The document discusses how to identify "security theater" or superficial security measures that provide little real protection. It provides a 33 question survey to assess how likely a given security technology, measure or program is security theater rather than effective security. Scoring higher indicates more attributes of theater like complexity for its own sake, lack of input from security experts, and resistance to independent evaluation. Effective security relies on identifying vulnerabilities, input from end users, and openness to criticism.
This document discusses developing a Project Early Warning System (PEWS) to detect potential issues in a project early. It recommends engaging the entire project team to serve as "eyes and ears" to log any issues. Technical team leads act as "gatekeepers" to filter issues and escalate important ones. Signal detection methods include earned value tracking, risk management, and external scanning of related projects, stakeholders, and the operational environment. The document provides templates for tools like SWOT analysis, stakeholder analysis, and assumption surfacing to aid in anticipation. It emphasizes issue logging and regular review meetings to address problems before they become major crises. The goal is to move from reactive "management by crisis" to proactive management through early issue
Common and dangerous myths about security vulnerability assessments from experienced vulnerability assessors of physical security and nuclear safeguards devices, systems, and programs.
Using Periodic Audits To Prevent Catastrophic Project Failure - icgfmconference
The document discusses the importance of periodic audits in preventing IT project failures. It argues that audits can help ensure projects are on track to meet requirements and catch problems before it's too late. While audits are costly and politically difficult, they can help avoid wasting tens or hundreds of millions by uncovering issues with a project's scope, design, or feasibility. Regular assessments by an independent third party are recommended to objectively evaluate a project's status and direction.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di... - Steve Werby
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
BSidesLondon 20th April 2011 - Chris John Riley
Chris Sumner, Arron "finux" Finnon and Frank Breedijk
---------------
Why shouting into the security echo chamber does no good! Set to interpretive YMCA dance....
---------------
For more information about the presenters, follow them on Twitter: @ChrisJohnRiley, TheSuggmeister, @seccubus, @F1nux
The document provides tips for IT security professionals to effectively communicate security risks to the board of directors. It advises understanding the board's risk tolerance, identifying who owns the risks, exploring risk management frameworks, focusing presentations on solutions rather than problems, and emphasizing how risks impact business operations and the bottom line. The overall goal is to reassure the board that the company is protected while gaining their trust and support for security initiatives.
Making the Business Case for Security Investment - Roger Johnston
(1) Traditional ROI arguments for security spending often don't convince executives who are unaware of security issues and risks. (2) Executives may not envision security failures occurring on their watch and would rather save money now. (3) Estimating attack probabilities and costs is difficult, and long-term damage is underestimated in ROI analyses. (4) The author proposes an 8-step hybrid approach using best practices, legal perspectives, competitor comparisons, vivid failure scenarios, and scare tactics to convince executives to invest in security.
The Bitter Truth About Software Security, Volodymyr Styran - Sigma Software
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
Sigma Open Tech Week: Bitter Truth About Software Security - Vlad Styran
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
This document provides an overview of key concepts related to risk management, including definitions of risk, vulnerability, probability, and impact. It discusses approaches to assessing risk such as quantifying probability and impact, analyzing threats and vulnerabilities, and measuring the effectiveness of security controls. The document is authored by Phillip Banks and copyrighted by The Banks Group Inc., which provides risk consulting and security services. It references numerous standards and guidelines for risk and security management.
66 Chapter 3 Security Surveys and the Audit Lawrence .docx - blondellchancy
Chapter 3
Security Surveys and the Audit
Lawrence J. Fennelly, CPO, CSS, HLC III
A security survey is a critical on-site examination and analysis of a place, which may be an industrial plant, business, home, or public or private institution, to ascertain the present security status, identify deficiencies or excesses, determine the protection needed, and make recommendations to improve the overall security. Your survey or audit must include the external and internal complex, as well as the identification of threats, controls, level of risk and your completed risk assessment, which should include risk analysis, risk identification, and risk evaluation.
It is interesting to note that a definition of crime prevention as outlined by the British Home Office Crime Prevention Program—“the anticipation, recognition and appraisal of a crime risk and the initiation of action to remove or reduce it”—could, in fact, be an excellent description of a security survey. The only difference, of course, is that a survey generally does not become the “action” as such but rather a basis for recommendations for action.
