Archive for the “science” category

Do Games Teach Security?

by adam on December 8, 2016

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: “Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments.” Gamification of classroom assignments and (…)

Incentives, Insurance and Root Cause

by adam on December 2, 2016

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should (…)

Why Don’t We Have an Incident Repository?

by adam on September 14, 2016

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a (…)

Security Lessons from Drug Trials

by adam on December 15, 2014

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (…)

Usable Security: Timing of Information?

by adam on December 10, 2012

As I’ve read Kahneman’s “Thinking, Fast and Slow,” I’ve been thinking a lot about “what you see is all there is” and the difference between someone’s state of mind when they’re trying to decide on an action, and once they’ve (…)

The Evolution of Information Security

by adam on July 9, 2012

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the (…)

Active Defense: Show me the Money!

by adam on June 21, 2012

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t (…)

Feynman on Cargo Cult Science

by adam on June 11, 2012

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would (…)