Hi everyone and welcome to another post in my favourite blog entry category: Book Reviews. I'm happy to announce that for the first time ever I have actually managed to read a book and write a review of it before its official release (unlike my other reviews, where I often review three-year-old books). I'm talking about Adam Shostack's and Andrew Stewart's new book The New School of Information Security, which will be released tomorrow.
The New School of Information Security is a weird book. From the title of the book you'd think that this is a book about information security for people who have at least some kind of clue about information security. I mean why would people that do not have a clue about information security read a book about reforming and improving the field of information security? Unfortunately this assumption is wrong.
The first time the red flags went up was on page 6, when the authors define and explain phishing. I'm not talking about some very precise definition of phishing that might be valuable in a well-defined discussion among IT professionals here. I'm talking about a definition of phishing I'd give to my parents or my sister. On the following pages, viruses, worms, and vulnerabilities are given the same treatment. Only spam is considered so well-known that it is introduced without any kind of definition or explanation. On page 6 I still thought the target audience of the book was people who have a clue, so that shocked me quite a bit. I brushed my concerns aside though and rationalized that this introductory chapter is a typical example of authors who can't decide which audience to write for (a problem I complain about a lot in my book reviews).
Unfortunately the level of discourse did not improve in the next chapters, and this started to weird me out. I started to wonder why this book reads like a book I'd recommend to my dad (who does not work in IT at all) to get an idea about IT security. While reading chapter 4 it hit me like lightning: I'm reading a book for pointy-haired bosses. I felt bad at this point because it took me more than 3 chapters to realize this. In my defense I want to say that I've never worked with PHBs before and this is my first (albeit indirect) contact with them outside of Dilbert comics.
Now that I've made this clear, let's talk a bit about the content of the book. The book is approximately 240 pages long and divided into 8 chapters. Let me state right away that only 161 pages actually contain real content. Where do the remaining 80 pages go? More on that later. The titles of the 8 chapters are "Observing the World and Asking Why", "The Security Industry", "On Evidence", "The Rise of the Security Breach", "Amateurs Study Cryptography: Professionals Study Economics", "Spending", "Life in the New School", and "A Call to Action".
The intent of the authors is to show why the current methods of IT security are failing and how to improve them so they do not fail anymore. A laudable goal, and after making sure that even the slowest IT security professional knows what phishing is, the authors present their new idea. What is their new idea? It's quite simple. We need better data and better methods to analyze the data. I'm not kidding here. That's it. I'm quoting straight from page 146:
"That approach is the New School: to identify causes of success or failure and use that information to improve."
Who would have thought that, eh? OK, admittedly that's not completely it. The authors also explain how to achieve this goal: interdisciplinary cooperation, especially through thinking about IT security problems from an economic point of view. This would actually be pretty interesting. Unfortunately the book falls short in this department too. If you hastily tried to remember a list of economic ideas you learned in your Intro to Economics class during your freshman year a decade ago, you'd be perfectly prepared for the depth of the economic discussion in this book. Prisoner's dilemma, Pareto principle, principal-agent problem, free-rider problem, market for lemons, and so on. It's all there. I only missed the Laffer curve, but that was probably too difficult to add to the topic. Now, a book that seriously links economic theories (freshman year or not) to the IT security industry would be pretty damn awesome (bonus points for a chapter about vulnerability sale/trade). I'd buy it immediately. In The New School the link is very shallow though. It was basically always like "bla bla, think about XYZ. By the way, economists call this the Pareto principle/prisoner's dilemma/..."
One last mystery remains. I mentioned that only roughly 160 of the 240 pages contain real content. Where does the rest go? Some of it is the index and the bibliography, but there are approximately 50 pages in a section called Endnotes. This Endnotes section is one of the most ridiculous things I've ever seen in a book. In fact it's the first time I've ever seen something like this in a book. Let me try to explain it. The Endnotes section is where the authors put their unfinished thoughts. In the 50 pages of the Endnotes section the authors walk through the 160 pages of real content and annotate paragraphs and sentences of it with random things. They do this by repeating their original content in bold text and writing their unfinished thoughts in plain text below it. Here's an example from page 171.
This is an important source of innovation, and many important security products have come from the open-source world.
Obvious examples include SSH, snort, nmap, and OpenBSD.
So instead of writing the "obvious examples" directly into the original content, they repeat the original content in the Endnotes and annotate it there. I do not know who thought this Endnotes section was a good idea. For 50 pages you once more read stuff you already read before, plus some random additional thoughts by the authors. Or you don't read it again and skip the Endnotes section after finding a suitably short part to quote on your blog. Like I did.
Alright, let's finish this review. Only the second Addison-Wesley book ever to disappoint me. Strong buy recommendation if you're a PHB. Stay away otherwise.