Archive for the “human factors” category

Introducing Cyber Portfolio Management

by adam on February 21, 2017

At RSA’17, I spoke on “Security Leadership Lessons from the Dark Side.” Leading a security program is hard. Fortunately, we can learn a great deal from Sith lords, including Darth Vader and how he managed security strategy for the Empire. (…)

What CSOs can Learn from Pete Carroll

by adam on February 6, 2015

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call (…)

Security Lessons from Drug Trials

by adam on December 15, 2014

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (…)

Usable Security: History, Themes, and Challenges (Book Review)

by adam on November 17, 2014

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because (…)

Modeling Attackers and Their Motives

by adam on November 11, 2014

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and (…)

Adam’s Mailing List and Commitment Devices

by adam on January 31, 2014

Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break (…)

The Worst User Experience In Computer Security?

by adam on January 16, 2014

I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for (…)

TrustZone and Security Usability

by adam on May 23, 2013

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2). Cem makes the point that all the crypto and execution protection magic that ARM is building is (…)

“The Phoenix Project” may be uncomfortable

by adam on January 16, 2013

The Phoenix Project is an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, (…)

Infosec Lessons from Mario Batali’s Kitchen

by adam on December 3, 2012

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d (…)