Archive for the “research papers” category
Indicators of Impact — Ground Truth for Breach Impact Estimation
by Russell on March 18, 2013
One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)
New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”
by Russell on March 17, 2013
Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)
Base Rate & Infosec
by adam on September 25, 2012
At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)
Time for an Award for Best Data?
by adam on February 1, 2012
Yesterday, Dan Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award (…)
Sharing Research Data
by adam on January 30, 2012
I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share (…)
Paper: The Security of Password Expiration
by adam on January 5, 2012
The security of modern password expiration: an algorithmic framework and empirical analysis, by Yinqian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended (…)
Infosec’s Flu
by adam on February 4, 2011
In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you (…)
More Bad News for SSL
by Chandler on March 26, 2010
I haven’t read the paper yet, but Schneier has a post up which points to a paper, “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang, about a new (…)
Everybody complains about lack of information security research, but nobody does anything about it
by Russell on March 9, 2010
There has been a disconnect between the primary research sectors, and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any significant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: an Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for an Information Security and Privacy Extended Grant (ISPEG) for academic researchers.
Human Error
by Chandler on February 22, 2010
In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents. (…)