The New School of Information Security

3.8 avg rating
( 54 ratings by Goodreads )
 
9780321502780: The New School of Information Security
View all copies of this ISBN edition:
 
 

<>“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”

--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

 

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making
    Why the security data you have doesn’t support effective decision-making--and what to do about it
  • Beyond security “silos”: getting the job done together
    Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve
  • Amateurs study cryptography; professionals study economics
    What IT security leaders can and must learn from other scientific fields
  • A bigger bang for every buck
    How to re-allocate your scarce resources where they’ll do the most good

"synopsis" may belong to another edition of this title.

About the Author:

Adam Shostack is part of Microsoft’s Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques. Before Microsoft, Adam was involved in a number of successful start-ups focused on vulnerability scanning, privacy, and program analysis. He helped found the CVE, International Financial Cryptography association, and the Privacy Enhancing Technologies workshop. He has been a technical advisor to companies including Counterpane Internet Security and Debix.

 

Andrew Stewart is a Vice President at a US-based investment bank. His work on information security topics has been published in journals such as Computers & Security and Information Security Bulletin. His homepage is homepage.mac.com/andrew_j_stewart

Excerpt. Reprinted by permission. All rights reserved.:

The New School of Information Security

Preface

"I didn't have time to write you a short letter, so I wrote a long one."—Mark Twain

We've taken the time to write a short book, and hope you find it enjoyable and thought-provoking. We aim to reorient security practitioners and those around them to a New School that has been taking shape within information security. This New School is about looking for evidence and analyzing it with approaches from a wide set of disciplines. We'd like to introduce this approach to a wider audience, so we've tried to write so that anyone can understand what we have to say.

This isn't a book about firewalls, cryptography, or any particular security technology. Rather, it's about how technology interacts with the broader world. This perspective has already provided powerful insights into where security succeeds and fails. There are many people investing time and effort in this, and they are doing a good deal of interesting research. We make no attempt to survey that research in the academic sense. We do provide a view of the landscape where the research is ongoing. In the same spirit, we sometimes skim past some important complexities because they distract from the main flow of our argument. We don't expect the resolution of any of those will change our argument substantially. We include endnotes to discuss some of these topics, provide references, and offer side commentary that you might enjoy. Following the lead of books such as Engines of Creation and The Ghost Map, we don't include endnote numbers in the text. We find those numbers distracting, and we hope you won't need them.

Some of the topics we discuss in this book are fast-moving. This isn't a book about the news. Books are a poor place for the news, but we hope that after reading The New School, you'll look at the news differently.

Over the course of writing this book, we've probably written three times more words than you hold in your hands. The book started life as Security Decisions, which would have been a book for managers about managing information security. We were inspired by Joan Magretta's lovely little book What Management Is, which in about 200 pages lays out why people form organizations and hire managers to manage them. But security isn't just about organizations or managers. It's a broad subject that needed a broader book, speaking to a wider range of audiences.

As we've experimented with our text, on occasion removing ideas from it, there are a few fascinating books which influenced us and ended up getting no mention—not even in the endnotes. We've tried to include them all in the bibliography.

In the course of writing this book, we talked to a tremendous number of people. This book is better for their advice, and our mentions are to thank them, not to imply that they are to blame for blemishes that might remain. If we've forgotten anyone, we're sorry.

Simson Garfinkel and Bruce Schneier both helped with the proposal, without which we'd never have made it here. We'd both like to thank Andy Steingruebl, Jean Camp, Michael Howard, Chris Walsh, Michael Farnum, Steve Lipner, and Cat Okita for detailed commentary on the first-draft text. But for their feedback, the book would be less clear and full of more awkward constructs. Against the advice of reviewers, we've chosen to use classic examples of problems. One reviewer went so far as to call them "shopworn." There is a small audience for whom that's true, but a larger one might be exposed to these ideas for the first time. We've stuck with the classics because they are classic for a reason: they work. Jon Pincus introduced us to the work of Scott Page. We'd like to apologize to Dan Geer for reasons that are either obvious or irrelevant. Lorrie Cranor provided timely and much appreciated help in the academic literature around security and usability. Justin Mason helped correct some of the sections on spam. Steven Landsburg helped us with some economic questions.

We'd also like to thank the entire community contributing to the Workshop on Economics and Information Security for their work in showing how to apply another science in broad and deep ways to the challenges that face us all in security.

It's tempting in a first book to thank everyone you've ever worked with. This is doubly the case when the book is about the approaches we bring to the world. Our coworkers, managers, and the people we have worked with have taught us each tremendous amounts, and those lessons have been distilled into this book.

