Thanks to my travel to USENIX Security this week, I managed to read two great non-technical security books.
Amazon.com just posted my four star review of Managing Cybersecurity Resources. From the review:
Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation decisions by properly defining terms, concepts, and models. The only problem I have with MCR is the reason I subtracted one star: its recommended strategy, cost-benefit analysis, relies upon estimated probabilities of loss and cost savings that are unavailable to practically every security manager. Without these figures, constructing cost-benefit equations as recommended by MCR is impossible in practice. Nevertheless, I still strongly recommend reading this unique and powerful book.
I heavily cite passages in Managing Cybersecurity Resources because the book makes a lot of good points. I call this more of a "book report" instead of a "review" because I recorded thoughts that I want to carry into future debates. The book has plenty to say on "security ROI" (hint: it's cost savings / loss avoidance, just like I said earlier).
They also posted my five star review of Security Metrics. From the review:
I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p. 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.
Speaking of USENIX, I managed to speak with my number one wise man, Marcus Ranum. He called my Black Hat posts "too optimistic." Heh. I also managed to speak with my number two wise man, Dan Geer. He was kind enough to sign my copy of Security Metrics (along with author Andy Jaquith and Mike Rothman, who lent us his Sharpie. Nice to meet you, Mike!)