Reading is fundamental and it's one of the few pastimes available to everyone right now that can act as a diversion and bring a little pleasure to daily life. The choices of what to read when it comes to security- and privacy-related books can be overwhelming, with decades of excellent work available, from technical and instructional books to historical accounts, biographies, and fiction. We asked folks in a variety of roles and with a broad range of experiences from across the security community to give us their recommendations, and we've compiled them here for your enjoyment.
Engineering a Safer World, by Nancy Leveson
Usually when asked for a book recommendation, I either go with a book on cognition (like Gary Klein's The Power of Intuition), or with a scifi/fantasy novel (Max Gladstone's Empress of Forever); but today I'm going old-school. Nancy Leveson is the pioneer of the world of complex systems safety, and security in the Internet era is really a subdomain of that. This is a dense book, because it's really a textbook; but its chapters stand alone, and it's required reading for my entire organization, so I give it to y'all as a recommendation. - Andy Ellis, CSO, Akamai
When my friend James Forshaw asked me to write the foreword to his first book, I was floored. Here was one of the most brilliant minds in security telling me that I had played an important enough role in his life, in his career, that I was the only person he could think of to write it. All I had done, in my mind, was beg my smart friend to please look at the new bug bounties I had created at Microsoft - because even though he’d never looked into hacking IE or defeating Windows mitigations before, only .NET framework, I knew James had it in him to find more. And he did. He made history. I got to call him while shivering outside building 27 to tell him that he was the first recipient of Microsoft’s $100,000 bug bounty. The bounty that would launch a thousand more. This book to me represents friendship, and believing in the potential we see in each other, which is far weightier in this world than the sum of the wonderful words on the pages of any book. - Katie Moussouris, CEO, Luta Security
The Masters of Deception: The Gang That Ruled Cyberspace, by Michelle Slatalla and Joshua Quittner
When I was growing up, one of my favorite books about hackers was Masters of Deception about the legendary crew from New York City, MOD, and their feud with the Legion of Doom (LOD). There are many subtle nods to MOD in other popular hacker media such as the classic 1996 movie Hackers, which takes place in NYC. While the book only lightly touches on X.25 hacking techniques, you can always learn a little more in Phrack. Both this book and MOD are important stories in hacker history. - Dino Dai Zovi, head of security, Cash App at Square
How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard & Richard Seiersen
Hubbard and Seiersen break down cybersecurity risk in a way that every cybersecurity person should understand. They take advanced concepts, and discuss them in a way that is relatable and applicable to any organization. One of the elements of the book I find most effective is how it dispels myths related to risk calculations and sample sizes needed to make good risk decisions. — Marcus J. Carey, enterprise architect, ReliaQuest, and co-author of Tribe of Hackers: Cybersecurity Advice From the Best Hackers in the World
This book is a fascinating history of the very gradual process of understanding the weather. The shape of a hurricane is obvious today because of satellites, but was worked out by people writing each other letters containing observations. The existence of weather offices was highly political, and at times defunded for the offense of offering to predict the weather. There's an interesting relationship to cybersecurity, in that it took quite some time to even figure out what was worth observing, and much more time to start to collect, correlate and understand it all. The benefit of all that work wasn't visible at the start. I don't think that we know the shape of a hurricane yet, and our fits and starts at collecting and sharing knowledge might not be capturing the right things, or making it available to the right people. -- Adam Shostack, consultant, and author of Threat Modeling: Designing for Security, co-author of The New School of Information Security
The Code Book, by Simon Singh
Spycraft: The Secret History of the CIA's Spytechs, From Communism to Al-Qaeda, by Robert Wallace, H. Keith Melton, Henry R. Schlesinger
Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross Anderson
I would say a “must read” is The Code Book. This not only gives a history of cryptography but insights into the context of security overall. I recommend my students read Spycraft by Wallace, Melton, and Schlesinger. It isn’t specifically related to cyber, but I tell them to think about the mindset of “No one would ever spend what it would take to break our security” and whether that is a wise position to take. I also can recommend Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time by Sami Saydjari. It is a real tour-de-force on understanding what goes into building a system with security in mind. Second to the Saydjari book (and a bit older) is Security Engineering by Ross Anderson. -- Gene Spafford, Professor of computer science, Purdue University, founder of Center for Education and Research in Information Assurance and Security (CERIAS), co-author of Practical Unix and Internet Security
