Every cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters.
Ross recently pointed out a disappointing result from Edward Snowden’s releases of NSA classified documents: most published analysis has been reportage. No one has done a “deep dive” into the technical aspets of what was released. This would probably still be of technical interest. It astonishes me every day how, despite perceived ongoing radical improvements in technology, things don’t really change that much.
My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:
Denial of service – Pillage – Subversion
Masquerade – Forgery – Disclosure
This is a work in progress as I figure out some conceptual ideas.
The current fight is about whether we will impose a technological infrastructure which will be exceptionally vulnerable to attackers in order to provide nothing more useful than some very, very short-term advantages to people investigating crimes.
Let me say it differently: We put everyone in danger if we weaken cybersecurity. We only help a few detectives in a few investigations.
I don’t want hackers playing with my home thermostats, my car’s computer, my water or electric utility systems, or financial computers. If we make it convenient for police to reach into our computers, we also make it easy for hackers. This threatens peoples lives directly.
One of my hot buttons is to spot “cyber security principles,” that is, general but pointed observations on how to improve cyber security.
A long-held principle is “Keep it Simple, Stupid.” Thanks to Moore’s Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.
This is an extended, less-edited version of an article appearing in IEEE Security and Privacy in December 2012. This version specifically identifies all of the textbooks I reviewed while looking at information security design principles.
I’m a sucker for basic principles distilled into pithy prescriptions.
A freelance writer, Brian Boyko, has distilled the basic features of graphical user interfaces (GUIs) into four principles: Control, Conveyance, Continuity, and Context. He uses them to structure a well-reasoned though shrill critique of Windows 8.
Every cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters.
My 
I’m a sucker for basic principles distilled into pithy prescriptions.