Is 2010 the year of the plagiarized security book?

Posted by Ben Rothke

In mid-August, I received a copy of The Security Policy Cookbook: A Guide for IT and Security Professionals.  As someone who has seen his fair share of information security policies and is on the Information Security Policy Expert Panel, my initial thought was that this is not an original work.  

Before I even got to the content, the author notes his acceptance into the Marquis Who’s Who in his bio.  I wrote in What's What with the Who's Who? that Marquis, like most who’s who firms, accepts nearly everyone who applies, including serial killers.  Most of the who’s who organizations are in it for the money, with zero concern for the so-called honorees.  Security professionals looking to advance themselves will find no value in having their names in a who's who, and could in fact be showing their naiveté by promoting their inclusion. 

In the book, various policies are detailed, yet they lack a sense of cohesiveness.  It is as if the policies were simply thrown together in a haphazard manner, which is indeed evident in this book.  It is not that the text of the policies is ineffective; rather, the cut-and-paste approach, which the author both used and advocates, is a surefire way to ensure that information security policies won’t work.  Policy creation is just one part of an effective security policy project, and focusing strictly on the text of the policies is simply inadequate. 

Of the book's 32 chapters, 20 were direct copies from the State of Texas Department of Information Resources (DIR) Guidelines, Checklists & Templates.  This book seems to follow the same course of action that How To Become The World's No. 1 Hacker took: copy the content without attribution.  For a complete list of the chapters and sources, see the listing at Attrition.

The DIR wants their templates to be used for the greater good, but with attribution.  According to their Link Policy, “they shall not misinform users about the origin or ownership of DIR content. Certain information on DIR may be trademarked, service-marked, or otherwise protected as intellectual property. Protected intellectual property must be used in accordance with state and federal laws and must reflect the proper ownership of the intellectual property”. 

The Security Policy Cookbook is proof that we live in an era where content is effortless to obtain.  Googling information security policy with filetype:pdf results in over 17,000 hits.  That is a lot of content to freely use.  The corollary is that those who try to claim such content as their own will just as easily be found. 

Many people write books for the fame.  Yet that fame turns into infamy when it is discovered that the author is a plagiarist. 

The Security Policy Cookbook and, like it, How To Become The World's No. 1 Hacker were both self-published, and therefore lack the editorial scrutiny that is to be expected from an established publishing house. 

Richard O’Hanley, Publisher at CRC Press in the IT, Business & Security Group, notes that he has seen plagiarism as a steadily escalating problem. So much so, that they frequently run manuscripts through a plagiarism checker. O’Hanley said “it seems that just as people expect web content to be free, they expect to be able to use it freely as well, without concern for rights and attribution. The ease with which people can cut-and-paste from multiple sources only exacerbates the problem”.

For those that want to write books on security, there is plenty of opportunity and numerous publishing houses that desperately want good content.  Of course, such an approach takes time and effort.  But the industry does reward such efforts.

Attempting to bypass those practices via plagiarism, especially in an industry where ethics and trust are paramount, ultimately begs the question: what was he thinking?

Ben Rothke

Senior Information Security Manager, Tapad


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
