Addison Wesley, The New School of Information Security, Apr 2008, ISBN 0321502787


The New School of Information Security
by Adam Shostack; Andrew Stewart
Publisher: Addison Wesley Professional
Pub Date: March 24, 2008
Print ISBN-10: 0-321-50278-7
Print ISBN-13: 978-0-321-50278-0
eText ISBN-10: 0-321-56275-5
eText ISBN-13: 978-0-321-56275-3
Pages: 288

Overview

"It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know. I just wish I could have had it when I first started out."
David Mortman, CSO-in-Residence, Echelon One; former CSO, Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography, and why you should, too. And why security breach notices are the best thing to ever happen to information security.

It's about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don't just answer those questions; they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you're a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about, and overcoming, your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making: Why the security data you have doesn't support effective decision-making, and what to do about it

  • Beyond security "silos": getting the job done together: Why it's so hard to improve security in isolation, and how the entire industry can make it happen and evolve

  • Amateurs study cryptography; professionals study economics: What IT security leaders can and must learn from other scientific fields

  • A bigger bang for every buck: How to re-allocate your scarce resources where they'll do the most good

Table of Contents

Copyright
Preface
About the Authors
Chapter 1. Observing the World and Asking Why
  Spam, and Other Problems with Email
  Hostile Code
  Security Breaches
  Identity and the Theft of Identity
  Should We Just Start Over?
  The Need for a New School
Chapter 2. The Security Industry
  Where the Security Industry Comes From
  Orientations and Framing
  What Does the Security Industry Sell?
  How Security Is Sold
  In Conclusion
Chapter 3. On Evidence
  The Trouble with Surveys
  The Trade Press
  Vulnerabilities
  Instrumentation on the Internet
  Organizations and Companies with Data
  In Conclusion
Chapter 4. The Rise of the Security Breach
  How Do Companies Lose Data?
  Disclose Breaches
  Possible Criticisms of Breach Data
  Moving from Art to Science
  Get Involved
  In Conclusion
Chapter 5. Amateurs Study Cryptography; Professionals Study Economics
  The Economics of Information Security
  Psychology
  Sociology
  In Conclusion
Chapter 6. Spending
  Reasons to Spend on Security Today
  Non-Reasons to Spend on Security
  Emerging Reasons to Spend
  How Much Should a Business Spend on Security?
  The Psychology of Spending
  On What to Spend
  In Conclusion
Chapter 7. Life in the New School
  People Are People
  Breach Data Is Not Actuarial Data
  Powerful Externalities
  The Human Computer Interface and Risk Compensation
  The Use and Abuse of Language
  Skills Shortages, Organizational Structure, and Collaboration
  In Conclusion
Chapter 8. A Call to Action
  Join the New School
  Embrace the New School
  Make Money from the New School
  Final Words
Endnotes
  Chapter 1, "Observing the World and Asking Why"
  Chapter 2, "The Security Industry"
  Chapter 3, "On Evidence"
  Chapter 4, "The Rise of the Security Breach"
  Chapter 5, "Amateurs Study Cryptography; Professionals Study Economics"
  Chapter 6, "Spending"
  Chapter 7, "Life in the New School"
  Chapter 8, "A Call to Action"
Bibliography
Index

Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The views and opinions expressed in this book are wholly those of the authors and do not represent those of their employers or their employers' clients or customers.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact: International Sales, international@pearson.com.

Visit us on the Web at informit.com/aw

Library of Congress Cataloging-in-Publication Data:
Shostack, Adam.
The new school of information security / Adam Shostack and Andrew Stewart.
p. cm.
Includes bibliographical references.
ISBN 0-321-50278-7 (hardback : alk. paper)
1. Information technology—Security measures. Computer security. Computer security equipment industry. Business—Data processing—Security measures. I. Stewart, Andrew, 1975- II. Title.
HD30.2.S563 2008
658.4'78—dc22
2007052580

Copyright © 2008 Pearson Education, Inc. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to: Pearson Education, Inc., Rights and Contracts Department, 501 Boylston Street, Suite 900, Boston, MA 02116. Fax: (617) 671 3447.

ISBN-13: 978-0-321-50278-0
Text printed in the United States on recycled paper at RR Donnelly in Crawfordsville, Indiana.
First printing March 2008

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Managing Editor: Gina Kanouse
Project Editor: Anne Goebel
Copy Editor: Gayle Johnson
Indexer: Cheryl Lenser
Publishing Coordinator: Andrea Bledsoe
Cover Designer: Adam Shostack, Andrew Stewart
Composition: Jake McFarland

Dedication

This book is dedicated to our families.

