Computing Reviews
Computer security basics
Russell D., Gangemi G. T. Sr., O’Reilly & Associates, Inc., Sebastopol, CA, 1991. Type: Book (9780937175712)
Date Reviewed: Jul 1 1992

At last, here is a fine, eminently readable (almost chatty), practical, and broad book on computer security for auditors, administrators, managers, and even those who teach introductory business courses in the subject. Although such readers may find little of value in the 100+ pages that the authors devote to matters (such as TEMPEST and the “Orange Book”) that are of concern only to those who must abide by United States Department of Defense (DoD) regulations, the remainder of the book is well worth its price. While it contains almost no material on specific systems and software products, the book does contain a great deal of generally useful, fundamental guidance on

  • justifying security measures,

  • the history of computer security,

  • access control and identification and authentication,

  • viruses, worms, and other “wildlife,”

  • administration,

  • cryptography, and

  • network security.

The substantive discussions are preceded by a helpful chapter that expounds critical definitions and are followed by appendices on initialisms (which the authors miscall “acronyms”) and sources for further study. The latter are especially appropriate because the book always avoids painful detail.

Most of the book’s flaws occur in its DoD-related sections. Trying to keep up with fast-paced changes as they occurred no doubt led to use of the present tense to refer on page 40 to the applicability of a directive whose rescission is chronicled on page 42; similarly, page 36 gives one impression of the National Security Agency’s endorsement of the Data Encryption Standard, but page 187 gives a different impression that takes more recent events into account. The introduction of the “star property” on page 77 can make no sense without its justification, for which the authors merely refer the reader to an appendix listing other publications. Also inadequate is the book’s treatment on page 66 of cracking passwords by making trial encryptions and comparing them to available ciphertext; page 166 is written as though such cracking were of concern only in exceptional cases. Also, the book’s history could leave the reader with the incorrect impression that all advances in computer security stemmed from governmental agencies’ activities.

DoD-related flaws and emphasis notwithstanding, Russell and Gangemi have produced a fine and sorely needed text that is well designed and well edited. One must hope that it will edify those to whom the subject of computer security has heretofore seemed all too arcane.

Reviewer:  S. A. Kurzban Review #: CR115709
Security and Protection (K.6.5)
General (C.2.0)
Data Encryption (E.3)