I just finished the book:
Jacobson, Douglas, and Joseph Idziorek. 2013. Computer security literacy: staying safe in a digital world.
TL;DR version: Excellent book. Plain English, explanations without condescension, practical examples, multiple summaries and suggestions for further reading. Also has a “what to do next” section at the end of the book.
This book claims to be aimed at laypeople and I think Jacobson and Idziorek succeed. They not only succeed in conveying information on a non-technical level but manage to do so while making the end user feel like an important potential asset to security rather than one more threat for IT staff to defend against.
Enlisting the user’s support in computer security is part of the defense-in-depth approach referred to throughout the book and explained in detail in Chapter 6, Malware Defense in Depth. The authors state there are five factors in an effective defense-in-depth approach, among them:
- data backup
- software patches
- antivirus software
- user education
The book does a good job of user education. It is divided into 14 chapters, each ending with a bullet-point summary. The first two chapters provide an overview of computing and the internet. The next group of chapters is dedicated to specific types of threats:
- password attacks
- email security
- web surfing
- online shopping
- wireless internet security
- social networking
- social engineering
- staying safe online (cyberbullying, cyberstalking, etc)
Each chapter lays out threats in plain English and uses many diagrams and charts to help users identify and deal with potential threats. Every chapter is also well sourced and has its own bibliography.
The main text concludes with a chapter of case studies and a chapter on moving forward with security measures, along with a summary of the individual chapters.
While a second round of summaries after each chapter’s own summary might seem excessive, the repetition reinforces the learning process.
The authors also do a good job of explaining the tradeoffs between security and convenience and concede that not all data and passwords need to be treated equally. In the authors’ view, the way you handle your password for the New York Times does not, and should not, match the way you handle login information for your bank.
Because the authors are upfront about tradeoffs and acknowledge benefits as well as risks of online transactions, I think users will be more open to the security measures offered here. I’d really like to see institutional IT staff embrace the idea that educated users can be effective partners in security. If they talk to users the way Jacobson and Idziorek talk to their readers, I think everyone will benefit. Everyone except the cybercriminals.
Librarians will probably find this book useful in preparing basic computer trainings or starting conversations with people convinced they’ve won a lottery they never entered.