Essential Cybersecurity Science: Build, Test, and Evaluate Secure Systems


Book written by Josiah Dykstra

Book review by Matt Georgy

Review

Essential Cybersecurity Science is a timeless guide for all students and practitioners to improve everyday cybersecurity tasks by applying the scientific method. Written by an author with academic and hands-on credentials, the book is less of a textbook and more of a handbook. The first few chapters provide background, tools, and techniques for experimentation large and small. The next nine chapters dive deeply into different domains, from software assurance to DFIR, to show how science can be applied. A hidden gem is the appendix on recognizing marketing hype and bad claims. The author convinces us that science and experimentation are essential for everyone building expertise in the field, not just academics and career researchers. While The Cybersecurity Canon includes The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, an applied and comprehensive guide to the science of cybersecurity fills a noteworthy gap.

All of us in cybersecurity want to do our jobs as well as possible, and to help people be as secure as possible. One thing that is overlooked and underappreciated is the role of the scientific method in everyday cybersecurity. Essential Cybersecurity Science is a handbook for practitioners and students, not career researchers. It explores how small experiments, done well, can help evaluate and improve the practice of cybersecurity.

Practitioners sometimes view science and experimentation as disconnected from reality. Dykstra says otherwise: “Unfortunately, science has a reputation for being stuffy and cold, and something that only people in white lab coats are excited about. As a cybersecurity practitioner, think of science as a way to explore your curiosity, an opportunity to discover something unexpected, and a tool to improve your work.” There is a tremendous need for more people in cybersecurity to tackle real problems: how to evaluate which next-gen firewall to buy, which crypto algorithm should be used to protect the new widget, and whether training is successful in lowering phishing susceptibility. The text doesn’t feel or read like a textbook, and most people won’t have full courses devoted to research methods. This is all the more reason why I can’t imagine any student or professional not having it as an essential resource.

The first three chapters provide a foundation. Not surprisingly, most of us haven’t thought about doing science since elementary school. It’s not part of our job description. These chapters remind us about the basic scientific method and why it matters to everyday cybersecurity. Chapters 2 and 3 give easy-to-apply, hands-on advice for designing and running experiments, including a “checklist” so you don’t overlook key steps. Anyone in cybersecurity can understand and execute these steps.

Chapters 4 through 12 focus on specific domains of cybersecurity. For example, one is about intrusion detection and incident response. These chapters describe examples and techniques for applying science to those specific domains. Dykstra also introduces new concepts in these chapters, like false positives and false negatives. Each chapter includes a real case study and excellent additional resources.

A hidden gem is the appendix on recognizing marketing hype and bad claims. I’ve never seen this anywhere else, and showing science done wrong complements the rest of the book on doing it well. Product and service vendors are a huge part of the cybersecurity ecosystem, so it’s useful to learn how to recognize false claims and manipulative visualizations. It includes a list of pre-written questions that you can use the next time you visit an expo floor or talk with the sales team at a vendor.

Science clearly stands the test of time, and the book will be relevant for many years to come. While the examples may eventually become outdated or stale, the core content remains highly relevant. Cybersecurity professionals who lack the insights of this book stand at a distinct disadvantage and may even produce suboptimal cybersecurity outcomes.

Essential Cybersecurity Science is a required text for cyber operations majors at the U.S. Naval Academy during their mandatory capstone projects [1]. No matter their topic, every student learns the fundamentals of cybersecurity science to be more successful. The school has recognized that this is a necessary skill for cybersecurity professionals and leaders.

Dykstra is perhaps ideally suited to write this book. With a PhD in computer science, he has conducted and published dozens of peer-reviewed research studies. He also worked for nearly a decade doing cybersecurity research for the government. Better yet, he has worked as a hands-on practitioner doing penetration testing, digital forensics, and malware analysis. That background in both theory and practice makes this book relevant and applicable.

Conclusion

I am neither a scientist nor a researcher, but as an experienced senior leader I have come to believe that my staff and others across our field must bring more rigor to the discipline of cybersecurity, whatever their role. It applies to all environments and work roles and is digestible and applicable no matter how much schooling you’ve had. This can be your guide. Like other Hall of Fame winners such as Zero Trust Networks and Site Reliability Engineering, this book is a compelling nudge to think critically about improving cybersecurity. The only other book in the Canon covering the science of security is The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, but that is a history of secrets. This book, on the other hand, is an applied and comprehensive guide to the science of cybersecurity that fills a noteworthy gap. This book certainly deserves to be in the Cybersecurity Canon’s Hall of Fame.

References

[1] U.S. Naval Academy Cyber Science Department, Capstone Projects: https://www.usna.edu/CyberDept/Capstone_Projects/index.php
