Although video of the talk is only available to conference participants,
I’ve posted a copy of my slides below. For those who would like a copy
of the Excel template I used for the Threat Profiles, I’m working on
posting a copy here as well, but until then, please contact me and I’ll
be happy to email you a copy.
If you happen to live in the Minneapolis / St Paul area, I’ll be giving
the talk again at the local OWASP MSP chapter a week from today, on
September 17. (It’s the same talk; we just had a problem getting the
title right.) The OWASP MSP group is fun, and I’m hoping I’ll get some
hecklers.
Lately, I’ve been thinking about the concept of Information
Safety, and how it differs from Information
Security. When I talk to people about the idea, especially non-security
people, they typically find “safety” more appealing than “security,” but
for the concept to pay off, it has to be more than just a re-branding of
existing security concepts.
For me, the concept of information safety is an answer to Donn
Parker’s challenge to
information risk management in 2006. In his article for the ISSA
Journal, “Making the Case for Replacing Risk-Based
Security,”
Donn observes that there are two types of problems in information
security: ongoing attacks that are virtual certainties, like viruses, and
rare, unpredictable incidents. I agree with his observations, but disagree
(somewhat) with his conclusion to use a due diligence approach – do
what we have always done. For me, information safety is the approach for
ongoing & certain attacks, and protection is the approach for the rare &
unpredictable.
I recently came across an article published by the American Institute
of Architects (by
way of Wikipedia) that includes
elegant definitions for both security and safety, which highlight the
problems within the information security profession that demonstrate the
need for a safety practice:
Safety involves whatever contributes to maintaining the “steady state”
of a social and physical structure or place in terms of whatever it is
intended to do. Safety connotes stability over time, continuity of
function and reliability of structure.
Security is the process or means of delaying, preventing and otherwise
protecting against external or internal dangers, loss, criminals, and
other individuals or actions that threaten to weaken, hinder or destroy
an organization’s “steady state,” and otherwise deprive it of its
intended purpose for being.
For me, the notion of “steady state” is key to safety. Our current focus
on security (what I call “protection”) leads us to focus on protecting
against threats, while establishing and maintaining a steady state is
undervalued and even neglected. We have information security
organizations, but where are our information safety teams?
You have a computer.
You can install software.
Four things you can do to improve your personal safety.
I recently gave a short presentation at the SkillShare Fair at
CoCo, where
I spend time working and writing. I pitched it as “The top 4 things you
can do to keep your computer safe and secure.” Although the group
attending was small, I had a great time, and learned from the
participants. It was a test run for a class I’m developing to teach
basic computer safety, blending both my experiences giving security
advice to friends & family and my concept of Information
Safety.
Here is a copy of the slides I used. I
mentioned specific products in my talk, since they’re representative of
the solutions I like for the typical risks most computer users face –
those are listed below.