Enjoy fast, free delivery, exclusive deals, and award-winning movies & TV shows with Prime
Try Prime and start saving today with fast, free delivery

Kindle
$31.46

Available instantly

Audiobook
$0.00
with membership trial

Paperback
$35.76 - $35.98

$35.98 with 20 percent savings

List Price: $44.99

FREE Returns

FREE delivery Friday, May 17. Order within 20 hrs 20 mins

Select delivery location

In Stock

$$35.98 () Includes selected options. Includes initial monthly payment and selected options. Details

Ships from

Amazon.com

Ships from

Amazon.com

Sold by

Amazon.com

Sold by

Amazon.com

Returns

30-day easy returns

Returns

30-day easy returns

This item can be returned in its original condition for a full refund or replacement within 30 days of receipt.

Read full return policy

Payment

Secure transaction

Payment

Secure transaction

We work hard to protect your security and privacy. Our payment security system encrypts your information during transmission. We don’t share your credit card details with third-party sellers, and we don’t sell your information to others. Learn more

Details

Add a gift receipt for easy returns

Other sellers on Amazon

New & Used (32) from $35.76 & FREE Shipping

Follow the authors

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us 1st Edition

by Eugene Spafford (Author), Leigh Metcalf (Author), Josiah Dykstra (Author)

4.6 35 ratings

See all formats and editions

{"desktop_buybox_group_1":[{"displayPrice":"$35.98","priceAmount":35.98,"currencySymbol":"$","integerValue":"35","decimalSeparator":".","fractionalValue":"98","symbolPosition":"left","hasSpace":false,"showFractionalPartIfEmpty":true,"offerListingId":"1n0cPRea%2BmCtp%2F6VhqIfduHmHSrLn3a8hsE6COwynMW45l8aO%2FkCyV5rWERW2jnAVfrcdGlyBtwC4ivcrOxMrhes9q3CENrS3GK03paHjc4pWHttjVsMb%2FAQZMagtsnAtM7joNKRsFGpq71vbOWWxQ%3D%3D","locale":"en-US","buyingOptionType":"NEW","aapiBuyingOptionIndex":0}]}

Purchase options and add-ons

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn't the user the weakest link?

In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you'll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.
Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren't "best practices" best?
Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader.
Get a high-level exposure to why statistics and figures may mislead as well as enlighten.
Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them.

"You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won't regret it."
--From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Frequently bought together

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us

$35.98

Get it as soon as Friday, May 17

In Stock

Ships from and sold by Amazon.com.

+

Cybersecurity First Principles: A Reboot of Strategy and Tactics

$20.99

Get it as soon as Friday, May 17

In Stock

Ships from and sold by Amazon.com.

+

Project Zero Trust: A Story about a Strategy for Aligning Security and the Business

$24.83

Get it as soon as Friday, May 17

In Stock

Ships from and sold by Amazon.com.

Total price:

To see our price, add these items to your cart.

Try again!

Details

Added to Cart

Choose items to buy together.

Rick Howard
66
Paperback
1 offer from $20.99
Scott J. Shapiro
280
Hardcover
72 offers from $6.54
Bruce Schneier
376
Hardcover
61 offers from $10.00
Joe Shelley
81
Paperback
13 offers from $39.35
Rick C. Worley
94
Paperback
1 offer from $23.72
Mike Chapple
70
Paperback
43 offers from $54.15

From the Publisher

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Chapters are interspersed with original hand-drawn illustrations that offer a lighthearted view of various myths to entertain as much as they explain.


Security must fit a myriad of users and situations.	The magic of five 9’s is also an illusion in cybersecurity.	A lock icon does not necessarily mean there is no risk.

Editorial Reviews

Review

"Many security leaders are traditionally in charge of correcting misconceptions just as much as they are in charge of building up solid security practices. We have plenty of resources on practices--but this book is the crucial guide to that essential myth busting."
--Phil Venables, CISO, Google Cloud

"I'm writing this on my phone, over Wi-Fi, in an airplane on my way to Black Hat, one of the world's largest security conferences. The fact that I'm able to do this at all shows how much we've really learned about cybersecurity over the decades. Now it's all collected in one place for everyone to share. Thank the wise authors, and most importantly: GET OFF THEIR LAWN."
--Wendy Nather, Head of Advisory CISOs, Cisco

"This book is astounding. A true tour de force--which I have never said about any other book. Inverting the viewpoint is a stroke of genius. This is going to be on my grabbable-at-any-time shelf. What I learned, recalled, and was refreshed on with technically astute agnosticism cannot be measured; just appreciated as a profound historical compilation of security practice and theory. Bravo!"
--Winn Schwartaul, Founder and Chief Visionary Officer, The Security Awareness Company

