Elevation of Privilege: Drawing Developers into Threat Modeling

by adam on December 19, 2012

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf). The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at (…)


Information Security Risk: A Conversation with CSO

by adam on December 17, 2012

Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered (…)


The Fog of Reporting on Cyberwar

by adam on December 11, 2012

There’s a fascinating set of claims in Foreign Affairs’ “The Fog of Cyberwar”: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of (…)


Usable Security: Timing of Information?

by adam on December 10, 2012

As I’ve read Kahneman’s “Thinking, Fast and Slow,” I’ve been thinking a lot about “what you see is all there is” and the difference between someone’s state of mind when they’re trying to decide on an action, and once they’ve (…)


Infosec Lessons from Mario Batali’s Kitchen

by adam on December 3, 2012

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d (…)
