Transvasive Security

the human factor

ISC2 Security Congress Talk and SIRACon

Today I spoke at the (ISC)2 Security Congress in Philadelphia, which is co-located with the ASIS International Conference. I talked about Behavioral Threat Modeling, which is my proposal for a better way of identifying security design flaws. I enjoyed the talk, and got several good questions at the end.

Although video of the talk is only available to conference participants, I’ve posted a copy of my slides below. For those who would like a copy of the Excel template I used for the Threat Profiles, I’m working on posting a copy here as well, but until then, please contact me and I’ll be happy to email you a copy.

Defending Against Attacks by Modeling Threat Behaviors

Sample Threat Profiles Excel template

If you happen to live in the Minneapolis / St Paul area, I’ll be giving the talk again at the local OWASP MSP chapter a week from today, on September 17. (It’s the same talk; we just had a problem getting the title right.) The OWASP MSP group is fun, and I’m hoping I’ll get some hecklers.

Finally, here is a link to videos of all of the talks at SIRACon, including the talk I gave on Information Safety.

Update: I’ve posted both the slides, and the sample threat profiles, links above.

Thoughts on Information Safety

Lately, I’ve been thinking about the concept of Information Safety, and how it differs from Information Security. When I talk to people about the idea, especially non-security people, they typically find “safety” more appealing than “security,” but for the concept to pay off, it has to be more than just a re-branding of existing security concepts.

For me, the concept of information safety is an answer to Donn Parker’s challenge to information risk management in 2006. In his article for the ISSA Journal, “Making the Case for Replacing Risk-Based Security,” Donn observes that there are two types of problems in information security: ongoing attacks that are virtual certainties, like viruses, and rare, unpredictable incidents. I agree with his observations, but disagree (somewhat) with his conclusion to use a due diligence approach – do what we have always done. For me, information safety is the approach for ongoing & certain attacks, and protection is the approach for the rare & unpredictable.

I recently came across an article published by the American Institute of Architects (by way of Wikipedia) that includes elegant definitions for both security and safety, which highlight the problems within the information security profession that demonstrate the need for a safety practice:

Safety involves whatever contributes to maintaining the “steady state” of a social and physical structure or place in terms of whatever it is intended to do. Safety connotes stability over time, continuity of function and reliability of structure.

Security is the process or means of delaying, preventing and otherwise protecting against external or internal dangers, loss, criminals, and other individuals or actions that threaten to weaken, hinder or destroy an organization’s “steady state,” and otherwise deprive it of its intended purpose for being.

For me, the notion of “steady state” is key to safety. Our current focus on security (what I call “protection”) leads us to focus on protecting against threats, while establishing and maintaining a steady state is undervalued and even neglected. We have information security organizations, but where are our information safety teams?

Information Safety Basics

You have a computer.
You can install software.
Four things you can do to improve your personal safety.

I recently gave a short presentation at the SkillShare Fair at CoCo, where I spend time working and writing. I pitched it as “The top 4 things you can do to keep your computer safe and secure.” Although the group attending was small, I had a great time, and learned from the participants. It was a test run for a class I’m developing to teach basic computer safety, blending both my experiences giving security advice to friends & family and my concept of Information Safety.

Here is a copy of the slides I used. I mentioned specific products in my talk, since they’re representative of the solutions I like for the typical risks most computer users face – those are listed below.