Shostack + Friends Blog Archive

 

The Evolution of Information Security

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release it.

The core of the article how to evaluate the investments we make in security, today and at low cost, if only we choose to take advantage of it.

The entire article is available here: The Next Wave: Security Science and I’m happy to be able to make my article available as a separate (high quality) PDF: “The Evolution of Information Security

3 comments on "The Evolution of Information Security"

  • Jim Anderson says:

    Adam, thanks for excellent article. I want to craft a more comprehensive response however I do offer my definition of “enterprise information security” given the ludicrous continued use of CIA as the only identity in infosec: “A well informed sense of assurance that the information risks and controls are in balance.” I think this helps drive down passive risk acceptance and it moves assurance about the proper functioning of controls to center stage. What do you think?

  • Adam says:

    Hi Jim,

    Glad you enjoyed the article! I think that definitions are distracting. If we can measure useful things, definitions will emerge from that.

  • Good article. I like the start with Darwin, I’ve been thinking about his work quite a bit. One of things inspiring about his work is refusal to give in to confirmation bias or accept half-baked explanations. He’s just ruthless like a Mathematician in pursuing loose ends and goes after anything that might be inconsistent with the theory.

    Also find him inspiring because there are so many excuses trotted out as to why we can’t do things scientificzlly, why data-sharing and hypothesis testing are for others, but not for us. The field he approach was a mess when he started, and its amazing what refusal to take half-answers can do.

Comments are closed.