book reviews


An Anatomy of Risk by William D. Rowe (Quickie Book Review)

Thursday, November 27th, 2008

A few weeks ago I came across an excellent book from 1977 entitled An Anatomy of Risk by William D. Rowe, Sr. (ISBN: 0471019941).  This book provides a thorough technical summary of the state of the art in risk analysis through the mid-1970s, including some of the groundbreaking work on risk perception, risk assessment for nuclear power, risk communication, etc.  I believe that this book is one of the first authoritative texts on quantitative risk analysis ever published.  However, since the book was written at a time when risk analysis was a relatively new academic discipline, it was not intended for undergraduate audiences looking to learn the basics of risk.  I intend to use this text as my gateway to the classic research works on risk analysis.

An Anatomy of Risk was previously reviewed by a number of scholars as cited below.  Note that in most cases you must have a subscription to view the actual review.  I also noted the tone of the review on a five-tier scale (SCATHING, UNFAVORABLE, NEUTRAL, FAVORABLE, PRAISING).

  • A PRAISING review by P. K. M’Pherson in Cybernetics and Systems, Vol. 8, Nos. 3 & 4, pp. 352-354 (1977) (permalink)
  • A FAVORABLE review by L. E. Hill in Technology and Culture, Vol. 19, No. 4, pp. 788-790 (1978) (permalink)
  • A PRAISING review by A. R. Unwin in The Journal of the Operational Research Society, Vol. 29, No. 8, pp. 825-826 (1978) (permalink)
  • A FAVORABLE review in ACM SIGSIM Simulation Digest, Vol. 10, No. 4, p. 70 (1979) (permalink)
  • A SCATHING review by R. G. Easterling in Technometrics, Vol. 22, No. 2, pp. 278-279 (1980) (permalink)
  • A FAVORABLE review by M. L. Randolph in Ecology, Vol. 62, No. 4, pp. 1133-1134 (1981) (permalink)

On balance, I would say that the overall take on Dr. Rowe’s book was FAVORABLE++.  I personally recommend that all emerging risk researchers add this title to their Christmas book wish list.

An Anatomy of Risk is no longer available NEW, and can only be purchased used via a used book outlet such as Alibris.com (see here).


Physical Security for IT by Michael Erbschloe (Book Review)

Saturday, September 6th, 2008

Mr. Michael Erbschloe’s book Physical Security for IT is a new text designed to assist IT security professionals in designing security plans to protect IT assets against physical attacks and disruptive events.  This book, in my view, is an attempt to remind IT security that physical attacks can be as dangerous, if not more dangerous, than cyber attacks initiated by virus writers, hackers, etc.  In the preface of this book, the author asserts that:

Even though the skill level required to hack systems and write viruses is becoming widespread, the skill required to wield an ax, hammer, or fire hose and do thousands of dollars in damage is even more widespread.

In the first part of this book, the author describes the security context considered throughout the book.  The Protector is assumed to be an IT security manager, whether an employee of a government agency or a small/medium/large business, who is interested in preserving the confidentiality, integrity, and availability of the organization’s information systems.  The Threats in this book include disgruntled and angry employees, activists and corporate foes, vandals, saboteurs, thieves and spies, domestic terrorists, international terrorists, natural disasters, and random incidents not categorized by any of the preceding threat types.  The Assets (or objects of contention) of concern, as the title of the book suggests, are all physical aspects of an organization’s IT system, including the computers themselves, network hardware, cables, power, etc.

The remainder of the book takes the reader through the process of establishing an IT physical security function within an organization, developing an IT physical security plan, developing and documenting methods and procedures, and auditing and testing these procedures.  The later chapters describe the role of incident response teams, propose a training program for organizational employees, and examine (albeit in a rather brief and uninteresting way) the role of national planning documents (e.g., national strategies, legislation) in shaping the future of physical security.

From my perspective, I am upset by just how little treatment is afforded in most textbooks to the physical protection of IT assets.  After all, while it may appear sexy to attempt the compromise of a specific system via a cyber attack, it is far easier to just destroy the system with a hammer, especially if the perpetrator is an insider or an individual willing to break in to a facility and carry out the deed.  I have personally participated in the vulnerability assessment of a few “critical” facilities, and found that despite having wonderful tools for detecting cyber intrusion, virus checkers, firewalls, etc., the IT infrastructure is still vulnerable if the only means of physical protection is a simple door lock affixed to a worn half-light glass door with aged hinges.  Add to that a weak CCTV system and lax security policies (e.g., not locking the door) and you find yourself with a system as well protected against malicious attacks as a naked man in a field during a thunderstorm is protected against lightning.  A discussion of the role of physical security for IT should be part of any course on security risk management centered on information systems, even if relegated to a single lecture.  That said, Physical Security for IT at the very least offers IT professionals some added insight into protecting their assets against all hazards, physical and cyber alike.

All in all, Physical Security for IT reads like a Physical Security for IT for Dummies book, which actually is a good thing given that its purpose is strictly to equip IT security professionals with a template for designing a physical security plan from start to finish, maintenance and testing included.  The book is very well organized, very easy to read, and very low stress.  For instance, a dedicated security professional would not have a problem digesting the book in about 1-2 hours.  If I were teaching a class in IT security, I would at least list this book as optional, though in practice I would probably have students buy this book along with some other established text focusing on the cyber end of the security problem.  But keep in mind that the focus of this book is on making progress toward security, not on providing tools to inform resource allocation decisions based on risk.  So from that point of view, the book is very prescriptive about what should be done to protect an IT system, but does not provide much insight into whether the investment in security can be justified in terms of benefits relative to costs.