The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich
While an older title, I still regard this book as one of the true legendary works that breaks down both the philosophy of intrusion detection, as well as the tactical elements of architecture, configuration, and operational monitoring. Many books have been written on this topic since (some by the same author), but at the time of its release, there had never been anything remotely close to the level of detail, technical specificity, and accuracy Richard Bejtlich poured into this resource. His experience over many years doing this work shows immediately, and I referred to this book numerous times while in the trenches of a number of organizations' networks. Even today, it's highly recommended as a great background on the subject, especially for newer security analysts, engineers, and architects. - Dave Shackleford, owner of Voodoo Security
The Gift of Fear and Other Survival Signals That Protect Us From Violence, by Gavin De Becker
One of my favorite books about security that is focused on people and behavior rather than computers, but no less useful. Gavin De Becker uses this book to define a list of PINs, or Pre-Incident Indicators, that you can be cognizant of in order to potentially see a bad situation before it happens. While it can be a hard read at times, using real life stories to help backdrop the knowledge in the book, the content can be used to both recognize and mitigate threats often seen in cyberspace as well. — Nick Steele, senior R&D engineer, Duo Labs
The Cuckoo’s Egg, by Clifford Stoll
Published in 1989, The Cuckoo’s Egg is a first-hand account of Stoll’s search for a hacker who infiltrated the Lawrence Berkeley National Laboratory. Long before APTs were classified and monitored, Stoll, who is an astronomer by trade, describes the detective-like methods he used to find the hackers. This story turns into a wild tale of cyber espionage involving the United States intelligence agencies and the KGB. - Vanessa Sauter, senior strategy analyst at Cobalt.io
The Mastermind, by Evan Ratliff
It's the wild true story of Paul Le Roux, a brilliant programmer who went from running a shady network of websites for ordering pharmaceuticals online, to being an international crime kingpin. He had dealings everywhere from the Philippines to Somalia to North Korea, running hard drugs and guns and ordering hits on those who fell out of his favor. Oh, and he may also have written the TrueCrypt file-encryption software that for years was widely used for normal, legitimate purposes. His use of encrypted systems to protect himself and his henchmen demonstrates the futile stupidity of government efforts to ban strong encryption in the name of fighting crime. Criminals already have access to such tools, and smart ones like Le Roux can even roll their own. And, as his eventual downfall illustrates, even crypto-savvy criminals can still be caught. - Riana Pfefferkorn, associate director of surveillance and cybersecurity, Stanford Center for Internet and Society
Intelligence-Driven Incident Response, by Scott J. Roberts and Rebekah Brown
If you want to transition from whack-a-mole detection and response to a strategic incident response program that is fueled by threat intelligence, then this is the book for you. The authors guide you through aligning your incident response and threat intelligence capabilities through the "F3EAD" process: Find, Fix, Finish, Exploit, Analyze, Disseminate. There is also a chapter dedicated to the strategic components of a threat intelligence program, which will help you demonstrate value to your executives and might even justify some budget for your security program. Also, Scott and Rebekah are lovely people and great members of our community. - Rick Holland, CISO and VP, Digital Shadows
The Smart Girl's Guide to Privacy, by Violet Blue
Both my kids were required to read it when they turned 13 and were allowed to create social media accounts. I understand why the book is gender-specific, but I wish there was a version that wasn't. Most of the information in it is good general advice for anyone putting themselves out there on the Internet. Having "girl" in the title makes it a bit more difficult to sell boys (and men) on reading it as well. — Adrian Sanabria, Advocate at Thinkst Applied Research
Neuromancer, by William Gibson
I think I was a freshman or sophomore in high school when a friend handed me Neuromancer. As an introverted kid with an interest in electronics, a not-exactly-above-the-board dial-in to a VAX and a separate SLIP link (look it up kids), as well as copies of 1984 and Animal Farm on my desk, I was fairly well primed to dive into the dizzying prose of William Gibson's Neuromancer. Art imitates life, as the exploits of Case and Molly in this early vision of cyberspace inspired me to become even more deeply interested in what is now called cybersecurity. I followed up reading the novel with t-files pulled from FTP sites and HPCVA boards before search engines worked, and later met kindred spirits online that have become my colleagues, my friends, and my family of choice some 25 years later.
