Information Security Practice Principles

The very best information security professionals are like health care professionals, lawyers, and military commanders. They do much more than implement compliance checklists or set up firewalls: they think critically and use judgment to make decisions and offer guidance. They apply their experience and expertise to the full scale of cyber problems, from system design to developing and implementing cybersecurity programs addressed to an entire mission or campaign.  Most importantly: they adapt.

We need more of these cyber samurai, and that means maturing the information security community and how we educate and train. There are true masters of information security, but we believe that excellence in this field leans heavily on master-apprentice relationships, trial-and-error experience, and the mimetic transfer of knowledge and know-how. These represent very powerful ways to learn, but they don’t necessarily scale or produce quick results. The ISPPs can be a cornerstone of information security education, helping new practitioners build a very deep and very broad insight into what information security is all about, not unlike the Fair Information Practice Principles for privacy professionals, or the Model Rules of Professional Conduct for lawyers.

Moreover, we need more people up and down the chain of command and in other specialties to be able to engage in and (at some level) understand the information security dialogue. The intended audience for this work is anyone making security decisions at any level of an organization: current practitioners, future practitioners, technologists whose decisions interact with or impact security, managers, and stakeholders.

Resources and Publications:

How you can help:

Contact us to let us know how you are using the principles, and what you'd like to learn more about.  Email addresses below under "the team".

Donate to CACR to support our work, so that we can continue building resources and curriculum, running trainings, and more.

The team:

Email the team about the Principles

Craig Jackson

Craig Jackson is Chief Policy Analyst at Indiana University's Center for Applied Cybersecurity Research (CACR), where his research interests include risk management, information security program development and governance, legal and regulatory regimes’ impact on information security, and identity management.

Scott Russell

Scott Russell is a Senior Policy Analyst with CACR, where his work focuses on the improvement of federal cybersecurity standards. A lawyer and researcher, Scott specializes in privacy, cybersecurity, and international law, and his past research has included cybersecurity due diligence norms under international law, cybersecurity self-governance, international data jurisdiction, and constitutional issues on digital surveillance. He received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a post-doctoral fellow at CACR.

Susan Sons

Susan Sons is a software engineer and information security analyst dedicated to security systems and software critical to our physical infrastructure, the internet, computational science, and scientific research.  Her work includes the rescue of the Network Time Protocol reference implementation, many operational security projects, and serving as a member of the NSF's Cybersecurity Center of Excellence.


This work is made available under the terms of the Creative Commons Attribution 4.0 International license. For more details, please visit the following URL:

Please credit Indiana University Center for Applied Cybersecurity Research and the URL The individual authors appreciate mention, as well, when convenient.