The Kreyszig of Risk

Saturday, September 6th, 2008

Many, if not most, upper-level undergraduate and first-year graduate engineering students are familiar with the famous text entitled Advanced Engineering Mathematics by Erwin Kreyszig (now in its ninth edition).  If you are not familiar with this book and you desire a single source for the body of practical mathematical concepts that enable engineering analysis, then I strongly advise that you become acquainted with “Kreyszig.”  This book covers the practical elements of calculus, differential equations, linear algebra, numerical analysis, optimization, and probability and statistics, all in 1248 pages!  I will forever keep this book handy.

Cover from the 8th Edition (the one I used)

Recently I encountered a book that, in my mind, rivals Kreyszig in terms of comprehensiveness and thoroughness.  The title is Actuarial Mathematics by Bowers, Gerber, Hickman, Jones, and Nesbitt (second edition, ISBN: 0938959468).  But unlike the Kreyszig text, Actuarial Mathematics is all about the mathematics of risk.  Topics covered in this book include probability models, survivorship functions, insurance pricing, regression, and so on.  Though the title may sound dry, this book is sufficiently lively in tone to keep my mind occupied during an otherwise boring meeting.  This book is absolutely amazing, and for that reason I call it the “Kreyszig of Risk.”  But I would argue that the text advocates mathematical practice that, despite being the accepted standard of practice in the world of professional actuaries, is primitive relative to modern uncertainty modeling approaches (e.g., probability boxes).  I think there is potential for quite a lot of research work focused on applying modern mathematical theory to actuarial problems.

Now despite its mathematical allure, Actuarial Mathematics does not help security risk professionals do their job any better, given their inherent reluctance to quantify things without supporting data.  But this did not stop me from buying the book and enjoying every minute of it.  Actually, I believe (of late) that there is much for a security risk professional to learn from other disciplines where risk analysis is routinely used (e.g., political risk assessment, actuarial science).  So picking up this book was my first attempt at understanding the requisite mathematical body of knowledge to become an actuary (see the American Academy of Actuaries website for more information on what an actuary does and what it takes to become one).


Review: Terrorism and Homeland Security: An Introduction with Applications

Wednesday, May 28th, 2008

Citation: Purpura, P. P. (2007). Terrorism and Homeland Security: An Introduction with Applications.  Butterworth-Heinemann (Elsevier).  ISBN: 978-0-7506-7843-8.

Here we have what appears to be an undergraduate text centered on this idea of homeland security.  It seems that the target readership for this book is HLS novices, so from that point of view the text covers a nice swath of homeland security issues and recent milestones (legislation, strategies, etc.).  But I think the book would come off as being quite lame to those in the homeland security community who know a thing or two about what it is, what it should be, and where it is (really) headed.  This book is truly an introductory text aimed at exposing the reader to different aspects of homeland security, but without going into any real depth save for whatever an instructor decides to do with the billion discussion questions scattered throughout each chapter.

But don’t get me wrong – this book has a lot of neat qualities.  First off, this text, in a single volume, contains all the neat graphics and images related to risk and homeland security put out by various offices of the federal government over the past 10 years or so.  It also has a lot of public domain pictures of soldiers, Chertoff, first responders, bad guys, and so forth.  So, if you need a one-stop resource for homeland security graphics, this book provides just that.

Each chapter is filled with a number of “critical thinking” exercises that ask simple questions like “if you were a terrorist, what would you do” or “do you think the government is doing a good job” or “what is your opinion of the terrorism insurance act.”  I suppose these questions were designed to prompt discussion, but I fear that unless the students/readers have sufficient background knowledge to form an informed opinion, these discussions may have the potential to do more harm than good.  A trained facilitator is really needed for these discussion questions to produce beneficial insight, that is, unless the student is willing to go off on his own to obtain sufficient background knowledge to truly understand the issues.  Each chapter also contains interesting application exercises that ask the reader/student to pretend to be a terrorist, first responder, POTUS, or whomever, and then roleplay in a prescribed situation.  I like these a lot, but just as with the critical thinking questions, a knowledgeable facilitator must be present to make sure the students don’t go off on obnoxious tangents.

The book offers a nice glossary of terms, but as any risk professional in this field knows, there is no common lexicon for homeland security.  So, from where did the author grab these definitions?  Perhaps they are cited in the body of the text, and even if they are it would be nice to see the references in the glossary.  But I do like the definition of vulnerability, as it emphasizes the connection to whom the vulnerability analysis is focused on, even if it is not sourced.

What is missing from the book is a discussion of the new National Response Framework (NRF), which supersedes the National Response Plan.  But this is to be forgiven since the book was published before the NRF.  But where is the discussion of some of the current and past DHS initiatives, including the Buffer Zone Protection Program, UASI grants, and so on?  Well, perhaps these programs are too “in the weeds” for this book given its focus on all of DHS and not just infrastructure protection.

So, would I use this book in any of my classes?  No.  But I might flip through it to find leads to supporting materials, to locate the reference for a neat image on risk or a picture of an actor on the homeland security stage, and maybe to identify all the legislation and executive orders that make this whole homeland security thing what it is today.  But the book is lacking in depth on a number of key issues, such as managing public risks from the loss of private infrastructure, precautionary approaches to security decision making versus those based on benefit-cost analysis, the nature of competition among states for federal funding and the oddities of how the federal government goes about allocating it, how money passes from one stakeholder to the next, and so on.  If I were to run a course on homeland security, I would probably have the students actually read all those good-looking US strategy documents that we paid big $$$ for, and provide them with a credible point and counterpoint taken from the academic literature for each of these issues to serve as a starting point for class discussion.

Oh, and as an aside, the author (P. P. Purpura) has written several books on security and loss prevention, some for multiple editions.  This is a good indicator of author credibility.  However, I can’t seem to locate any of his “numerous articles published in journals” save for one he wrote on prison inmate amenities for the Journal of Correctional Education in 1978.