This definition can be divided into five components and analyzed so that its implications can be applied to the development of a working foundation for the security surveyor:
1. Anticipation. How does the anticipation of a crime risk become important to the security or crime prevention surveyor? Obviously, a primary objective of a survey is the anticipation or prevention aspects of a given situation—the pre- or before concept. Thus, an individual who keeps anticipation in the proper perspective maintains a proper balance in the total spectrum of security surveying. In other words, the anticipatory stage could be considered a prognosis of further action.
2. Recognition. What does an individual need to conduct a survey of the relationships between anticipation and appraisal? Primarily, the ability to recognize and interpret what seems to be a crime risk becomes an important skill a security surveyor acquires and develops.
3. Appraisal. The responsibility to develop, suggest, and communicate recommendations is certainly a hallmark of any security survey.
4. Crime risk. As defined in this text, a crime risk is the opportunity gained from crime. The total elimination of opportunity is most difficult, if not improbable. Therefore, the cost of protection is measured in (1) protection of depth and (2) delay time. Obviously, the implementation of the recommendation should not exceed the total (original or replacement) cost of the item(s) to be protected. An exception to this rule would be human life.
5. The initiation of action to remove or reduce a crime risk. This section indicates the phase of a survey in which the recipient of the recommendations decides whether to act, based on the suggestions (recommendations) set forth by the surveyor. In some cases, the identification of
Copyright @ 2012. Butter ...
This document provides an agenda for a presentation on using the MITRE ATT&CK framework to quantify cybersecurity risk and prioritize security controls and projects. The presentation will discuss assumptions around security as risk management, challenges in measuring risk, and how ATT&CK can help by providing standardized threat models, estimates of risk reduction for different controls, and metrics for measuring impact and likelihood. Examples are provided of how ATT&CK can be used to model risk for password management and single sign-on projects. The presentation considers criticisms of the approach and provides disclaimers around calibrating people and the challenges of implementation.
Cyber Security testing in an agile environment - Arthur Donkers
How do you test your cyber security in an agile environment? Moving to a continuous testing methodology, applying red teaming, using a smart bug bounty program and having a well-oiled incident response process help you maintain your cyber security in an agile environment.
Security hacks are happening everywhere and it is almost impossible to keep up with all new developments. So how do you test your own security in such a dynamic cybersecurity landscape?
The days of narrow-scoped and limited penetration tests are over; responsible disclosure, bug bounty programs and red and blue teams are the new way of continuously testing your security. This webinar will help you adapt to this new testing paradigm.
Main points that will be covered:
• Limits of 'old' penetration testing;
• Continuous testing to stay on top;
• Leveraging the hacker community through a bug bounty program
• Responsible disclosure and handling incidents
Presenter:
Arthur Donkers (arthur@1secure.nl):
Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect. Trainer for PECB (ISO 27001, 27005, 31000). Convinced that infosec is a means to an end, not a purpose in itself.
Link of the recorded session published on YouTube: https://youtu.be/Kck8zBY27Hg
Metrics & Reporting - A Failure in Communication - Chris Ross
Wisegate recently conducted a research initiative to assess the current state of security risks and controls in business today. One of the key takeaways? A concerning lack of metrics and reporting on the subject. While CISOs claim to be improving corporate security all the time, there is little ability to measure that success. In this Drill-Down report, Wisegate uncovers where most organizations stand when it comes to metrics and reporting, and how it is affecting their businesses on the whole.
Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects in information security in relation with technology used to mitigate the risk.
Statistics show that as many as 75 percent of security incidents are caused by human error or ignorance. While technology solutions can never be the panacea in information security, one can increase their effectiveness by implementing a well-designed security awareness strategy.
Convince your management and launch your ideas in a comprehensive language for your target audience!
Intro to a Data-Driven Computer Security Defense - Roger Grimes
Introduces a Data-Driven Computer Security Defense, a computer security defense strategy introduced by the author. Slide deck complements the book and whitepaper and can be used by anyone.
