An information security case study is a concise report of a real-life project involving some aspect of information security. It can be written to illustrate best practice, to report on a transition to good practice, or to serve as a dreadful warning of what might happen if good practice is not followed. The envisaged readership might include business executives, infosec consultants, or students.
Information security case studies are usually short, with minimal descriptive text beyond what is necessary to set the infosec examples in context. They begin by outlining the original situation, with special reference to any deficiencies in information security, and any incidents that may have arisen. They then go on to describe what was done to implement change, finishing with a description of the current (and hopefully improved) situation.
The organisation that is the subject of an information security case study is always anonymised, even if the text is actually highly complimentary of the organisation. This is done in order to preserve the confidentiality of all information, including the identity of any consulting firm involved in the project. For this reason, some identifying details may be obfuscated or omitted entirely. However, this does not in any way affect the usefulness of the infosec case study for the intended readership, since the underlying principles are still included.
An information security case study can be of great value to business executives who are looking for examples of what has been done in the past, in order to spark off their thinking as to what might be done in the future in their own organisation. To this end, it is important for case studies to contain as wide a range of people and situations as possible, to maximise the probability that a business executive will find an example that matches their own situation reasonably closely.
An information security case study can also benefit infosec consultants, in expanding their specialist knowledge of the field. This readership would be especially interested in detailed reports of the rarer and more specialised situations that might arise, since they themselves may not have encountered these situations even with many years of experience.
Finally, case studies may benefit students of information security, or business management, in preparing themselves for a career in this very young field. The infosec examples can help to anchor the theoretical foundation of their learning, and link it to the real world.
Clearly, information security case studies need to satisfy many competing needs. Some readers will prefer a detailed and specialised exposition of a rare situation, while others will benefit more from a general overview of typical situations. Other readers, of course, will be looking for infosec examples from their own market sector. In all cases, however, an information security case study can provide vital and useful information that no other type of document can offer.