Preface

"I didn't have time to write you a short letter, so I wrote a long one."
—Mark Twain

We've taken the time to write a short book, and hope you find it enjoyable and thought-provoking. We aim to reorient security practitioners and those around them to a New School that has been taking shape within information security. This New School is about looking for evidence and analyzing it with approaches from a wide set of disciplines. We'd like to introduce this approach to a wider audience, so we've tried to write this book in a way that anyone can understand what we have to say.

This isn't a book about firewalls, cryptography, or any particular security technology. Rather, it's about how technology interacts with the broader world. This perspective has already provided powerful insights into where security succeeds and fails. There are many people investing time and effort in this, and they are doing a good deal of interesting research. We make no attempt to survey that research in the academic sense. We do provide a view of the landscape where the research is ongoing. In the same spirit, we sometimes skim past some important complexities because they distract from the main flow of our argument. We don't expect the resolution of any of those will change our argument substantially. We include endnotes to discuss some of these topics, provide references, and offer side commentary that you might enjoy. Following the lead of books such as Engines of Creation and The Ghost Map, we don't include endnote numbers in the text. We find those numbers distracting, and we hope you won't need them.

Some of the topics we discuss in this book are fast-moving. This isn't a book about the news. Books are a poor place for the news, but we hope that after reading The New School, you'll look at the news differently.

Over the course of writing this book, we've probably written three times more words than you hold in your hands. The book started life as Security Decisions, which would have been a book for managers about managing information security. We were inspired by Joan Magretta's lovely little book, What Management Is, which in about 200 pages lays out why people form organizations and hire managers to manage them. But security isn't just about organizations or managers. It's a broad subject that needed a broader book, speaking to a wider range of audiences. As we've experimented with our text, on occasion removing ideas from it, there are a few fascinating books which influenced us and ended up getting no mention—not even in the endnotes. We've tried to include them all in the bibliography.

In the course of writing this book, we talked to a tremendous number of people. This book is better for their advice, and our mentions are to thank them, not to imply that they are to blame for blemishes that might remain. If we've forgotten anyone, we're sorry. Simson Garfinkel and Bruce Schneier both helped with the proposal, without which we'd never have made it here. We'd both like to thank Andy Steingruebl, Jean Camp, Michael Howard, Chris Walsh, Michael Farnum, Steve Lipner, and Cat Okita for detailed commentary on the first-draft text. But for their feedback, the book would be less clear and full of more awkward constructs.

Against the advice of reviewers, we've chosen to use classic examples of problems. One reviewer went so far as to call them "shopworn." There is a small audience for whom that's true, but a larger one might be exposed to these ideas for the first time. We've stuck with the classics because they are classic for a reason: they work. Jon Pincus introduced us to the work of Scott Page. We'd like to apologize to Dan Geer for reasons that are either obvious or irrelevant. Lorrie Cranor provided timely and much appreciated help in the academic literature around security and usability. Justin Mason helped

Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y]

M
magazines, as marketing tactic
malware
marketing tactics of security industry
mathematics, information security and
measurements [See security measurements.]
measuring software security
media (tapes, DVDs), security breaches resulting from
military [See U.S. military.]
Moneyball (Lewis)
monoculture 2nd
Moore, Geoffrey
moral hazard
Morris Worm
Morris, Robert Jr.

N
Nash Equilibrium
negative externalities
net present value (NPV)
network effect
New School of Information Security 2nd 3rd
  actions, changing
  actuarial data, need for
  collaboration in
  externalities, strength of
  human behavior in
  objective data: analysis of; need for; sources of
  orientations, seeking new
  profiting from
  reactions, changing
  risk compensation in
  teaching, changing methods of
  terminology, abuse of
  usability in
Nissenbaum, Helen
noninvestment in security, role in security spending
nonprofit organizations, motivations for security spending
notification laws: cost of; for security breaches
NPV (net present value)

O
objective data [See also evidence.]
  analysis of
  need for 2nd
  risk aversion and
  security breaches as: criticisms of; scientific evaluation of; usage of
  sources of
Observe, Orient, Decide, Act (OODA) concept
Oluwatosin, Olatunji
online crime, ease of
OODA (Observe, Orient, Decide, Act) concept
organizational structure
organizations, security breach polls of
orientations: seeking new; within security industry
outsourcing in principal-agent relationships

