I started this blog to try to help move information security theory and practice forward as both an intellectual discipline and professional practice area. Information security as a discipline is very new, as are the technologies involved and the professional disciplines of computer science, network implementation, and information management upon which information security builds. And computers and networks have evolved rapidly, which has required information security theory and practice to evolve rapidly in an attempt to keep pace.
Because all American statutory, regulatory, and common law is based at least to some extent on experience (and preferably on precedent), information security legal theory is not well-developed. As a result, no settled standards exist for allocating losses and settling disputes when security fails. In many cases nobody really knows how to determine whether someone has been negligent or has failed to meet regulatory requirements; sometimes, it is difficult to determine even what those duties are. Therefore, a legal theory of information security can’t just summarize existing legislation, precedent, and secondary authorities—it must weave together relevant strands of activity and thought.
This is what I want to try to do in this blog, I hope with my readers’ help. I’ve been working on this for some years now, and it’s a fascinating and, I hope, ultimately useful exercise. I plan to post, as and when I can, not only on current events and issues of interest to information security compliance and risk management, but also on some of the history of this field. I think this history has been neglected, to our disadvantage – we’ve learned a few things already, and it’s worth trying to remember them, even as we invent new tricks to deal with new problems.