Archive for the “measurement” category

Measuring ROI for DMARC

by nsadmin on October 17, 2018

I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis (…)

Do Games Teach Security?

by adam on December 8, 2016

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: “Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments.” Gamification of classroom assignments and (…)

What Boards Want in Security Reporting

by adam on August 22, 2016

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are (…)

“Cyber” Insurance and an Opportunity

by adam on January 22, 2013

There’s a fascinating article on PropertyCasualty360, “As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that (…)

The High Price of the Silence of Cyberwar

by adam on January 9, 2013

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by its very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are (…)

The Fog of Reporting on Cyberwar

by adam on December 11, 2012

There’s a fascinating set of claims in Foreign Affairs, “The Fog of Cyberwar”: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of (…)

Usable Security: Timing of Information?

by adam on December 10, 2012

As I’ve read Kahneman’s “Thinking, Fast and Slow,” I’ve been thinking a lot about “what you see is all there is” and the difference between someone’s state of mind when they’re trying to decide on an action, and once they’ve (…)

The “Human Action” argument is not even wrong

by adam on November 15, 2012

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. (…)

Where is Information Security’s Nate Silver?

by adam on November 14, 2012

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis (…)

Effective training: Wombat’s USBGuru

by adam on November 12, 2012

Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going (…)