Book Review: Secure by Choice – Sarah Aalborg
This book explores how our brains work and how this shapes our perception and evaluation of risk. Aalborg explains how to use this understanding to build effective security systems.
Who is this book for?
Although the subtitle is “The Security Professional’s Guide to Human Biases in GRC” (Governance, Risk, Compliance), the audience is not narrowly defined – perhaps deliberately. While many examples focus on information security, the principles can be applied to a wide range of security contexts. The foreword by Perry Carpenter offers clarity: “Whether you’re a seasoned CISO, a security awareness professional, or someone just beginning to explore the human side of security, you’ll find valuable insights.”
Why should a security professional read this book?
Aalborg observes that approaches to IT security often focus heavily on technical aspects such as secure coding, network protections, and system hardening. While essential, she argues, these are not the root cause of most incidents. “It all starts with people’s actions – or lack thereof.”
She highlights the staggering number of decisions a person makes each day – around 35,000 – pointing out that many are made subconsciously and are influenced by human biases, some of them irrational. Her aim is to give readers a practical understanding of how to factor these biases into security strategies. As Perry Carpenter remarks: “She doesn’t just theorise about behaviour – she provides a practical bridge between behavioural science and real-world security implementation. She helps us understand why people make the security decisions they do, and, more importantly, how we can work with human nature rather than against it.”
What I like about this book
The book is full of fascinating explanations of how the brain works and how this applies to GRC. Those quirks we thought were personal turn out to be universal – and Aalborg illustrates them with engaging stories and real-world examples of how to integrate this knowledge into security strategies.
What I’d like to change
It’s not easy to quickly grasp the book’s scope by glancing at the contents. The chapter list uses figurative titles such as “Taming the Paper Tiger” without explanatory subtitles. I personally prefer a more descriptive table of contents or roadmap to help the reader understand what’s ahead.
Aalborg mainly addresses readers working in corporate environments, and some advice – such as conducting multi-person workshops – assumes access to time, resources, and willing participants.
The summaries of biases appear throughout the book on black-bordered pages, which I found visually jarring (they reminded me of obituary notices!). A different design choice might have been more suitable.
In summary
Read Secure by Choice if you’re a security professional interested in understanding how the brain works and how human biases influence decision-making – and if you want to integrate that knowledge into your security approach. This book is useful for those who like practical recommendations, are ready to improve their strategies, and have the time and resources to put these ideas into practice. Aalborg offers clear, thought-provoking insights that bridge psychology and security, making it a valuable guide for those wanting to work with human nature rather than against it.
Andrea Berkoff
Editor
