Search Advanced SearchView Cart   Checkout   
 Location:  Home » Automotive Books » Encryption » The New School of Information Security  
In Association With...
Site Navigation
Home
Discussion Forums
Categories
Tools / Car Care / Parts
Automotive Books
Camaro Books
Corvette Books
Mustang Books
Mopar Books
Related Categories
• Encryption
Security & Encryption
Web Development
Computers & Internet
Subjects
• Privacy
Business & Culture
Computers & Internet
Subjects
Books
• Network Security
Networking
Computers & Internet
Subjects
Books
• Internet
Home Computing
Computers & Internet
Subjects
Books
• Security+
Exams
Certification Central
Computers & Internet
Subjects
• E-commerce
Industries & Professions
Business & Investing
Subjects
Books
• Computer Science
New & Used Textbooks
Custom Stores
Specialty Stores
Books
• Computers & Internet: General
General
Archive
Custom Stores
Specialty Stores
• Business & Investing: Industries & Professions: E-commerce: General
General
Archive
Custom Stores
Specialty Stores
• Qualifying Textbooks
Custom Stores
Specialty Stores
Books
• Hardcover
Binding (binding)
Refinements
Books
• Printed Books
Format (feature_browse-bin)
Refinements
Books
Subcategories
Internet & Education
Online Searching
Web Browsers
Web for Kids
Internet Marketing
Online Banking
Online Trading
Algorithms
Artificial Intelligence
Computer Science
Database Storage & Design
Graphics & Visualization
Networking
Object-Oriented Software Design
Operating Systems
Programming Languages
Software Design & Engineering
All Titles
Arts & Photography
Biographies & Memoirs
Business & Investing
Children's Books
Computers & Internet
Cooking, Food & Wine
Engineering
Entertainment
Gay & Lesbian
Home & Garden
Literature & Fiction
Medicine
Nonfiction
Outdoors & Nature
Parenting & Families
Professional
Reference
Religion & Spirituality
Science
Teens
Travel

The New School of Information Security

The New School of Information Security

zoom enlarge 		Authors: Adam Shostack, Andrew Stewart
Publisher: Addison-Wesley Professional
Category: Book

List Price: $29.99
Buy New: $18.19
You Save: $11.80 (39%)



New (31) from $18.19

Avg. Customer Rating: 4.5 out of 5 stars 8 reviews
Sales Rank: 41825

Media: Hardcover
Edition: 1
Number Of Items: 1
Pages: 288
Shipping Weight (lbs): 1.3
Dimensions (in): 9 x 6.1 x 1.3

ISBN: 0321502787
Dewey Decimal Number: 658.478
EAN: 9780321502780
ASIN: 0321502787

Publication Date: April 5, 2008
Availability: Usually ships in 1-2 business days
Condition: All orders ship same business day via standard shipping (USPS Media Mail) if received by 1 PM CST.
Also Available In:

  • Kindle Edition - New School of Information Security, The
Accessories:

  • Geekonomics: The Real Cost of Insecure Software
  • Software Security Engineering: A Guide for Project Managers (The SEI Series in Software Engineering)
  • The dotCrime Manifesto: How to Stop Internet Crime
Similar Items:

  • Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Security Engineering: A Guide to Building Dependable Distributed Systems
  • Security Data Visualization: Graphical Techniques for Network Analysis
  • Geekonomics: The Real Cost of Insecure Software
  • Crimeware: Understanding New Attacks and Defenses (Symantec Press)
Editorial Reviews:

Product Description
<>“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”

--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making
    Why the security data you have doesn’t support effective decision-making--and what to do about it
  • Beyond security “silos”: getting the job done together
    Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve
  • Amateurs study cryptography; professionals study economics
    What IT security leaders can and must learn from other scientific fields
  • A bigger bang for every buck
    How to re-allocate your scarce resources where they’ll do the most good


Customer Reviews:   Read 3 more reviews...

5 out of 5 stars It is High Time for the New School   July 2, 2008
 2 out of 2 found this review helpful

The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well grounded arguments Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.