Adam would like to thank (in roughly chronological order) cypherpunks Eric Hughes, Steve Bellovin, Ian Goldberg, and others too numerous to name, for fascinating discussions over the years, Ron Kikinis, coworkers at Fidelity, Netect (Marc Camm, David Chaloner, Scott Blake, and Paul Blondin), Zero-Knowledge Systems (Austin and Hamnett Hill, Adam Back, Stefan Brands, and the entire Evil Genius team), my partners at Reflective, and the Security Engineering and Community team at Microsoft, especially Eric Bidstrup and Steve Lipner. In addition, everyone who I've written papers with for publication has taught me a lot: Michael J. Freedman, Joan Feigenbaum, Tomas Sander, Bruce Schneier, Ian Goldberg, Austin Hill, Crispin Cowan, and Steve Beattie. Lastly, I would like to thank my co-bloggers at the Emergent Chaos Jazz Combo blog, for regularly surprising me and occasionally even playing in tune, as well as the readers who've commented and challenged us.

Andrew would like to thank Neil Todd and Phil Venables for their help and guidance at the beginning of my career. I would also like to thank Jerry Brady, Rob Webb, Mike Ackerman, George Sherman, and Brent Potter. Please note that my mentioning these people does not mean that they endorse (or even agree with) the ideas in this book.

Finally, we'd both like to acknowledge Jessica Goldstein, who took a chance on the book; Romny French; our copy editor, Gayle Johnson, and our project editor, Anne Goebel.


© Copyright Pearson Education. All rights reserved.

"About this title" may belong to another edition of this title.

Other Popular Editions of the Same Title

9780321814906: The New School of Information Security

Featured Edition

ISBN 10:  0321814908 ISBN 13:  9780321814906
Publisher: Addison-Wesley Professional, 2008
Softcover

Top Search Results from the AbeBooks Marketplace

1.

Shostack, Adam
Published by Addison-Wesley Professional (2008)
ISBN 10: 0321502787 ISBN 13: 9780321502780
New Hardcover Quantity Available: 1
Seller:
Book Deals
(Lewiston, NY, U.S.A.)

Book Description Addison-Wesley Professional, 2008. Hardcover. Condition: BRAND NEW. Seller Inventory # 0321502787_abe_bn

More information about this seller | Contact this seller

Buy New
US$ 37.93
Convert currency

Add to Basket

Shipping: FREE
Within U.S.A.
Destination, rates & speeds

2.

Adam Shostack, Andrew Stewart
Published by Addison-Wesley Professional (2008)
ISBN 10: 0321502787 ISBN 13: 9780321502780
New Hardcover Quantity Available: 1
Seller:
Ergodebooks
(RICHMOND, TX, U.S.A.)

Book Description Addison-Wesley Professional, 2008. Hardcover. Condition: New. 1. Seller Inventory # DADAX0321502787

More information about this seller | Contact this seller

Buy New
US$ 34.97
Convert currency

Add to Basket

Shipping: US$ 2.99
Within U.S.A.
Destination, rates & speeds

3.

Adam Shostack
Published by Addison-Wesley Professional
ISBN 10: 0321502787 ISBN 13: 9780321502780
New Quantity Available: 1
Seller:
GoldBooks
(Denver, CO, U.S.A.)

Book Description Addison-Wesley Professional. Condition: new. Seller Inventory # baby0321502787

More information about this seller | Contact this seller

Buy New
US$ 41.13
Convert currency

Add to Basket

Shipping: FREE
Within U.S.A.
Destination, rates & speeds

4.

Shostack, Adam; Stewart, Andrew
Published by Addison-Wesley Professional (2008)
ISBN 10: 0321502787 ISBN 13: 9780321502780
New Hardcover Quantity Available: 1
Seller:
Irish Booksellers
(Portland, ME, U.S.A.)

Book Description Addison-Wesley Professional, 2008. Condition: New. book. Seller Inventory # M0321502787

More information about this seller | Contact this seller

Buy New
US$ 37.62
Convert currency

Add to Basket

Shipping: US$ 15.00
Within U.S.A.
Destination, rates & speeds

5.

Shostack, Adam; Stewart, Andrew
ISBN 10: 0321502787 ISBN 13: 9780321502780
New Quantity Available: 1
Seller:
BennettBooksLtd
(San Diego, CA, U.S.A.)

Book Description Condition: New. New. Seller Inventory # M-0321502787

More information about this seller | Contact this seller

Buy New
US$ 85.10
Convert currency

Add to Basket

Shipping: US$ 4.95
Within U.S.A.
Destination, rates & speeds