
MY LATEST BOOK RELEASED! “The Science of Security” May 16, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Piracy & Maritime Security, Risk & Risk Management, security, security theater.

Announcing Scientia Securitatis: The Science of Security

After 34 years across nearly every security domain that exists — armed physical security at an overseas critical installation, combat force protection, security in a regional hospital’s psychiatric ward, payment-card industry compliance, armed maritime contracting off the East African coast, and a return to enterprise cybersecurity that has occupied the past decade — I have written the book I wish someone had written when I started.

Scientia Securitatis: The Science of Security — Theory, Frameworks, and Practice is available now.

The gap this book is intended to fill

The security profession does not lack books. Walk into any bookstore, scan any conference vendor floor, search any retailer’s security category, and you will find more material on cybersecurity, physical security, risk management, military theory, criminology, intelligence analysis, and organizational resilience than any single practitioner could read in a career. The field is overwhelmed with information.

What it lacks is integration.

Each security domain has developed its own vocabulary, its own frameworks, its own bestsellers, its own consultants. Each domain — when traced carefully to its analytical roots — is reaching for the same underlying concepts the next domain over named differently. Practitioners in physical and cybersecurity are working on the same analytical problems and rarely speak to one another. When they do, they discover that they have been duplicating each other’s work for decades.

Scientia Securitatis is an attempt to make that recognition the starting point of professional practice rather than an accident a few practitioners stumble into late in their careers.

What’s in the book

The book runs to 525 pages across 11 chapters and three appendices. It develops four original analytical frameworks:

  • The Mark Heptad — a taxonomy of seven adversary motivations (financial, espionage, war/defense, facilitation, hacktivism, revenge, nuisance) that maps directly to deterrence strategy
  • The IMCM Framework — Ignorance, Mistake, Complacency, Malice — for classifying human-induced vulnerabilities and matching them to specific interventions
  • The DIVE Framework — Direction, Intensity, Vulnerability, Exposure — for assessing specific exposure surfaces
  • The Multiplicative Security Model — the mathematical basis for defense-in-depth, with implications for how security architecture should actually combine

These original frameworks sit within a broader analytical apparatus drawn from criminology (Cohen and Felson’s Routine Activity Theory, Cornish and Clarke’s Twenty-Five Techniques of Situational Crime Prevention), cognitive science (Kahneman and Tversky on judgment under uncertainty), military theory (Sun Tzu, Clausewitz, contemporary unrestricted warfare doctrine), and systems-safety scholarship (James Reason’s Swiss Cheese Model, Charles Perrow’s normal-accident theory).

The book also examines — and critically engages — the victim-blaming reflex that dominates post-incident analysis, drawing on the foundational criminological literature on victim precipitation and contemporary case studies including Equifax, OPM, Target, and Snowflake.

A note on the Latin title

Scientia Securitatis translates as “the science of security,” and the choice was deliberate. The Latin signals that the book engages security as a serious analytical discipline whose intellectual roots long predate the cybersecurity industry’s tendency to treat its problems as historically unprecedented. The phenomena security examines are ancient; the framework for studying them rigorously has been available since at least the mid-20th century. The book argues that practitioners have, with rare exceptions, declined to use it.

Who this book is for

This book is for the practitioner who has noticed that decades of escalating security investment have not produced proportional security gains, and who wants to understand why. It is for the security executive building defensible programs across multiple domains. The policy professional confronting unrestricted warfare doctrine. The risk and compliance leader who suspects that frameworks alone are not stopping sophisticated adversaries. The graduate student approaching security as an analytical discipline rather than a job category.

It is not a tactical handbook. It is not a configuration guide. It is the analytical apparatus that determines whether tactical choices are well-made — the apparatus the field has been operating without.

Where to get it

Scientia Securitatis: The Science of Security is available now on Amazon in eBook, paperback, and hardcover formats:

Scientia Securitatis

If you find the book useful, please consider leaving a review. Self-published analytical nonfiction lives and dies by word-of-mouth among the practitioners it was written for — and a thoughtful Amazon review from a working professional is worth more to other professionals than any amount of marketing.

— Chris Mark

Asymmetric Warfare 101 July 21, 2015

Posted by Chris Mark in Risk & Risk Management, weapons and tactics.

With the current state of affairs I thought it appropriate to ‘republish’ this blog post from 2012. You can also read the article from Secure Payments Magazine on the same topic applied to InfoSec.

Asymmetric Warfare can be described as the strategy of using weapons, tactics, and methods to render the asymmetry that exists between two adversaries moot. Consider the US Military for a moment. Since the end of World War II, which is arguably the start of US hegemony, the United States has fielded what many believe is the most powerful conventional military in the history of the world (or at least the modern world). In spite of this fact, the US (and her allies) have struggled in conflicts in Vietnam, Somalia, and most recently in Iraq and Afghanistan. In each of these theaters it was groups of lesser-trained, relatively ill-equipped insurgents that created significant challenges to the US military. By applying guerrilla tactics, and employing IEDs and other technologies, the adversaries were able to balance the perceived asymmetry between the might of the US and their own capabilities.

