Network World

New kids advance 'New School'

The New School of Information Security
Security Strategies Alert by M. E. Kabay, Network World, 09/09/2008

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


Do you ever get tired of hearing the same old regurgitated pap about security from the same old bald, graying old-timers (hmmm, I’d better be careful here)?

Two exciting young talents (well, young from my perspective), Adam Shostack and Andrew Stewart, have published an interesting and challenging manifesto urging information-assurance practitioners to break out of conventional thinking. They argue (and I concur) that we have to use the insights of other disciplines in formulating and implementing our security policies to cope with computer-related crime.

The New School of Information Security is an engagingly written, concise book that's suitable not only for security practitioners but also for non-technical executives and for students. It’s already being used in a course at Carnegie Mellon University and I’m considering it for a course of my own.

Like Bruce Schneier and Ross Anderson, the authors argue strongly for economic analysis of security issues as a fundamentally sound approach to resolving practical questions. The authors discuss the dreadful state of trustworthy, testable information about computer crimes.

They support the view of many practitioners that we cannot depend on quantitative risk management in the absence of reliable data. The problem of ascertainment is that we know from historical observations that some computer security breaches are not discovered until long after they occur, leading to the obvious but unanswered question of how many breaches are never discovered at all. The problem of reporting is that we also know that many discovered breaches are not reported – but again, we don't know what proportions are involved.

Surveys, the authors explain, suffer from well-known weaknesses. Not only are the measurement instruments themselves often flawed (with biased questions and zero attempt to achieve internal validation of the results) but the sampling is non-random. We never know to what extent the people responding are a representative sample of the population to which we apply the findings of the survey. Another problem with surveys is that many are sponsored by commercial organizations and they generally do not release the raw data for independent analysis. The authors strongly argue for such release in future surveys.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

Comments (1)

New School Book
By Anonymous on September 11, 2008, 1:26 pm
I am currently on my second run-through of this book; highly recommended. I rarely read a book twice.
