This paper lays out the case for managing the human side of information security
just as carefully as the technical side. It is our contention that technological
controls alone simply cannot deliver sufficient information security in practice,
and awareness is the most cost-effective form of security control.
This document is in pdf format. To
view it click here.