
This is the Safari online edition of the printed book.

“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”

--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making
    Why the security data you have doesn’t support effective decision-making--and what to do about it

  • Beyond security “silos”: getting the job done together
    Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve

  • Amateurs study cryptography; professionals study economics
    What IT security leaders can and must learn from other scientific fields

  • A bigger bang for every buck
    How to re-allocate your scarce resources where they’ll do the most good

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating: 4.5 out of 5, based on 15 ratings

Get to the point already - 2008-10-29
A wise man once said that to give a great presentation, start with a great opening that catches the audience's attention, close with a reminder of the useful tips you have shared, and keep the opening and closing as close to one another as possible.

I think that is what the authors need to work on. I carried this book with me on multiple plane flights and read it and read it again and again and to be honest, I can't follow it. I agree that Security Professionals need to change the way they think about security, I really do. But this just goes on and on and on and never seems to get to the point.

So, three times I opened this book, three times I failed. I confess I may never understand what the New School of Information Security is.

I do have a bit of advice for anyone considering buying this book: go to a bookstore, open it up and read for a bit. I am told the mojo is in chapter 4, but decide for yourself. Pick a chapter, read it, and if you get a takeaway you can use, buy the book.

Highly Recommended for All - 2008-08-22
I really enjoyed this book. Should you buy it and read it? Yes. I think there's no better evidence for your purchase than the fact that many smart people have already provided you with a quality review in which they've nitpicked various pieces and parts while still rating the book a 4 or 5. To me that shows not just enthusiasm for the content, but some level of "ownership" of the information on the part of the reviewers. A desire to take this work and build on it, have some intellectual ownership over it, if you will. That, if you ask me, should be a compelling reason to give this book a read.

It's also worth noting that many of the previous criticisms reflect the desire of the reviewer to have complete information around the subject of information security, information that *nobody* has yet. It's faulting the authors for not writing a book that reveals all of life's great mysteries. For me, it's enough for the authors to point us in a general direction while admitting that there are no easy answers.

Should read if ... - 2008-08-13
Nutshell review - This book should be read if you are in any kind of management position related to information security. It presents some thought-provoking ideas to help you think about information security in a different way from the norm. Does it have all the answers? No. Will it help you think about answers? Yes, I think so.

School of Knowledge - 2009-01-13
It is great to read a security book that is written by people who "Get It", when it comes to sloppy, lazy, "been there & done that" security professionals. How long has the INFOSEC industry been yelling "the sky is falling" with testimony from the Devil himself? This book explains when the security path was established, who wrote the instruction manual and where we stopped paying attention. Our Fortran fathers handed us some awesome tools for building a great tower of knowledge, we lost the instruction book and the tools and are deep into building a doghouse instead of that tower. This book brings light onto the fact that we need to shift focus and regroup.

Adam Shostack and Andrew Stewart step away from the doomsayers and show the reader that it is not too late to get our security troubles under control. Money is not the answer to all the problems we face; we just need to recognize the real issues from the fluff issues. This book should be on every security manager's desk, right next to their stapler and Rubik's Cube.

Good information security primer - 2009-04-06
While much of it may read as a primer to an information security professional, there were some very interesting nuggets that could be found throughout this book, such as:

* "How people are motivated to behave can be as important as, or often more important than, how the system is designed to behave." The impact emotions have on making the right decisions when it comes to evaluating risk. An example of this is the observation that the number of car accidents far exceeds the number of terrorist attacks, yet the latter garners a disproportionately larger amount of spending.
* Some interesting anecdotes on Risk Compensation, such as a study that shows that anti-lock brakes have done little to reduce the number of car accidents because people tend to drive more recklessly, assuming ABS will protect them. Conversely, in cities where safety measures such as crosswalks and speed bumps have been removed, the number of accidents has actually decreased, since people are forced to drive more carefully.
* Comments on how users don't appreciate the impact their infected PC has on the world. They could be unsuspectingly feeding a botnet that is attacking their own power grid.

Chapter 1: Observing the World and Asking Why
An introduction to the need for good information security (with some good crime examples and statistics), the different types of attack, and the growing threat.

Chapter 2: The Security Industry
Discusses the "prisoner's dilemma" and mild game theory. Also some interesting thoughts on our perception of a threat and the actual threat, and some of the psychological motivators behind how security is sold.

Chapter 3: On Evidence
The challenge of gathering objective data from evidence, surveys and statistics, and how the trade press may skew the facts depending on the business situation.

Chapter 4: The Rise of the Security Breach
Companies are very reluctant to admit mistakes (or breaches) but are being forced to more and more for the sake of public welfare, thanks in large part to California Senate Bill 1386 leading the way.

Chapter 5: Amateurs Study Cryptography, Professionals Study Economics
Can't professionals also study cryptography? Discusses the cost and poor application implementation and low adoption rate, how typical users personally deal with information security, and the pros and cons of DRM.

Chapter 6: Spending
The various factors that go into how companies determine how much to spend on security, including fiscal and psychological ones, and the emerging reasons to spend on information security.

Chapter 7: Life in the New School
Training users does not help users behave more securely, perhaps due to the psychology of risk compensation. This chapter also makes some points about the need to disclose and share information security for the benefit of everyone.

Chapter 8: A Call to Action
A review of the previous seven chapters, which are recommendations to approach information security in a new way, with a fresh perspective, and to make it your goal to help society by sharing and teaching what you know.

There are also fifty pages of end notes and a 15-page bibliography, so there are plenty of items for your continued research. The book seems well researched and inspired by someone who really cares about the subject. There was some slight bias in the book also, unfortunately, such as that fee-based security organizations are cliques and elitist. But overall, I thought it was a well-paced and informative book, and it should be picked up by seasoned security professionals and by those just entering the field.


Some information on this page was provided using data from Amazon.com®.


Copyright 2009 Safari Books Online. All rights reserved.