Book Review: Against The Gods – The Remarkable Story Of Risk

To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren’t. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.

Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author writes primarily from the perspective of risk to investments made on the stock market, the lessons are of value to security professionals as well. Set against the sophisticated methods financial institutions use to control their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.

Book Review: Understanding UNIX/Linux Programming

I’ve posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.

Book Review: Security Metrics

My Amazon review of Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty, and Doubt has been posted. I wasn’t as enthusiastic about it as many others, and in my review, I explain why. Nevertheless, I found the thorough discussion of security metrics useful enough to give the book three stars. Managers charged with running an effective information security program should check it out.

Book Review: The Psychology of Information Security Awareness

I’ve just posted a review of Timothy P. Layton’s Information Security Awareness: The Psychology Behind the Technology on Amazon. There is a worthwhile premise within, but the book misses the mark by failing to build on it in any meaningful manner. You won’t miss much if you read the “Coles Notes” version of this one.

Book Review: The New School of Information Security

One of the more interesting information security books I have read recently is The New School of Information Security by Adam Shostack and Andrew Stewart. You can read my four-star Amazon review of the book. It is a quick, enjoyable read and definitely recommended.