Chapter 1 begins with a quick look at some prominent problems in the information security landscape today. By looking at spam, malware, identity theft, and computer breaches the authors provide a rough sketch of the current infosec landscape. Given the apparent failure of current approaches to security in the face of these threats the authors rhetorically pose the question of simply starting over and building a new approach from scratch before providing the opening sketch of their New School. The authors advocate the need for a new approach to computer security, the New School. The New School is described as quantifiable, "putting our ideas and beliefs through tests designed to draw out their flaws and limitations." This concept of metrics and empiricism is a common thread throughout the book.

Chapter 2 describes the "scene," or the state of the computer security industry today. By applying some elementary game theory the authors sketch out some of the dilemmas facing information security today. Then they delve into some of the historic origins of modern computer security. They point out that much of the computer security "conventional wisdom" has grown out of the military's needs for computer security and how that foundation isn't necessarily the best. They also explore the influence of hackers and crackers on the evolution of the industry. Finally they explore the relationship of capitalism and money to the field, including the driving factors of making money and how these have shaped the development of security today. The authors point out that while many good things have come from these various influences, they have also produced some unfortunate side effects that don't necessarily have to be taken for granted. The chapter goes on to examine the economy of the security industry, including the idea of "best practices" (which the authors very roundly decry) as well as turnkey solutions. The authors also point out the difficulty in measuring security products given the lack of objective test data produced in the sector. The chapter concludes with the though that "without proper use of objective data to test our ideas, we can't tell if we are mistaken or misguided in our judgement." They provide further evidence that the industry as a whole isn't often guided by any sort of quantifiable data (thus removing the 'science' from computer science) and that all too often "conventional wisdom" is misguided and sometimes blatantly wrong because it lacks a solid empirical foundation.

Chapter 3 looks at some of the underpinnings of gathering solid scientific evidence with which to test the ideas of the New School. Without good evidence, they point out, it is nearly impossible to make accurate decisions. The authors point out the problems with much of the evidence used to support common claims in computer security, including surveys, and show the bias present in much of the survey data used to justify security decision making. The chapter goes on to lament the lack of an objective trade press in the industry and then delves into the vulnerability discovery lifecycle that drives much of computer security. The authors examine how vulnerabilities are discovered, how vendors often ignore flaws in their products in their rush to market, and the fact that there are sometimes problems with using vulnerability reports as solid metrics for security. The chapter then goes on to examine how data about security can be collected, either by hobbyists or individuals. Ultimately, the authors lament the fact that much of the data collected about security isn't shared with the community and thus it becomes nearly impossible to make better decisions. The lack of objective, available data makes it extremely difficult for us to draw reliable conclusions based on trends or quantify the current state of security.

Chapter 4 looks at security breaches and specifically argues for the benefits of breach notification as one of the best ways to produce quantifiable metrics in security. The authors point out that breach notification rarely has long term consequences to a companies stock price or customer loyalty and the benefit of breach data would be invaluable to researchers. The authors argue that breach notification is a key component to the outlook of the New School. In joining the New School organizations have to learn "to focus on observation and objective measurement." They argue that only by doing so can we move information security from an art to a science. They say that while "it is true that computer security consists of a fog of moving parts...complex problems do get solved. Investigators bring a broad set of analytic techniques ranging from explanatory psychology...to complex economic models." At this point in the book the authors begin to introduce another key component of the New School, that is the need for integration of other fields of study into computer security. The authors argue that by utilizing approaches and theories developed in the fields of psychology, economics, sociology, and other academic areas our understanding of information security can be broadened and greatly enhanced. They always come back to ideas of empiricism, however, stating that "the core aspect of scientific research - the ability to gather objective data against which to test hypotheses - has been largely missing from information security." The authors emphasize that not only does data need to be collected, it must also be shared in order to aid in our understanding of the data.

Chapter 5 begins to draw upon outside fields of academia to enhance the New School. This chapter begins by introducing several economic models and explaining how they influence information security. While economic approaches to security are nothing new (risk mitigation, calculations of value and exposure equaling risk, etc.) the New School argues that "because computers are inevitably employed within a larger world, information security as a discipline must embrace lessons from a far wider field." The authors argue that economic models don't only have to be applied at a macro level to computer security, but can also be applied to more compartmentalized security problems (such as getting users to select good passwords). They also examine the success potential of certain security products based on economic analysis. The chapter goes on to discuss how lessons from psychology can be incorporated into our security decision making and to help us understand computer security more fully. Finally the chapter draws on lessons from sociology and shows how they too can inform our understanding of security.

