Archive for the “research papers” category

Calls for an NTSB?

by adam on February 20, 2017

In September, Steve Bellovin and I asked “Why Don’t We Have an Incident Repository?.” I’m continuing to do research on the topic, and I’m interested in putting together a list of such things. I’d like to ask you for two (…)

Read the rest of this entry »

Do Games Teach Security?

by adam on December 8, 2016

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and (…)

Read the rest of this entry »

Usable Security: History, Themes, and Challenges (Book Review)

by adam on November 17, 2014

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because (…)

Read the rest of this entry »

Indicators of Impact — Ground Truth for Breach Impact Estimation

by Russell on March 18, 2013

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)

Read the rest of this entry »

New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”

by Russell on March 17, 2013

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)

Read the rest of this entry »

Base Rate & Infosec

by adam on September 25, 2012

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)

Read the rest of this entry »

Time for an Award for Best Data?

by adam on February 1, 2012

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award (…)

Read the rest of this entry »

Sharing Research Data

by adam on January 30, 2012

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share (…)

Read the rest of this entry »

Paper: The Security of Password Expiration

by adam on January 5, 2012

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended (…)

Read the rest of this entry »

Infosec’s Flu

by adam on February 4, 2011

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you (…)

Read the rest of this entry »