References

Abend, V., et al. (2008). Cybersecurity for the banking and finance sector. In Wiley Handbook of Science and Technology for Homeland Security, ed. J. G. Voeller. Hoboken, NJ: John Wiley & Sons, Inc.

Acohido, B. and J. Swartz (2008). Zero Day Threat. New York: Sterling Publishing Co., Inc.

Adair, S., R. Deibert, et al. (2010). Shadows in the cloud: Investigating Cyber Espionage 2.0. A joint report of the Information Warfare Monitor and Shadowserver Foundation.

Alexander, K. (2011). Congressional testimony. House Armed Services Committee. Washington, DC.

Alperovitch, D. (2011). Revealed: Operation Shady RAT, McAfee.

Amoroso, E. (1999). Intrusion Detection. Sparta, NJ: Intrusion.Net Books.

Amoroso, E. (2006). Cyber Security. Summit, NJ: Silicon Press.

Amoroso, E. (2010). Cyber Attacks. Burlington, MA: Butterworth-Heinemann.

ANSI and ISA (2010). The financial management of cyber risk. An Implementation Framework for CFOs, American National Standards Institute (ANSI) and the Internet Security Alliance (ISA).

Assante, M. (2009). Critical cyber asset identification letter. Chief Information Security Officer, North American Electric Reliability Corporation (NERC).

ASTM (2009). ASTM Standard F2761 Integrated Clinical Environment, or ICE. From http://www.astm.org, ASTM International, West Conshohocken, PA.

Baker, W., A. Hutton, et al. (2011). Data breach investigations report. From http://www.verizonbusiness.com/go/2011dbir, Verizon Business.

Barrera, D. and P. Van Oorschot (2011). Secure software installation on smartphones. IEEE Security & Privacy, 42–51.

Bayuk, J. (2000). Information security metrics: An audit-based approach. Computer Systems Security and Privacy Advisory Board (CSSPAB) Security Metrics Workshop (Sponsored by NIST).

Bayuk, J. (2005). Stepping through the IS Audit, A Guide for Information Systems Managers, 2nd Edition. Rolling Meadows, IL: Information Systems Audit and Control Association.

Bayuk, J. (2007). Stepping through the InfoSec Program. Rolling Meadows, IL: Information Systems Audit and Control Association.

Bayuk, J. (2010). Enterprise Security for the Executive: Setting the Tone at the Top. Santa Barbara, CA: Praeger.

Bayuk, J., D. Barnabe, et al. (2010). Systems security engineering, a research roadmap, final technical report, Systems Engineering Research Center. From http://www.sercuarc.org.

Bilgerm, M., L. O’Connor, et al. (2006). Data-centric Security, IBM.

Bishop, B. (2010). China’s internet: The invisible birdcage. China Economic Quarterly September. Available at http://www.theceq.info/.

BITS (2007). BITS email security toolkit. From http://www.bitsinfo.org, The Financial Services Roundtable.

BITS (2011). Malware risks and mitigation. From http://www.bitsinfo.org, The Financial Services Roundtable.

Boardman, J. and B. Sauser (2008). Systems Thinking: Coping with 21st Century Problems. Boca Raton, FL: Taylor & Francis.

Botha, R. A., S. M. Furnell, et al. (2009). From desktop to mobile: Examining the security experience. Computers & Security 28(3–4): 130–137.

Boyd, J. (1987). A discourse on winning and losing. Briefing slides. Maxwell Air Force Base, AL, Air University Library Document No. M-U 43947.

Brafman, O. and R. A. Beckstrom (2006). The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations. Portfolio Hardcover.

Brenner, J. (2011). America the Vulnerable. New York: Penguin Press.

Byres, E., J. Karsch, et al. (2005). Good practice guide on firewall deployment for SCADA and process control networks. UK National Infrastructure Security Coordination Centre (NISCC).

Byres, E. and D. Leversage (2006). The industrial security incident database. Metricon 1.0, From http://www.securitymetrics.org.

Carlson, J. (2009). Financial services. In Enterprise Information Security and Privacy, ed. C. W. Axelrod, J. Bayuk, and D. Schutzer. Norwood, MA: Artech House.

Ceruzzi, P. E. (2003). A History of Modern Computing, 2nd Edition. Cambridge, MA: MIT Press.

CETS (2004). Convention on cybercrime. CETS No.: 185. From http://conventions.coe.int.