"I am happy to endorse the central idea of this book--that cybersecurity is rife with myths that are themselves part of the problem. The brain wants to understand, the world grows ever more complicated, and the sum of the two is myth-making. As the authors say, even if some understanding is true at some time, with enough change what was true becomes a myth soon enough. As such, an acquired immunity to myths is a valuable skill for the cybersecurity practitioner if no other. The paramount goal of all security engineering is No Silent Failure, but myths perpetuate if not create silent failure. Why? Because a state of security is the absence of unmitigable surprise and you cannot mitigate what you don't know is going on. Myths blind us to reality. Ignorance of them is not bliss. This book is a vaccine."
--Dan Geer, CISO, In-Q-Tel

"This is a fun read for all levels. I like their rapid fire delivery and the general light they cast on so many diverse myths. This book will change the cybersecurity industry for the better."
--Michael Sikorski, Author of Practical Malware Analysis & CTO, Unit 42 at Palo Alto Networks

About the Author

Eugene H. Spafford, PhD, is a professor in Computer Science at Purdue University. In his 35-year career, Spaf has been honored with every major award in cybersecurity. Leigh Metcalf, PhD, is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute's cybersecurity-focused CERT® division. Josiah Dykstra, PhD, is a cybersecurity practitioner, researcher, author, and speaker. He is the owner of Designer Security and has worked at the US National Security Agency for 18 years.

Product details

Publisher ‏ : ‎ Addison-Wesley Professional; 1st edition (January 23, 2023)
Language ‏ : ‎ English
Paperback ‏ : ‎ 416 pages
ISBN-10 ‏ : ‎ 0137929234
ISBN-13 ‏ : ‎ 978-0137929238
Item Weight ‏ : ‎ 1.54 pounds
Dimensions ‏ : ‎ 7 x 0.78 x 9 inches

Best Sellers Rank: #107,923 in Books (See Top 100 in Books)
- #9 in Computer Networking (Books)
- #71 in Computer Network Security
- #2,036 in Unknown

Customer Reviews:
4.6 35 ratings

Brief content visible, double tap to read full content.

Full content visible, double tap to read brief content.

Videos

Help others learn more about this product by uploading a video!

Upload your video

About the authors

Follow authors to get new release updates, plus improved recommendations.

Josiah Dykstra
Brief content visible, double tap to read full content.
Full content visible, double tap to read brief content.
Josiah Dykstra is a seasoned cybersecurity practitioner, researcher, author, and speaker. He is a senior leader in the U.S. Department of Defense and the owner of Designer Security, LLC. Dr. Dykstra holds a Ph.D. in computer science and is interested in cybersecurity science, especially where humans intersect with technology. He has studied stress in hacking, action bias in incident response, and the economics of cyber threat intelligence.
Dr. Dykstra is a frequent author and speaker, including Black Hat and RSA Conference. He received the CyberCorps® Scholarship for Service (SFS) fellowship and is one of six people in the SFS Hall of Fame. In 2017, he received the Presidential Early Career Award for Scientists and Engineers (PECASE) from then President Barack Obama. Dr. Dykstra is a Fellow of the American Academy of Forensic Sciences and a Distinguished Member of the Association for Computing Machinery (ACM). He is the author of numerous research papers, the book Essential Cybersecurity Science (O'Reilly Media, 2016), and co-author of Cybersecurity Myths and Misconceptions (Pearson, 2023).
See more on the author's page
Eugene Spafford
Brief content visible, double tap to read full content.
Full content visible, double tap to read brief content.
Eugene H. Spafford is a professor of Computer Sciences at Purdue University. He is also the founder and Executive Director Emeritus of the Center for Education and Research in Information Assurance and Security. He has been working in computing as a student, researcher, consultant, and professor for 44 years. Some of his work is at the foundation of current security practice, including intrusion detection, incident response, firewalls, integrity management, and forensic investigation. His most recent work has been in cyber security policy, forensics, and future threats. He has also been a pioneer in education, including starting and heading the oldest degree-granting cybersecurity program.
Dr. Spafford has been recognized with significant honors from various organizations. These include being elected as a Fellow of the American Academy of Arts and Sciences (AAA&S), and the Association for the Advancement of Science (AAAS); a Life Fellow of the ACM, the IEEE, and the (ISC)2; a Life Distinguished Fellow of the ISSA; and a member of the Cyber Security Hall of Fame — the only person to ever hold all these distinctions. In 2012 he was named one of Purdue's inaugural Morrill Professors — the university's highest award for the combination of scholarship, teaching, and service. In 2016, he received the State of Indiana's highest civilian honor by being named as a Sagamore of the Wabash.
Among many other activities, he is vice-chair of ACM Publications Ethics & Plagiarism Committee, is editor-in-chief of the journal Computers & Security, serves on the Board of Directors of the Computing Research Association, and as a member of the National Security Advisory Board for Sandia Laboratories.
See more on the author's page
Leigh Metcalf
Brief content visible, double tap to read full content.
Full content visible, double tap to read brief content.
Discover more of the author’s books, see similar authors, read author blogs and more
See more on the author's page