Embracing Threat Intelligence and Finding ROI in Your Decision - Cylance
Threat intelligence has long existed but is now recognized as a distinct discipline. Tradecraft and technology in threat intelligence are rapidly maturing, along with industry expectations. Choosing how to invest in threat intelligence programs should be driven by business risk, though any organization can be targeted. Providing context increases the value of threat intelligence, and the strongest programs understand the return on investment of sharing intelligence externally.
Information security is often misunderstood, undervalued and often tackled as an afterthought. This presentation was given in 2014 during an ISACA educational event.
Yours Anecdotally: Developing a Cybersecurity Problem Space - Jack Whitsitt
Almost 70 years since the first computer bug was discovered, there have been decades of research done on information security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We're likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we've managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about "Information Security Risk". In fact, it's worth noting that we can't even agree if there is a space between "Cyber" and "Security" when it's written out. This talk will take an anecdotal look at "Information Security Risk" and "Cyber<>Security", and use that perspective to suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior - Sandra (Sandy) Dunn
The document discusses how to build an effective security awareness program by empowering and engaging employees rather than intimidating them. It advocates treating employees as "cyber warriors" rather than victims by providing them with the right information and tools to help defend the organization from cyber threats. Some key points made include: focusing on employee engagement; using "nudging" tactics rather than scare tactics to motivate better security behaviors; tailoring the message to different audiences; and measuring the impact of the program through before-and-after baselines. The goal is to change employee mindsets around security and turn intimidated, confused workers into empowered protectors of organizational data and systems.
A Vulnerability analyst detects vulnerabilities in networks and software and then takes the necessary steps to manage security within the system.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
ISACA Reporting relevant IT risks to stakeholders - Marc Vael
A presentation I made for the ISACA Belgium open forum of June 2015 in Brussels on Reporting relevant IT risks to stakeholders. This presentation served as starter for the discussions in the open forum.
This document summarizes a workshop on implementing leading indicator programs to improve safety. The workshop will address key questions around health, safety and environment leading indicators and how to use collected data to create change. Presentations will cover lagging and leading indicators, a case study of a successful leading indicator program, using technology for leading indicators, and data reporting. Attendees will participate in a workshop activity to experience using a mobile application to record inspection results. Recommendations provided include making leading indicators measure proactive activities, applying a plan-do-check-act model, and using data visualization and analytics to drive decisions to prevent incidents.
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even... - Plus Consulting
Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, applications features, and collaboration makes cyber-security a greater challenge. Complex, clever and continuous threats and security tools in isolation of a continuous security program only delay the inevitable.
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx - hforhassan101
Pat Kelly is a SOC analyst who is experiencing burnout due to being overwhelmed by security incidents and alerts. As a SOC analyst 1, Pat is responsible for monitoring security data and generating tickets for security incidents around the clock. Pat wants to be appreciated for the important contributions made to the organization's security but finds the job demanding. SOC analysts experience challenges like identifying threats among hundreds of thousands of data points daily, getting other teams to prioritize security issues, and feeling underqualified due to the sophisticated nature of modern threats. They need solutions that provide more insight, visibility, and automation to resolve problems faster and reduce stress.
Risk management plan
Executive Summary
The past few decades have seen technological evolutions on a rapid scale with the growth of the industry taking over the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers and powerful technologies being made available to the public with them having high processing power and some being small, powerful and portable has led to people having information in their hands, literally.
However, with the advantages of the recently introduced technologies, there still are threats brought about by the same since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identification of strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015). Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important for analysing the importance of managing information technologies and implementing security since, with their introduction, most companies have taken them up; hence the need to prevent attacks via the technologies implemented. Critical business processes rely on information technologies; hence the need to safeguard them against hacking attacks and other similar threats relating to information technologies.
Milestones Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses, especially in a technologically growing and dependent world, need to learn the vulnerabilities posed by these developments as well as the methods that can be used to control or curb them. Most companies have successfully put in place firewalls and network administrators to monitor, analyze and notify of irregularities that may cause a breach of sensitive company information.
Cost Constraints Comment by Schneider, Paul: Very poor job.
