Archive for the “Data Analysis” category

Base Rate & Infosec

by adam on September 25, 2012

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. (…)


Aitel on Social Engineering

by adam on July 19, 2012

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on (…)


The Evolution of Information Security

by adam on July 9, 2012

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the (…)


Why Sharing Raw Data is Important

by adam on May 11, 2012

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this (…)


Sharing Research Data

by adam on January 30, 2012

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share (…)


The New School of Software Engineering?

by adam on January 11, 2012

This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong (…)


More on Authorization Persistence Threats

by adam on November 18, 2011

Wade Baker has a quick response to my “Thoughts on the 2011 DBIR and APT,” including the data that I was unable to extract. Thanks!

Diginotar Quantitative Analysis (“Black Tulip”)

by adam on September 13, 2011

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what (…)


Securosis goes New School

by Russell on August 10, 2011

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization”, starting in a couple of weeks. Sounds pretty New School to me! I suggest that you all check it out (…)


Fixes to Wysopal’s Application Security Debt Metric

by Russell on March 5, 2011

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections (…)
