
Scrappy Information Security:
The Easy Way to Keep the CyberWolves at Bay
Author: Michael Seese
ISBN: 978-1-600005-132-6
Publisher: Happy About (2009)
194 pages
Price: ~US$18 from Amazon
Scope and intended audience
The book is promoted as a guide to information security essentials for “everyone” (meaning, it seems, ordinary IT users, not IT professionals) in plain English. I take that to mean a basic, entry-level and largely non-technical book about the protection of information in all its forms, accessible and of interest to the general population. [Read on to find out what it actually delivers.]
Breadth and depth of coverage
The book covers a decent range of commonplace physical, technical and administrative issues around IT security and to some extent the wider aspects of information security (the 6 pages on social engineering, for example, are worthwhile). However, organizations tend to have rather more information security concerns and controls than home IT users (lots of legal, regulatory and standards compliance issues, for instance, and a raft of security policies and procedures), not all of which are mentioned or well covered.
On a notional ‘depth scale’ ranging from 0% (barely skims the surface) to 100% (PhD material), the content is about 25% with a few higher peaks in certain areas and a few lows. Identity theft, for instance, which is surely a topical and important subject for non-technical Internet users to understand, merits just over one page of coverage - 371 words according to the author. Bridges and routers get the preceding four pages. This is quite inconsistent with the needs of the stated audience.
Chapter 5 is out of place. It offers basic advice not to “everyone” but to those responsible for information security awareness or training activities. It’s as if the author wrote some notes for himself to guide his research and writing, and then threw them into the book to pad out a few pages.
Writing style and readability
The style is chatty and informal throughout. The author has included a number of rather obscure references to American culture in an attempt at humor but, not being American, I find that most fall completely flat on me. I guess it’s just a taste thing. [I suspect even the word “scrappy” means something different to the author and publisher than it does to me: where I come from, scrappy implies messy, shoddy and generally low quality - frankly, you could drop the first letter for most usage.]
The insets marked “What it Means” use analogies that are presumably intended to illustrate or explain the surrounding points. Most are obscure and, despite understanding the context, some are stretched so far as to leave me perplexed. What drunk-driving has to do with host hardening I still have no idea.
My main beef, though, is with the disproportionate amount of “technobabble” in the book. It’s even identified as such. After the author’s and reviewers’ notes pushing this as a non-technical guide, I was surprised to find it covering TCP/IP headers, packet spoofing and so forth in the technical security section: why ordinary users would be expected to know or be interested in such details puzzles me. The physical security section talks about security controls appropriate to a corporate IT facility: it seems rather unlikely that most home users would seriously consider fire suppression and CCTV coverage (other than webcams perhaps, which are not mentioned), let alone access cards - in other words, the content of the book appears to be aimed at office workers, not home users after all. I guess IT people might appreciate the notes on host hardening and DMZs, but the depth, breadth and quality of coverage in such technical matters is way below what would be needed to harden hosts or design/install/manage DMZs.
Quality and integrity
In terms of fitness for purpose, Scrappy Information Security falls wide of the mark. It simply does not fulfill the promise of being a plain English guide to information security for everyone. The printing quality is adequate and I am pleased to see the footnotes with hyperlinks (mostly) to the reference sources.
In relation to its completeness and accuracy, there are some minor but annoying technical errors and, more importantly, significant omissions. Of the classic CIA triad at the core of information security, integrity and availability issues are barely mentioned, while privacy and some other confidentiality concerns (such as industrial espionage) are just skimmed. Security aspects of desktop/home software development such as securing spreadsheets and software testing are not mentioned. The only advice I noticed about backups consists of less than a page, for some obscure reason inserted into the section on phishing. “Patchy IT security” would have been a more accurate title.
Conclusion
Despite the glowing endorsements by some well-known industry figures in the preface and marketing blurb, I wouldn’t recommend this book to its intended audience: there is too much inappropriate and unnecessary technical content. I also wouldn’t recommend it for IT or information security professionals: it is far too superficial. I’m afraid it’s hard to think who else might benefit from the book: Generation Y teens, maybe, or are we up to Generation Z now? All in all, it’s a disappointing purchase. I seriously wonder whether the endorsers read the same book as me.