
4 Eyes of Information Security - Converge Detroit 2017

An introduction to ClearerThinking.org's 4 Eyes framework and an application of those perspectives to information security topics.
Delivered at Converge Detroit 2017.

  1. 4 Eyes of Information Security
     Fernando Montenegro, @fsmontenegro
  2. About me (@fsmontenegro)
     • Independent Consultant
       – Sales Engineer (NetSec, AntiFraud)
       – Previous PS, Ops, Arch roles…
     • CompSci ’94
     • Greying hair
     • Curious
       – Finance (DIY)
       – Economics (EMH, Behaviour)
       – Data Science (Coursera)
     2017-05-12 4EyesInfoSec - Converge
     Source: memegenerator.net
  3. [image-only slide]
  4. (Behaviour) Economics FTW
  5. 4 EYES FRAMEWORK
  6. Take an existing, important problem. Why hasn’t it been solved?
  7. Perspective 1: Incentives
     • Agents not under proper incentive structure.
       – Positive OR Negative
     • Examples
       – Fedex packages
       – Xerox copiers
       – Daycare in Israel
     • How to Address?
       – Grants & Competitions
       – Regulations & Taxes
       – Bonuses & Recognitions
       – Rules & Monitoring
  8. Perspective 2: Ignorance
     • No knowledge to develop or apply solution
       – Individual OR Societal
     • Examples
       – STD prevention
       – Energy storage
       – Poor coding practices
     • How to Address?
       – Education & Advertising
       – Basic Research
       – Training Programs
       – Data Collection
  9. Perspective 3: Investments
     • Lack of resources to tackle issue
       – Individual OR Societal
       – Money, Time, Others
     • Examples
       – Poverty Reduction
       – Animal Cruelty
       – Customer Satisfaction
     • How to Address?
       – Increased/Alternate Funding
       – Increased Publicity
       – Additional Budgets
       – Additional Headcount
  10. Perspective 4: Irrationality
      • Are human biases or decision flaws preventing action?
      • 150+ biases in broad categories:
        – Too Much Information
        – Not Enough Meaning
        – Need to Act Fast
        – What Should We Remember
      • Examples
        – Too many to list… ☺
      • How to Address?
        – Reward Rationality
        – Adjust Defaults
        – Adopt Checklists
        – Use second opinions
  11. [image-only slide]
  12. [image-only slide]
  13. SECURITY APPLICATIONS
  14. (5th “Eye”: Importance?)
      “It is difficult to get a man to understand something when his salary depends upon his not understanding it.”
      Upton Sinclair Jr.
      “Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.”
      S. Romanosky (RAND)
  15. Patch Management
      src: Verizon DBIR 2017
  16. Software Quality
      src: Russ Bowling/Flickr; src: Bugcrowd
  17. User Behaviour
      • Phishing
        – “Hot states” vs policy
      • Data Handling
        – Principal Agent Problem
      • Ransomware
        – Smart Defaults
        – Macros/GPOs/Whitelist
  18. WRAP UP
  19. Looking back…
      • Attempts at persistent problems fail for many reasons.
      • 4 Eyes Framework
      • Applicability to InfoSec:
        – Patch Management
        – Software Quality
        – User Behaviour
        – …
  20. clearerthinking.org
  21. @fsmontenegro