Charette, R. (2009). Now is the time to define software never-events. IEEE Spectrum.

Chatzinotas, S., J. Karlsson, et al. (2008). Evaluation of security architectures for mobile broadband access. In Handbook of Research on Wireless Security, ed. Y. Zhang, J. Zheng, and M. Miao. Hershey, PA: IGI Global.

Cheswick, W. R. and S. M. Bellovin (1994). Firewalls and Internet Security. Reading, MA: Addison-Wesley.

Chew, E., M. Swanson, et al. (2008). Performance Measurement Guide for Information Security. (Rev 1, first version 2003). Washington, DC: National Institute of Standards and Technology.

CISWG (2005). Report of the best practices and metrics teams. Corporate Information Security Working Group, US House of Representatives, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee.

Clarke, R. A. and R. K. Knake (2010). Cyberwar. New York: HarperCollins.

Cleland, S. and I. Brodsky (2011). Search and Destroy: Why You Can’t Trust Google Inc. St. Louis, MO: Telescope Books.

Cloppert, M. (2010). Evolution of APT state of the ART and intelligence-driven response. US Digital Forensic and Incident Response Summit. From http://computer-forensics.sans.org, SANS.

COSO (2009). Guidance on monitoring internal control systems. Internal Control—Integrated Framework Introduction, Committee of Sponsoring Organizations of the Treadway Commission, Members include: American Accounting Association, American Institute of Certified Public Accountants, Financial Executive Institute, Institute of Internal Auditors, Institute of Management Accountants. From http://www.coso.org.

CSIS (2008). Securing Cyberspace for the 44th Presidency. Washington, DC: Center for Strategic and International Studies.

DeBlasio, A., T. Regan, et al. (2002). Effects of Catastrophic Events on Transportation System Management and Operations, New York City—September 11, U.S. Department of Transportation, ITS Joint Program Office, April 21, 2002. From ntl.bts.gov/lib/jpodocs/repts_te/14129_files/14129.pdf.

Denmark, A. M. and J. Mulvenon, Eds. (2010). Contested Commons: The Future of American Power in a Multipolar World. Washington, DC: Center for a New American Society (CNAS).

Denning, D. (1982). Cryptography and Computer Security. Reading, MA: Addison-Wesley.

DHS (2009). National infrastructure protection plan (NIPP). U.S. Department of Homeland Security. Available at http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

DoD (1985). The Orange Book, Trusted Computer System Evaluation Criteria. Washington, DC: Department of Defense. (supersedes first version of 1983).

DoD (2005). Information assurance workforce improvement program. US Department of Defense, DoD 8570.01-M.

Drew, C. (2011). Stolen data is tracked to hacking at Lockheed. The New York Times, June 3.

Drucker, P. (2001). The Essential Drucker. New York: HarperCollins.

DSB (1970). Security controls for computer systems. Defense Science Board.

DSB (1996). Information warfare—Defense. Defense Science Board.

DSB (2005). High performance microchip supply. Defense Science Board.

FBIIC and FSSCC (2007). Banking and finance, critical infrastructure and key resources, sector-specific plan as input to the national infrastructure protection plan. Financial and Banking Infrastructure Information Committee and Financial Services Sector Coordinating Council.

FDIC (2004). Putting an end to account-hijacking identity theft. Federal Deposit Insurance Corporation Division of Supervision and Consumer Protection Technology Supervision Branch.

Fernandez, E. B. and N. Delessy (2006). Using patterns to understand and compare web services security products and standards. Proceedings of the Advanced International Conference on Telecommunications and International Conference on Internet and Web Applications and Services (AICT/ICIW 2006), IEEE.

FFIEC (2006). IT Examination Handbook—Information Security Booklet. Washington, DC: Federal Financial Institutions Examination Council, www.ffiec.gov.

FS-ISAC (2011). Threat viewpoint, advanced persistent threat. Financial Services Information Sharing and Analysis Center, www.fsisac.com.

FSSCC (2008). Research and development agenda. Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, Financial Services Sector Coordinating Council, www.fsscc.org.

FTC (2011). Consumer Sentinel Network Data Book. Washington, DC: U.S. Federal Trade Commission. From http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2010.pdf.

Furr, J. (1990). Wikipedia entry attributes spam usage to him.

Gallaher, M. P., A. N. Link, et al. (2008). Cyber Security, Economic Strategies and Public Policy Alternatives. Cheltenham, UK: Edward Elgar.

