Volume 24, Issue 2
Book Review by W. Hutchinson (January, 2025)
Authors: Terry R. Merz and Lawrence E. Shaw
Publisher: The Institution of Engineering and Technology (November 5, 2024)
ISBN-10: 1839536675
ISBN-13: 978-1839536670
Firstly, this book is written by professionals for professionals. It is a comprehensive overview of phishing, which the authors define in their Glossary of Terms as “A type of cyberattack that uses disguised email or other forms of communication to trick recipients into revealing personal information”. It is a phenomenon that is on the increase and, hence, security personnel and, in fact, all of us should be aware of it. With its 288 pages of text, this book provides the reader with an in-depth analysis of the subject.
It is not for casual users, although chapters can be read individually; for example, Chapter 2, ‘The user and context’, gives a concise breakdown of social engineering, the means of contact, and their psychological impact on the user. This is where the book stands out amongst others: it gives substantial consideration to the impact of the technology on humans. As such, it combines people and technology in a very skilful and, I think, unique way. Of course, it uses acronyms quite a lot (although they are all defined in a list). It seems technical books cannot rid themselves of this, but that is another discussion.
The chapters cover a comprehensive series of topics spanning the full range of attack types as well as mitigation techniques. The first chapter introduces the types of phishing, the anatomy of an attack, some previous mitigation techniques, the impact of Artificial Intelligence (AI), and elements of concern with QR codes. As previously stated, the next chapter moves on to the human element and the psychological impact on the user.
In this chapter, the uniqueness (to me) of this book really surfaces. I think I can sum it up with a phrase used within it: “anthropomorphized technology”. Anthropomorphic technology is technology that is designed to be human-like, and anthropomorphism is the tendency to assign human characteristics to non-human things. I had to look both of these up but knew what they meant. I think this emphasis is why this text is different from many others. I have read many that describe holistic or ‘systemic’ explanations but tend to emphasise either the human system or the physical/procedural aspects of a system. This book combines the two, and that is its greatest strength. It does not do so at a superficial level but instead captures the complexity of combining the human impact and the procedural processes at many levels. The individual level (both the attacker and the attacked) is exposed, and its importance to the mitigation and organisational-procedure levels is shown. The book shows the many facets of the ‘humanisation’ of software, such as user-interface design and chatbots that simulate human behaviours and responses. The ethical dimension is also covered.
I will attempt to briefly cover the next eight chapters to show the scope of each. The next chapter examines the failure to regulate threats and vulnerabilities. It begins with a whole list of risks and the actions that can be taken against them. It goes into human-computer interaction, predictive coding (you will need to read this over more than once; it was quite complex to me, at least) and interface design. It has extensive information on AI and human/computer interface design. Intense stuff!
Chapter 5 examines the assessment of phishing risk and the framework behind it. Again, human factors are examined. Trends in phishing risk management are discussed, outlining the available tools. Again, it returns to AI and its use in phishing attacks. It does outline technological countermeasures as well.
Chapter 6 delves into the organisation itself and its ability to handle this risk. It tells the reader there is no ‘silver bullet’. It outlines the design of actions and policies to mitigate the risk, and there are a number of suggestions on managing the risk within the organisation.
Chapter 7 is an interesting inspection of the ‘training versus experience’ solution to the cybersecurity problem. It has an extensive overview of the solution to the training problem and suggests a merging of the two aspects. This tends to be a sensible way to approach any such complex, fast-changing organisational problem. Cooperation is normally the most efficacious solution, but not always.
Chapter 8 introduces the social media environment which, because of its almost universal use, is an obvious source of threat. It covers the use of social media within the organisation as well. It examines privacy, reputation management, customer engagement, and a myriad of other issues.
Chapter 9 expands on the technological solutions mentioned earlier. It suggests AI and ML (Machine Learning).
Chapter 10 introduces some useful case studies.
Chapter 11, the final chapter, offers suggestions about the human in the loop (a constant theme) and the need for a comprehensive strategy. The requirement for the organisation to be committed to this, and a recommendation to use AI and ML, are also discussed.
It ends with a very helpful Glossary of Terms and the Index.
Obviously, I have not covered all the aspects of this book in this review, but to summarise: this text is a well-written technical analysis of phishing in which both human and technological aspects are brought together to produce a volume of value to practitioners, researchers, students, and those who wish to examine this security phenomenon at a deep level. I would recommend it if you are in one of those groups. It is not often that a book of this type is readable, covers all the elements, is focused, and is also comprehensible to a range of readers.
Journal of Information Warfare