The US is not alone in this dubious distinction of struggling with conventionally weaker adversaries. The Soviet Union was defeated in Afghanistan in the 1980s, and a much weaker France, led by Napoleon, defeated the powerful Prussian Military. France, in turn, lost French Indochina with the coup de grâce coming in the surrender at Dien Bien Phu in 1954. If each of these countries were militarily superior to their foes, how did they end up losing their respective wars? These examples outline the effectiveness of asymmetric warfare.

While there exist a number of different definitions of Asymmetric Warfare, in a basic sense it applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent. As an example, few military forces on the planet would face the US military and her allies in open combat either on land or at sea. Doing so would be certain suicide. A look at the Persian Gulf War in 1991 shows the result of taking on the military might of the Western World in open combat. The Battle of Medina Ridge is a prime example. In this battle between the US 2nd Brigade, 1st Armored Division and the Iraqi 2nd Brigade of the 2nd Medina Luminous Division, the US recorded 1 killed and 30 wounded, with 4 tanks damaged. The Iraqis, meanwhile, reported “heavy manpower losses” along with 186 tanks destroyed and 127 Armored Fighting Vehicles destroyed.

If a militarily inferior opponent cannot face the US or Western powers in open combat, how do they fight? It is fair to say the days of Mahanian sea battles are behind us. Quite simply, they employ strategies that render the superior military might irrelevant or at least less relevant. Guerrilla warfare is an example of an asymmetric strategy against a militarily superior foe. As stated in the military classic “On Guerrilla Warfare” by Mao Tse-Tung:

“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes.  Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.

At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a Browning automatic rifle… Draped around his neck, a sausage-like cloth tube with three days’ supply of rice… In forty minutes his group of fifteen men will occupy a previously prepared ambush.”

This is warfare today. Unfortunately, the US and her allies have learned that technology alone cannot win a war against a determined, creative enemy.

As discussed earlier, the concept of Asymmetric Warfare is a field of some debate. When applying the concept to business, and specifically to the Information Security arena, it is more appropriate to apply the concept of Asymmetric Threats posited by C.A. Primmerman. Without going through too much of the math, and modifying Primmerman’s original theory, we can state that a threat can be expressed using the following two statements:

  1. Adversary A could & would attack Adversary B by doing X
  2. Adversary B could & would respond to Adversary A by doing X.

Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and it represents a symmetric action if statement (2) is true.

As an example of this concept working in practice, consider the following:

1a. Adversary A would attack Adversary B by using terror tactics against the civilian population.

2a. Adversary B would respond to Adversary A by using terror tactics against the civilian population.

If statement 2a is false then the threat in 1a is asymmetric.

According to Primmerman, an Asymmetric Threat must meet three criteria. These have been modified for our purposes and include:

  1. It must involve a weapon, tactic or strategy that the adversary both could and would use against another adversary.
  2. It must involve a weapon, tactic, or strategy that would not or could not be employed by one adversary.
  3. It must involve a weapon, tactic, or strategy that, if not countered, could have serious consequences.

If a threat meets these three criteria, it would be considered asymmetric.

As any student of military strategy can attest, being in a purely defensive mode is a losing proposition. Unfortunately, in many instances asymmetric threats place one adversary in an almost purely defensive position. One of my favorite quotes, which seems especially relevant now, is by Julius Caesar:

“There is no fate worse than being continuously under guard, for it means you are always afraid.”

While this is not intended to be a comprehensive discussion of Asymmetric Threats, the basic concepts are relevant in today’s world.

CyberEspionage (Again)…The Counter Terrorist Magazine February 19, 2014

Posted by Chris Mark in Uncategorized.

In light of the continuing attacks against companies by Eastern European organized criminal groups, I thought it appropriate to remind everyone that state-sponsored attacks are still a major issue. Here is a link to an article I wrote in The Counter Terrorist Magazine on the topic of CyberEspionage. “The economics of cyber-theft is simple: Stealing technology is far easier and cheaper than doing original research and development. It is also far less risky to the spy than historic cloak and dagger economic espionage.”

Chris Mark & Heather Mark in Feb 2013 TransactionWorld February 1, 2013

Posted by Chris Mark in Uncategorized.

February’s edition of TransactionWorld was released today and both Chris and Heather have articles in the issue. Chris (that is me) wrote “Security in Dangerous Waters; Pirates & CyberCrime” while Heather wrote “Shifting Targets; Dealing with Regulatory Shifts in Data Security & Privacy”. Please be sure to check out the articles.

Security Survey December 3, 2012

Posted by Chris Mark in Uncategorized.

I am completing a project for a research brief and would appreciate it if any security professionals (or former security professionals) could take 5 minutes to answer the survey. NO personal information is collected. Thank you in advance for your help!

Click here to take survey