Authors: Adam Shostack, Andrew Stewart
Publisher: Addison Wesley Professional (www.informit.com/aw)
Published: March 2008
ISBN-10: 0-321-50278-7
ISBN-13: 978-0-321-50278-0
Format: Hard cover, 288 pages
Price: $29.99
A Different Approach to Information Security
Many books have been written about information security, and many more will be. But sometimes you are fortunate enough to come across a book that presents radically different ways of thinking about the subject. One such book is appropriately titled "The New School of Information Security." Its two authors are Adam Shostack and Andrew Stewart. Shostack is a member of Microsoft's Security Development Lifecycle strategy team, while Stewart is an information security professional who researches and writes about a range of information security topics for different journals. Stewart is also a Vice President at a US-based investment bank. What sets "The New School of Information Security" apart from other security books is the willingness of its authors to look beyond traditional sources of information in order to address the security challenges that all companies and organizations currently face. Shostack and Stewart believe that success can be achieved by "learning from other professions, such as economics and psychology, to unlock the problems that stymie the security field." They suggest that "the way forward cannot be found solely in mathematics or technology."
Shostack and Stewart use the term "New School" to reflect the philosophy that drives their book, namely that the foundation of the "School" is "looking for evidence and analyzing it with approaches from a wide set of disciplines." For instance, in the first chapter of the book, "Observing the World and Asking Why", Shostack and Stewart introduce one of the themes of their book – the use of "economic analysis to increase our understanding of systems and using that understanding to reach better outcomes." This first chapter is available online in PDF format from the Web site of the book's publisher, Addison Wesley Professional (www.informit.com/aw). I suggest that you read this chapter. Doing so will quickly give you a better understanding of what the authors mean by this "new school" of information security, and you will soon discover whether or not you agree with the school's basic premise that "we can make better decisions by learning from other sciences, such as economics." I personally regard the idea of learning more about security from other disciplines as an exciting concept, and one which holds a lot of promise and potential.
Let's now take a look at the sort of material that's covered in the remaining seven chapters of "The New School of Information Security."
The second chapter is interesting because it discusses security from a perspective that most of us don't normally take into account: that of the security industry itself and, most importantly, how security is sold. Unfortunately, the advertising associated with security products and services tends to suggest that there is a "security silver bullet" that can magically solve major security problems quickly and simply through technology. But as Shostack and Stewart point out, such advertising does a "disservice to the security field because it glosses over complex problems and presents the illusion of a reality in which a panacea exists. It makes you believe you can reach nirvana by using a particular service or installing a particular product."
To enable companies and organizations to come up with security solutions that are most appropriate to them, it is essential that any decisions made are based on reliable evidence. In the third and fourth chapters of their book, Shostack and Stewart turn the spotlight on this evidence – why it's important, and most crucially, where to find that evidence (in the form of objective data) and how to analyse that data. They explain that the "search for objective data on information security is at the heart of the philosophy of the New School."
In the next chapter, Shostack and Stewart introduce and discuss the concept of the "economics of information security." In brief, this concept states that "many of today's challenges in information security can be understood using the models and language of microeconomics, such as the theory of incentives, network effects, and liability." What that means, from a practical perspective, is that the "motivations of the various parties who interact with a system are often the most significant factor that influences its security." Or put another way, "how people are motivated to behave can be as important as, or often more important than, how the system is designed to behave."
The sixth chapter tackles the topic of security spending. In it, Shostack and Stewart provide answers to three critical questions. Why spend? How much to spend? And spend the money on what? The message from this chapter is straightforward: "good money should not be thrown after bad." In the second last chapter of the book, the philosophy that drives the "New School" of information security is laid down in more detail by Shostack and Stewart. They define the "New School" as being "neither a product nor a service. It is an approach to the world that embraces the scientific method, new sources of objective data, and new perspectives from diverse fields from which new theories and approaches flow."
The eighth and final chapter is a call to action by the book's authors to change the way that you think about, and attempt to solve, security issues. And one way of doing that is by adopting the "New School" approach. Shostack and Stewart acknowledge that the "risks and unknowns of embracing a new approach can be scary, but here the opportunity costs are slight." They are also quick to re-emphasize that this particular approach does "not mandate the purchase of any particular product or service. All the New School requires is an investment in a way of thinking about problems – to observe the world and ask: why? If time is money, time spent thinking deeply about security challenges can pay large dividends."
Now that we have briefly covered the content of "The New School of Information Security", here are the major benefits that can be derived from reading the book in its entirety:
• Valuable insights into why technology alone cannot solve all the challenges associated with information security.
• How lessons already learnt from the field of economics and other disciplines can potentially be used to come up with solutions for information security problems.
• Advice that can be used now to improve the information security in your company or organization.
• Exposure to both new opportunities and alternative solutions by adopting the "New School" approach when making security decisions.
One of the strengths of this particular book is its high degree of readability. Apart from the attractive writing style itself, readability has also been enhanced by the authors' refusal to include cumbersome endnote numbers within the body of the text. They believe, like me, that those numbers are often distracting and annoying, and can significantly interrupt a reader's flow through the text. But the omission of those numbers does not mean that endnotes themselves have been excluded from the book. In fact, the second last section of "The New School of Information Security" contains an extensive collection of endnotes, around fifty pages in length. This is where readers can find the background information and Web references that support the arguments presented and discussed in each chapter. The book then concludes with an extensive bibliography. Two different types of reader can gain from reading this book. The first group are those IT professionals who work in the security industry itself, while the second group is anyone who is involved in maintaining and improving security within their own company or organization.
In summing up, "The New School of Information Security" does an excellent job of questioning and challenging the conventional wisdom regarding information security that is bandied around today. The value in reading this book is that it has the potential to help companies and organizations make better informed decisions about the different aspects of their information security. And if, after reading this review, you are still of the opinion that information security problems can be solved by just "piling on more and more technology", then I urge you to read this book. It is guaranteed to change the way that you think about information security.