Review: The New School of Information Security


by Adam Shostack and Andrew Stewart. Publisher: Addison-Wesley Professional, March 26, 2008, Pages in Print Edition: 288


Hi everyone and welcome to another post in my favourite blog entry category: Book Reviews. I'm happy to announce that for the first time ever I have actually managed to read a book and write a review of it before its official release (unlike my other reviews, where I often review three-year-old books). I'm talking about Adam Shostack's and Andrew Stewart's new book The New School of Information Security here, which will be released tomorrow.

The New School of Information Security is a weird book. From the title of the book you'd think that this is a book about information security for people who have at least some kind of clue about information security. I mean why would people that do not have a clue about information security read a book about reforming and improving the field of information security? Unfortunately this assumption is wrong.

The first time the red flags went up was on page 6, when the authors define and explain phishing. I'm not talking about some very precise definition of phishing that might be valuable in a well-defined discussion among IT professionals here. I'm talking about a definition of phishing I'd give to my parents or my sister. On the following pages, viruses, worms, and vulnerabilities are given the same treatment. Only spam is considered so well-known that it is introduced without any kind of definition or explanation. On page 6 I still thought the target audience of the book is people who have a clue, so that shocked me quite a bit. I brushed my concerns aside, though, and rationalized that this introductory chapter is a typical example of authors who can't decide what audience to write for (a problem I complain about a lot in my book reviews).

Unfortunately the level of discourse did not improve in the next chapters, and this started to weird me out. I started to wonder why this book reads like a book I'd recommend to my dad (who does not work in IT at all) to get an idea about IT security. While reading chapter 4 it hit me like lightning: I'm reading a book for pointy-haired bosses. I felt bad at this point because it took me more than 3 chapters to realize this. In my defense I want to say that I've never worked with PHBs before, and this is my first (albeit indirect) contact with them outside of Dilbert comics.

Now that I've made this clear let's talk a bit about the content of the book. The book is approximately 240 pages long and divided into 8 chapters. Let me state right away that only 161 pages actually contain real content. Where do the remaining 80 pages go? More on that later. The titles of the 8 chapters are "Observing the World and Asking Why", "The Security Industry", "On Evidence", "The Rise of the Security Breach", "Amateurs study Cryptography : Professionals study Economics", "Spending", "Life in the new School", and "A Call to Action".

The intent of the authors is to show why the current methods of IT security are failing and how to improve the current methods so they do not fail anymore. A laudable goal, and after making sure that even the slowest IT security professional knows what phishing is, the authors present their new idea. What is their new idea? It's quite simple. We need better data and better methods to analyze the data. I'm not kidding here. That's it. I'm quoting straight from page 146:

"That approach is the New School: to identify causes of success or failure and..
