REVIEW: "Principles of Information Security", Michael E. Whitman/Herbert J. Mattord

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jun 30, 2004.

  BKPRINSC.RVW 20040531

    "Principles of Information Security", Michael E. Whitman/Herbert J.
    Mattord, 2003, 0-619-06318-1
    %A Michael E. Whitman
    %A Herbert J. Mattord
    %C 25 Thomson Place, Boston, MA 02210
    %D 2003
    %G 0-619-06318-1
    %I Thomson Learning Inc.
    %O U$67.95/C$93.17
    %P 532 p.
    %T "Principles of Information Security"

    The introduction, in chapter one, seems to be a compilation of
    security views from a variety of sources. While this could be
    interesting for the experienced professional, the lack of structure
    and guidance is likely to confuse the beginning student, the audience
    at which the book is aimed. Each chapter starts with a fictional
    scenario: the stories do very little to add to the understanding of
    the topic. Review questions and exercises at the end of the chapters
    are generally either simplistic or open-ended. Chapter two lists
    various types of threats and attacks: classifications and groupings
    are unclear and are likely to lead students into erroneous assumptions
    about the different exploits. Most of the textual material on legal
    and ethical issues, in chapter three, deals with (primarily old) US
    laws. Actually, a substantial portion of the chapter is given over to
    screenshots of numerous computer-related agencies and organizations.
    Risk management is broken into two chapters, four, which gives a
    pedestrian but not bad overview of analysis and assessment, and five,
    which is another unstructured amalgam of topics, some of which should
    have been covered in four. Chapter six is a wandering discussion of
    policy, spending a lot of space listing the NIST (US National
    Institute of Standards and Technology) guides. Business continuity
    planning, in chapter seven, concentrates on incident response, and has
    an odd mention of the involvement of law enforcement. Chapter eight
    lists network security tools and also has simplistic coverage of
    cryptography, extended with an appendix that gets the mathematics of
    asymmetric encryption mostly right, but the implementation seriously
    wrong. Physical security is dealt with reasonably well in chapter
    nine, although the fire suppression content may be confusing. Generic
    project planning advice is in chapter ten. Chapter eleven's review of
    personnel security lists job titles, security-related certifications,
    and some general principles. Security maintenance, in chapter twelve,
    is limited to patch and change management as well as risk
    reassessment advice that probably should have been included with chapter

    An introductory security text need not contain the depth, or even
    breadth, of a reference for professionals. However, this one could
    use a lot more structure in the presentation of the content, and more
    than a little care with facts and implications.

    copyright Robert M. Slade, 2004 BKPRINSC.RVW 20040531

