Archive for May, 2012

Behavioral Security Modeling Secure360 Presentation

without comments

Copyright © 2012 Brophey Consulting and Transvasive Security. All rights reserved.

Here are the slides from our talk at Secure360 on our recently published white paper, Behavioral Security Modeling: Functional Security Requirements.

We’ll provide a link to the video when it becomes available.

Written by JohnB

May 8th, 2012 at 11:47 am

Posted in Posts

Behavioral Security Modeling: Functional Security Requirements

without comments

Copyright © 2012 Brophey Consulting and Transvasive Security. All rights reserved.

In my Behavioral Security Modeling talk at OWASP AppSec USA 2011, I promised a white paper on BSM. Since then, I enlisted the aid of Karl Brophey, a friend who has a wealth of experience in software development and architecture, and the result of our collaboration is finally complete! I’m pleased to formally announce the release of the first BSM white paper, “Behavioral Security Modeling: Functional Security Requirements.” Karl and I will be speaking about the paper today at Secure360 in St Paul. Hope to see you there!

Abstract:

Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.

Version 1.0 disclaimer: this white paper attempts to formally capture our collective knowledge on how to effectively define functional security requirements. The next step is to test the theory by implementing the approach in a number of application development environments.

Paper:

Behavioral Security Modeling: Functional Security Requirements

Written by JohnB

May 8th, 2012 at 5:31 am

Posted in Posts

SIRACon: Organization of Risk Management Programs

without comments

Copyright © 2012 Transvasive Security. All rights reserved.

I spoke today (May 7, 2012) at SIRACon, the first ever conference of the Society of Information Risk Analysts. Here is the description I submitted for the talk – it is fairly close to the final product:

Effective, established Risk Management practices fall into two major categories: management of risk due to accidental damage (safety) and management of risk due to threats (protection). This talk will present the case that these are two distinct methodologies, and all information risk management should be divided into protection functions (like the Secret Service) and safety functions (like the Aviation Industry), staffed by different people if possible, due to the differences in approach, available data, threat behavior, and the cognitive biases of the risk analysts themselves.

I’ve uploaded copies of the talk to my site: Organizing Risk Management Programs, Or, What I learned from the Aviation Industry and the US Secret Service.

I really enjoyed the day’s talks, and appreciated all the different perspectives, they all help with our still-immature business of information risk analysis and information risk management.

I believe there will also be a video of my talk as well, I’ll post a link to that once it becomes available.

Written by JohnB

May 7th, 2012 at 12:00 am

Posted in Posts