Beyond Fear
In "Beyond Fear," Bruce Schneier invites us to take a critical look at not just the threats to our security, but the ways in which we're encouraged to think about security by law enforcement agencies, businesses of all shapes and sizes, and our national governments and militaries. Schneier believes we all can and should be better security consumers, and that the trade-offs we make in the name of security - in terms of cash outlays, taxes, inconvenience, and diminished freedoms - should be part of an ongoing negotiation in our personal, professional, and civic lives, and the subject of an open and informed national discussion.
Reader Reviews 1 - 30 of 30, sorted by newest first. Each review is headed by its date, its rating (5 high), and how many readers found it helpful.

06-14-08 | Rating: 4 | Helpful: (NA)
Nutshell review - A great read. Entertaining and informative. So well written and very useful at the same time.
(Review Data Last Updated: 2008-07-12 01:25:48 EST)
04-03-08 | Rating: 4 | Helpful: (NA)
I was pretty excited to read Bruce Schneier's Beyond Fear; I have enjoyed hearing him speak and like his blog. I will say that the book could have said what it says with a lot fewer pages, possibly even an essay. However, there are lots of great stories and a fantastic word picture called "Security Theater". His illustration is that after 9/11 no one knew what to do to combat air terrorism, so they gave the appearance of action by doing things like confiscating nail files. Oh do I agree that much of what we see is security theater!
Bruce has a five step process he tries to illustrate, especially in the second half of the book:
* What assets are you trying to protect?
* What are the risks to these assets? (I think threats is a more correct word than risks)
* How well does the security solution mitigate those risks?
* What other risks does the security solution cause?
* What trade-offs does the security solution require?
This is a nice implementation of threat vector analysis and he tells great stories. I am not sure the book teaches that much, but it might be a valuable awareness tool for executives. (Review Data Last Updated: 2008-06-15 01:18:13 EST)
01-17-08 | Rating: 5 | Helpful: (NA)
Beyond Fear is a well-written book on the fundamental concepts and applications of security theory. In the first chapter, he proposes a sequence of five questions that should be asked about any suggested security system.
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate the risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
He spends the rest of the book discussing various aspects of security, and talking about various implementations of security both historical and modern. He finished writing this book in 2003, so there are many references to the 9-11 incidents and the security activities implemented because of them. (Review Data Last Updated: 2008-04-03 19:08:41 EST)
07-05-07 | Rating: 5 | Helpful: 1 of 1
The content of this book slightly overlaps the content of the author's previous book Secrets and Lies: Digital Security in a Networked World but presents the material from a different angle: the perspective of a security expert who witnesses the security measures taken by governments in reaction to the 9/11 terrorist attack and wants people to understand the absurdity of some of these measures.
It is not technical at all and does not require any particular background to understand and enjoy. The author explains clearly how to make a risk assessment of something that you want to make more secure and then evaluate the cost of the security measures. Only when you have that data can you evaluate whether the added security is worth it. These explanations are backed up with concrete examples such as evaluating the risk of making a purchase with a credit card over the internet. Other examples include the absurdity of securing a lunch in a company refrigerator, because the potential loss of having a lunch stolen does not justify securing it. The author also explains that even technologies that look very accurate, such as facial recognition with an error rate of, let's say, 0.0001 %, are totally ineffective when they have to control a huge number of persons like a stadium crowd, because even with this accuracy they would create an unmanageable number of false positive alerts. The author also elaborates on why you should question the motivation of a security provider when it is a third party and links this with how people's fears can be exploited to introduce invasive, excessively expensive and inefficient security measures. I think that the goal of the author was to make people more critical about security questions and my opinion is that his goal has been successfully achieved. (Review Data Last Updated: 2008-01-17 15:13:10 EST)
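The base-rate point this reviewer describes (a very accurate screener still buries its operators in false alarms when the crowd is large and genuine targets are rare) can be put into numbers. The Python below is an added illustration and is not code from the book or from the reviewer; the stadium size, the two false-positive rates, the daily screening volume and the number of genuine targets are all constructed assumptions, and the second function goes one step beyond the review by solving for the false-positive rate a system would need before half its alerts were real.

```python
"""Alert volume from a very accurate screening system.

Added illustration of the base-rate argument (constructed numbers throughout);
not code from the book or the reviewer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    true_alerts: float   # genuine targets the system is expected to flag
    false_alerts: float  # innocent people it is expected to flag by mistake

    @property
    def precision(self) -> float:
        """Share of all alerts that point at a genuine target (0 if no alerts)."""
        total = self.true_alerts + self.false_alerts
        return self.true_alerts / total if total else 0.0


def expected_alerts(population: int, targets: int, false_positive_rate: float,
                    true_positive_rate: float = 1.0) -> ScreeningOutcome:
    """Expected alerts from one screening pass over `population` people.

    `targets` is how many of them are genuinely on the watch list (the base
    rate); `false_positive_rate` is the probability that an innocent person
    triggers an alert; `true_positive_rate` that a real target does.
    """
    if not 0 <= targets <= population:
        raise ValueError("targets must lie between 0 and population")
    for rate in (false_positive_rate, true_positive_rate):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must be probabilities in [0, 1]")
    innocents = population - targets
    return ScreeningOutcome(true_alerts=targets * true_positive_rate,
                            false_alerts=innocents * false_positive_rate)


def required_false_positive_rate(population: int, targets: int,
                                 wanted_precision: float,
                                 true_positive_rate: float = 1.0) -> float:
    """Largest false-positive rate that still yields `wanted_precision`.

    Solves precision = T*tpr / (T*tpr + I*fpr) for fpr, where T is the
    number of targets and I the number of innocents.
    """
    if not 0.0 < wanted_precision < 1.0:
        raise ValueError("wanted_precision must be strictly between 0 and 1")
    innocents = population - targets
    if innocents <= 0 or targets <= 0:
        raise ValueError("need at least one target and one innocent")
    return (targets * true_positive_rate * (1.0 - wanted_precision)) / (
        wanted_precision * innocents)


if __name__ == "__main__":
    # Constructed scenario: one genuine target in a 75,000-person stadium crowd,
    # screened by a system with a 0.01% (1e-4) false-positive rate.
    game = expected_alerts(population=75_000, targets=1, false_positive_rate=1e-4)
    print(f"per game: {game.true_alerts:.1f} true, {game.false_alerts:.1f} false, "
          f"precision {game.precision:.1%}")
    # The reviewer's far better 0.0001% (1e-6) rate, applied to a constructed
    # 2,000,000 screenings per day with one genuine target present.
    day = expected_alerts(population=2_000_000, targets=1, false_positive_rate=1e-6)
    print(f"per day: {day.false_alerts:.2f} false alerts; "
          f"per year: about {day.false_alerts * 365:.0f}")
    # How accurate would the stadium system need to be for half its alerts to be real?
    print(f"FPR needed for 50% precision: "
          f"{required_false_positive_rate(75_000, 1, 0.5):.2e}")
```

The operational lesson is the one the review draws: a per-person error rate is meaningless until it is multiplied by the population screened and compared with how many genuine targets are actually present, and the required-rate function shows how many orders of magnitude below "very accurate" a crowd-scale screener would have to be before its alert queue is mostly real.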
06-05-07 | Rating: 5 | Helpful: 0 of 1
Most people think that they think rationally about security decisions.
Most don't even know when they're making security decisions. Fewer know what those decisions really entail. Only Bruce Schneier knows how to make those decisions sensibly, and he's passing that information along to the world. (Review Data Last Updated: 2007-07-06 23:32:55 EST)
01-10-07 | Rating: 5 | Helpful: 1 of 3
I never thought I'd find a security book that made me laugh. Both amusing and informative, I had a hard time putting this one down.
(Review Data Last Updated: 2007-07-06 23:32:55 EST)
03-12-06 | Rating: 5 | Helpful: 0 of 12
The book was as described (in mint condition) and the delivery was on time. Very satisfied, would use again.
(Review Data Last Updated: 2006-08-27 13:06:01 EST)
10-19-05 | Rating: 5 | Helpful: 19 of 22
This book is very informative, interesting, and entertaining. I've recommended it to people both within and outside the CS and IT communities w/o reservation.
Rather than reiterating things said in the many positive reviews, I'd like to take issue with one reviewer who says Schneier misuses the term "threat." In particular, this reviewer says "A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset." This definition is both counter to standard English usage and counter to standard usage within the computer security field. Every book on my shelf has roughly the same definition of threat: "Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability" -- Stallings, Network Security Essentials, p. 5. So a threat is a condition or event, not a party. The reviewer seems to confuse threat with potential adversary. Schneier's terminology is the standard terminology, and he uses it correctly. (Review Data Last Updated: 2007-07-06 23:32:55 EST)
06-30-05 | Rating: 5 | Helpful: 14 of 14
I first read about Bruce Schneier in an eye-opening article by Charles Mann in the September, 2002 issue of The Atlantic Monthly. It seems that you don't have to make the false choice everyone is agonizing over between security and liberty. You can have both.
Schneier's book expands on the ideas in the article. Although Schneier is a technology fan and it is his livelihood, he realizes that sometimes a live security guard can provide better security than cutting-edge (but still fallible) face-recognition scanners, for instance. He explains why national ID cards are not a good idea, and how iris-scanners can be fooled. These are ideas for security on a large scale, for airports, nuclear and other power plants, and government websites. For security on an individual or small business scale, try Art of the Steal by Frank Abagnale. But even if you don't run a government, Beyond Fear is a fascinating read about how your government is making choices (and how they SHOULD be making choices) about your security and about your rights. (Review Data Last Updated: 2007-07-06 23:32:55 EST)
02-11-05 | Rating: 4 | Helpful: 11 of 12
The title of the book refers to the steps to take after fear is sensed. To move beyond fear is to understand it, how it affects you and why, and what you can do about it. And that is what the book addresses - what things do we need to secure, from our personal interests, to national interests.
Schneier addresses this in the framework of five questions to ask about security. Although the process seems crude, it does touch the heart of the security issue - what are we trying to protect, why, and what happens if we don't protect it? I particularly like his idea of brittle versus flexible security. When a brittle security system fails, your asset is screwed. A (poor) example would be burying your money in your back yard. If this is compromised (someone finds it), then you lose all your money, and that's the end of it. Compare this to a banking account. If someone robs the bank, or fraudulently takes your money, the bank is obliged to get you your money back. (So maybe you should bury your bank account number and password in your back yard!) Although much of the discussion is on the level of national security, he also has gems of wisdom like suggesting that you leave the bathroom light on while you're away to deter burglars. And he points out your identity is more likely to be stolen from your discarded papers than from someone stealing your info on the internet. I really appreciate the last part of the book where he lists the most-likely causes of death among Americans. What I got from that was not that I should avoid international airports, or dig a fallout shelter, but simply that I should make sure that I and my family are securely buckled up when we drive. Now that's putting 9/11 into perspective. (Review Data Last Updated: 2007-07-06 23:32:55 EST)
02-08-05 | Rating: 5 | Helpful: 1 of 25
You know, folks, I've a hunch that this book might be applicable, in regards to the "bureaucratically dreamt of", "news-agency talked about", "popularly assumed-of", however "real" phenomenon, particularly: "Homeland security".
I'll admit, I have not yet read Schneier's work, this one. (As I recall, another technician mentioned Schneier; a stop-by at a web-site followed; then, wound up adding this to "my little? wish list") I figure, I know "a sure thing", when I see it, expressed in written form. Schneier is a trustworthy author. So, while I have not yet read it, yet this book - Schneier's - gets "the 5-all-good mark-of-confidence, permanent and for-real real," even in terms of forward, reasoned anticipation, about the applicability of Schneier's expressions, in regards to: digital-systems work, and "general security". Concluded: It's a book, wholly worth your time. (Review Data Last Updated: 2006-07-07 15:53:51 EST)
02-06-05 | Rating: 5 | Helpful: 6 of 7
In the wake of the 9/11 terrorist attacks there have been many changes to how national security is handled. Many of these changes have directly impacted our civil liberties or freedoms as United States citizens. Our elected officials and government organizations push these sweeping changes with a "sky is falling" mantra and claims that only by limiting freedoms and expanding the authority of law enforcement and government agencies can security be assured.
Bruce Schneier's book- Beyond Fear- helps those citizens understand how these trade-offs really work and to see that freedom and security are not necessarily opposite sides of the coin. Schneier uses language that anyone can understand and excellent examples to illustrate how to assess the risks and determine whether a given security measure will help- or possibly even do more harm than good. One of my favorite chapters is Chapter 2- Security Trade-Offs Are Subjective. He gives example after example of how what seems like a risk to one person is no risk at all to another person and how, often, one's fear of that risk is not supported by logic. For example, he states "commercial airplanes are perceived as riskier than automobiles, because the controls are in someone else's hands- even though they're much safer per passenger mile." In this post 9/11 era there have been many changes in the name of security. People need to read this book to understand just what sort of security they are trading their freedom for. (...) (Review Data Last Updated: 2006-07-07 15:53:51 EST)
02-06-05 | Rating: 5 | Helpful: 4 of 5
In the wake of the 9/11 terrorist attacks there have been many changes to how national security is handled. Many of these changes have directly impacted our civil liberties or freedoms as United States citizens. Our elected officials and government organizations push these sweeping changes with a "sky is falling" mantra and claims that only by limiting freedoms and expanding the authority of law enforcement and government agencies can security be assured.
Bruce Schneier's book- Beyond Fear- helps those citizens understand how these trade-offs really work and to see that freedom and security are not necessarily opposite sides of the coin. Schneier uses language that anyone can understand and excellent examples to illustrate how to assess the risks and determine whether a given security measure will help- or possibly even do more harm than good. One of my favorite chapters is Chapter 2- Security Trade-Offs Are Subjective. He gives example after example of how what seems like a risk to one person is no risk at all to another person and how, often, one's fear of that risk is not supported by logic. For example, he states "commercial airplanes are perceived as riskier than automobiles, because the controls are in someone else's hands- even though they're much safer per passenger mile." In this post 9/11 era there have been many changes in the name of security. People need to read this book to understand just what sort of security they are trading their freedom for. Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com). (Review Data Last Updated: 2005-09-06 06:36:15 EST)
01-07-05 | Rating: 5 | Helpful: 4 of 4
As a healthcare fraud consultant, I found this book very helpful. Healthcare insurers and plans are often at a loss when it comes to securing their systems. Here are three of the things I thought were particularly helpful:
1) Security is only as strong as the weakest link. If a crook can enroll as a provider without providing any credentials and can bill using a list of patients stolen from another provider, then all the computer network security in the world is not going to help you.
2) Class breaks allow a perpetrator to attack several systems with the same ease as he can attack one system. The standardization required under HIPAA is going to make it easier for us to use fraud fighting algorithms developed for one plan to find fraud in another plan, but it will also make it easier for criminals to use the same exact scam in multiple places.
3) Automation allows attackers to make a huge number of attacks with about the same effort as one attack. The payoff for each attack can be very low, since the cost is low. If I set up a booth at the mall offering free chiropractic exams, I can collect insurance information for hundreds of patients in a weekend. I can bill weekly services for each of those people, while I move to a new location to collect more insurance data. Automation also means that only one attacker has to be smart, while the rest can just use his software or methods to carry out the fraud. (Review Data Last Updated: 2006-07-07 15:53:51 EST)
08-16-04 | Rating: 5 | Helpful: 2 of 3
When one of the smartest security people writes one of the most readable books on the topic, this required 10 stars. Alas, I can only give 5.
This book is so good; I bought a copy for my supervisor. (Review Data Last Updated: 2006-07-07 15:53:51 EST)
01-24-04 | Rating: 4 | Helpful: 9 of 13
Bruce Schneier is a well known security expert and author of one of my favorite technical books of all time, Applied Cryptography. This latest book, Beyond Fear, is written for a popular audience and mostly discusses security measures taken by the US since 9/11.
While Bruce is thoughtful, clear, and provides excellent examples to back up his points, this book really could have used better editing. To me, it feels like three chapters were spun out into an entire book by repeating the same points and same examples over and over again. I still think this book is worth buying. The first 3-4 chapters alone are worthwhile. Spending some time thinking about security the way Bruce thinks about it -- always from a cost/benefit standpoint -- is worthwhile. But, as I was, you might get a little frustrated by the poor editing. (Review Data Last Updated: 2006-07-07 15:53:51 EST)
01-21-04 | Rating: 4 | Helpful: 9 of 9
Not quite what I'd expected. I'd read & enjoyed 'Secrets & Lies', and I thought this would be more of the same. This book is really a discussion about what actions have been taken post 9/11, and in parts it's a criticism of the overreaction that there has been.
However, it's not overtly political, and gives dozens (perhaps 100) practical worked examples of good & bad, effective & ineffective, responses to security issues, whether physical, electronic etc. There is a 5-step process which I found useful to apply to everyday situations; in highly abbreviated form these are: what are you trying to protect; what are the risks; risk mitigation; risks caused by the solution; trade-offs. The core message is: "as both individuals and a society, we can make choices about our security", and this book helps you understand how to make those informed decisions. (Review Data Last Updated: 2006-07-07 15:53:51 EST)
01-06-04 | Rating: 5 | Helpful: 8 of 8
I have read a number of the Pro and Con reviews. I think it is important to take a good look at the title of the book, and use that as a guide to a buying decision. This book is not an in-depth cookbook of technical approaches to combat hackers, but rather a sensible way of looking at the issues that contribute to an aura of security, the appearance of security, and actually being secure. I really liked the whole premise, because we are such an image conscious, and sound-bite oriented society that it can become quite difficult to deliver a thought-provoking treatise on a topic that many think they know so much about.
My only negative comment would be that it got a little slow at the end, for me. Maybe I was just tired that night or something. He cites a few excellent examples of places or instances where someone did something that they honestly felt would contribute to increased security, when the actual effect turned out to be the opposite. If I may draw a crude comparison: if you appreciated some of the observations, and perhaps even the writing style and presentation in Hammer and Champy's "Reengineering the Corporation", then you will like and appreciate this volume. The way Mr. Schneier presents information, and the way he introduces you to perceived vs. actual may strike you as being similar. (No offense meant to either author - I enjoyed both) Happy trails. (Review Data Last Updated: 2006-03-11 14:37:14 EST)
12-11-03 | Rating: 1 | Helpful: 5 of 20
I thought this book would tell me something I didn't know. It didn't. I thought it would be interesting enough to keep me awake and wanting to read it. It wasn't. I thought Bruce Schneier was a big thinker and aggressive. He isn't; he's overly cautious and careful with his words out of his own "fear" of insulting somebody. I thought he would take a stand on the issues. He didn't. I thought he understood security in the post-9/11 world. He doesn't. In fact, this book was written like 9/11 never happened and as if our terrorist enemies are mindless idiots.
If you want a good overview of the strategic issues facing cyber security and homeland security, read Dan Verton's Black Ice. That offers a far better understanding and overview of what's going right and what's going wrong in homeland security and cyber security, because Verton isn't afraid. Schneier hasn't found a way to go beyond his own fear. (Review Data Last Updated: 2005-11-20 13:58:27 EST)
11-21-03 | Rating: 4 | Helpful: 32 of 45
_Beyond Fear_ is a good book, and I'd put it into the "should read" but not "must read" category for people working in security (as opposed to _Secrets and Lies_, which I put into the "must read" category). There's little new or profound in the book, which is essentially an elaboration with examples on the five-step process of analyzing and evaluating security systems given on pp. 14-15 of the book:
1. What assets are you trying to protect?
In the process, Schneier provides many interesting examples. This is an excellent book on security for the layman. But it is definitely a book targeted at a popular audience. There are no footnotes or references, and Schneier occasionally tosses off remarks or asides that are questionable, if not false. There are two significant flaws in the book:
1. It exaggerates the subjectivity of a security evaluation. On p. 17, chapter two is titled "Security Trade-offs are Subjective." But it's not the trade-off itself that is subjective. It's not the risk assessment that is subjective. It is people's non-instrumental desires (basic desires) or Schneier writes (p. 17) that "Different people have different senses of what constitutes a threat"--but some are right and some are wrong. His distinction between perceived and actual risk shows that the important one is actual risk, not perceived risk. Actual risk is objective, not subjective. Schneier continues "or what level of risk is acceptable." That can certainly have a subjective component, but even subjective components can conflict with each other and be internally inconsistent, indicating a problem in the evaluation. The final sentence of the chapter contradicts the chapter title: "Because we do not understand the risks, we make bad security trade-offs." (p. 31) If the trade-offs were subjective, there would be no such thing as a bad trade-off, only a trade-off perceived to be bad by someone. Later in the book Schneier contradicts the strong subjectivity claim (e.g., p. 249: "Massive surveillance systems are *never* worth it." (emphasis added)) I don't think he seriously meant to make the strong claim--I think it's just careless/imprecise writing. p. 259 seems to get it pretty much right, but he should really have found a philosopher to review this book--that a problem is intractable doesn't mean that the answer is subjective, nor does the fact that subjective interests enter into the picture mean that the answer, given those interests, is subjective.
2. The book argues for an exaggerated egalitarianism--that anybody, regardless of background, training, or intelligence, can do security analysis. At the same time, the book touches on some of the evidence that ordinary judgments are inaccurate, and that people are notoriously bad at estimating and comparing risks due to the natural use of heuristics like vividness, recency, etc. (the classic Kahneman and Tversky book, _Judgment Under Uncertainty_, summarizes some of this evidence). (Review Data Last Updated: 2005-11-20 13:58:28 EST)
11-13-03 | Rating: 1 | Helpful: 16 of 39
If Bruce Schneier has acquired a habit, it is the ability to take the same old material and rehash it into different books, year after year. My guess is that, next year, he'll use another slightly different angle and try to sell you the same basic information.
What I find truly onerous about his books is the condescending tone that Schneier adopts when addressing the reader. Recently I spoke with a PhD, from Brown, who performed decades of research in number theory. He recommended "Cryptography in C and C++," by Michael Welschenbach. He also said "I don't know why people think Applied Cryptography is such a good book. He [Schneier] doesn't seem to understand the mathematics very well." Pick up Applied Cryptography sometime and compare it side-by-side with Welschenbach's book. You'll see what that PhD was talking about. (Review Data Last Updated: 2005-11-20 13:58:28 EST)
11-01-03 | Rating: 4 | Helpful: 64 of 98
"Beyond Fear" is a good book, but don't turn to it for proper definitions of security terms. Steer clear of this book's misuse of the words "threat" and "risk." While I appreciate Schneier's overall discussion of security issues, I expect a book aimed at the layman to be more accurate.
Schneier introduces the term "threat" on p. 20 with this example: "Most people don't give any thought to securing their lunch in the company refrigerator. Even though there's a threat of theft, it's not a significant risk because attacks are rare and the potential loss just isn't a big deal. A rampant lunch thief in the company changes the equation; the threat remains the same, but the risk of theft increases." That's wrong; let's start with definitions (mine, based on intel experience -- not the author's). A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset which could lead to exploitation. Risk is the possibility of suffering harm or loss. It's a measure of danger. All of these terms were defined years ago by military intel and law enforcement types, especially those doing counter-terrorism.
In the lunchroom example, nobody initially "secures" their lunch, even though their "assets" are held in a "vulnerable" (unlocked, unguarded) refrigerator. Why? There's no "threat" -- people have the capability to steal lunches but nobody has evil intentions. "Risk" of losing one's lunch is close to zero. Now, add the "rampant lunch thief." The threat is NOT "the same"; a threat now exists for the first time. The risk equation changes -- risk of loss is much higher. (Countermeasures like a guard can reduce the vulnerability and bring risk of loss closer to the original low level.) Another example of fuzzy thinking appears on p. 50. "Just because your home hasn't been broken into in decades doesn't mean that it's secure." Says who? If the threat the entire time was zero, the house was always perfectly secure. Vulnerabilities are but one part of the risk equation, which is Risk = Threat X Vulnerability X Cost of Asset. If any factor is zero, risk is zero. One quick final example appears on p. 238: "The problem lies in the fact that the threat -- the potential damage -- is enormous." Wrong! A threat is an agent, or party, who wants to and can inflict damage. "Threat" in this sentence should be "cost," meaning the replacement value of the assets at risk.
A hint to the source of these errors appears on p. 82: "examining an asset and trying to imagine all the possible threats against that asset is sometimes called 'threat analysis' or 'risk analysis.' (The terms are not well defined in the security business, and they tend to be used interchangeably.)" Which security business? Counter-terrorism and intel folks know threat analysis is performed against groups with capabilities and intentions to harm American assets. Risk analysis calculates the potential for loss given a certain threat, an asset's vulnerabilities, and the value of that asset. It's the digital security community that's obscuring the definitions. I loved "Secrets and Lies," and every time I see the author speak I learn something new. Am I off base with this review? You be the judge. I still gave it 4 stars, since the book's vignettes are informative and its scope impressive. Given the large number of reviewers I expected someone to challenge the author's terminology. Yes, this is semantics, but shouldn't a book by an expert set the record straight? I don't think my expectations are unrealistic, either; Schneier is a previously published "thought leader," and he deserves to be held to the highest possible standards. (Review Data Last Updated: 2005-11-20 13:58:28 EST)
Review date: 10-31-03 | Rating: 5 | Helpful: 4 of 10
Bruce Schneier is a genius at making complex ideas sound sane and simple.
There is no melodrama in this book, just good old-fashioned wisdom. Bruce is a much welcome voice in a crazy world. (Review Data Last Updated: 2005-11-20 13:58:28 EST)
Review date: 10-31-03 | Rating: 5 | Helpful: 5 of 5
"Anyone who tries to entice you with promises of absolute security or safety is pandering to your fears" (pg 277).
This whole book is filled with common-sense and not-so-common-sense thinking. I had the opportunity to see Schneier speak at Toorcon 2003 in San Diego and I can tell you this guy not only knows as much as anyone about security, he also talks *like a normal person*. He's not arrogant, he doesn't throw in gratuitous Latin terms, he just makes a very clear point with extremely strong logic to back it up. That's what this book is: a handbook on how to logically sift through all the garbage that's trickling down to us via the US media and our govt. Does the FBI need expanded snooping powers? Not according to Schneier, who backs that up with facts regarding 9-11 that tell us the right govt agencies *had* the info, they just couldn't analyze it all. So giving up a bunch of our privacy for the FBI to get more info doesn't make much sense in combating terrorism. This is just one example in dozens. You may not even agree (I've met a few FBI people and they ALWAYS say they need more power/info), but reading this book allows you to pull the emotion out of security-based decisions, whether they are about home alarm systems or airport security lines. For people who aren't familiar with Schneier, he is basically a semi-legend in the information security field for his cryptography, writing and speaking. His last book, "Secrets & Lies", broadened the scope of his writing from crypto to general infosec. Now he has broadened his focus even further to include the physical world (beyond the server room). To be honest he doesn't really even bring up computers directly that often, and when he does he usually tells us that they aren't nearly as good at making security decisions as people. Seasoned infosec people won't be surprised by any of the logic or conclusions in this book, but it's still worth a read because Schneier has obviously spent a lot of his brain's cycles thinking about security in general and we can all benefit from his conclusions.
Schneier has won my respect with this book. It proves that not only does he get the security details (the crypto), he gets the "big picture", even when the big picture has nothing to do with computing (e.g. muggings). It is rare to find this in one company, let alone one person. (Review Data Last Updated: 2005-11-20 13:58:28 EST)
Review date: 10-16-03 | Rating: 5 | Helpful: 8 of 8
Executive summary: Timely and well written. Buy it.
Bruce has a great ability to "keep it real" - which is why his books are so readable and down to earth. With a background in cryptography, Bruce has broadened his scope to become one of the broadest thinkers in security today - no mean feat by any measure. One of the reasons I tell my corporate consulting clients to "Read Bruce's books" is because he's able to put things into the overall context in a way that is uplifting rather than depressing or overwhelming. For example, I consider "Secrets and Lies" (and now "Beyond Fear") to be essential bookshelf material for anyone who has to deal with security. When people are starting in security and ask me where to begin, it's with these books. Absorbing them, and the concepts behind them, is a good way of avoiding the pitfalls in this complex field. For the non-security-professional, this book is also a terrific read. Read it more like it's a spy novel, sit back, and enjoy it. Movie script-writers? If you're going to write a script that touches on computer security: read this book. mjr. (Review Data Last Updated: 2005-11-20 13:58:28 EST)
Review date: 08-12-03 | Rating: 5 | Helpful: 2 of 2
This new book of Bruce's covers a lot of practical aspects of security that are particularly relevant in a security-obsessed society. It's important to make sure when you do something that's supposed to increase security that it actually works. This is the most important thing, really. If it's not going to work, why bother? Discussing security in general terms explains why some counter-intuitive measures are good security. It also shows why security measures that are broadly based but weak can be better than ones that are targeted but strong.
(Review Data Last Updated: 2005-11-20 13:58:29 EST)
Review date: 08-02-03 | Rating: 5 | Helpful: 6 of 6
In a world where we are constantly bombarded with information about how to be safer, what things are dangerous, what to do in case of X, it is pleasant and surprising to see a book that tells you how to make decisions like these yourself.
Pleasantly apolitical, Schneier presents a concrete way to evaluate various decisions about security. Should you install an alarm system in your home? Should airline pilots be armed? While different in scope, the process of answering these questions is the same and is presented in easy-to-understand language. This is not a book for "security experts"; it is a book for all of us. When you are finished reading the book, you are armed with the tools to make decisions about your own security and to evaluate the ideas presented by policy-makers. More importantly, you have the tools to rationally describe why potential policies would make things less secure rather than more secure. This book is a valuable, perhaps necessary, resource for everyone. If you've ever worried about a particular threat and wondered what you could do, read this book. (Review Data Last Updated: 2005-11-20 13:58:31 EST)