Chapter 6 focuses on spending. The chapter is devoted to examining how organizations spend their money on information security and why. Like the earlier chapters, this one applies the New School approach to attempt to analyze spending habits and challenges many of the foundational logic that supports common security spending plans. The chapter draws on lessons from economics and psychology to examine the patterns of spending and suggests some ways in which we can improve our spending on security. Ultimately the authors argue that we understand the factors that should influence spending and focus our efforts on the most quantifiably effective expenditures of money.

Chapter 7, or Life in the New School, discusses many of the challenges facing the New School. These range from the lack of quality data to the dearth of a standardized security vocabulary. This chapter mainly points out the challenges that lie ahead and the many ways that a new approach can help overcome them.

Chapter 8 is a blanket call to join the New School along with instructions for how to begin. The authors argue that New School proponents should collect good data, analyze that data and seek new perspectives. They point out that the New School draws from a diverse body of academic knowledge and advocates synthesizing work from other academic area into the New School approach. Ultimately the New School challenges us to change how we think about information security. Not only should we question the "conventional wisdom" we take for granted, but we should also seek out new hypothesis and ways to test them in order to expand our understanding of computer security as a whole.

The book is an easy read and make quite an impression. Shostack and Stewart lead the charge towards a more empirical approach to computer security. The field has matured enough that we should begin treating it seriously, and in order to do so we need to be able to speak authoritatively about issues. The voodoo of conventional wisdom is no longer good enough when making recommendations as experts. We need to be able to point to solid evidence to justify security strategies and implementations. We also need to be able to look at quantifiable data when evaluating new products and tools. Ultimately I see the field moving in this direction and I give kudos to Shostack and Steward for issuing this clarion call to an industry that will hopefully take their message to heart.


5 out of 5 stars Kicking Down Institutional Walls   June 16, 2008
 3 out of 3 found this review helpful

By: Jeffrey W. Bennett, ISP, Author of: ISP Certification-The Industrial Security Professional Exam Manual and Under the Lontar Palm

This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis; to provide sound argument toward a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.

While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.

Aside from evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breech data exists, but the holders are reluctant to share. However, the authors do a good job of proving that companies who publically admitted failure recovered quickly from any scandal or fallout from information or data breeches.

The authors know down the traditional walls of security training institutions. They preach good solid evidence behind decision making; otherwise security managers can not effectively determine whether or not the lack of threat is a result of new security measures or just plain luck.

The book is easy to read implement in all areas of security. The physical security, loss prevention, DoD contractor, and many others in and out of the security profession can adapt the principles to their business units.





4 out of 5 stars Recommended reading for information security practitioners   June 14, 2008
 5 out of 5 found this review helpful

As an information security professional, I enjoyed reading this book. The authors present a somewhat compelling case for a scientific approach to information security that emphasizes decision making based on empirical evidence, public disclosure of breach data as a means of gathering that evidence, and the application of methods and concepts from other disciplines such as economics, psychology, and sociology to information security problems.

In the first part of the book, the authors attempt to make the case that information security as a discipline is failing. High profile examples of various forms of computer crime, spam, phishing, malware, data breaches, and identity theft are cited as evidence. While the material makes for interesting reading, it falls somewhat short of making a convincing argument that the bad guys are winning the war on all fronts. I would have liked to see more solid evidence that the current approaches are not working. Has anti-virus technology truly failed to stem the tide of malware? Are there any statistics on that? What about anti-spam measures? Surely, not everything that the security industry has been up to until now has been a waste of time?

The current state of the security industry is examined next. Some criticism of the security industry is certainly warranted. The proliferation of questionable products which are more marketing hype than substance is a phenomenon that has parallels in other domains as well. One need only look at the world of high-end audio, where ridiculously expensive snake-oil products are sold to eager buyers who convince themselves that they can hear the difference in sound quality that these products purportedly afford them. However, this observation does not justify the wholesale rejection of all security products on the market and the security practices they facilitate. Just as technology alone cannot solve most real-world security problems, neither can most security failures be blamed on technology alone.