Garcia, M. L. (2008). The Design and Analysis of Physical Protection Systems. Burlington, MA: Butterworth-Heinemann.

Gilliland, A. and R. Gula (2009). SCAP panel discussion. Financial Services Information Security Caucus. New York.

Gilmore Commission (1999). First annual report to the President and the Congress of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction. Available at www.rand.org.

Gordon, L. A. and M. P. Loeb (2005). Managing Cybersecurity Resources. New York: McGraw-Hill.

Gorman, S. (2012). Chinese hackers suspected in long-term Nortel breach. The Wall Street Journal, February 14.

Gourley, B. (2010). JTF-CND to JTF-CNO to JTF-GNO to Cybercom, ctovision.com, September 8, 2010. Available at http://ctovision.com/2010/09/jtf-cnd-to-jtf-cno-to-jtf-gno-to-cybercom/.

Grampp, F. T. and M. D. McIlroy (1989). Why we moved crypt to /usr/games, and other fatherly advice. AT&T Bell Laboratories Technical Memorandum nos. TM 11275-890302-03TMS and TM 11270-890301-06TMS.

Guinnane, T. W. (2005). Trust: A concept too many. Economic Growth Center, Yale University, www.econ.yale.edu/~egcenter/research.htm.

Hathaway, M., et al. (2009). Cyberspace policy review, assuring a trusted and resilient information, and communications infrastructure. United States Executive Branch.

Hayden, L. (2010). IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data. McGraw-Hill Osborne Media.

Herley, C. (2009). So long, and no thanks for the externalities: The rational rejection of security advice by users. New security paradigms workshop. Oxford, United Kingdom, ACM.

Herrmann, D. (2007). The Complete Guide to Security and Privacy Metrics. Boca Raton, FL: Auerbach Publications.

HHS (2010). Nationwide Health Information Network (NHIN) exchange architecture overview. DRAFT v.0.9, US Department of Health and Human Services.

HIPAA (2003). Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule. US Department of Health and Human Services. Federal Register Vol. 68, No. 34.

Hoglund, G. and G. McGraw (2008). Exploiting Online Games. Boston, MA: Pearson Education.

Hubbard, D. W. (2007). How to Measure Anything. Hoboken, NJ: John Wiley & Sons, Inc.

Hubbard, D. W. (2009). The Failure of Risk Management. Hoboken, NJ: John Wiley & Sons, Inc., p. 6.

IETF (ongoing). Request for Comments (RFC). Internet Engineering Task Force Archives. Available at http://www.ietf.org/rfc.html.

Igure, V. M., S. A. Laughter, et al. (2006). Security issues in SCADA networks. Computers & Security 25(7): 498–506.

INCOSE (2011). INCOSE systems engineering handbook, version 3.2.1.

ISA. International Society of Automation S99—Industrial Automation and Control Systems Security.

ISACA (2007). Control Objectives for Information Technology (COBIT). Rolling Meadows, IL, Information Systems Audit and Control Association, IT Governance Institute.

ISF (2007). The standard of good practice for information security. Information Security Forum, http://www.isfsecuritystandard.com.

ISO/IEC (2002). Information technology—Systems Security Engineering—Capability Maturity Model (SSE-CMM, ISO/IEC 28127). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

ISO/IEC (2005a). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). From http://www.iso.org.

ISO/IEC (2005b). Information technology—Security techniques—Code of practice for information security management (ISO/IEC 27002). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

ISO/IEC (2007). Systems and software engineering—Measurement process (ISO/IEC 15939). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

ISO/IEC (2009a). Information technology—Security techniques—Evaluation criteria for IT security—Part 1: Introduction and general model (ISO/IEC 15408). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

ISO/IEC (2009b). Information technology—Security techniques—Information security management—Measurement (ISO/IEC 27004). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

ISO/IEC (2009c). Systems and software engineering—Systems and Software Assurance—Part 2: Assurance case (ISO/IEC 15026). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

Jacobs, A. and M. Helft (2010). Google, citing attack, threatens to exit China. The New York Times, January 12.

Jakobsson, M. (2009). Academia. In Enterprise Information Security and Privacy, ed. C. W. Axelrod, J. Bayuk, and D. Schutzer. Norwood, MA: Artech House, 191–198.

Jansen, W. (2009). Directions in security metrics research. National Institute of Standards and Technology Interagency Report. NISTIR 7564, www.nist.gov.

