Tuesday, October 25, 2016

A quarter of a century of computer and network security research and writing


Twenty-five years ago this month McGraw-Hill published a book I wrote about computer and network security. And the first thing I tell people about this book is that I did not put the word "complete" in the title! That was the publisher's decision. Because if there was one thing that I learned in the three years during which I researched the book it was this: there will never be a "complete book" of security.

The second thing I tell people is that The Stephen Cobb Complete Book of PC and LAN Security was not a big seller. Indeed, it was a complete flop compared to some of the other books I wrote in the late 1980s and early 1990s. My best seller -- which actually topped the computer book best seller list for a couple of weeks -- was about how to use the Quattro Pro spreadsheet. That one sold 80,000 copies in the first three months of publication. If you include foreign translations and reprinting rights, more than a million books were published with my name on them in the period 1988-1993.

The PC and LAN security book accounted for a mere 5,000 copies out of that million. So, was it a crap book? I don't think so. The National Computer Security Association, which was the leading membership organization for IT security professionals back in the early 1990s, backed a revised and expanded edition that McGraw-Hill published as The NCSA Guide to PC and LAN Security.

That book came out in 1996 and sold better. Why? My theory is that in 1991 not many people were thinking about computer security. More people were thinking about IT security in 1996.

By the late 1990s the emergence of the Internet and its many security issues had made LAN security old news. McGraw-Hill allowed the NCSA version of the book to run out of print in 2001, so I regained the rights to the work and was able to republish it as Cobb's Guide to PC and LAN Security through the Authors Guild's print-on-demand program. Later, just for fun and the historical record, I split the 700-page book into three PDF files, linked here: Part One (http://dl.dropbox.com/u/3950760/cobb-pclan-security-chaps01-05.pdf); Part Two (http://dl.dropbox.com/u/3950760/cobb-pclan-security-chaps06-12.pdf); and Part Three (http://dl.dropbox.com/u/3950760/cobb-pclan-security-chaps13-End.pdf).

By 2002 it was possible to sell decent numbers of specialized security books, like the one my brother co-authored with Marty Jost on IIS Security for McGraw-Hill (I contributed a chapter on data privacy). Marty had been my co-author on a book about the TOPS networking system and, before that, a colleague at ACC, an Oakland-based startup that did end-user training and network installs from IBM.

In 2003, my wife's Network Security for Dummies appeared and sold well (tens of thousands of copies). However, as the decade wore on there was no denying that a lot of security content was going "straight to website" and so in 2005 I started this blog.

Five years ago I started writing for the blog published by the security software company ESET. That has since evolved into We Live Security, which now exists in English, Spanish, and German editions. I heartily recommend this site for security news, advice, opinion, and award-winning antimalware research, written and edited by my colleagues from ESET research facilities around the world.

And that's the abridged version of my quarter century of computer security research and writing. I have to say that in some ways that first security book was a huge success. The few people who bought it were the few people for whom security was an issue of interest and concern in the early 1990s. I came to know many of them through that book and the doors it opened. More than a few have remained good friends and colleagues over the years.

And here's one very important thing that I learned from writing that first security book: if you write a book about something, then many people will assume -- sometimes to a frightening extent -- that you know what you're talking about. I have spent the last 25 years trying to justify that assumption.

Let me leave you with the closing words of that 1991 edition. You decide if they remain overly optimistic:
The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use.
(Note: Back in 2012 I wrote about the 20th anniversary of this book, under the mistaken impression that it first appeared in 1992. However, I have since been reminded that the official publication date was late 1991, hence the timing of this 25th anniversary.)