P
Pareto Principle
passwords example (human nature in information security)
patches
PCI (Payment Card Industry) standards
personal data storage, risks of
personal information [See identity theft.]
perspectives [See orientations.]
pharming
phishing 2nd
point-of-view [See orientations.]
police [See law enforcement.]
polls [See surveys.]
positive externalities
pretexting
principal-agent relationships
prisoner's dilemma
products: marketing tactics for; sold by security industry
profiting from New School of Information Security
project valuation techniques for security spending
"proof by unclaimed reward," as marketing tactic
protocols, lack of adoption of
proving hypotheses
psychology: information security and; objective data and; of security spending
publicizing security breaches 2nd: cost of; reasons for; types of organizations publicized

Q
questions for security surveys, writing

R
reactions, changing
reporting [See publicizing.]
reputation, damage to
respondents to security surveys
return on investment (ROI)
reverse valence effect
risk aversion: objective data and; security spending and
risk compensation 2nd
rock stars
ROI (return on investment)

S
Sarbanes-Oxley Act (SOX)
SB1386 (security breach notification law)
Schechter, Stuart
scientific evaluation of security breach data
scientific evidence [See evidence.]
screen locking example
seal programs
seat belt example (risk compensation)
secrecy, information sharing versus
Secure Shell (SSH) example (technology adoption cycle)
security breaches [See also identity theft.]
  of CardSystems Solutions 2nd
  cost of, determining
  data on, actuarial data versus
  notification laws concerning
  as objective data: criticisms of; scientific evaluation of; usage of
  publicizing 2nd: cost of; reasons for; types of organizations publicized
  as source of objective data
  types of
security certifications: for businesses; for individuals
security industry: challenges faced by; elements in; marketing tactics of; orientations within; prisoner's dilemma and; products and services sold by
security measurements, difficulty of
security patches
security policies, problems with
security products, purchasing
security spending: cost of, determining; emerging reasons for; non-reasons for; psychology of; reasons for; on security products; what to purchase
security surveys, problems with
sensors on internet, as evidence source
separation of identity
service-level contracts, guaranteed uptime
services sold by security industry
sharing [See information sharing.]
signatures of viruses
skills shortages
skydiving example (risk compensation)
smoking example (risk compensation)
Snow, John
social engineering attacks 2nd
social security numbers (SSNs), problems with
sociology, information security and
software products, role of security spending in
software security, measuring
SOX (Sarbanes-Oxley Act)
spam 2nd
speed of disclosure of security breaches
spending [See security spending.]
SSH (Secure Shell) example (technology adoption cycle)
SSNs (social security numbers), problems with
standards bodies
stock market fraud
Stoll, Clifford
surveys: problems with; about security breaches

T
TCO (total cost of ownership)
teaching, changing methods of
technology adoption, economics of
telecommunications companies, uptime guarantees
terminology, abuse of
testing hypotheses
theft prevention
TJX, security breach affecting
total cost of ownership (TCO)
trade press, stories in
transaction costs
trust creation, role in security spending
TRUSTe seal program
Turkish gangs, bank fraud case

U
U.S. military, influence on security industry
U.S. veterans, security breach affecting
underground hacker community
universities in New School of Information Security
uptime guarantees
usability, security and

V
valence effect
vendors [See IT vendors.]
venture capitalists, role in security industry
veterans, security breach affecting
viruses
vocabulary in security surveys
vulnerabilities, as evidence source
vulnerability scanning

W
"wait and see" approach to security spending
WEIS (Workshop on the Economics of Information Security)
wireless networks example
worms 2nd

Y
Y'nin, Ali (bank fraud case)

Date posted: 26/03/2019, 17:13


Contents

  • The New School of Information Security - Graphically Rich Book

  • Table of Contents

  • Copyright

  • Preface

  • About the Authors

  • Chapter 1. Observing the World and Asking Why

    • Spam, and Other Problems with Email

    • Hostile Code

    • Security Breaches

    • Identity and the Theft of Identity

    • Should We Just Start Over?

    • The Need for a New School

  • Chapter 2. The Security Industry

    • Where the Security Industry Comes From

    • Orientations and Framing

    • What Does the Security Industry Sell?

    • How Security Is Sold

    • In Conclusion

  • Chapter 3. On Evidence

    • The Trouble with Surveys

    • The Trade Press

    • Vulnerabilities

    • Instrumentation on the Internet