Jaquith, A. (2007). Security Metrics. Upper Saddle River, NJ: Pearson Education.

Jaquith, A. and D. Geer (2005). Security Metrics, a community website for security practitioners. From http://www.securitymetrics.org.

Khusial, D. and R. McKegney (2005). e-Commerce security: Attacks and preventive strategies. From http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html#N10078.

Kim, G., P. Love, et al. (2008). Visible Ops Security. Eugene, OR: Information Technology Process Institute.

Kim, G. and E. H. Spafford (1994). The Design and Implementation of Tripwire: A File System Integrity Checker. Proceedings of the 2nd ACM conference on computer and communications security. Fairfax, VA: ACM Press.

King, S. (2010). Science of Cyber Security, JST-10-102. McLean, VA: MITRE.

Kocieniewski, D. (2006). Six animal rights advocates are convicted of terrorism. The New York Times, March 3.

Kuehl, D. T. (2009). From cyberspace to cyberpower: Defining the problem. In Cyberpower and National Security, ed. F. D. Kramer, S. H. Starr, and L. Wentz. Dulles, VA: Potomac Books, Inc.

Landwehr, C. E. (2009). A national goal for cyberspace: Create an open, accountable internet. IEEE Security & Privacy, 7(3): 3–4.

Littman, J. (1990). Shockwave rider. PC Computing, June.

Loveland, G. and M. Lobel (2011). Global state of information security survey. Price Waterhouse Coopers, CIO Magazine, and CSO Magazine.

Lynn, W. (2010). Defending a new domain. Foreign Affairs 89(5): 97–108.

Markoff, J. (2012). Researchers find a flaw in a widely used online encryption method. The New York Times, February 15.

Maughan, D. (2009). A roadmap for cybersecurity research. US Department of Homeland Security.

McGraw, G. (2006). Software Security. Boston: Pearson Education.

McHugh, J. (2000). Testing intrusion detection systems. ACM Transactions on Information and System Security, 3(4).

McMillan, R. (2010). More than 100 companies targeted by Google hackers. Computerworld, February 27. Available at www.computerworld.com.

McNeil, J. (1978). The Consultant, Coward, McCann, and Geoghegan, Inc., also a BBC television series.

MD FIRE (ongoing). Medical device free interoperability requirements for the enterprise. From http://www.mdpnp.org.

Menn, J. (2010). Fatal System Error. New York: Perseus Books Group.

Meserve, J. (2007). Staged cyber attack reveals vulnerability in power grid. CNN News. From http://www.youtube.com/watch?v=C2qd6xXbySk.

Miniwatts (ongoing). Internet World Stats, Miniwatts Marketing Group. http://www.internetworldstats.com/stats.htm.

MITRE (ongoing). Common Vulnerabilities and Exposures, dictionary of common names for publicly known information security vulnerabilities. http://cve.mitre.org.

MITRE (2009). Common Weakness Enumeration (CWE/SANS) top 25 most dangerous programming errors. From http://cwe.mitre.org/. S. Christey.

Mohawk (1997). Putting the terror in terrorism, busted in 97. December 26. Available at http://web.textfiles.com/ezines/OCPP/ocpp05.txt.

Monty Python (1970). Monty Python’s flying circus spam sketch. From http://www.youtube.com/watch?v=anwy2MPT5RE.

Mylroie, L. (1995). The World Trade Center bomb: Who is Ramzi Yousef? And why it matters. The National Interest, December 1. Available at http://nationalinterest.org/article/the-world-trade-center-bomb-who-is-ramzi-yousef-and-why-it-matters-1035.

National vulnerability database. http://nvd.nist.gov/.

NCPI (2001). Understanding Crime Prevention, 2nd Edition. National Crime Prevention Institute. Woburn, MA: Butterworth-Heinemann.

Nelson, A. J., G. W. Dinolt, et al. (2011). A security and usability perspective of cloud file systems. SoSE 2011 6th International Conference on System of Systems Engineering, Albuquerque, NM.

NERC (2010). High-impact, low-frequency event risk report. From http://www.nerc.com/files/HILF.pdf, North American Electric Reliability Corporation, June 2010.

Neumann, P. G. (2004). Principled assuredly trustworthy composable architectures. SRI International. Available at http://www.csl.sri.com/~neumann/chats4.pdf.

NIST (2011). Managing information security risk. National Institute of Standards and Technology, Joint Task Force Transformation Initiative Interagency Working Group.