Several potential sources of empirical data are evaluated in the third and fourth chapter. Surveys are largely dismissed as flawed. The value of data from trade publications is questioned due to issues of timeliness and relevance to individual organizations. Software vulnerability data is given a little more respect, although the challenge to drawing meaningful conclusions from it remains largely unsolved. Instrumentation on the Internet in the form of honeypots and other security sensors is described as a promising source of evidence. In a similar vein, breach data locked up within the confines of individual organizations would constitute a veritable goldmine if shared freely, and this is expanded upon in the following chapter. The authors conclude with the observation that while objective evidence is very difficult to come by, the search for it must become the central focus for the "new school".

The fifth chapter is an interesting illustration of the explanatory power that a multi-disciplinary approach can bring to the problems of information security. Economic theory is used to elucidate the reasons for the proliferation of insecure software, the resistance to adoption of many security technologies and the failure to stop spam. Concepts from psychology are applied to the problems of patching software vulnerabilities and the management of security risks. The sociological problem of gender bias and lack of ethnic diversity within the computer security community is explored in terms of its exclusionary effect on new insights and fresh ways of thinking about information security.

Information security spending is analyzed in chapter six. Several emerging business drivers, such as creating customer trust and the benefits of security capabilities on IT operations efficiency, are described and may be of interest to readers faced with the challenge of selling security within their own organizations. Traditional approaches to security spending are discussed and sometimes rightfully criticized. An interesting recommendation is made: based on a study by Gordon and Loeb at the University of Maryland, the optimal amount to spend on the protection of an asset is 37% of the expected loss. Psychological factors influencing spending decisions are examined. The cost-effectiveness of employee security awareness and training is questioned, as is the return on investment from the development of a comprehensive security policy framework. This chapter is likely to be the most controversial one in the eyes of many security practitioners who are not technologists.

If I have been somewhat skeptical of the early parts of the book, I wholeheartedly agree with the overall message in the final two chapters. It is certainly worthwhile to explore new directions in information security, and a scientific, multi-disciplinary approach holds much promise for the future. The "new school" mind-set can only be a positive influence on the industry and I would not hesitate to recommend this book to anyone in the information security profession.



4 out of 5 stars New School better than Old School   May 28, 2008
 4 out of 4 found this review helpful

I think Adam and Andrew did some good work on the book. I just finished The New School of Information Security the other day. I was happy to recognize the names of a couple of the reviewers, and I could picture them making some of the comments when a 'reviewer' was referred to in the text. I think the book will be an eye-opener for a lot of folks in the professional world. I think I am somewhat lucky in the fact that most systems administrators and security people I know already think in the "New School". I think this is perhaps due to the fact most of us are in Academia.

Also, I liked the style of End Notes. This is the first book in a very long time that I have actually read through the end notes instead of just referring back to them at some other point. Also, the lack of in-text citation really did help the book flow smoothly.

Although not all this information may be new to everyone, I think a lot of people could benefit from this book. If anything, it will provide those in the industry with the view of how we in academia tend to view things. The book was written in a very easy to read manner and flowed rather well. I don't think anyone would have a problem chewing through this book in 3 or 4 days given the time, and those 3 or 4 days are completely worth it.



5 out of 5 stars A Must-Read Book on a Proper IT Outlook   May 14, 2008
 10 out of 10 found this review helpful

The New School's thesis is straightforward: publish data and use that data to approach IT security questions with a more scientific mindset, utilizing other academic disciplines such as economics and psychology to aid in solving problems.

The book would be a great primer for an MBA course on IT systems and organizational behavior. I suspect that so much of what causes secrecy around breaches in business organizations are the overblown fears of MBAs of customers fleeing. Shostack and Stewart do a good job calming those fears, and showing how disclosure really helps all parties move toward better security.

The book is a quick read, and it's more of a philosophical treatise than a how-to manual. For that reason I think it would be beneficial for anyone in IT or an organization's management to read it, as the book speaks to both parties.

I should disclose that I've known Adam Shostack for years, I do not know Andrew Stewart.

Powered by Associate-O-Matic