In implementing security within information technologies there are costs involved, some one-off and others recurrent, but all serving the same purpose. Costs involved in implementing security protocols include the purchase of hardware and software offering security, such as firewalls, antivirus and antimalware programs, and programs for detecting network intrusions. Costs can also arise from contracting an external organization to ...
The document provides guidance on conducting workplace accident investigations, including defining accidents and incidents, explaining why investigations are important, describing the investigation process from developing a plan to writing a report, and outlining required actions and notifications for the Department of Labor and Industries. The goal of an investigation is to determine the root causes in order to prevent future accidents and ensure workplace safety.
This document discusses the use of humor in security. It begins by outlining some of the benefits of using humor, such as entertaining audiences, emphasizing important points, and reducing tension. It then explores various theories of humor, including incongruity theory and benign violation theory. The document also examines different types of humor, such as affiliative, self-enhancing, aggressive, and self-deprecating humor. The author shares examples of humor they have used effectively in security contexts, including silly jokes, self-deprecating humor, jokes that emphasize a security point, and subversive humor that criticizes security practices.
This is the June 2022 issue of the Journal of Physical Security. In addition to the usual editor’s rants and news about security, this issue has papers about ZigBee vulnerabilities, practical password cracking, humor & security, the costs of police body camera video storage, tips for reducing security guard turnover, and FDA & DHS blessing of security technologies.
Back issues of the Journal can be found at http://jps.rbseurity.com
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
This document provides an overview of key concepts related to risk management, including definitions of risk, vulnerability, probability, and impact. It discusses approaches to assessing risk such as quantifying probability and impact, analyzing threats and vulnerabilities, and measuring the effectiveness of security controls. The document is authored by Phillip Banks and copyrighted by The Banks Group Inc., which provides risk consulting and security services. It references numerous standards and guidelines for risk and security management.
66Chapter 3Security Surveys and the AuditLawrence .docxblondellchancy
66
Chapter 3
Security Surveys and the Audit
Lawrence J. Fennelly, CPO, CSS, HLC III
A security survey is a critical on-site examination and analysis of a place, which may be an industrial
plant, business, home, or public or private institution to ascertain the present security status, identify
deficiencies or excesses, determine the protection needed, and make recommendations to improve the
overall security. Your survey or audit must include the external and internal complex, as well as the
identification of threats, identify controls, level of risk and your completed risk assessment, which
should include risk analysis, risk identification, and risk evaluation.
It is interesting to note that a definition of as outlined by the British Home Officecrime prevention
Crime Prevention Program—“the anticipation, recognition and appraisal of a crime risk and the
initiation of action to remove or reduce it”—could, in fact, be an excellent description of a security
survey. The only difference, of course, is that a survey generally does not become the “action” as such
but rather a basis for recommendations for action.
This definition can be divided into five components and analyzed so that its implications can be
applied to the development of a working foundation for the security surveyor:
1. How does the anticipation of a crime risk become important to the security or crimeAnticipation.
prevention surveyor? Obviously, a primary objective of a survey is the anticipation or prevention
aspects of a given situation—the pre- or before concept. Thus, an individual who keeps anticipation
in the proper perspective maintains a proper balance in the total spectrum of security surveying. In
other words, the anticipatory stage could be considered a prognosis of further action.
2. What does an individual need to conduct a survey of the relationships betweenRecognition.
anticipation and appraisal? Primarily, the ability to recognize and interpret what seems to be a
crime risk becomes an important skill a security surveyor acquires and develops.
3. The responsibility to develop, suggest, and communicate recommendations is certainlyAppraisal.
a hallmark of any security survey.
4. As defined in this text, a crime risk is the opportunity gained from crime. The totalCrime risk.
elimination of opportunity is most difficult, if not improbable. Therefore, the cost of protection is
measured in (1) protection of depth and (2) delay time. Obviously, the implementation of the
recommendation should not exceed the total (original or replacement) cost of the item(s) to be
protected. An exception to this rule would be human life.
5. This section indicates the phase of aThe initiation of action to remove or reduce a crime risk.
survey in which the recipient of the recommendations decides whether to act, based on the
suggestions (recommendations) set forth by the surveyor. In some cases, the identification of
Co
py
ri
gh
t
@
20
12
.
