Security De-Engineering: Solving the Problems in Information Risk Management, 1st Edition (Paperback) book cover

Security De-Engineering

Solving the Problems in Information Risk Management, 1st Edition

By Ian Tibble

Auerbach Publications

332 pages

Purchasing Options:$ = USD
Paperback: 9781439868348
pub: 2011-12-13
SAVE ~$16.79
Hardback: 9781138440388
pub: 2017-07-27
SAVE ~$41.00

FREE Standard Shipping!


As hacker organizations surpass drug cartels in terms of revenue generation, it is clear that the good guys are doing something wrong in information security. Providing a simple foundational remedy for our security ills, Security De-Engineering: Solving the Problems in Information Risk Management is a definitive guide to the current problems impacting corporate information risk management. It explains what the problems are, how and why they have manifested, and outlines powerful solutions.

Ian Tibble delves into more than a decade of experience working with close to 100 different Fortune 500s and multinationals to explain how a gradual erosion of skills has placed corporate information assets on a disastrous collision course with automated malware attacks and manual intrusions. Presenting a complete journal of hacking feats and how corporate networks can be compromised, the book covers the most critical aspects of corporate risk information risk management.

  • Outlines six detrimental security changes that have occurred in the past decade
  • Examines automated vulnerability scanners and rationalizes the differences between their perceived and actual value
  • Considers security products—including intrusion detection, security incident event management, and identity management

The book provides a rare glimpse at the untold stories of what goes on behind the closed doors of private corporations. It details the tools and products that are used, typical behavioral traits, and the two types of security experts that have existed since the mid-nineties—the hackers and the consultants that came later. Answering some of the most pressing questions about network penetration testing and cloud computing security, this book provides you with the understanding and tools needed to tackle today’s risk management issues as well as those on the horizon.


This is a passionate call to arms to recognise the contribution of engineering to business. In highlighting what the author believes is a diminishing role of qualified engineers, he lights the lighthouse beacon in the hope that business can thereby avoid crashing into the rocks of avoidable incident and financial loss.

—Written by Wendy Goucher, Information security consultant, writing on

Read the full review at:

Table of Contents


Whom Do You Blame?

The Buck Stops at the Top?

Managers and Their Loyal Secretaries

Information Security Spending—Driving Factors in the Wild

Do Top-Level Managers Care About Information Security?

Ignoring the Signs


The Hackers

Hat Colors and Ethics

"Hacker" Defined

Zen and the Art of Remote Assessment

The Hacker through the Looking Glass

Communication, Hyper-Casual Fridays, and "Maturity"

Hacker Cries Wolf

Unmuzzled Hackers and Facebook


Checklists and Standards Evangelists

Platform Security in HELL

CASE Survival Guidelines

CASEs and Network Security

Security Teams and Incident Investigation

Vulnerability/Malware Announcements

This Land Is Our Land

Common CASE Assertions



How Security Changed Post 2000

Migrating South: Osmosis of Analysis Functions to Operations Teams

Rise of Automated Vulnerability Scanner

Rise of Checklist

Incident Response and Management—According to Best Practices

"Best Practices" in Security Service Provision

Tip of the Iceberg—Audit Driven Security Strategy


Automated Vulnerability Scanners

Law of Diminishing Enthusiasm

False Positive Testing Revelations

Great Autoscanning Lottery

Judgment Day

Automation and Web Application Vulnerability Assessment

Web Application Security Source Code Testing


Eternal Yawn: Careers in Information Security

Information Security and Strange Attractors

Specialization in Security

Instant Manager

Technical Track


Penetration Testing—Old and New

Testing Restrictions

Restriction 1: Source IP Address

Restriction 2: Testing IP Address Range(s)

Restriction 3: Exploits Testing

Penetration Testing—The Bigger Picture


Love of Clouds and Incidents—Vain Search for Validation

Love of Incidents

Love of Clouds



Intrusion Detection

Tuning/Initial Costs

Belt and Suspenders?

DoS the NIDS

Hidden Costs

Return on Investment

Network Intrusion Prevention Systems


A Final Note

Other Products

Identity Management

Security Information Event Management Solutions



One Professional Accreditation Program to Bind Them All

C-Levels Do Not Trust Us

Infosec Vocational Classifications

Requirements of an Infosec Manager

Requirements of Security Analyst

Regaining Trust: Theoretical Infosec Accreditation Structure



About the Author

Ian Tibble was an IT specialist with IBM Global Services before entering into the security arena. His experience of more than 11 years in information security allowed him to gain practical risk management expertise from both an architectural IT and a business analysis aspect. His experience in Infosec has been with service providers Trusecure (now Verizon) and PricewaterhouseCoopers, and also with end users in logistics, banking, and insurance. He has been engaged with security service delivery projects with close to 100 Fortune 500 companies and multinational financial institutions in Asia (Indonesia, Singapore, Malaysia, Taiwan, Hong Kong, and Australia) and Europe.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General