Zen and the Art of Information Security (ISBN 1597491683)

Ideal for naive newcomers to information security:
The book is written for naive computer users with limited prior knowledge of information security. Readers familiar with Ira's previous books (Corporate Espionage and Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day) will probably recognize the style and examples. Ira avoids technical descriptions of information security risks and controls, thereby avoiding the technical jargon common in other infosec books. On the whole, he sticks to non-technical attack methods (such as social engineering) and defenses, with barely a mention of network hacking and malware. The subject matter is essentially the same as Ira's previous books so it could be said that this is another re-hash of those - however, Ira has made a conscious decision to write a more succinct and high-level book to make the topic more accessible to the layman who is less likely to have read the previous books. Given the stated intent to write a short book on such a complex technical subject, the writing is necessarily quite superficial in places, frequently glossing over the realities. Two threads throughout the book are (1) it is necessary to understand security risks and (2) simple security controls are good enough to stop most threats. The Zen in the title appears to refer to martial arts rather than Eastern philosophies, and is used in the context of explaining that there is no need to be a `black belt' information security expert to be effective. There is some merit in the argument, in the same way that basic first aid techniques can help save lives. Personally, however, I wouldn't take the argument so far as to suggest that there is no need for trained professional medics. A few technical inaccuracies caught my eye, some of which I could put down to the book's rather superficial coverage but others appear to be genuine misunderstandings by the author. In several places, the author makes disparaging remarks about script kiddies, fair enough, but he is also dismissive of skilled hackers. I find this attitude troubling since hackers can be worthy adversaries of even the best and most resourceful information security managers. There are far too many incidents to dismiss all hackers out of hand, therefore it would be foolhardy to discount hacking risks. If you have no background in information security, this book makes an interesting introduction to the issues but falls short on useful advice. If you have read the author's previous books, you are unlikely to learn anything new.