
MY LATEST BOOK RELEASED! “The Science of Security” May 16, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Piracy & Maritime Security, Risk & Risk Management, security, security theater.

Announcing Scientia Securitatis: The Science of Security

After 34 years across nearly every security domain that exists — armed physical security at an overseas critical installation, combat force protection, security in a regional hospital’s psychiatric ward, payment-card industry compliance, armed maritime contracting off the East African coast, and a return to enterprise cybersecurity that has occupied the past decade — I have written the book I wish someone had written when I started.

Scientia Securitatis: The Science of Security — Theory, Frameworks, and Practice is available now.

The gap this book is intended to fill

The security profession does not lack books. Walk into any bookstore, scan any conference vendor floor, search any retailer’s security category, and you will find more material on cybersecurity, physical security, risk management, military theory, criminology, intelligence analysis, and organizational resilience than any single practitioner could read in a career. The field is overwhelmed with information.

What it lacks is integration.

Each security domain has developed its own vocabulary, its own frameworks, its own bestsellers, its own consultants. Each domain — when traced carefully to its analytical roots — is reaching for the same underlying concepts the next domain over named differently. Practitioners in physical and cybersecurity are working on the same analytical problems and rarely speak to one another. When they do, they discover that they have been duplicating each other’s work for decades.

Scientia Securitatis is an attempt to make that recognition the starting point of professional practice rather than an accident a few practitioners stumble into late in their careers.

What’s in the book

The book runs to 525 pages across 11 chapters and three appendices. It develops four original analytical frameworks:

  • The Mark Heptad — a taxonomy of seven adversary motivations (financial, espionage, war/defense, facilitation, hacktivism, revenge, nuisance) that maps directly to deterrence strategy
  • The IMCM Framework — Ignorance, Mistake, Complacency, Malice — for classifying human-induced vulnerabilities and matching them to specific interventions
  • The DIVE Framework — Direction, Intensity, Vulnerability, Exposure — for assessing specific exposure surfaces
  • The Multiplicative Security Model — the mathematical basis for defense-in-depth, with implications for how security architecture should actually combine

These original frameworks sit within a broader analytical apparatus drawn from criminology (Cohen and Felson’s Routine Activity Theory, Cornish and Clarke’s Twenty-Five Techniques of Situational Crime Prevention), cognitive science (Kahneman and Tversky on judgment under uncertainty), military theory (Sun Tzu, Clausewitz, contemporary unrestricted warfare doctrine), and systems-safety scholarship (James Reason’s Swiss Cheese Model, Charles Perrow’s normal-accident theory).

The book also examines — and critically engages — the victim-blaming reflex that dominates post-incident analysis, drawing on the foundational criminological literature on victim precipitation and contemporary case studies including Equifax, OPM, Target, and Snowflake.

A note on the Latin title

Scientia Securitatis translates as “the science of security,” and the choice was deliberate. The Latin signals that the book engages security as a serious analytical discipline whose intellectual roots long predate the cybersecurity industry’s tendency to treat its problems as historically unprecedented. The phenomena security examines are ancient; the framework for studying them rigorously has been available since at least the mid-20th century. The book argues that practitioners have, with rare exceptions, declined to use it.

Who this book is for

This book is for the practitioner who has noticed that decades of escalating security investment have not produced proportional security gains, and who wants to understand why. It is for the security executive building defensible programs across multiple domains. The policy professional confronting unrestricted warfare doctrine. The risk and compliance leader who suspects that frameworks alone are not stopping sophisticated adversaries. The graduate student approaching security as an analytical discipline rather than a job category.

It is not a tactical handbook. It is not a configuration guide. It is the analytical apparatus that determines whether tactical choices are well-made — the apparatus the field has been operating without.

Where to get it

Scientia Securitatis: The Science of Security is available now on Amazon in eBook, paperback, and hardcover formats:

Scientia Securitatis

If you find the book useful, please consider leaving a review. Self-published analytical nonfiction lives and dies by word-of-mouth among the practitioners it was written for — and a thoughtful Amazon review from a working professional is worth more to other professionals than any amount of marketing.

— Chris Mark

New Book Published! “The War God’s Face Has Become Indistinct” May 13, 2026

Posted by Chris Mark in cyberespionage, cybersecurity, Politics.

I am proud to announce that after years of research, writing and formatting (the bane of my existence as a writer) my latest book about Chinese Unrestricted Warfare against the United States is finally published! You can buy either a Kindle, soft cover, or hardback. Here is a description of the book. The full title is “The War God’s Face Has Become Indistinct: China’s Unrestricted Warfare Doctrine and the War America Doesn’t Know It’s Fighting”. It is 423 pages long and pretty heavy reading but insightful.

In 1999, two Senior Colonels of the People’s Liberation Army published a doctrinal blueprint for how a militarily inferior power could defeat the United States without ever firing a shot. Twenty-five years later, every operational case in that blueprint has been executed against American interests.

The War God’s Face Has Become Indistinct is the first comprehensive analytical treatment of Chinese unrestricted warfare doctrine and its operational record against the United States from 2000 to 2026. Drawing on twenty-five years of professional experience in cybersecurity, military reconnaissance, and intelligence analysis, Chris Mark traces the doctrine’s seven operational domains — from the Volt Typhoon and Salt Typhoon cyber campaigns against American critical infrastructure, through the Thousand Talents Plan and the academic-warfare prosecutions, to the political cultivation operations that have reached from California congressional staff to municipal mayors.

