Anyone who has spent time in the information security industry knows that while there is good data around, there is much to be desired in terms of empirical and measurable information security data. There’s too much marketing hype, combined with firms who often don’t know how to make sense out of their own data.
In Essential Cybersecurity Science: Build, Test, and Evaluate Secure Systems (O'Reilly Media 978-1491920947), author Dr. Josiah Dykstra has written an excellent book that attempts to rescue information security data from FUD, and bring it to the realm of good, scientific data.
Wikipedia defines the scientific method as a body of techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating previous knowledge. To be termed scientific, a method of inquiry is commonly based on empirical or measurable evidence subject to specific principles of reasoning. Dykstra provides a reference with which information security professionals can start their journey of applying the scientific method to their data.
This title joins other recent valuable books on the topic, such as Measuring and Managing Information Risk: A FAIR Approach by Dr. Jack Freund and Jack Jones, and Data-Driven Security: Analysis, Visualization and Dashboards by Jay Jacobs and Bob Rudis, which focus on empirical data, not the made-up kind.
The book has value for nearly everyone within information security: from the CISO to system administrators, software developers, auditors, forensic investigators and everyone in between. Since data is so pervasive, misusing it has the potential to derail meaningful security discussions.
The book shows the reader how to investigate information security problems and conduct information security experiments using a formal scientific method. As a discipline, the field of cybersecurity science requires real-world knowledge in order to get to the depths of how to effectively design and deploy secure systems.
An important point the book emphasizes in nearly every chapter is the importance of asking good questions. Dykstra notes that formulating a good question may sound easy, but it can often be harder than it sounds.
Anyone who would attempt to apply the scientific method to all of information security at one time would find it a fruitless and impossible endeavor. The book dedicates a number of chapters to specific topics in which to apply the method, including software assurance, intrusion detection and incident response, cryptography and more.
While Dykstra has a PhD, you don’t have to be a scientist to put the ideas in the book into action. He details how to create your own cybersecurity experiments by forming a hypothesis, testing it and analyzing the results, which can be used to validate your data. When done correctly, this is an invaluable approach for creating meaningful security metrics. When those metrics have to be presented to senior management, it’s an indispensable tool with which to defend your findings.
The book has a chapter on visualization, which I found particularly interesting. Visualization and information security go well together, since the field has so much data to work with, in addition to patterns and anomalies that need to be identified. Dykstra identifies a few cautionary areas when dealing with visualization, including important issues such as accommodating those who are color blind, and country-specific color connotations. An interesting example he provides is the use of red, which in China is associated with good luck, while in the US it can symbolize danger.
After spending 150 pages on how to effectively use the scientific method, the book includes an appendix on understanding bad science, scientific claims, and marketing hype. Dykstra writes that understanding this is important, as even data that is created within the context of the scientific method is not necessarily foolproof.
At 166 pages, the book is a great introduction to the topic. What it covers in breadth it lacks in depth, and it’s hoped the author will follow up with a much more detailed and comprehensive book.
Essential Cybersecurity Science lives up to its title and is indeed an essential reference. Those looking to enhance their information security program with defensible data and metrics will certainly find this book a useful reference.