The New School of Information Security,
A. Shostack, and A. Stewart

Upper Saddle River:Addison-Wesley, 2008.
ISBN 978-0-321-50278-0. 19.79(USD) 19.50(USD).

Reviewed by  Richard Austin   May 23, 2008 

It seems that air travel is one of those "unbearable necessities" of modern life with its associated delays and idle times. The two books in this review are excellent candidates for "airplane books" to fill those empty hours and possible learn something along the way.

Many people feel that there is something fundamentally wrong with the way we approach information security and harbor doubts as to whether our current security programs are really optimal in providing maximum benefit for the investments made. This book explores this sense of "wrongness" and suggests a path forward.

At the conclusion of the introduction, the authors summarize the core tenets of the New School in three simple bullets:

  • Learn new approaches from professions such as psychology and economics
  • Share objective data and findings
  • Embrace the scientific method for solving security problems
  • The remainder of the book is devoted to fleshing out the support for why these ideas will make a difference in how we view and practice information security.

    The first chapter is a brief overview of the security situation and covers the usual suspects of SPAM, malware, security breaches and identity theft. They articulate what will become a consistent theme - we need real, empirical data to underpin our decisions and investments when dealing with security problems.

    The second chapter administers a pretty sound drubbing to the security industry but tempers it with the observation that we've really got the security industry we want (the security industry sells what we want to buy). It finishes with the note that the antidote to the world of anecdotes, threat reports and best practices is really objective data to support our decisions.

    The third chapter is appropriately titled "On Evidence" and discusses problems with collecting objective data ranging from the almost universal secrecy surrounding security incidents to the perplexing problem of measuring how many incidents were prevented by security measures (as they point out on p. 44, "success is often silent, invisible or boring").

    Chapter 4 explores the one area where objective data is available - the security breach. Since organizations are increasing required by legal mandates to report both the occurrence and severity of data breaches, the authors suggest that this is the best objective source of information we have on the state of computer security.

    The fifth chapter shifts gears a bit with the provocative title "Amateurs Study Cryptography; Professionals Study Economics". Its main thrust is that information security is in many cases becoming quite insular and narrowly focused on technology. Lessons drawn from fields such as economics (understanding the incentives that influence behavior, concepts such as externalities, etc), and psychology (e.g., how people estimate and respond to perceptions of risk) can offer helpful insights in addressing important components of the information security problem.

    The sixth chapter on "Spending" offers some notable insights such as "Spending is where decisions become concrete" (p. 105) which underlines the point that organizations invest in what they believe to be important. The issue lies in what really underlies that belief (real loss prevention or just "security theater"). Security awareness training comes in for its share of criticism as "security theater" with some excellent observations such as the fact that breaking security policy usually makes things work easier and better (though only temporarily) and that policies are often written in clean, abstract language that seems far removed from the behaviors they should guide.

    Chapter 7, "Life in the New School", summarizes the thrust of the book around the points presented in the introduction and is followed in the final chapter with a "Call to Action" as three points: "Gather Good Data", "Analyze Good Data" and "Seek New Perspectives".

    I do have some quibbles with the book - the authors chose to forego footnotes and references in the interest of not breaking up the presentation but this approach requires the reader to flip back and forth between the text and the 50 pages of end notes to see if there is more detail on particular points.

    The authors also try to resurrect the old hacker/cracker distinction. Your humble correspondent has enough grey hair to remember when hacking was the honorable profession of figuring out how a piece of software (or hardware as far as that goes) worked and then making it do things beyond where it was intended to bravely go but this distinction has been lost in popular culture, and it's time to let it go.

    However, such quibbles aside, this is a worthwhile book that points out that we do need to make changes in the way we do information security. While I'm not sure that it necessarily qualifies as a "new school", the ideas of using empirical data, evaluating approaches through observation and experiment and looking outside our own field for useful concepts are good directions in our search for the way forward.

    It's an accepted truism that security is mostly about risk management and given the number of papers at various security conferences suggesting that we need to more closely align our risk management practices with those in the financial community, it might come as a surprise that those risk management practices might not be quite as much of an exemplar as we thought.

    Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an itinerant university instructor and cybersecurity consultant. He welcomes your thoughts and comments at rda7838 at Kennesaw dot edu