MY LATEST BOOK RELEASED! “The Science of Security” May 16, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Piracy & Maritime Security, Risk & Risk Management, security, security theater.

Announcing Scientia Securitatis: The Science of Security

After 34 years across nearly every security domain that exists — armed physical security at an overseas critical installation, combat force protection, security in a regional hospital’s psychiatric ward, payment-card industry compliance, armed maritime contracting off the East African coast, and a return to enterprise cybersecurity that has occupied the past decade — I have written the book I wish someone had written when I started.

Scientia Securitatis: The Science of Security — Theory, Frameworks, and Practice is available now.

The gap this book is intended to fill

The security profession does not lack books. Walk into any bookstore, scan any conference vendor floor, search any retailer’s security category, and you will find more material on cybersecurity, physical security, risk management, military theory, criminology, intelligence analysis, and organizational resilience than any single practitioner could read in a career. The field is overwhelmed with information.

What it lacks is integration.

Each security domain has developed its own vocabulary, its own frameworks, its own bestsellers, its own consultants. Each domain — when traced carefully to its analytical roots — is reaching for the same underlying concepts the next domain over named differently. Practitioners in physical and cybersecurity are working on the same analytical problems and rarely speak to one another. When they do, they discover that they have been duplicating each other’s work for decades.

Scientia Securitatis is an attempt to make that recognition the starting point of professional practice rather than an accident a few practitioners stumble into late in their careers.

What’s in the book

The book runs to 525 pages across 11 chapters and three appendices. It develops four original analytical frameworks:

  • The Mark Heptad — a taxonomy of seven adversary motivations (financial, espionage, war/defense, facilitation, hacktivism, revenge, nuisance) that maps directly to deterrence strategy
  • The IMCM Framework — Ignorance, Mistake, Complacency, Malice — for classifying human-induced vulnerabilities and matching them to specific interventions
  • The DIVE Framework — Direction, Intensity, Vulnerability, Exposure — for assessing specific exposure surfaces
  • The Multiplicative Security Model — the mathematical basis for defense-in-depth, with implications for how security architecture should actually combine

These original frameworks sit within a broader analytical apparatus drawn from criminology (Cohen and Felson’s Routine Activity Theory, Cornish and Clarke’s Twenty-Five Techniques of Situational Crime Prevention), cognitive science (Kahneman and Tversky on judgment under uncertainty), military theory (Sun Tzu, Clausewitz, contemporary unrestricted warfare doctrine), and systems-safety scholarship (James Reason’s Swiss Cheese Model, Charles Perrow’s normal-accident theory).

The book also examines — and critically engages — the victim-blaming reflex that dominates post-incident analysis, drawing on the foundational criminological literature on victim precipitation and contemporary case studies including Equifax, OPM, Target, and Snowflake.

A note on the Latin title

Scientia Securitatis translates as “the science of security,” and the choice was deliberate. The Latin signals that the book engages security as a serious analytical discipline whose intellectual roots long predate the cybersecurity industry’s tendency to treat its problems as historically unprecedented. The phenomena security examines are ancient; the framework for studying them rigorously has been available since at least the mid-20th century. The book argues that practitioners have, with rare exceptions, declined to use it.

Who this book is for

This book is for the practitioner who has noticed that decades of escalating security investment have not produced proportional security gains, and who wants to understand why. It is for the security executive building defensible programs across multiple domains. The policy professional confronting unrestricted warfare doctrine. The risk and compliance leader who suspects that frameworks alone are not stopping sophisticated adversaries. The graduate student approaching security as an analytical discipline rather than a job category.

It is not a tactical handbook. It is not a configuration guide. It is the analytical apparatus that determines whether tactical choices are well-made — the apparatus the field has been operating without.

Where to get it

Scientia Securitatis: The Science of Security is available now on Amazon in eBook, paperback, and hardcover formats:

Scientia Securitatis

If you find the book useful, please consider leaving a review. Self-published analytical nonfiction lives and dies by word-of-mouth among the practitioners it was written for — and a thoughtful Amazon review from a working professional is worth more to other professionals than any amount of marketing.

— Chris Mark

I am back ;) “The Markerian Heptad and Understanding Attacker Motivations” February 24, 2020

Posted by Chris Mark in cybersecurity.

It has been a bit of time since I have posted. I am back with a blog post I wrote for the AT&T CyberSecurity Blog, titled “Understanding CyberAttacker Motivations”. It discusses what I call the “Markerian Heptad” (yes, I named it after myself 🙂) and describes the 7 basic motivations that underpin why an attacker would target a particular person, company, organization, etc.

“Implementing a risk-based security program and appropriate controls against adaptive cyber threat actors can be a complex task for many organizations. With an understanding of the basic motivations that drive cyber-attacks, organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks. This article will discuss the Rational Actor Model (RAM) as well as the seven primary intrinsic and extrinsic motivations for cyber attackers.

Deterrence and security theory fundamentally rely upon the premise that people are rational actors. The RAM is based on rational choice theory, which posits that humans are rational and will take actions that are in their own best interests. Each decision a person makes is based upon an internal value calculus that weighs the cost versus the benefits of an action. By altering the cost-to-benefit ratios of decisions, decisions, and therefore behavior, can be changed accordingly.

It should be noted at this point that ‘rationality’ relies upon a personal calculus of costs and benefits. When speaking about the rational actor model or deterrence, it is critical to understand that ‘rational’ behavior is that which advances the individual’s interests and, as such, behavior may vary among people, groups and situations.”

Thank You for 1,000,000 Views! January 26, 2016

Posted by Chris Mark in Uncategorized.

I was just notified that the GlobalRiskInfo blog just had its 1 millionth view with over 850,000 visitors! I want to give a big “Thank You!” to everyone that has taken the time to read my inane drivel and to those who take the time to comment! This is simply a labor of love and I am grateful for the support. This started 4 years ago and I have published 404 blog posts. While some have been big hits, others have not. Regardless, thank you!

Dupont’s Titanium Oxide Color Recipe- Stolen for Chinese Advantage July 22, 2015

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.

Oddly (to me anyhow) this is the 2nd most popular post on my blog! It was written over 3 years ago, but since it gets so much traffic I thought I should re-post it. Here it is in 2015!

Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any proprietary secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to the Chinese-controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient in many white products that makes the products white: products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method.”

I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake: if your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports stating that China is sponsoring much of the cyber espionage against US and European companies.

Getting into Information Assurance Careers June 2, 2015

Posted by Chris Mark in Uncategorized.

I have had a number of folks email me asking about becoming an InfoSec worker, so I am writing this post to (hopefully) help those who are interested. In 2001, I landed in InfoSec by pure luck and I have never looked back. It is an amazing field and a great career path. First, some marketing. According to the InfoSec Institute, the average CISSP salary in 2014 is over $100,000 per year. In 2013 there were 209,000 job postings for CyberSecurity jobs, and it is estimated that in 2015 there are 40,000 more jobs than people to take them. In short, it is a very high demand field.

InfoSec? CyberSecurity? Information Assurance? WHAT?

It is even confusing to me sometimes. At a high level I use the term Information Assurance, as it encompasses all of the elements of protecting data. This includes data security (protecting data), CyberSecurity (protecting the systems and infrastructure), Privacy (appropriate use of information), Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization). While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.

What types of Jobs are Out There?