Review: The Psychology of Information Security
Security controls fail when they are designed without regard for the people who must use them. That is the central argument of Leron Zinatullin’s second edition, and it is an argument he builds methodically across 17 chapters that draw from organizational psychology, change management, and usability research.
About the author
Leron Zinatullin is the CISO of Constantinople, a provider of AI-native banking. He is also a speaker and advisor to startups. He has led large-scale, global, high-value digital and security transformation projects to improve cost performance and support business strategy.
Inside the book
The book divides roughly in half. The first half covers risk management, communication, decision-making psychology, stakeholder influence, and change management. The second applies that groundwork to policy design, usability, culture, and behavioural change. Chapter 7 closes the first half with the FBI Crisis Negotiation Unit’s behavioural change stairway model to make the point that influence requires investing in listening and rapport before attempting to change behaviour.
Chapter 9 is among the book’s more instructive sections. Zinatullin walks through five ISO 27001 malware-protection controls and constructs fictional employee personas, showing how a control implemented without attention to workflow creates a different category of risk. Each scenario is recognizable.
Chapter 10 draws on interviews with security leaders, which reveal that managers are largely aware of the impact their controls have on behaviour, but that awareness is reactive and driven by complaint volume. Several admitted having no way to measure the effect of security policies on employee performance.
Chapter 11 summarizes research identifying three reasons for non-compliance: employees lack a clear reason to comply, the cost of compliance is too high, or compliance is structurally impossible given the tools provided.
Chapter 16 covers behavioural change in the most applied terms. The COM-B model (capability, opportunity, motivation) functions as a diagnostic tool for identifying which type of intervention fits a given compliance gap. The Fogg Behaviour Model adds a prompt as a third required element. The chapter then covers nudge theory and introduces boosting as a complement: nudges alter choice architecture for fast results; boosting improves decision-making skills for more durable behaviour change. Zinatullin applies this directly to security: changing one security habit can propagate productive behaviour more broadly across an organization.
The book covers a wide range of frameworks concisely: PESTLE, SWOT, Kotter’s eight steps, Cialdini’s six principles of persuasion, design thinking, the lean startup Build-Measure-Learn cycle, the Five Whys, and systems thinking. Each gets a security application.
Conclusion
The audience for The Psychology of Information Security is security professionals who work across organizational boundaries. Those seeking a starting point for the behavioural science of security, or who need to make an internal case for people-centred policy design, will find it useful. Those looking for technical control guidance will need to look elsewhere.