Bu
tt
er ...
This document provides an agenda for a presentation on using the MITRE ATT&CK framework to quantify cybersecurity risk and prioritize security controls and projects. The presentation will discuss assumptions around security as risk management, challenges in measuring risk, and how ATT&CK can help by providing standardized threat models, estimates of risk reduction for different controls, and metrics for measuring impact and likelihood. Examples are provided of how ATT&CK can be used to model risk for password management and single sign-on projects. The presentation considers criticisms of the approach and provides disclaimers around calibrating people and the challenges of implementation.
Cyber Security testing in an agile environment, by Arthur Donkers
How do you test your cyber security in an agile environment? Moving to a continuous testing methodology, applying red teaming, using a smart bug bounty program and having a well-oiled incident response process help you maintain your cyber security in an agile environment.
Security hacks are happening everywhere and it is almost impossible to keep up with all new developments. So how do you test your own security in such a dynamic cybersecurity landscape?
The days of narrow-scoped and limited penetration tests are over; responsible disclosure, bug bounty programs and red and blue teams are the new way of continuously testing your security. This webinar will help you adapt to this new testing paradigm.
Main points that will be covered:
• Limits of 'old' penetration testing;
• Continuous testing to stay on top;
• Leveraging the hacker community through a bug bounty program
• Responsible disclosure and handling incidents
Presenter:
Arthur Donkers (arthur@1secure.nl):
Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect. Trainer for PECB (ISO 27001, 27005, 31000). Convinced that infosec is a means to an end, not a purpose in itself.
Link of the recorded session published on YouTube: https://youtu.be/Kck8zBY27Hg
Metrics & Reporting - A Failure in Communication, by Chris Ross
Wisegate recently conducted a research initiative to assess the current state of security risks and controls in business today. One of the key takeaways? A concerning lack of metrics and reporting on the subject. While CISOs claim to be improving corporate security all the time, there is little ability to measure that success. In this Drill-Down report, Wisegate uncovers where most organizations stand when it comes to metrics and reporting, and how it is affecting their businesses on the whole.
Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects of information security in relation to the technology used to mitigate the risk.
Statistics show that as many as 75 percent of security incidents are caused by human error or ignorance. While technology solutions can never be the panacea in information security, one can increase their effectiveness by implementing a well-designed security awareness strategy.
Convince your management and launch your ideas in a comprehensive language for your target audience!
Intro to a Data-Driven Computer Security Defense, by Roger Grimes
Introduces a Data-Driven Computer Security Defense, a computer security defense strategy introduced by the author. Slide deck complements the book and whitepaper and can be used by anyone.
Embracing Threat Intelligence and Finding ROI in Your Decision, by Cylance
Threat intelligence has long existed but is now recognized as a distinct discipline. Tradecraft and technology in threat intelligence are rapidly maturing, along with industry expectations. Choosing how to invest in threat intelligence programs should be driven by business risk, though any organization can be targeted. Providing context increases the value of threat intelligence, and the strongest programs understand the return on investment of sharing intelligence externally.
Information security is often misunderstood, undervalued and tackled as an afterthought. This presentation was given in 2014 during an ISACA educational event.
Yours Anecdotally: Developing a Cybersecurity Problem Space, by Jack Whitsitt
Almost 70 years since the first computer bug was discovered, there have been decades of research done on information security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We're likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we've managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about "Information Security Risk". In fact, it's worth noting that we can't even agree on whether there is a space between "Cyber" and "Security" when it's written out. This talk will take an anecdotal look at "Information Security Risk" and "Cyber<>Security", and use that perspective to suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior, by Sandra (Sandy) Dunn
The document discusses how to build an effective security awareness program by empowering and engaging employees rather than intimidating them. It advocates treating employees as "cyber warriors" rather than victims by providing them with the right information and tools to help defend the organization from cyber threats. Some key points made include: focusing on employee engagement; using "nudging" tactics rather than scare tactics to motivate better security behaviors; tailoring the message to different audiences; and measuring the impact of the program through before-and-after baselines. The goal is to change employee mindsets around security and turn intimidated, confused workers into empowered protectors of organizational data and systems.
