How Much Should an Information Security Book Cost?

As a reader and author of information security books, I wonder how much such books should cost and whether we can expect the price of electronic infosec books to drop.

Factors That Might Drive Down the Cost of Books

Most information security authors don’t write technical books for the money, because technical books rarely generate significant revenue through royalties. However, writing a book allows the author to spread knowledge and also to benefit from the recognition one receives for the publication. From this perspective, the author might choose to forgo royalties for the book if that would increase the reader base.

Moreover, many sources of information compete for the reader’s attention. There’s a plethora of insightful infosec materials available freely on the web in the form of blogs and articles; many of them are written by the same person who would write a book. As a result, some readers may avoid paying for a book in favor of receiving similar web content for free. Might we find ourselves in a situation where the readers will even be paid for the time they would devote to reading the book?

Several Book-Pricing Examples

Richard Bejtlich pointed out that not all books, nor reading practices, are created equal. We might read some information security books for fun, to learn a specific skill set or to obtain a high-level perspective on the topic. We also treat some books as a reference, rarely reading them from cover to cover, but periodically dipping into their contents to answer specific questions. Different types of books might differ in how they are priced. Here are a few examples:

  • Information Security Policies Made Easy by Charles Cresson Wood costs $795. The book comes with a CD that includes “1400 individual pre-written security policies” and other canned security documents. The reader might justify paying the high price to obtain these templates. The book’s price might seem less outrageous when compared to the cost of a few hours of a consultant’s time to begin generating this documentation.
  • Malware Analyst’s Cookbook by Michael Ligh, Steven Adair, Blake Hartstein and Matthew Richard costs around $38 in print and $34 on Kindle. It comes with a DVD of tools, most of which weren’t available prior to the book’s release. The DVD’s contents are also available on-line for free. Presumably, the reader would justify purchasing the book to read the insights regarding using these tools for analyzing malware.
  • Windows Internals by Mark Russinovich, David A. Solomon and Alex Ionescu costs around $44 in print and $39 on Kindle. It offers reference materials and explanations of internal aspects of Windows operating systems that are hard to find elsewhere. Obtaining convenient access to these details may be the reason why readers would purchase the book.
  • Cyberforensics by several authors, including yours truly, costs around $149. The book presents insights from several specialists in several aspects of digital forensics. I believe the contents are good, but the relatively high price might set unrealistic expectations regarding the value of the text. The book is positioned by the publisher as a textbook—this price is not unusual in that context.
  • Forget the Parachute, Let Me Fly the Plane by Mike Murray costs $2.99 on Kindle. (The book offers career advice and is not infosec-specific.) Mike priced the book relatively low, wondering whether readers would “trade a cup of coffee for some solid career advice.”
  • Do the Work by Steven Pressfield costs around $10 in print and is free on Kindle. (This is a non-infosec book about being productive.) The author found a sponsor to cover the fixed cost of the e-book, which allowed him to offer the e-book as a free Kindle download.

The Value of a Technical Book

To understand what value a book might bring despite the broad availability of free content on the web, consider how Kevin Kelly defined a book:

A book is a self-contained story, argument, or body of knowledge that takes more than an hour to read. A book is complete in the sense that it contains its own beginning, middle, and end.

The value of a technical book lies in bringing together a set of related concepts into a story, argument or theme that helps the reader understand the concepts.

For instance, this blog contains lots of information security posts, which I publish one day at a time. I leave it up to the reader to figure out how the postings are related to each other. If I unified related articles from the blog to focus on a particular topic, fixed any inconsistencies in my arguments and added appropriate transition text, I could publish the resulting volume as a book. There would be some value that readers would derive from my taking the time to organize the concepts in this manner, and they may be willing to pay for that benefit.

What Does The Future Hold?

The authors’ desire to be recognized, the low royalties from technical books, the increasing availability of free on-line content and the low incremental cost of distributing an e-book will drive the price of infosec e-books down. The publishers’ actions to protect their business model will resist this trend and might be strong enough to prevent a significant drop in prices.

As an author, I would prefer to use a publisher to distribute printed copies of the book at prices that allow the publisher to cover costs and derive profit from the marketing and distribution activities of the book. I would prefer to have the electronic version of the book distributed for a very low cost.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
