Computing Reviews
Ten laws for security
Diehl E., Springer International Publishing, New York, NY, 2016. 281 pp. Type: Book (978-3-319426-39-6)
Date Reviewed: Jun 19 2017

In contrast to many security texts that focus on interpreting the checklists included in one of the many published security standards (for example, ISO 27002:2005) to assess and improve an organization’s information security program, Ten laws for security approaches security standards through a framework of ten fundamental principles. Depending on the reader’s maturity and professional experience, these laws can be applied in increasingly sophisticated situations and design objectives. For someone with limited applied experience, the author sees these laws as a “first-level sanity check” for security strategy, as well as a filter to identify “snake oil vendors.” For a more sophisticated security professional, however, these rules can also serve as guiding principles for the design and assessment of organizational policy for enterprise-level security systems.

As you might expect, organizationally, the book devotes a chapter to each law. The ten laws are: attackers will always find their way; know the assets to protect; no security through obscurity; trust no one; si vis pacem, para bellum (if you want peace, prepare for war); security is no stronger than its weakest link; you are the weakest link; if you watch the Internet, the Internet is watching you; Quis custodiet ipsos custodes? (Who guards the guardians?); and security is not a product, security is a process.

The principles espoused by these laws are commonly recognized (in fact, one could argue they are security homilies), and this is exactly where the book has the most value. As an example, while it is generally recognized that “security through obscurity” is not an effective strategy, we often don’t consider exactly what is meant by that phrase or the overall context in which it should be considered. To provide context and meaning, each chapter uses a case study methodology to examine the law and its implications: examples, analysis, takeaway, and summary. In addition, each chapter addresses the gaps between theory and practice in “The Devil Is in the Detail” sections, drawn from the author’s experience, which analyze what were assumed to be clever hacks that often went wrong.

There are three easily identified audiences for this well-organized and thoughtful discussion of security. First, these laws themselves serve to identify the key issues that could be used as a foundation for the design of an information security audit. Second, an information security team could use these laws to establish a common vision for the goals of an information security program within an organization. Finally, through its use of cases, practical analysis, takeaways, and a detailed bibliography, this book could easily be adopted as a textbook for an upper-division or graduate class in information security management and policy.

Overall, the book is well written, and the conversational style used by the author engages the reader in more of a discussion than a tutorial on security standards. Moreover, the book recognizes that managing information security is nuanced and ever changing; as such, the author explains that “security is relative, not absolute,” and that to be effective the application of the laws must be tempered with judgment, practical experience, and technical knowledge. Finally, since managing security is never “done,” the author’s website provides a number of additional online resources to keep the discussion begun in the book current and ongoing.

Reviewer: W. T. Neumann. Review #: CR145358 (1708-0532)

Classification: Security and Protection (K.6.5); Security and Protection (C.2.0 ...); General (C.2.0); Security and Protection (D.4.6)
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®