InfoSec has always preached the triad of “people, process, and technology” as essential for good, effective security. My experience in the industry has been that technology always comes first, followed by process when we can manage it, and people when we get around to them. The main role people play in information security tends to be that of a problem waiting to happen, an insider threat, a negligent user, or just an annoyance to be automated out of existence as best we can. This book is my attempt to invert that, to put people in the center of information security programs and practices. Sometimes people will be threats, but more often they will be the untapped resources with the solutions to many of security’s current challenges.