I stumbled across the book about a year ago (Q2 2009), when, during my time working for a client, we had a situation where an employee, angry at being made redundant, decided to leak as much information as possible to a competitor. I was asked to help develop a strategy and training course for that client to ensure this situation didn't occur again. Having never developed such a specific course before, I was a little lost until a colleague recommended Brian Contos' book to me.
My initial thought upon picking this book up was that it might be a bit dated, having been published back in 2007, but I need not have worried, despite some of the technologies covered by the book having moved on. There is, for example, no spear-phishing to be found here, nor any of the targeted attacks that have developed post 2007. However, this is not to say the book should be discarded; it should not, as the situations and motivations of those who set out to harm are timeless.
The style of writing is exceptionally straightforward, and so clear that few people will fail to understand both the threats and the lessons to be learnt from the scenarios presented within the book. Certainly I have found myself referring to this book time and again.
It is hard to highlight exactly what makes this book so valuable, but the key information is probably distilled into a number of key areas:
Chapter 2 covers exactly what it is that motivates a trusted employee to become harmful to an organisation. It approaches this subject in a way I've not seen presented before, as it covers the psychology of the malcontent, and how such insider threats might be seen from a personal, a business and, probably more importantly, an external reputational perspective. All of this is laid out in a way that is easily understood by key decision makers and senior risk owners.
Chapters 3 and 14 cover the area of Enterprise Security Management, an area that is sadly lacking in most organisations today. It explains clearly why such a system is required, without shying away from the issues that often put management off implementing such a valuable tool. The author has helpfully put forward clear and concise arguments as to why such information gathering is required for compliance purposes: SOX is explicitly mentioned, but many of the arguments hold true for PCI DSS. The real-world examples make up most of the second half of the book. Here a number of real-world case studies are presented which, although generally horrific in nature, all provide valuable lessons to those wishing to avoid such events happening to them.
The final vital section is, rather surprisingly, placed at the end, in an appendix. Appendix A covers a number of cyber-crime prosecutions, mostly American cases, and covers off many of the situations described in the book. This is the section I have found gives heart to some senior managers, as they can finally grasp that such insider actions don't have to be faceless crimes. In summation, I feel that this book ought to be required reading for all security professionals, be they technical or managerial in nature.