You are previewing The New School of Information Security.
O'Reilly logo
The New School of Information Security

Book Description

“It is about time that a book like The New Schoolcame along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”

--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making
    Why the security data you have doesn’t support effective decision-making--and what to do about it

  • Beyond security “silos”: getting the job done together
    Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve

  • Amateurs study cryptography; professionals study economics
    What IT security leaders can and must learn from other scientific fields

  • A bigger bang for every buck
    How to re-allocate your scarce resources where they’ll do the most good

  • Table of Contents

    1. Copyright
      1. Dedication
    2. Preface
    3. About the Authors
    4. 1. Observing the World and Asking Why
      1. Spam, and Other Problems with Email
      2. Hostile Code
      3. Security Breaches
      4. Identity and the Theft of Identity
      5. Should We Just Start Over?
      6. The Need for a New School
    5. 2. The Security Industry
      1. Where the Security Industry Comes From
      2. Orientations and Framing
      3. What Does the Security Industry Sell?
      4. How Security Is Sold
      5. In Conclusion
    6. 3. On Evidence
      1. The Trouble with Surveys
      2. The Trade Press
      3. Vulnerabilities
      4. Instrumentation on the Internet
      5. Organizations and Companies with Data
      6. In Conclusion
    7. 4. The Rise of the Security Breach
      1. How Do Companies Lose Data?
      2. Disclose Breaches
      3. Possible Criticisms of Breach Data
      4. Moving from Art to Science
      5. Get Involved
      6. In Conclusion
    8. 5. Amateurs Study Cryptography; Professionals Study Economics
      1. The Economics of Information Security
        1. Why Do Some Security Technologies Fail?
        2. Why Does Insecure Software Dominate the Market?
        3. Why Can’t We Stop Spam?
      2. Psychology
      3. Sociology
      4. In Conclusion
    9. 6. Spending
      1. Reasons to Spend on Security Today
      2. Non-Reasons to Spend on Security
      3. Emerging Reasons to Spend
      4. How Much Should a Business Spend on Security?
      5. The Psychology of Spending
      6. On What to Spend
      7. In Conclusion
    10. 7. Life in the New School
      1. People Are People
      2. Breach Data Is Not Actuarial Data
      3. Powerful Externalities
      4. The Human Computer Interface and Risk Compensation
      5. The Use and Abuse of Language
      6. Skills Shortages, Organizational Structure, and Collaboration
      7. In Conclusion
    11. 8. A Call to Action
      1. Join the New School
        1. Gather Good Data
        2. Analyze Good Data
        3. Seek New Perspectives
      2. Embrace the New School
        1. Change How You Teach (and Learn)
        2. Change How You Act
        3. Change How You React
      3. Make Money from the New School
      4. Final Words
    12. Endnotes
      1. Chapter 1, “Observing the World and Asking Why”
        1. Spam, and Other Problems with Email
        2. Hostile Code
        3. Security Breaches
        4. Identity and the Theft of Identity
        5. Should We Just Start Over?
      2. Chapter 2, “The Security Industry”
        1. Where the Security Industry Comes From
        2. Orientations and Framing
        3. What Does the Security Industry Sell?
        4. How Security Is Sold
        5. In Conclusion
      3. Chapter 3, “On Evidence”
        1. The Trouble with Surveys
        2. The Trade Press
        3. Vulnerabilities
        4. Instrumentation on the Internet
        5. Organizations and Companies with Data
      4. Chapter 4, “The Rise of the Security Breach”
        1. How Do Companies Lose Data?
        2. Disclose Breaches
        3. Possible Criticisms of Breach Data
        4. Get Involved
        5. In Conclusion
      5. Chapter 5, “Amateurs Study Cryptography; Professionals Study Economics”
        1. The Economics of Information Security
        2. Why Do Some Security Technologies Fail?
        3. Why Does Insecure Software Dominate the Market?
        4. Why Can’t We Stop Spam?
        5. Psychology
        6. Sociology
      6. Chapter 6, “Spending”
        1. Reasons to Spend on Security Today
        2. Non-Reasons to Spend on Security
        3. Emerging Reasons to Spend
        4. How Much Should a Business Spend on Security?
        5. The Psychology of Spending
        6. On What to Spend
      7. Chapter 7, “Life in the New School”
        1. People Are People
        2. Breach Data Is Not Actuarial Data
        3. The Human Computer Interface and Risk Compensation
        4. The Use and Abuse of Language
        5. Skills Shortages, Organizational Structure, and Collaboration
      8. Chapter 8, “A Call to Action”
        1. Embrace the New School
    13. Bibliography