"Information Security Management", Gurpreet Dhillon, 2001,
%A Gurpreet Dhillon
%C 1331 E. Chocolate Ave., Hershey PA 17033-1117
%I Idea Group Publishing
%O U$69.95 800-345-4332 fax: 717-533-8661 cust@...
%P 184 p.
%T "Information Security Management: Global Challenges in the New
This is a collection of essays by different authors. The preface,
however, states that the intention was to bring together diverse views
and yet to "build an argument." What the argument, or central thesis,
of the work is, has not been stated.
Chapter one is supposed to set forth the new challenges to information
security, but ends up telling us, at great length, that "the times
they are a-changin." (Extracting further information from the
academic-speak is not made any easier by the many grammatical oddities
and awkward constructions.) Policy is central to security, and so it
is no surprise to see it as the topic of chapter two. What is
astounding is the fact that so much is wrong with this paper that it
is hard to know where to start. Everything seems to be backwards. It
is stated that an audit should be done as the prelude to policy
development, but how can you conduct an audit with no policy to measure
compliance against? Again, the essay says that the procedures in
place will form the policy, whereas it should be the policy that
guides development of procedures. A simplistic discussion of ethics
makes up chapter three. There really isn't any analysis: after a few
facile presentations of both sides of a variety of issues the author
just asserts that X is or is not moral. Chapter four is supposed to
argue that ethical policies build trust and trust promotes e-commerce,
but instead actually just lists a number of random security topics. A
look at "cyber terrorism," in chapter five, seems to consist only of
listing Web sites for known terrorist organizations. Prescription
fraud is never rigorously defined, so it is hard to say whether the
technical measures proposed in chapter six are relevant or not.
Chapter seven tells us (surprise, surprise) that disaster recovery
planning is often done inadequately, or left undone. A discussion of
development models, in chapter eight, seems to be so abstract that it
is of no digital use. Internet and e-business security touches on
some miscellaneous subjects in chapter nine. The author obviously
thinks Compliance Monitoring for Anomaly Detection (CMAD, with some
kind of trademark symbol appended to it) is vitally important, but
chapter ten's explanation seems to just describe another type of
statistical change measurement. Chapter eleven vaguely discusses some
of the security issues involved with the use of agent or mobile
software. The final chapter lists some "motherhood" security
One of the interesting, and disturbing, aspects of the book is that
each paper is accompanied by a bibliography of sources, but almost
none of the standard security reference works in the various fields
addressed are cited. How can you discuss, for example, computer
ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?
Compilation works tend to be hard to pin down, and to vary in quality
and usefulness. This work has a remarkable consistency, in that the
items included are all vague, uninteresting to the professional, and
unhelpful to the practitioner.
copyright Robert M. Slade, 2002 BKINSCMN.RVW 20020628