NRC (1996). Cryptography’s Role in Securing the Information Society. National Research Council. Washington, DC: National Academy Press.

NSPD-54/HSPD-23 (2008). The Comprehensive National Cybersecurity Initiative, National Security Presidential Directive 54/Homeland Security Presidential Directive 23.

NTIA (1998). Improvement of technical management of internet names and addresses. National Telecommunications and Information Administration (Editor), Federal Register, Vol. 63, No. 34, FR Doc. 98-4200.

NTSB (2010). San Bruno pipeline incident, preliminary report. Accident No.: DCA10MP008. From http://www.ntsb.gov/Surface/pipeline/Preliminary-Reports/San-Bruno-CA.html, National Transportation Safety Board.

OCC (2008). Bulletin OCC 2008-16. Subject: Information Security Description: Application Security, US Office of the Comptroller of the Currency.

Pande, P., R. Neuman, et al. (2001). The Six Sigma Way. New York: McGraw-Hill.

Pariser, E. (2011). The Filter Bubble. London: Penguin Group.

PCI (2008). Payment Card Industry (PCI) Data Security Standard, Version 1.2. Payment Card Industry (PCI) Security Standards Council, https://www.pcisecuritystandards.org.

PDD-63 (1998). U.S. Presidential Decision Directive 63. Available at http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.

Peltier, T. R. (2001). Information Security Policies, Procedures, and Standards. Boca Raton, FL: CRC Press.

Pike, J. (2012a). Eligible receiver. Available at http://www.globalsecurity.org/military/ops/eligible-receiver.htm.

Pike, J. (2012b). Solar sunrise. Available at http://www.globalsecurity.org/military/ops/solar-sunrise.htm.

PMI (2008). A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 4th Edition. Newton Square, PA: Project Management Institute.

Ponemon Institute (2009). Electronic health information at risk. Available at www.ponemon.org.

Powell, C. (2009). Security leadership. Fortify Executive Summit & ISE Mid-Atlantic Awards Washington, DC, Executive Alliance, Inc.

Preckshot, G. G. (1994). Method for performing diversity and Defense-in-Depth analyses of reactor protection systems. UCRL-ID-119239. US Nuclear Regulatory Commission Lawrence Livermore National Laboratory, Fission Energy and Systems Safety Program.

President’s Commission on Critical Infrastructure Protection (1997). Critical foundations: Protecting America’s infrastructures, http://www.fas.org/sgp/library/pccip.pdf.

Proctor, P. (2001). The Practical Intrusion Detection Handbook. Upper Saddle River, NJ: Prentice Hall.

Ramachandran, J. (2002). Designing Security Architecture Solutions. Hoboken, NJ: John Wiley & Sons, Inc.

Rattray, G. (2001). Strategic Warfare in Cyberspace. Cambridge, MA: The MIT Press.

Rekhter, Y., R. G. Moskowitz, et al. (1996). Address allocation for private internets. Request for Comments: 1918 Internet Engineering Task Force, Network Working Group.

Rescorla, E. and T. Dierks (1999). The Transport Layer Security (TLS) protocol, version 1.2. Request for Comments: 5246, Internet Engineering Task Force, Network Working Group.

Rice, D. (2008). Geekonomics. Boston: Pearson Education.

Robb, J. (2007). Brave New War, The Next Stage of Terrorism and the End of Globalization. Hoboken, NJ: John Wiley & Sons, Inc.

Rohmeyer, P. (2010). Technology malpractice. In Cyberforensics: Understanding Information Security Investigations, ed. J. Bayuk. New York: Springer.

Ross, R., S. Katzke, et al. (2007). Recommended security controls for federal information systems, SP 800-53 Rev 2. National Institute of Standards and Technology.

Rost, J. and R. L. Glass (2011). The Dark Side of Software Engineering. Hoboken, NJ: Wiley.

RSTA (ongoing). Root Server Technical Operations Association, www.root-servers.org.

Ruitenbeek, E. V. and K. Scarfone (2009). The Common Misuse Scoring System (CMSS): Metrics for software feature misuse—DRAFT NISTIR 7517. National Institute of Standards and Technology.

Safire, W. (1994). On language—Cyberlingo. The New York Times Magazine, December 11, 1994.

Sarno, D. (2012). Phone apps dial up privacy worries. Los Angeles Times, February 18.

Savola, R. M. (2007). Towards a taxonomy for information security metrics. International Conference on Software Engineering Advances (ICSEA). Cap Esterel, France, ACM.