Customer reviews

4.6 out of 5

35 global ratings

1 star

0%

How customer reviews and ratings work

Reviews with images

See all photos

Sort reviews by

Top reviews from the United States

There was a problem filtering reviews right now. Please try again later.

Violet Sullivan

Unraveling the Truths of Cybersecurity: A Guide to Myth-Busting and Practical Wisdom

Reviewed in the United States on June 9, 2023

Verified Purchase

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us" is an illuminating masterpiece penned by three cybersecurity pioneers: Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra. This remarkable book unravels the hidden dangers, faulty assumptions, and cognitive biases that plague the field of cybersecurity, providing readers with expert guidance on avoiding and overcoming these common misconceptions.

In a world where cybersecurity is increasingly critical, it is vital to challenge and debunk the myths that hinder progress and compromise security efforts. The authors delve deep into the web of falsehoods that permeate the industry, addressing misconceptions from the frontlines to the boardroom. By presenting real-world examples and drawing from their vast experience, they empower readers to recognize and overcome these myths, ultimately building more secure products, businesses, and practices.

One of the key insights the authors bring forth is the fallacy of considering users as the weakest link in cybersecurity. Through their compelling arguments, they shed light on the complex dynamics involved and the shared responsibility that exists between users, developers, researchers, and leaders. This fresh perspective challenges conventional wisdom and highlights the need for a holistic approach to cybersecurity.

"Cybersecurity Myths and Misconceptions" stands out for its pragmatic and actionable advice. The book not only identifies common misconceptions but also provides practical strategies and recommended mitigations for combating them. From analogies and security tools to the pitfalls of faulty assumptions and misguided "best practices," the authors leave no stone unturned. Each myth is carefully examined, empowering readers to make informed decisions and enhance their cybersecurity defenses.

The authors' ability to bridge the gap between technical concepts and everyday understanding is commendable. They effectively communicate complex ideas, making the book accessible to readers with varying levels of expertise. By weaving in real-life cybersecurity events, the authors make the material engaging, relatable, and thought-provoking.

"Cybersecurity Myths and Misconceptions" is not just a book; it is a guide for navigating the treacherous landscape of cybersecurity. Its comprehensive coverage, insightful analysis, and practical advice make it an essential resource for cybersecurity professionals, leaders, developers, researchers, and even those new to the field. It equips readers with the skills to identify emerging myths, avoid future pitfalls, and contribute to a safer digital world.

Spafford, Metcalf, and Dykstra have come together to create a seminal work that challenges conventional thinking, enhances understanding, and paves the way for a more secure cyber landscape. Whether you are seeking to deepen your knowledge or simply gain a high-level exposure to cybersecurity concepts, "Cybersecurity Myths and Misconceptions" is a must-read.

Prepare to embark on a transformative journey and emerge armed with the knowledge to dismantle the falsehoods that threaten our digital realm.

Helpful

Bill E

Outstanding Read: Well Worth It For Anyone Who Wants to Understand Cybersecurity

Reviewed in the United States on September 15, 2023

Verified Purchase

Terrific book for any director who wants to learn more about constructively overseeing cybersecurity, while providing space & resources for the CISO and team to effectively do their job. In a clear and entertaining way, Spafford, Metcalf, & Dykstra use plain English to demystify technical jargon and prevalent myths. I learned a ton not only about cyber, but also about risk management in general, as well as the range of human biases we all bring to the table. One of my favorite chapters explained confusion matrices, false positives, false negatives, and the danger of a low signal:noise ratio [Chicken Little Risk] in cyber defense. Well worth your time.

Helpful

DennisD

This book summarizes practical knowledge that it took me 50 years to learn firsthand.

