Book Review Highlights Human‑Centric Failures in Security Controls
What Happened — Help Net Security reviewed The Psychology of Information Security by Leron Zinatullin, a CISO‑level treatise that argues most security controls break because they ignore the people who must use them. The book blends organizational psychology, change‑management theory, and ISO 27001‑focused case studies to show how misaligned policies create new risk vectors.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Human‑behavior flaws can undermine even technically sound third‑party controls.
- Vendors that overlook usability and motivation may expose clients to compliance gaps and data‑loss risk.
- The book offers concrete frameworks (COM‑B, Fogg, nudges, boosting) that can be incorporated into third‑party risk assessments.
Who Is Affected — Financial services, SaaS providers, consulting firms, and any organization that relies on third‑party security policies.
Recommended Actions —
- Incorporate behavioral‑risk criteria into vendor questionnaires (e.g., COM‑B capability, opportunity, motivation).
- Request evidence of usability testing or employee‑feedback loops for critical controls.
- Align third‑party policy reviews with change‑management best practices (Kotter, Lean Startup).
Technical Notes — The book does not describe a specific vulnerability or exploit; it focuses on the systemic risk of poorly designed controls, citing ISO 27001 malware‑protection controls as examples.
Source: Help Net Security Review