Cyber Security Policy Guidebook, a Wiley publication, April 2012.
Lead of five authors.
This book is a taxonomy and thesaurus of current cybersecurity policy issues, including a thorough description of each issue and a corresponding list of pros and cons with respect to identified stances on each issue. It documents policy alternatives for the sake of clarity with respect to policy alone, and dives into organizational implementation issues. Without using technical jargon, the book emphasizes the importance of critical and analytical thinking when making policy decisions. It also equips the reader with descriptions of the impact of specific policy choices, both positive and negative.
Measuring Systems Security, December 2011.
PhD Thesis in System Security Metrics.
System security metrics have evolved side by side with the advent of cyber security tools and techniques. They have been derived from the techniques rather than specified as system requirements. This dissertation surveys the evolution and state of the practice of system security metrics from both a technical and historical perspective. The survey leads to the conclusion that currently accepted methodology for measuring system security has no empirical basis. This research provides new criterion with which to evaluate security metrics, and proposes a new methodology for security theory attribute construction (“STAC”). The STAC framework has been applied to case studies in Cloud Computing and Mobile Communications. Specific research in a variety of system security topics is recommended to reinforce these results, and provide theoretical foundation for more effective tools and techniques for systems security engineering.
CyberForensics, a Springer publication, September 2010.
Editor of book and author of introductory chapter.
Through real-life case studies the chapters introduce the reader to the field of cybersecurity, starting with corporate investigation, and progressing to analyze the issues in more detail. Taking us from accounting cyberforensics to unraveling the complexities of malware, the contributors explain the tools and techniques they use in a manner that allows us to map their methodology into a more generic understanding of what a cybersecurity investigation really is. Above all, Cyberforensics shows that there is a cohesive set of concepts that binds cybersecurity investigators to a shared vision. These core ideas are now gaining importance as a body of knowledge that cyberforensics professionals agree should be a prerequisite to the professional practice of information security.
Enterprise Security for the Executive:
Setting the Tone at the Top
a Praeger publication, December 2009.
This book describes the state of today's cyber security management practices and provides a recommended approach for any executive who is motivated to create and support an information security function.
The approach is requirements-driven and illustrated through a series of true security horror stories.
It emphasizes executive tone at the top and consensus on strategy to drive change across the enterprise.
Enterprise Information Security and Privacy, an Artech House publication, March 2009.
Co-editor of book and author of chapter on Information Classification.
This is a collection of articles on Information Security and Privacy issues relevant to large enterprises.
Stepping Through the InfoSec Program,
an Information Systems Audit and Control Association (ISACA) publication, November 2007.
This is a textbook designed to provide Information Security Managers and other IT Professionals an introduction to the profession and how Information Security is accomplished within organizations.
Stepping Through the IS Audit, Second Edition,
an Information Systems Audit and Control Association (ISACA) publication, December 2004.
This book is targeted at Information Systems Professionals undergoing an IT Audit. It describes what to expect and how to prepare for the experience.
First Edition was published in 1998.