An information security case study is a concise report of a real-life project involving some aspect of information security. It can be written to illustrate best practice, to report on a transition to good practice, or to serve as a dreadful warning of what might happen if good practice is not followed. The envisaged readership might include business executives, infosec consultants, or students.
Information security case studies are usually short, with minimal descriptive text beyond what is necessary to set the infosec examples in context. They begin by outlining the original situation, with special reference to any deficiencies in information security, and any incidents that may have arisen. They then go on to describe what was done to implement change, finishing with a description of the current (and hopefully improved) situation.
Finally, case studies may benefit students of information security or business management in preparing themselves for a career in this very young field. The infosec examples can help to anchor the theoretical foundation of their learning and link it to the real world.
Clearly, information security case studies need to satisfy many competing needs. Some readers will prefer a detailed and specialised exposition of a rare situation, while others will benefit more from a general overview of typical situations. Other readers, of course, will be looking for infosec examples from their own market sector. In all cases, however, an information security case study can provide vital and useful information that no other type of document can offer.