Thankfully, we avoided turning into a deeply unequal, drug-addled corporatocracy where shady organizations deploy AIs on staggering collections of data to manipulate the populace at large (ahem). Gibson's dystopia did have one glimmer of hope: no cell phones. Even if the technology predictions are slightly off, the remarkable level of prescience exhibited by his world-building and the retro-futuristic vibes make Gibson's work essential reading decades later.
NB: I had the opportunity over 15 years ago to talk to Mr. Gibson on the phone as he asked for a realistic hacking scenario for a friend's work. I don't remember if I had the chance to thank him for inspiring my entry into a subculture and my career, but he has my gratitude. -- Adam O’Donnell, Ph.D., principal engineer, Cisco
I have struggled to lose weight and keep it off for years. None of the traditional weight loss programs work for me. No matter what personal training system, diet fad or intervention, I continued to gain weight for years – until one day. I learned about a device called Shapa. It is a smart scale without numbers. It is designed to take away that negative feeling most people get when they step on a scale and replace it with a color, missions and positive encouragement designed to motivate you to change habits over time – genius. I am now losing weight, without the guilt, negative self-talk and feeling like the program is under my control and designed to make me feel good about myself.
There is a sheer connection between bad habits that enable weight gain and bad physical health and similar bad habits, negative thinking that enables bad cyber health and habits. For both typically the first solution is information via awareness and making the “nonconscious, conscious”. The difference is security teams tend not to think they need to motivate people towards better cyber wellness, but talk over them, down to them or force them to change behavior. This works in the short-term and helps meet compliance requirements but doesn’t encourage the encoding necessary to ensure the mistake isn’t repeated.
This book perfectly reflects the core principles in my current role as CEO of RevolutionCyber. Using behavioral science, my organization builds personalized and intuitive security awareness programs designed to inform, engage and inspire employees to change their behavior in ways that help protect their organizations. Atomic Habits speaks to a person’s actions and behaviors, offering engaging exercises that step-by-step can guide a person to not only discard old habits but learn new, good ones too. The system outlined in this book is a universal one – it can be used in any situation in life. It is the perfect book for security leaders and security awareness professionals to utilize as a tool for building cyber security cultural change and ensuring results in their current program. - Juliet Okafor, JD, CEO, RevolutionCyber
Data Story: Explain Data and Inspire Action Through Story, by Nancy Duarte
When I look over my bookcase for ones that I would recommend I can’t help but land on this one. Security professionals are very good at their core competencies. The issue that arises is with the ability of many security practitioners to communicate effectively. What Duarte’s book does is help the reader to do a far better job of wrapping a narrative around data sets for an audience. Data Story steps the reader through the process of humanizing the data so that it can become more relatable for the audience while adding the element of data visualization. By helping the reader become better at telling a story with their data this vastly improves a security professional's chances at being understood and having their message heard. An excellent book for anyone looking to improve their skills as a presenter overall. - Dave Lewis, advisory CISO, Duo
Little Brother, by Cory Doctorow
Cory Doctorow writes about four teenagers in San Francisco detained and interrogated by DHS after a terrorist attack on the Bay Bridge and BART. They are eventually released, but they are told their movements and actions will be monitored, which they see as a violation of their civil rights. It’s a YA novel, but the discussion of mass surveillance, cryptography (via a key signing party), and social activism is one that we all need to think about. The industry grapples with the quandary that just because technology can do something doesn’t mean we should do it—and this book illustrates how far things can go. The book is allegedly used as training material for NSA recruits to illustrate how people view surveillance, which is pretty awesome, if true. — Fahmida Y Rashid
When I first heard that Joe was working on a book about the cDc, my initial reaction was: How on earth is he going to track down all those people, let alone get them to tell their stories on the record? Oh, me of little faith. Not only did he get nearly all of the cDc members to talk, he turned what could have been a by-the-numbers historical biography into a vibrant, vital tale of how a small group of curious, clever, and creative people helped kickstart a revolution that’s still unfolding nearly 40 years later. Many of the people who helped shape the hacker culture that developed in the 1980s and 1990s came from the cDc or other affiliated groups, and their influence has extended from Lubbock, Texas, to Silicon Valley to Capitol Hill, the Pentagon, and the White House. Joe succeeds in conveying the cDc’s mischievous spirit and sense of humor and describing the members’ considerable accomplishments without turning the book into a hagiography. No mean feat, that. - Dennis Fisher