Andrew Stewart

I received my M.Sc. in Information Security from Royal Holloway, University of London. My book A Vulnerable System: The History of Information Security in the Computer Age was published by Cornell University Press in September, 2021.

This page lists my academic work. Some personal information about me is here.

Email: andrewinfosec@gmail.com / andrew.james.stewart@kcl.ac.uk
Google Scholar: https://scholar.google.com/citations?user=EFFU4wsAAAAJ

Academic Work

• A. J. Stewart, A Vulnerable System: The History of Information Security in the Computer Age, Cornell University Press, 2021. This book was reviewed in California History, in Technology & Culture, in IEEE Cipher - the newsletter of the IEEE Technical Committee on Security & Privacy, and in Login - a publication of The Advanced Computing Systems Association. It was also inducted into the Cybersecurity Canon Hall of Fame at The Ohio State University, and translated into Japanese and Mandarin. [JSTOR; Project MUSE; Oxford University Press; Cornell University Press blog post].
• A. Shostack & A. Stewart, The New School of Information Security, Addison-Wesley, 2008. This book was used at Harvard Kennedy School, Drexel University, the Heinz School of Public Policy and Management at Carnegie Mellon University, and was reviewed in IEEE Cipher.

Refereed Journal Articles

• A. Stewart & C. Hobbs, Systematic Analysis of Security Advice on the Topic of Insider Threats, Computers & Security 154 (2025).
• A. Stewart & M. Handy, The Design and Implementation of an Insider Threat Maturity Model, Counter-Insider Threat Research and Practice (2024).
• A. Stewart, A Utilitarian Re-Examination of Enterprise-Scale Information Security Management, Information and Computer Security 26, no. 1 (2018): 39-57.
• A. Stewart, Can Spending on Information Security be Justified? Evaluating the Security Spending Decision from the Perspective of a Rational Actor, Information Management & Computer Security 20, no. 4 (2012): 312-326.
• A. Stewart, A Contemporary Approach to Network Vulnerability Assessment, Network Security 2005, no. 4 (2005): 7-10.
• A. Stewart, Information Security Technologies as a Commodity Input, Information Management & Computer Security 13, no. 1 (2005): 5-15.
• A. Stewart, On Risk: Perception and Direction, Computers & Security 23, no. 5 (2004): 362-370.
• A. Stewart, No Illusions: Rethinking Information Security Policies and Standards, Information Security Bulletin 8, (2003): 229-234.

Refereed Conference Papers

• A. Stewart, Efficient Visualization of Change Events in Enterprise Networks, IEEE Workshop On Enterprise Network Security, Baltimore MD, August 28, 2006.

Technical Reports

• A. Stewart, A Utilitarian Re-Examination of Enterprise-Scale Information Security Management, Department of Mathematics, Royal Holloway, University of London, 2014. This M.Sc. thesis was subsequently published in Information and Computer Security 26, no. 1 (2018): 39-57.

Other Papers

• Sasha & Beetle (pseud.), A Strict Anomaly Detection Model for IDS, Phrack Magazine, 10, no. 56 (2000).
• A. J. Stewart, Distributed Metastasis: A Computer Network Penetration Methodology, Phrack Magazine 9, no. 55 (1999).

Academic Service

• Editorial Advisory Board Member and Referee, Information and Computer Security (formerly Information Management & Computer Security), 2009-present; 54 reviews completed.
• Referee, Computers & Security, 2009-present; 49 reviews completed.

• In April 2024, I achieved a long-held goal of completing 100 academic journal peer-reviews.

Education

• M.Sc. Information Security, with Distinction, Information Security Group, Royal Holloway, University of London, 2013.
• MBA, Emory University, 2009.
• B.Sc. Computing, with Honors, Oxford Brookes University, 1997.