Cybersecurity Myths and Misconceptions

“Many security leaders are traditionally in charge of correcting misconceptions just as much as they are in charge of building up solid security practices. We have plenty of resources on practices–but this book is the crucial guide to that essential myth busting.”–Phil Venables, CISO, Google Cloud

“I’m writing this on my phone, over Wi-Fi, in an airplane on my way to Black Hat, one of the world’s largest security conferences. The fact that I’m able to do this at all shows how much we’ve really learned about cybersecurity over the decades. Now it’s all collected in one place for everyone to share. Thank the wise authors, and most importantly: GET OFF THEIR LAWN.”–Wendy Nather, Head of Advisory CISOs, Cisco

“This book is astounding. A true tour de force–which I have never said about any other book. Inverting the viewpoint is a stroke of genius. This is going to be on my grabbable-at-any-time shelf. What I learned, recalled, and was refreshed on with technically astute agnosticism cannot be measured; just appreciated as a profound historical compilation of security practice and theory. Bravo!”–Winn Schwartaul, Founder and Chief Visionary Officer, The Security Awareness Company

“I am happy to endorse the central idea of this book–that cybersecurity is rife with myths that are themselves part of the problem. The brain wants to understand, the world grows ever more complicated, and the sum of the two is myth-making. As the authors say, even if some understanding is true at some time, with enough change what was true becomes a myth soon enough. As such, an acquired immunity to myths is a valuable skill for the cybersecurity practitioner if no other. The paramount goal of all security engineering is No Silent Failure, but myths perpetuate if not create silent failure. Why? Because a state of security is the absence of unmitigable surprise and you cannot mitigate what you don’t know is going on. Myths blind us to reality. Ignorance of them is not bliss. This book is a vaccine.”–Dan Geer, CISO, In-Q-Tel

“This is a fun read for all levels. I like their rapid fire delivery and the general light they cast on so many diverse myths. This book will change the cybersecurity industry for the better.”–Michael Sikorski, Author of Practical Malware Analysis & CTO, Unit 42 at Palo Alto Networks

Eugene H. Spafford, PhD, is a professor in Computer Science at Purdue University. In his 35-year career, Spaf has been honored with every major award in cybersecurity.

Leigh Metcalf, PhD, is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute’s cybersecurity-focused CERT® division.

Josiah Dykstra, PhD, is a cybersecurity practitioner, researcher, author, and speaker. He is the owner of Designer Security and has worked at the US National Security Agency for 18 years.