The New School of Information Security 1st Edition



A thorough overview of the computer security industry offers an objective study of threats to companies and how they can change to confront them effectively, outlining specific and emergent threats, the tools used to assess them, how the security industry needs to evolve to meet security problems, how companies can evaluate their own security programs, future trends, and the issues of liability, user education, and more.

Editorial Reviews

About the Author

Adam Shostack is part of Microsoft’s Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques. Before Microsoft, Adam was involved in a number of successful start-ups focused on vulnerability scanning, privacy, and program analysis. He helped found the CVE, the International Financial Cryptography Association, and the Privacy Enhancing Technologies workshop. He has been a technical advisor to companies including Counterpane Internet Security and Debix.

Andrew Stewart is a Vice President at a US-based investment bank. His work on information security topics has been published in journals such as Computers & Security and Information Security Bulletin. His homepage is homepage.mac.com/andrew_j_stewart

Product details

  • Publisher: Addison-Wesley Professional
  • Publication date: January 1, 2008
  • Edition: 1st
  • Language: English
  • Print length: 238 pages
  • ISBN-10: 0321502787
  • ISBN-13: 978-0321502780
  • Item Weight: 1.28 pounds
  • Dimensions: 6 x 1 x 9 inches

Customer reviews

3.6 out of 5 stars
27 global ratings

Top reviews from the United States

  • Reviewed in the United States on July 2, 2008
    Format: Hardcover | Verified Purchase
    The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well grounded arguments Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.

    Chapter 1 begins with a quick look at some prominent problems in the information security landscape today. By looking at spam, malware, identity theft, and computer breaches the authors provide a rough sketch of the current infosec landscape. Given the apparent failure of current approaches to security in the face of these threats the authors rhetorically pose the question of simply starting over and building a new approach from scratch before providing the opening sketch of their New School. The authors advocate the need for a new approach to computer security, the New School. The New School is described as quantifiable, "putting our ideas and beliefs through tests designed to draw out their flaws and limitations." This concept of metrics and empiricism is a common thread throughout the book.

    Chapter 2 describes the "scene," or the state of the computer security industry today. By applying some elementary game theory the authors sketch out some of the dilemmas facing information security today. Then they delve into some of the historic origins of modern computer security. They point out that much of the computer security "conventional wisdom" has grown out of the military's needs for computer security and how that foundation isn't necessarily the best. They also explore the influence of hackers and crackers on the evolution of the industry. Finally they explore the relationship of capitalism and money to the field, including the driving factors of making money and how these have shaped the development of security today. The authors point out that while many good things have come from these various influences, they have also produced some unfortunate side effects that don't necessarily have to be taken for granted. The chapter goes on to examine the economy of the security industry, including the idea of "best practices" (which the authors very roundly decry) as well as turnkey solutions. The authors also point out the difficulty in measuring security products given the lack of objective test data produced in the sector. The chapter concludes with the thought that "without proper use of objective data to test our ideas, we can't tell if we are mistaken or misguided in our judgement." They provide further evidence that the industry as a whole isn't often guided by any sort of quantifiable data (thus removing the 'science' from computer science) and that all too often "conventional wisdom" is misguided and sometimes blatantly wrong because it lacks a solid empirical foundation.

    Chapter 3 looks at some of the underpinnings of gathering solid scientific evidence with which to test the ideas of the New School. Without good evidence, they point out, it is nearly impossible to make accurate decisions. The authors point out the problems with much of the evidence used to support common claims in computer security, including surveys, and show the bias present in much of the survey data used to justify security decision making. The chapter goes on to lament the lack of an objective trade press in the industry and then delves into the vulnerability discovery lifecycle that drives much of computer security. The authors examine how vulnerabilities are discovered, how vendors often ignore flaws in their products in their rush to market, and the fact that there are sometimes problems with using vulnerability reports as solid metrics for security. The chapter then goes on to examine how data about security can be collected, either by hobbyists or individuals. Ultimately, the authors lament the fact that much of the data collected about security isn't shared with the community and thus it becomes nearly impossible to make better decisions. The lack of objective, available data makes it extremely difficult for us to draw reliable conclusions based on trends or quantify the current state of security.

