
The 4 Eyes of Information Security - AiS 2019


This talk presents the '4 eyes framework' as defined by Spencer Greenberg of ClearerThinking.org, with applications to security as presented by me. Updated version delivered at Art into Science: A Conference for Defense. Austin, Jan 2019.



  1. 4 Eyes of Information Security. Fernando Montenegro, @fsmontenegro
  2. "It's unbelievable how much you don't know about the game you've been playing all your life." (Mickey Mantle) Security is important. Why isn't it working? (or is it? ☺) [slide footer: 4EyesInfoSec - ArtIntoScience]
  3. $ finger -l fsmontenegro (@fsmontenegro) • Industry Analyst at 451 Research – Endpoint Security, Cloud Infrastructure Security – Container/CloudNative Security, Deception • Previous Roles – Sales Engineering, ProfServ, SecOps, SecArch – CompSci '94 (Greying hair) • Curious - Finance (DIY), Economics, Data Science • Presented @ ACoD2017 – Economics of CyberSecurity (Source: memegenerator.net)
  4. (image-only slide)
  5. (Behaviour) Economics FTW
  6. 4 EYES FRAMEWORK
  7. Take an existing, important problem. Why hasn't it been solved?
  8. Perspective 1: Incentives • Agents not under proper incentive structure – Positive OR Negative • Examples – Package delivery – Copier sales – Daycare in Israel • How to Address? – Grants & Competitions – Regulations & Taxes – Bonuses & Recognitions – Rules & Monitoring
  9. Perspective 2: Ignorance • No knowledge to develop or apply solution – Individual OR Societal • Examples – STD prevention – Energy storage – Poor coding practices • How to Address? – Education & Advertising – Basic Research – Training Programs – Data Collection
  10. Perspective 3: Investments • Lack of resources to tackle issue – Individual OR Societal – Money, Time, Others • Examples – Poverty Reduction – Animal Cruelty – Customer Satisfaction • How to Address? – Increased/Alternate Funding – Increased Publicity – Additional Budgets – Additional Headcount
  11. Perspective 4: Irrationality • Are human biases or decision flaws preventing action? • 150+ Biases in broad categories: – Too Much Information – Not Enough Meaning – Need to Act Fast – What Should We Remember • Examples – Too many to list… ☺ • How to Address? – Reward Rationality – Adjust Defaults – Adopt Checklists – Use second opinions
  12. (image-only slide)
  13. (image-only slide)
  14. SECURITY APPLICATIONS
  15. (5th "Eye": Importance?) "It is difficult to get a man to understand something when his salary depends upon his not understanding it." (Upton Sinclair Jr.) "Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm's annual IT security budget), and that this represents only 0.4% of their estimated annual revenues." (S. Romanosky, RAND)
  16. "Mind the Denominator" • Prof. Eric Jardine, VTech: https://www.cigionline.org/publications/global-cyberspace-safer-you-think-real-trends-cybercrime • Daniel Miessler: https://danielmiessler.com/blog/the-reason-software-remains-insecure/
  17. Software Quality (src: Russ Bowling/Flickr; src: Bugcrowd)
  18. User Behaviour • Phishing – "Hot states" vs policy • Data Handling – Principal-Agent Problem • Ransomware – Smart Defaults • Macros/GPOs/Whitelist
  19. WRAP UP
  20. Looking back… • Attempts at persistent problems fail for many reasons. • 4 Eyes Framework • Applicability to InfoSec: – Software Quality – User Behaviour – …
  21. clearerthinking.org https://www.youtube.com/watch?v=osOKFkGA3AI
  22. @fsmontenegro
