Book Review: Cyber Security Culture

Subtitle: Countering Cyber Threat through Organizational Learning and Training
Author: Peter Trim and David Upton

As we should all know by now, and as I have commented on many times in this blog, good Information Assurance or Cyber Security involves getting the people / process / technology balance right. I will tentatively suggest that the people / process element is in essence the culture (please use the comments field below if you disagree) – and I’d suggest this book is about how to get the people / process right (which combines personal and corporate learning). The book has some brief technical interludes, but these are there to explain a concept rather than being part of the culture.

I’ve had the pleasure of several conversations over the years with Peter Trim, one of the authors, via both a research project (iGRC) and the Information Assurance Advisory Council. One of the first things that struck me about the book was the writing style: it’s written in an easy-reading, conversational style, just as if you were talking to Peter. The other core style of the book is that of an academic literature review: nearly all of the comments and observations are fully backed up with references to research papers, books, journal articles and web articles – with the key paragraphs quoted to make for easy reading.

For me Chapter 5, “Methods of Conceptualizing Interdependencies that No One Person Fully Understands”, was the most interesting, and it is becoming a recurring theme. It is something I have been paying quite a bit of attention to in my own research activities for Nexor, as it seems to me that the internet of things, home area networks (including your car and smart meter), Defence sensor networks, and industrial control systems all fall into this category: too complex for any one person to understand. The challenge is how to conceptualise these systems and their interdependencies so that, in the event of a cyber attack, correct decisions can be made about protecting and defending the systems in the absence of a full set of knowledge – a topic the book covers well.

It then addresses how to embed the business reaction and lessons learnt into organisational learning, so that you can make even better decisions next time. Not easy, but a key part of a learning organisation.

Well worth a read, but a bit on the expensive side.

What good books on Cyber Security Culture have you read? Please let me know via the comments box below.

Chapter Headings

  1. Introduction and Background to the Research
  2. Social Engineering
  3. Organizational Issues Related to Critical Information Infrastructure Protection
  4. Protecting Critical Information Infrastructure: Issues and Considerations
  5. Critical Information Infrastructure: Methods of Conceptualizing Interdependencies that No One Person Fully Understands
  6. Insights in Organizational Learning
  7. Critical Information Infrastructure Roadmap
  8. The Learning Organization and Managing Change
  9. Devising an Effective Counter Threat Strategy

Sadly, yes, Organization does have a ‘z’ in it; the book is written in American, not English.


Trim, Peter R., and David Upton. Cyber Security Culture: Counteracting Cyber Threats through Organizational Learning and Training. Gower Pub., 2013. ISBN: 9781409456940