Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.

We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new source of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

— The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven’t read the book yet, since it’s not published yet, but if it’s like the material he posts in his blog, it’s a good thing.

One of his commenters doesn’t get it:

Spam doesn’t represent a threat to an organisation’s information assets – it’s merely an annoyance to the workforce and a drain on IT resources. Statements like this only perpetuate the muddled line of thinking that confuses Information security with IT Security (hint: they’re different!).

Arbitrary lines between job descriptions are part of the problem, especially when people with those different jobs don’t coordinate, as is so often the case. As for spam not being a threat to an organization’s information assets, that’s only so if you define threat in a really narrow manner as for example theft. Spam has caused many people to give up on electronic mail completely, which is a big problem to for example banks that want to be able to communicate with their customers by email. Theft? No. Interference with exchanging information with customers? Yes.

-jsq