More than most other engineering areas, information security is an elusive practice. Practitioners are called both geniuses and gurus, sometimes depicted as white coated lab scientists and sometimes as mavericks. Is it a science or a religion? Is it based on empirical evidence, common sense or preconditioned beliefs? Does the data even exist?
This blog attempts to discuss those and related issues by breaking out of the walls of information security, exploring comparative practices as well as relevant research fields such as cognitive psychology and philosophy of science. Some of the specific areas discussed are: risk management, incidents and vulnerabilities statistics, intellectual property, patents and the open source model and information security tools evaluation and categorization.