Cybersecurity and the Art of Cyberwar - Dan Shoemaker

The relevant statistic for this book is that only twenty-nine percent of the annual, overall loss to cyber exploits is attributable to purely electronic attacks. The remaining human and physical exploits account for seventy-one percent. Hence, it is self-evident that effective cyber-protection requires an appropriately tailored and synergistic electronic, human, and physical security control system.
The problem is that the industry doesn't view it that way. Over the past thirty years, cyber protection has been viewed as a purely electronic computer-based problem. That thinking might even have made sense before the advent of sophisticated social engineering and other kinds of non-electronic attacks. But now that significant losses from exploits such as insider theft or phishing can occur, any cyber defence that relies solely on an electronic solution is, almost by definition, doomed to failure. That is because the modern adversary is smart.
That is why reconnaissance is the hacker's first principle. Before any attack begins, the aim is to identify the places in the defence that are insufficiently secured or lack appropriate controls. Hence, in practical terms, investing in intricate electronic solutions is a waste of time. That's because they only encourage your adversary to try something else. Saltzer and Schroeder called this phenomenon the "work factor."
In practical terms, the work factor principle means that the hacker will follow the path of least resistance. So, it is irrelevant whether the attack is elegant or brute force—if it succeeds in breaching the protection. Consequently, if there are robust electronic elements protecting your system, the intruder will simply go to exploits like social engineering, subverting an insider, accessing an unattended endpoint, or simply stealing the device.
A proper defence requires all the fort's walls to be present and properly designed and implemented. So, robust human and physical controls must also be integrated into the solution. That requirement—e.g., no apparent gaps in the defence—is the justification for this book.
The book will present the basic principles of holistic security. Holistic security is based on developing a complete architecture of synergistic controls tailored to specifically address the actual concerns of a given protection target. It is a strategic reconnaissance design and implementation process, not a head-down focus on deploying electronic controls.