ISACA Journal
Volume 2, 2016

Book Reviews 

Build a Security Culture 

Kai Roer | Reviewed by Maria Patricia Prandini, CISA, CRISC 

An information security culture is determined by how employees behave, interact and respond in order to protect an organization's information assets. But human behavior is complex and often unpredictable. Many attacks that exploit human vulnerabilities (phishing, pretexting and other social engineering) could have been prevented by a framework that deals deliberately with these types of threats. Developing such a framework is a real challenge for information security professionals and enterprise management, but it is essential to minimizing risk.

“The ideas, customs and social behaviors of a particular people or group that helps them be free from threat and danger” is how the author of Build a Security Culture, Kai Roer, defines a security culture. Using clear, concise language, Roer explains how culture is mostly learned, even for basic things such as walking, speaking or interacting.

In just eight chapters, this book addresses security culture from the social science and technology perspectives. The book successfully shows the cultural factors that are involved in organizational information security, using psychology and group behavior to point out the root of many successful—but preventable—attacks.

After introducing the subject with real-life examples and apt analogies, the book describes how the three components of a security culture (technology, policies/rules and people/competences) must be aligned to build one. Roer explains that security awareness, although critical, is only one part of a security culture and is not enough on its own to change a culture.

The book also presents how to involve other areas of the organization, e.g., human resources, marketing and management, when a security culture is being built. The book explains the importance of group and social interactions. Build a Security Culture also explores how to measure a security culture and how existing data can be used as a baseline to determine if the culture is really favoring information security.

The author presents his model of a security culture framework, explaining how its methodology helps in organization development and in maintaining a security culture. Roer states that building and maintaining a security culture should be like any other process, i.e., continuous, planned, controlled and audited. The book concludes with the author sharing his insights on the need for the information security professionals to understand how people react, behave and interact to build a security culture.

Creating and maintaining a security culture can be a frustrating task. Human behavior is sometimes unpredictable and complex, and information security professionals are rarely prepared to confront these situations.

They may be eager to develop secure applications or configure sophisticated high-tech devices, but how people follow (or ignore) social and cultural rules is often hard to predict, or even to understand.

Build a Security Culture can ease this task. The book effectively highlights the human factors needed to build and maintain a security culture. However, as the author states, simply reading the book will not make the reader an expert. It will, however, put readers on the right path to keep learning about the diverse components that must work together to create a security culture.

Editor’s Note

Build a Security Culture is available from the ISACA Bookstore. For information, visit, email or telephone +1.847.660.5650.

Reviewed by Maria Patricia Prandini, CISA, CRISC, who has a long career as a public official in different positions related to information technology at the Argentine Government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the past president of the ISACA Buenos Aires (Argentina) Chapter.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.