Schacht, J. M. (1975). Jobstream Separator System Design. NIST History of Computer Security. McLean, VA: MITRE.

Schewe, P. F. (2007). The Grid. Washington, DC: Joseph Henry Press.

Schmidt, H. (2006). Patrolling Cyberspace. N. Potomac, MD: Larstan Publishing.

Schneider, F. B., Ed. (1999). Trust in Cyberspace. National Research Council. Washington, DC: National Academy Press.

Schneier, B. (2003). Beyond Fear. New York: Copernicus.

Schwartz, N. D. and C. Drew (2011). RSA faces angry users after breach. The New York Times, June 7.

Schweitzer, J. A. (1982). Managing Information Security, A Program for the Electronic Age. Woburn, MA: Butterworth Publishers Inc.

Schweitzer, J. A. (1983). Protecting Information in the Electronic Workplace. Reston, VA: Reston Publishing.

Shannon, C. E. (1949). Communication theory of secrecy systems. Bell Labs Technical Journal, 28(4).

Siegel, M. (2005). False Alarm, the Truth about the Epidemic of Fear. Hoboken, NJ: John Wiley and Sons, Inc.

Singleton, F. (1994). The evolution of EDP auditing in North America. IS Audit and Control Journal IV: 38–48.

SIT (2010). Global Cybersecurity Policy Conference. Washington, DC: Stevens Institute of Technology.

Skoudis, E. and L. Zeltser (2004). Malware: Fighting Malicious Code. Upper Saddle River, NJ: Prentice Hall.

Slater, R. (1987). Portraits in Silicon. Cambridge, MA: MIT Press.

Smedinghoff, T. J. (2009). Legal and regulatory obligations. In Enterprise Information Security and Privacy, ed. C. W. Axelrod, J. Bayuk, and D. Schutzer. Norwood, MA: Artech House.

Spamhaus (ongoing). The Spamhaus Project. From http://www.spamhaus.org.

SSE-CMM® (2003). Systems Security Engineering Capability Maturity Model®. Model Description Document, Version 3.0.

Stamp, J., P. Campbell, et al. (2003). Sustainable Security for Infrastructure SCADA, Sandia National Laboratories. SABD2003-4670.

State (2010). International traffic in arms regulations. http://www.pmddtc.state.gov/regulations_laws/itar_official.html, US Department of State.

Sterling, B. (1992). Hacker Crackdown. New York: Bantam Doubleday Dell Publishing Group.

Stoll, C. (1989). The Cuckoo’s Egg. New York: Doubleday.

Stouffer, K., J. Falco, et al. (2009). Guide to Industrial Control Systems Security, SP 800-82. National Institute of Standards and Technology.

Thompson, H. H. (2003). Why security testing is hard. IEEE Security & Privacy, 1(4).

Thompson, H. H. and S. G. Chase (2005). The Software Vulnerability Guide. Hingham, MA: Charles River Media.

Toner, E. S. (2009). Creating situational awareness: A systems approach. Workshop on Medical Surge Capacity, Institute of Medicine Forum on Medical and Public Health Preparedness for Catastrophic Events.

UCF (ongoing). Unified Compliance Framework, http://www.unifiedcompliance.com/.

US-CERT (ongoing). The original CERT was privately operated, and has since been supplemented with one run by the US Department of Homeland Security, From http://www.cert.org/ and http://www.us-cert.gov/.

Vijayan, J. (2008). McColo takedown: Internet vigilantism or online neighborhood watch? Computerworld, November 17. Available at www.computerworld.com.

Virus.org (1998). Targeting the Pentagon, Rome labs attack story. InfoSec News, March 31. Available at http://lists.virus.org/isn-9803/msg00123.html.

Ware, W. (1970). Security controls for computer systems. From http://seclab.cs.ucdavis.edu/projects/history/papers/ware70.pdf, Report of Defense Science Board Task Force on Computer Security.

Weiss, J. (2010). Protecting Industrial Control Systems from Electronic Threats. New York: Momentum Press.

Wolf, C. (2008). Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age. New York: Practising Law Institute.

Wyatt, E. (2012). White House, consumers in mind, offers online privacy guidelines. The New York Times, February 23.

Zetter, K. (2011). How digital detectives deciphered Stuxnet, the most menacing malware in history. Wired. Available at http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1.

Zimmer, B. (2009). On language. The New York Times Magazine, October 5.