What you will find inside:

• A complete operational analysis of the Qiao-Wang doctrine and its institutional adoption by the Chinese state
• The first systematic account of Volt Typhoon, Salt Typhoon, and the undersea-cable threat picture in a single analytical framework
• The Mark Heptad — the author’s original threat-assessment framework, used to analyze adversary motivation in seven categories
• The cost-exchange revolution in drone and missile warfare, and what the Israel-Iran engagement of April 2024 revealed about the next conflict
• The Russia-Iran-North Korea adversary architectures examined through the same doctrinal lens
• A six-domain framework for democratic response that does not require America to become what it is defending against

For policy professionals, intelligence community readers, military officers, and the educated public who follow national security — this book provides the analytical vocabulary the contemporary American strategic environment requires.

Digital Impersonation on OnlyFans: Is it Possible? October 20, 2025

Posted by Chris Mark in Uncategorized.

Recently, I was personally accused of “digitally impersonating” someone to set up an OnlyFans in their name! Let me be clear. #1…I would NEVER do that and #2…it is NOT possible (well..it approaches mathematical impossibility. But, I digress). Because I know this person and I know technology, when it was exposed, I was the easy target…sooooo…. I took the opportunity to actually do a study on OnlyFans authentication architecture! (because I am a cyber nerd) The findings are mind blowing! Outside of financial institutions, OnlyFans has one of the, if not THE, most robust authentication architectures in the industry! Read the entire paper here! Good Job OnlyFans! Off to court we go!!

Here is a summary of the findings…

“This analysis examines OnlyFans’ multi-layered verification system to demonstrate how multiplicative security controls create exponential attack complexity. The platform employs three sequential, mandatory verification layers: document verification (government ID analysis), biometric verification (liveness detection and facial matching), and banking verification (KYC/AML compliance through financial institutions).

Using a multiplicative probability model, the analysis calculates that attackers face dramatically reduced success rates. Unsophisticated attackers have only 0.003% success probability (1 in 33,000 attempts), while even sophisticated attackers using professional forgeries and advanced deepfakes face just 0.21% success rates (1 in 476 attempts). This represents a 452-fold security improvement over single-factor systems.

Banking verification emerges as the critical control, providing a 28.6× security multiplier due to independent organizational oversight, regulatory requirements, and specialized fraud detection infrastructure.” (read the rest here!) I hope you read the article!! It is actually a great read for us nerds!

Chinese Cyber Attacks and Unrestricted Warfare February 1, 2024

Posted by Chris Mark in Uncategorized.

I first wrote about this phenomenon in 2012. It is becoming reality. The recent cyber-attacks attributed to the Chinese government on American infrastructure can be analyzed within the conceptual framework of “unrestricted warfare,” a doctrine developed by two PLA Colonels, Qiao Liang and Wang Xiangsui, in response to the perceived military superiority of the United States. This doctrine signifies a strategic shift from traditional, kinetic warfare to a multifaceted approach incorporating a broad spectrum of tactics including economic, political, and PR maneuvers to conduct ‘sub wars’ and ‘pseudo wars’.

At the core of unrestricted warfare is the recognition that the principles of war have evolved. As the authors state, “If we acknowledge that the new principles of war are no longer ‘using armed force to compel the enemy to submit to one’s will,’ but rather are ‘using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests’”[1]. This perspective broadens the scope of warfare to encompass non-traditional methods such as economic manipulation, cyber-attacks, and disinformation campaigns, transcending the conventional battlefield.

The Chinese cyber-attacks on the U.S. infrastructure, as reported in the aforementioned sources, align with this doctrine. These attacks represent a strategic choice to exploit vulnerabilities in critical systems to cause disruption and potential societal panic, without resorting to open military confrontation. This approach fits into the broader pattern of asymmetric threats.

Asymmetric threats, characterized by a disparity in the means and methods between different adversaries, are further defined by three criteria: the involvement of a tactic that one adversary could and would use against another, the unique ability or willingness of the adversary to use such means, and the potential for serious consequences if these means are not countered. In the cybersecurity realm, these threats take on a significant role. A minor actor with basic hacking tools can compel major entities to invest heavily in defense, illustrating the asymmetry in resources and efforts between attackers and defenders.

The Chinese strategy, as evidenced by the cyber-attacks, meets these criteria of asymmetric warfare. It involves tactics that the Chinese government is capable and willing to employ, which the U.S. would not mirror. The potential consequences of these attacks are severe, necessitating significant defensive measures.

Further aligning with the principles of unrestricted warfare, the authors note that unconventional methods can be formidable weapons in modern conflict. They observe, “As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons”[2]. This recognition of non-traditional tactics as weapons underscores the expanded battlefield that now includes economic, political, and technological realms.

In conclusion, the Chinese cyber-attacks on U.S. infrastructure, as part of their broader strategic approach, are indicative of the principles of unrestricted warfare. They represent a calculated move to use asymmetric tactics to undermine U.S. strengths and exploit vulnerabilities, extending the battlefield into the cyber realm. This strategy exemplifies a modern approach to warfare, where the lines between military and non-military means are blurred, and the battleground extends into multiple domains.


References:

  1. Qiao Liang and Wang Xiangsui, “Unrestricted Warfare.”
  2. Ibid.

“You Are the Weakest Link! Or Are You”- Guest Post by Dr. Heather Mark June 7, 2017

Posted by Chris Mark in Uncategorized.

The incomparable Dr. Heather Mark (my wife…and compliance expert) has a new blog post…

“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability is our people.  Firewalls don’t just randomly open ports.  Email clients don’t just decide to send proprietary and sensitive information to third parties.  These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information.  Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted.  Of course, we can implement technology to mitigate the risk presented by human nature.  But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make that point that we can’t be complacent.  And to a very large extent, it’s correct.  But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.  I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like.  My favorite, though, is Dateline when the story is presented by Keith Morrison.  He has a way of telling a story.  Don’t believe me?  I give you proof.”…Click here for more from Dr. Heather Mark’s Blog!