Reviewed in the United States on March 24, 2023

Verified Purchase

This book is a gem and I highly recommend it. Cybersecurity is a relatively new field continuously built upon the work of giants like Becky Bace, Bob Courtney, et. al., and the authors respectfully acknowledge that. A few of us had the honor to learn cybersecurity firsthand from them. Spaf and his co-authors have distilled the essence of what is true and worth knowing, and what is false and worth forgetting, and how best to use that knowledge to protect digital assets on a playing field where the goalposts move every day. Efficiency is doing things right. Effectiveness is doing the right things. Cybersecurity is both. The book is an enjoyable read, cites references for further reading, and is appropriate for both novices and experts alike. We each know parts of the story. This book tells much, if not most all of the story.

3 people found this helpful

Helpful

Laura L. B.

Informative and Engaging

Reviewed in the United States on October 21, 2023

Verified Purchase

This book will appeal to both seasoned cyber security experts and those new to the subject. It covers a lot of important security topics, aptly covers several myths, and is written in an engaging and easy-to-read style. I am buying copies for family and friends as holiday gifts.

Helpful

Ben Rothke

Great book for the veteran infosec pro and also for those new to the field

Reviewed in the United States on May 4, 2023

Fear, uncertainty, and doubt (FUD) manifest itself in many ways. It is often used in marketing to spread false information and fear to sell a product. Information technology, in general, and information security specifically, lends itself to significant FUD. This can occur when a company fears missing out on a technology trend due to a Gartner Magic Quadrant or is being sold a bill of goods from a hardware or software provider selling snake oil.

All this FUD can lead to industry myths that often take a life of their own. And dispelling these myths can be a significant endeavor for information security professionals. In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us (Addison-Wesley), authors Drs. Eugene Spafford, Leigh Metcalf, and Josiah Dykstra have written a fascinating book to clarify myth from reality.

While the function of the book is to dispel the myths, it also serves as an excellent introduction to computer security. The authors bring significant experience to every chapter. Dr. Gene Spafford, better known as Spaf, a professor of computer science at Purdue University, is one of the most influential people in computer security. Metcalf is a senior network security research analyst at Carnegie Mellon University, while Dykstra is a Senior Fellow at the National Security Agency.

The book will be like a walk down memory lane for those who have been in information security for a while. Lots of buzzwords and hype from the past are discussed and dispelled. For the information security newbie, it serves as an excellent introductory text.

For those interviewing information security staff at all levels, each of the myths and misconceptions written about can be used as launching questions during a technical interview. Discussing a myth and misconception is a great open-ended question that lends itself to a fruitful interview, where you can truly discern the candidate’s understanding of information security.

Here are three of the more interesting myths and misconceptions I found insightful:

Sharing more cyber threat intel will make things better – It is not about the volume of sharing; it is about better sharing, as threat intelligence takes many forms. Massive information dumps don't help anyone. But sharing specific knowledge to help a defender know which attacker behavior to look for, and the so what if it is discovered – that sharing is invaluable.

Believe and fear every hacking demo you see – there is a misconception that every demonstration or academic finding will result in widespread use.

For example, security researchers dropped a bombshell at Black Hat 2019 that the Boeing Dreamliner is susceptible to hacking. Only one-third of all CVEs are ever seen in live environments, and of those, only 5% have known exploits.

As to dealing with CVEs, this is getting harder. Ben Edwards of the Cyentia Institute said at the RSA conference last week that vulnerabilities are significantly increasing, and it won't be much longer until there are over 1,000 CVEs issued weekly.

There is a shortage of cybersecurity talent – there is a lot of FUD stating that there are millions of available information security jobs. According to some estimates, their numbers would indicate that 1% of the US population is needed to work in information security to ameliorate the shortage.

Much of the so-called shortage is due to firms unwilling to pay market rates for information security professionals. Firms that pay market rates find the lack is not necessarily so terrible.

The authors use a variation of one of Spaf's analogies, that instead of worrying about how to produce more firefighters. Perhaps we should put some effort into reducing the construction of buildings from gasoline-soaked balsa wood. Sage advice, indeed.

Cybersecurity Myths and Misconceptions is a fascinating and engaging read. For the experienced professional, it will validate many things and have you laughing about some of the things from the past. For the not-so-experienced security professional, this will make you smarter and more valuable to your organization. It's a great read from some of the most intelligent people in the industry.

The title may make readers think this is just Snopes in print debunking myths. But it is much more than that. It shows the reader, in explicit detail, what it takes to do this thing called information security. There's a lot of great information here, and I could end this review by saying that it's no myth, but I won't.

One person found this helpful

Helpful

Return this item for free

Follow the authors

Image Unavailable