In the final part of the book I cover three themes: politics, management and assurance. Given that we now have some idea how to provide protection, the three big questions are: what are you allowed to do? How do you go about organizing it? And how do you know when you're done?

Since 9/11, we've seen the growth of a security-industrial complex that has consumed billions of dollars and caused great inconvenience to the public, for often negligible gains in actual protection. Politicians scare up the vote, and vendors help them with systems that are best described as 'security theater'. This gives rise to many difficult political issues for the security engineer. Are our societies vulnerable to terrorism because we overreact, and if so, how can we avoid becoming part of the problem rather than part of the solution? Can we find ways to make more rational decisions about allocating protective resources, or at least stop security arguments being used to bolster bad policy? And how do these issues interact with the more traditional security policy issues we already worried about in the 1990s, such as surveillance, wiretapping, the rules of digital evidence, censorship, export control and privacy law?

Our next chapter is about management. This has become a dirty word in the information security world; there are endless vapid articles written in managementese which manage to say nothing at great length. But management issues are important: organisational and economic incentives ...