    Chapter 4 looks at security breaches and specifically argues for the benefits of breach notification as one of the best ways to produce quantifiable metrics in security. The authors point out that breach notification rarely has long term consequences to a company's stock price or customer loyalty and the benefit of breach data would be invaluable to researchers. The authors argue that breach notification is a key component to the outlook of the New School. In joining the New School organizations have to learn "to focus on observation and objective measurement." They argue that only by doing so can we move information security from an art to a science. They say that while "it is true that computer security consists of a fog of moving parts...complex problems do get solved. Investigators bring a broad set of analytic techniques ranging from explanatory psychology...to complex economic models." At this point in the book the authors begin to introduce another key component of the New School, that is the need for integration of other fields of study into computer security. The authors argue that by utilizing approaches and theories developed in the fields of psychology, economics, sociology, and other academic areas our understanding of information security can be broadened and greatly enhanced. They always come back to ideas of empiricism, however, stating that "the core aspect of scientific research - the ability to gather objective data against which to test hypotheses - has been largely missing from information security." The authors emphasize that not only does data need to be collected, it must also be shared in order to aid in our understanding of the data.

    Chapter 5 begins to draw upon outside fields of academia to enhance the New School. This chapter begins by introducing several economic models and explaining how they influence information security. While economic approaches to security are nothing new (risk mitigation, calculations of value and exposure equaling risk, etc.) the New School argues that "because computers are inevitably employed within a larger world, information security as a discipline must embrace lessons from a far wider field." The authors argue that economic models don't only have to be applied at a macro level to computer security, but can also be applied to more compartmentalized security problems (such as getting users to select good passwords). They also examine the success potential of certain security products based on economic analysis. The chapter goes on to discuss how lessons from psychology can be incorporated into our security decision making and to help us understand computer security more fully. Finally the chapter draws on lessons from sociology and shows how they too can inform our understanding of security.

    Chapter 6 focuses on spending. The chapter is devoted to examining how organizations spend their money on information security and why. Like the earlier chapters, this one applies the New School approach to attempt to analyze spending habits and challenges much of the foundational logic that supports common security spending plans. The chapter draws on lessons from economics and psychology to examine the patterns of spending and suggests some ways in which we can improve our spending on security. Ultimately the authors argue that we should understand the factors that influence spending and focus our efforts on the most quantifiably effective expenditures of money.

    Chapter 7, or Life in the New School, discusses many of the challenges facing the New School. These range from the lack of quality data to the dearth of a standardized security vocabulary. This chapter mainly points out the challenges that lie ahead and the many ways that a new approach can help overcome them.

    Chapter 8 is a blanket call to join the New School along with instructions for how to begin. The authors argue that New School proponents should collect good data, analyze that data and seek new perspectives. They point out that the New School draws from a diverse body of academic knowledge and advocates synthesizing work from other academic areas into the New School approach. Ultimately the New School challenges us to change how we think about information security. Not only should we question the "conventional wisdom" we take for granted, but we should also seek out new hypotheses and ways to test them in order to expand our understanding of computer security as a whole.

    The book is an easy read and makes quite an impression. Shostack and Stewart lead the charge towards a more empirical approach to computer security. The field has matured enough that we should begin treating it seriously, and in order to do so we need to be able to speak authoritatively about issues. The voodoo of conventional wisdom is no longer good enough when making recommendations as experts. We need to be able to point to solid evidence to justify security strategies and implementations. We also need to be able to look at quantifiable data when evaluating new products and tools. Ultimately I see the field moving in this direction and I give kudos to Shostack and Stewart for issuing this clarion call to an industry that will hopefully take their message to heart.
    15 people found this helpful
  • Reviewed in the United States on April 6, 2009
    Format: Hardcover | Verified Purchase
    While much of it may read as a primer to an information security professional, there were some very interesting nuggets that could be found throughout this book, such as:

