Bulletin of Applied Computing and Information Technology
Book Review: Information Technology Security & Risk Management
04:02
Rowena Sinclair, Auckland University of Technology, New Zealand

Sinclair, R. (2006, October), Book Review: Information Technology Security & Risk Management. Bulletin of Applied Computing and Information Technology Vol. 4, Issue 2. ISSN 1176-4120. Retrieved from
Slay, J. & Koronios, A. (2006). Information Technology Security & Risk Management. Milton, Qld, Australia: John Wiley & Sons (355 pages).

The increasing interconnectivity of businesses today resulted in the OECD producing guidelines in 2002 for the security of information systems and networks. As business information systems become part of the security environment, the OECD considers that there is a need for a ‘culture of security’. This should encompass an awareness of not only the risks that are prevalent within information systems but also an understanding of how these risks can be managed. An approach to security must encompass all participants within the information systems. Authors internationally are recognising the need for books that explain both the risks involved in different technological systems and how to manage these risks. This is a review of one of these books: Information Technology Security & Risk Management by Slay and Koronios.

As the title suggests, this book focuses on information technology systems, in particular networks, databases, electronic commerce and mobile commerce. It recognises that some business managers may have a limited understanding of the complexities of information technology as well as a limited knowledge of the systems that can provide effective security. The authors do not assume a prior knowledge of some of the complex technologies, but rather provide an overview of the fundamentals of these technologies.

The book does a thorough job in identifying the risks to both information technology systems and the environment in which these systems operate. This environment includes the ethical, legal and regulatory issues involved in information security and the physical security of these systems, one aspect being protection against fire and natural disasters. This is of particular relevance today with the extreme weather patterns seen in various parts of the world.

An embedded structure that links to risk management could have ensured a more logical flow through the book from risk identification to the management of those risks for each of the information technologies identified. This would have permitted legal issues to be covered in just one chapter rather than the current three, i.e. chapters three, eight and eleven. This could have added value to the use of the book for instructional purposes.

The excellent diagrams throughout the book provide clarity to the underlying concepts. However, these could be improved through the use of colour. Colour would focus attention and delineate more clearly some of the different concepts incorporated into diagrams.

Deciding the audience for this book requires some consideration, as there are some lost opportunities as to target audiences. The use of Australian examples for such an international topic limits its applicability somewhat beyond the boundaries of Australia. Whilst it is stated that the book is aimed at undergraduate students in information technology, the audience could also have encompassed business managers who need to be aware of risks. In the current business environment there is an increased focus on corporate governance and the book could take advantage of this, particularly in chapter one, by highlighting the need for governance structures to minimise business risks.

Overall, the book offers some quite useful insights into security risks and the management of these risks in information technology systems. It allows the reader to engage with the topics covered, and gain practical knowledge. The clarity of the text would be further enhanced through improvements in the layout and presentation of the book.

Copyright © 2006 Rowena Sinclair
Copyright © 2006 NACCQ. Krassie Petrova, Michael Verhaart, Andy Connor and Judith Symonds (Eds.). An Open Access Journal, DOAJ # 11764120