The Information Security Practice Principles Are for You

The Information Security Practice Principles (the Principles) came out of Indiana University’s Center for Applied Cybersecurity Research (CACR), where organizations come when they have information security questions about technologies, networks, and organizational structures that are unconventional, complex, or unexplored. Our policy, process, and technical experts work from these Principles when there aren’t yet proven “best practices” in order to make security that works.

Best practices guides, checklists, policies, and standards pervade nearly every part of information-security practice. Some are well thought out and well written; others…well, less so. By understanding the principles upon which all security operates, you can effectively evaluate those guides, lists, policies, and standards (or create new ones, if needed) because you’ll have the fundamental baseline from which all of security can be understood.

The Principles project is the result of our research¹ and the collective 30-plus years of experience between the three of us, who set out to make “thinking about information security from first principles”² accessible to everyone. Thinking, intelligent people can take these seven principles, which have stood the test of time, (yes, we cite Sun Tzu), and apply them to any information security problem involving any organization or technology, now or yet to come. And remember, first principles apply to everything: so when you find yourself asking, “Does Comprehensivity apply to x,” or, “Should we consider Minimization when we build y,” the answer is yes.

But more fundamentally, the Principles offer a balance between aspirational (and therefore unobtainable) “perfect security,” and the pragmatic need to get things done. Although the Principles set the ideal, they also are designed to guide you toward that ideal in a way that is actually doable. Rather than just say “be a good person,” the Principles model after The Golden Rule (“treat others as you would want to be treated”). Just stating the goal is not enough; the Principles show you how to get there.

This is why working from first principles is so important: it’s the skill set that doesn’t age into irrelevancy. It’s the skill set that tells us what to do when someone drops a network-connected refrigerator, scientific instrument, or drone onto my lap that I’ve never seen before. It’s the skillset that allows us to analyze and understand security policy, technological controls, and physical security, and gives everyone up and down the organization a lingua franca for discussing security.

Each chapter in this book walks you through one of the seven Information Security Practice Principles—Comprehensivity, Opportunity, Rigor, Minimization, Compartmentation, Fault Tolerance, and Proportionality—providing an overview of how they apply in both technical and human/policy contexts, along with their interactions with other principles. We’ve also included links to additional resources at the end of this book that you might find helpful.

A final note about word choice. The Principles are an attempt to consolidate a huge range of information security sources into seven discrete concepts, so naturally some principles will be very similar to concepts you are already familiar with, but under different names. Although this proximity might make the different naming frustrating, we would emphasize that the Principles are designed to help communicate these concepts across the wide-ranging disciplines that need to appreciate cybersecurity concerns. Although you might prefer to refer to a given principle under a different name, utilizing the Principles as a shared language will help you communicate those concepts across fields and to a much broader audience.