A vulnerability analyst detects vulnerabilities in networks and software and then takes the necessary steps to manage security within the system.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
ISACA Reporting relevant IT risks to stakeholders, by Marc Vael
A presentation I made for the ISACA Belgium open forum of June 2015 in Brussels on Reporting relevant IT risks to stakeholders. This presentation served as starter for the discussions in the open forum.
This document summarizes a workshop on implementing leading indicator programs to improve safety. The workshop will address key questions around health, safety and environment leading indicators and how to use collected data to create change. Presentations will cover lagging and leading indicators, a case study of a successful leading indicator program, using technology for leading indicators, and data reporting. Attendees will participate in a workshop activity to experience using a mobile application to record inspection results. Recommendations provided include making leading indicators measure proactive activities, applying a plan-do-check-act model, and using data visualization and analytics to drive decisions to prevent incidents.
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even..., by Plus Consulting
Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, applications features, and collaboration makes cyber-security a greater challenge. Complex, clever and continuous threats and security tools in isolation of a continuous security program only delay the inevitable.
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx, by hforhassan101
Pat Kelly is a SOC analyst who is experiencing burnout due to being overwhelmed by security incidents and alerts. As a SOC analyst 1, Pat is responsible for monitoring security data and generating tickets for security incidents around the clock. Pat wants to be appreciated for the important contributions made to the organization's security but finds the job demanding. SOC analysts experience challenges like identifying threats among hundreds of thousands of data points daily, getting other teams to prioritize security issues, and feeling underqualified due to the sophisticated nature of modern threats. They need solutions that provide more insight, visibility, and automation to resolve problems faster and reduce stress.
Risk management plan
Executive Summary
The past few decades have seen rapid technological evolution, with the growth of the industry taking the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers, and the availability to the public of powerful technologies with high processing power, some of them small and portable, has put information in people's hands, literally.
However, alongside the advantages of the recently introduced technologies, there are threats brought about by the same, since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identifying strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015).
Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope
Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important in analyzing the importance of managing information technologies and implementing security, since most companies have adopted them and therefore need to prevent attacks via the technologies implemented. Critical business processes are reliant on information technologies, hence the need to safeguard them against hacking attacks and other similar threats.
Milestones
Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses, especially in a technologically growing and dependent world, need to learn the vulnerabilities posed by these developments as well as the methods which can be used to control or curb them. Most companies have successfully put in place firewalls and network administrators to monitor, analyze and notify of irregularities which may cause a breach of sensitive company information.
Cost Constraints
Comment by Schneider, Paul: Very poor job.
In implementing security within information technologies, there are costs involved, some one-off and others recurrent, but all serving the same purpose. Costs included in implementing security protocols are such as the purchase of hardware and software offering security, such as firewalls, antivirus and antimalware programs, and network intrusion detection programs. Costs can also arise from contracting an external organization to ...
The document provides guidance on conducting workplace accident investigations, including defining accidents and incidents, explaining why investigations are important, describing the investigation process from developing a plan to writing a report, and outlining required actions and notifications for the Department of Labor and Industries. The goal of an investigation is to determine the root causes in order to prevent future accidents and ensure workplace safety.
This document discusses the use of humor in security. It begins by outlining some of the benefits of using humor, such as entertaining audiences, emphasizing important points, and reducing tension. It then explores various theories of humor, including incongruity theory and benign violation theory. The document also examines different types of humor, such as affiliative, self-enhancing, aggressive, and self-deprecating humor. The author shares examples of humor they have used effectively in security contexts, including silly jokes, self-deprecating humor, jokes that emphasize a security point, and subversive humor that criticizes security practices.
This is the June 2022 issue of the Journal of Physical Security. In addition to the usual editor’s rants and news about security, this issue has papers about ZigBee vulnerabilities, practical password cracking, humor & security, the costs of police body camera video storage, tips for reducing security guard turnover, and FDA & DHS blessing of security technologies.
