messages and policies.

Organizations rely on digital information today more than ever
before. Unfortunately, that information is equally sought after by
criminals. New security standards and regulations are being
implemented to deal with these threats, but they are very broad and
organizations require focused guidance to adapt the guidelines to
their specific needs. Fortunately, Information Security: Design,
Implementation, Measurement, and Compliance outlines a complete
roadmap to successful adaptation and implementation of a security
program based on the ISO/IEC 17799:2005 (27002) Code of Practice
for Information Security Management. The book first describes a
risk assessment model, a detailed risk assessment methodology, and
an information security evaluation process. Upon this foundation,
the author presents a proposed security baseline for all
organizations, an executive summary of the ISO/IEC 17799 standard,
and a gap analysis exposing the differences between the recently
rescinded version and the newly released version of the standard.
Finally, he devotes individual chapters to each of the 11 control
areas defined in the standard, covering systematically the 133
controls within the 39 control objectives. Tim Layton's Information
Security is a practical tool to help you understand the ISO/IEC
17799 standard and apply its principles within your organization's
unique context.