Whether you’re studying for a cyber security certification or qualification or want to enhance your own information security knowledge, there’s a wealth of books available that’ll help you learn and improve your cyber security skills.
As you read on, we’ll share our list of the books that are, in our opinion, best for studying cyber security and those that are good for people looking to improve their cyber security skills.
We’ve tried to take a balanced approach, recommending some textbooks that will enable cyber security practitioners to study and prepare for cyber security qualifications and certifications.
We’ve also looked through our library of books and selected ones that provide some historical context - books that discuss and detail how we, as a community of IT and security professionals, have come to find ourselves facing down kinetic attacks, nation state actors, hacktivists and highly organised gangs of professional malware pedlars.
We’ve also included books that are simply a good read!
Information Security Management Principles (2e)
By David Alexander, Amanda Finch, David Sutton, Andy Taylor
Technology plays a central role in all personal and professional lives. And that technology needs to be reliable and dependable: it needs to always be on and it needs to be available. From a security perspective, a compromise needs to be struck between availability and security.
Aimed at technical experts and business professionals, this book offers a practical (rather than theoretical) guide to delivering information assurance. Here in its second edition, 'Information Security Management Principles' is updated to include securing cloud-based resources.
The book’s text has also been enhanced to reflect recently made changes in the BCS Certification in Information Security Management Principles - a certification that 'Information Security Management Principles' supports.
The book’s team of authors have a collective wealth of experience with a particular focus on implementing best practice and shaping policy.
Ghost in the Wires
By Kevin Mitnick
'Ghost in the Wires' takes a time machine back to the 1970s and the formative days of a young boy who went on to become one of the world’s most notorious hackers: Kevin Mitnick. Telling his own story in his own words, 'Ghost in the Wires' is a must-read autobiography for any cyber security professional - or anybody with a passing interest in computers.
The story starts with a young boy subverting the ticketing system on local buses and stealing free rides. From there Mitnick became immersed in ham radio technology and then discovered phone phreaking - exploring and exploiting the American phone network for free calls and intellectual thrills.
Phreaking propelled Mitnick inexorably toward hacking and exploring phone companies’ computers. Such were his technical talents, social engineering skills and near addiction to understanding how phones worked that Mitnick became one of America’s most wanted fugitives.
'Ghost in the Wires' is enjoyable and educational in equal measure. It provides an intimate insight into how a hacker’s mind works and also illustrates the power of social engineering.
Cyber Security: A practitioner's guide
By David Sutton
Cyber security often dominates the headlines and seldom for good reasons: bugs in software and operating systems, compromised systems, criminal activity and stolen details. Given the damage being hacked can cause - both for businesses and homes - taking practical steps to maintain a solid security posture has never been more important.
This book takes a practical and informed approach. It explores today’s most prevalent attacks, issues and threats. With the headline grabbers covered, it lifts the lid on critical topics such as how criminals select targets, what motivates attackers, risk management, incident recovery and risk. It also offers plenty of advice about how to defend and protect.
The book is relevant to home and business users alike and is written by David Sutton - an expert whose cyber security career spans five decades.
Stuxnet is a malware case worth studying. It was a highly malicious worm that came to light in 2010 and it had one target: sabotaging Iran’s nuclear program. As such it’s widely regarded as the world’s first cyber weapon: a piece of software designed specifically to bring to bear a kinetic attack against an adversary’s infrastructure. Although it was never openly admitted, it’s believed that Stuxnet malware was created through a joint Israeli and American effort.
Many things mark Stuxnet as a darkly impressive piece of malware. It targeted programmable logic controllers (PLCs) - devices that, among other things, control centrifuges for separating nuclear material. As such, it needed to move, undetected, across a Windows-based network and then cross to proprietary PLCs. To achieve all of this it drew on an elegantly nefarious mix of rootkitting, zero-day exploits, stealth and a huge amount of patience.
Zetter’s book explores the story’s technical aspects and also looks to the future, asking what Stuxnet tells us about the future of cyber weapons.
Hands-on Incident Response and Digital Forensics
By Mike Sheward
When the bad guys make their move and launch an attack against an organisation, it needs to take the right steps and invoke the right processes. Acting in the right way makes it possible to keep disruption to a minimum. Act in the wrong way and an organisation can turn a problem into a crisis. Very quickly.
Incident response focuses on the processes and techniques necessary to identify and recover from a cyber security incident - with the minimum of impact and disruption.
With the incident remediated, the next phase is digital forensics - a scientific grade investigation into what caused the incident. The ultimate aim is, of course, to bring the attacker to justice.
Often mentioned in the same breath, incident response and digital forensics have a close and also complex relationship. Though invoking both is essential when an incident becomes apparent, balancing the emphasis placed on the two specialisms is important.
This practical guide unpicks this relationship and, as it does, teaches how to undertake each in a way that’s right for each organisation.
'The Cuckoo’s Egg' is a golden oldie and a classic. Published originally in 1989 and set in 1986, its author and main protagonist Cliff Stoll - a system administrator at Lawrence Berkeley Laboratory’s physics lab - recalls how he spotted and helped to apprehend a hacker.
The story starts when he spots an almost inconsequential error in his system’s account time charges. This 75 cent anomaly eventually saw Stoll, a self-proclaimed hippy, rub shoulders with spooks from the NSA, CIA, the FBI and the German police as he unravelled a web of international computer-based espionage.
The book provides a tour of the early internet and Unix fundamentals. Don’t discount the book because of its age - there’s valuable stuff to be learned here. And it’s a good tale too.
Information Risk Management
By David Sutton
The practice of information risk management has three core concepts: identifying, assessing and prioritising risk, all with the aim of ensuring that information is kept secure and available.
'Information Risk Management' is a highly structured, informative and practical book that focuses on understanding risk management’s key principles. It also goes beyond theory and explores how practitioners can design, create and deploy a risk management process within their organisation. The book also includes a chapter that explores information risk management in the public sector.
This is the only textbook for the BCS Practitioner Certificate in Information Risk Management.
Security Architect Careers in information security
By Jon Collins
A security architect’s role and responsibilities are broad. Traditionally, and at the highest level, a security architect is tasked with ensuring that an organisation’s computers are secure. There is more to it than that.
A big part of the job is understanding business requirements and designing, developing and reviewing security solutions and architectures that align with those requirements.
Those developed solutions, while meeting business needs, must also mitigate risk while complying with existing security policies.
For those interested in taking on - or growing into - a security architecture role, 'Security Architect Careers in information security' gives hands-on advice. It covers fundamentals, the security architect’s skillset, standards, tools and techniques, and gives career guidance.
Send us your ideas
If you’ve read a cyber security book and would like to see it added to this cyber security reading list, please email firstname.lastname@example.org or tweet @bcs. We’d like to build the definitive list of what books are best for studying cyber security and the texts that are best for improving cyber security skills.