Amateurs Study Cryptography; Professionals Study Economics

by on April 28, 2008 · 15 comments

What a delightful chapter title in Adam Shostack’s and Andrew Stewart’s new book, The New School of Information Security. Adam is a guy I’ve known for a lot of years now – somehow. He always seems to pop up in the places I go – both physically (at conferences and such) – and intellectually. He blogs at Emergent Chaos and maintains a list of his interesting papers and presentations on his personal homepage.

Adam and his co-author have produced a readable, compact tour of the information security field as it stands today – or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.

Shostack and Stewart helpfully review the stable of plagues on computing, communication, and remote commerce: spam, phishing, viruses, identity theft, and such. Likewise, they introduce the cast of characters in the security field, all of whom seem to be feeling along in the dark together.

Why are the lights off? Lack of data, they argue. Most information security decisions are taken in the absence of good information. The authors perceptively describe the substitutes for information, like following trends, clinging to established brands, or chasing after studies produced by or for security vendors.

The authors revel in the breach data that has been made available to them thanks to disclosure laws like California’s SB 1386. A libertarian purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome.

In the most delightful chapter in the book (I’ve used it as the title of this post), Shostack and Stewart go through some of the most interesting problems in information security. Technical problems are what they are. Economics, sociology, psychology, and the like are the disciplines that will actually frame the solutions for information security problems.

In subsequent chapters, Shostack and Stewart examine security spending and advocate for the “New School” approach to security. I would summarize theirs as a call for rigor, which is lacking today. It’s ironic that the world of information lacks for data about its own workings, and thus lacks sound decision-making methods, but there you go.

The book is a little heavy on “New School” talk. If the name doesn’t stick, Shostack and Stewart risk looking like they failed to start a trend. But it’s a trend that must take hold if information security is going to be a sound discipline and industry. I’m better aware for reading The New School of Information Security that info sec is very much in its infancy. The nurturing Shostack and Stewart recommend will help it grow.

  • http://enigmafoundry.wordpress.com/2008/04/12/jerry-brito-getting-upset-at-e_f-comments/ e_f

    The authors revel in the breach data that has been made available to them thanks to disclosure laws like California’s SB 1386. A libertarian purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome.

    That’s hardly a happenstance: the law is doing what it was intended to do. The correct term for that is: Good Design.

  • Jim Harper

    Interesting point, e_f, but what was SB 1386 intended to do, and how well has it achieved that goal? Please point to any evidence you can muster for either question.

  • http://www.emergentchaos.com Adam

    Thanks for the great review Jim!

    To the point being discussed in the comments, my understanding of 1386 (and this is explicit in the preamble of the law) is that it was intended to allow people at risk of identity theft to protect themselves. The transparency it delivers is an unexpected consequence. As I’m sure readers of this blog are aware, designing such a mechanism is quite tricky, and anticipating all of the consequences is even harder.

  • http://modestadventurer.com Traveller_Adventure

    Very very interesting post..I like this one. gotta bookmark this one.

    Cheers,
    Buat Duit Dengan Blog