    * "How people are motivated to behave can be as important as, or often more important than, how the system is designed to behave." The impact emotions have on making the right decisions when it comes to evaluating risk. An example of this is the observation that the number of car accidents far exceeds the number of terrorist attacks, yet the latter garners a disproportionately larger amount of spending.
    * Some interesting anecdotes on Risk Compensation, such as a study that shows that anti-lock brakes have done little to reduce the number of car accidents because people tend to drive more recklessly, assuming ABS will protect them. Conversely, in cities where safety measures such as crosswalks and speed bumps have been removed, the number of accidents has actually decreased, since people are forced to drive more carefully.
    * Comments on how users don't appreciate the impact their infected PC has on the world. They could be unsuspectingly feeding a botnet that is attacking their own power grid.

    Chapter 1: Observing the World and Asking Why
    An introduction to the need for good information security (with some good crime examples and statistics), the different types of attack, and the growing threat.

    Chapter 2: The Security Industry
    Discusses the "prisoner's dilemma" and mild game theory. Also some interesting thoughts on our perception of a threat and the actual threat, and some of the psychological motivators behind how security is sold.

    Chapter 3: On Evidence
    The challenge of gathering objective data from evidence, surveys and statistics, and how the trade press may skew the facts depending on the business situation.

    Chapter 4: The Rise of the Security Breach
    Companies are very reluctant to admit mistakes (or breaches) but are being forced to more and more for the sake of public welfare, thanks in large part to California Senate Bill 1386 leading the way.

    Chapter 5: Amateurs Study Cryptography, Professionals Study Economics
    Can't professionals also study cryptography? Discusses the cost and poor application implementation and low adoption rate, how typical users personally deal with information security, and the pros and cons of DRM.

    Chapter 6: Spending
    The various factors that go into how companies determine how much to spend on security, including fiscal and psychological ones, and the emerging reasons to spend on information security.

    Chapter 7: Life in the New School
    Training users does not help users behave more securely, perhaps due to the psychology of risk compensation. This chapter also makes some points about the need to disclose and share information security for the benefit of everyone.

    Chapter 8: A Call to Action
    A review of the previous seven chapters, which are recommendations to approach information security in a new way, with a fresh perspective, and to make it your goal to help society by sharing and teaching what you know.

    There are also fifty pages of end notes and a 15-page bibliography, so there are plenty of items for your continued research. The book seems well researched and inspired by someone who really cares about the subject. There was some slight bias in the book also, unfortunately, such as the claim that fee-based security organizations are cliques and elitist. But overall, I thought it was a well-paced and informative book, and it should be picked up by seasoned security professionals and those just entering the field.
    One person found this helpful
  • Reviewed in the United States on February 26, 2013
    Format: Paperback | Verified Purchase
    Was hoping for some amazing insights from this book, but instead it just confirmed my thinking was in line with the authors'. Maybe I'm not typical of the target readership, maybe things have advanced since 2008. It would be a good read for execs who are constantly butting against the "old school". Recommended if you are still performing checklist security or continuing to throw products at the problem under the auspices of "defence in depth".
    One person found this helpful

Top reviews from other countries

  • InfoSecMatt
    1.0 out of 5 stars Intellectually idle
    Reviewed in the United Kingdom on January 8, 2009
    Format: Hardcover | Verified Purchase
    This is a very frustrating book. The authors go on about academic rigour and then simply fail to deliver. They criticise current security practices, but then fail to say what should be done to change them.

    Here are a couple of quotes "Opportunities to better understand security by learning from sociology have barely been explored." Then the chapter ends! Surely if you are going to try and create a 'New School' you need to lay out how your new ideas work?

    "A second problem is that security policies are typically written in a very clean, simple language that speaks about high-level, theoretical ideas such as "threats" and "risks"."

    Well - if you are going to have a pop at current practices then you badly need to provide an example of what you are proposing to use in its place.

    In summary, this book reads like a poor undergraduate essay. I cannot recommend it.