Back issues of the Journal can be found at http://jps.rbseurity.com
Audits should focus on ensuring good security practices rather than strict compliance. Auditors should ask employees about potential security weaknesses and improvements rather than criticizing minor violations. The goal of auditing should be cooperative discussions to strengthen security, not punitive enforcement of rules from disconnected leaders. Effective auditing recognizes that security depends on local expertise and conditions, not top-down mandates.
Vulnerability Assessment: The Missing Manual for the Missing Link, by Roger Johnston
Vulnerability Assessment: The Missing Manual for the Missing Link. Now available as an ebook, paperback, or hardcover.
This book is written by a Vulnerability Assessor with 35+ years of experience. The book covers the common misconceptions and problems with how Security Vulnerability Assessments are thought of and done. Various security tips and advice are also offered. If you do or think about security, you need this book!
This March 2021 issue of the Journal of Physical Security has papers on:
• tax credits for physical security R&D
• pinhole cameras for surreptitious surveillance
• insider threat issues
• tamper-indicating seals for fast food in the era of Covid
• security for sealed radiological sources
Back issues are available for free at https://jps.rbsekurity.com
1. The author conducted an informal experiment on food orders from a popular fast food chain, finding that the pressure-sensitive adhesive seals used on paper bags were easy to remove and reapply without detection within the first 24-48 hours.
2. Additionally, the bottom of the bags without seals could be pried open and resealed without visible evidence of tampering.
3. While not a rigorous assessment, the seals seem unlikely to reliably detect tampering. Possible purposes for the seals include reassurance during the pandemic or detecting tampering within the restaurant rather than security purposes.
This is the Oct 2020 issue with the usual security news and editor's rants, plus Viewpoint papers on Security Assurance and Election Security.
Back issues are available at http://jps.rbsekurity.com
The document is a viewpoint paper from a vulnerability assessor on U.S. election security. Some of the key points made in the paper include: 1) Vote-by-mail is likely more secure than in-person voting due to fewer insiders and a required paper trail; 2) Election security is generally better with high voter turnout since more votes need to be altered without detection; 3) While difficult to tamper with a national election, compromising local elections through voting machine or ballot tampering is probably easy in most jurisdictions.
The document discusses security assurance and argues that security managers should not seek assurance or comfort that their security programs are effective. Instead, they should focus on ongoing risk management through techniques like vulnerability assessments to continuously improve security. Providing high-level assurance to stakeholders is unavoidable for purposes like funding, but security programs themselves should not prioritize assurance and instead prioritize identifying weaknesses through methods like vulnerability assessments. The document cautions that using security tests or past vulnerability assessment results to claim assurance can incentivize not thoroughly testing and identifying issues.
A New Approach to Vulnerability Assessment, by Roger Johnston
Most organizations don't do Vulnerability Assessments, or confuse them with something else, or do them but not very effectively, imaginatively, or proactively (thinking like the bad guys). Here is some practical advice for how to do better from a Vulnerability Assessor with 35+ years of experience.
We can't test our way to good #security. Why? Because we can't test—or prevent—what we have not envisioned. (Think 9/11.) Effective, imaginative vulnerability assessments are essential. This book explains how to do them based on the 35+ years experience of a Vulnerability Assessor.
This book is the missing manual for the missing link: it provides practical advice on how to do effective, imaginative, proactive Vulnerability Assessments based on the author's 30+ years of experience as a vulnerability assessor.
Design Reviews Versus Vulnerability Assessments for Physical Security, by Roger Johnston
Vulnerability assessments aim to identify security flaws and likely attack scenarios in order to improve security, but they can be challenging for security managers due to fears about vulnerabilities being uncovered. Design reviews provide a less frightening alternative that still allows for security improvements. A design review briefly reviews design issues and offers recommendations, while identifying fewer vulnerabilities than a full assessment. However, about half of organizations that do a design review later pursue a more comprehensive vulnerability assessment once they see the initial results. The author suggests design reviews or market analyses as ways to introduce vulnerability issues in a palatable manner for hesitant organizations.
In addition to the usual security news and editor's rants about security, this issue (Volume 12, Issue 3) has papers about:
• automatic vehicle security gates
• 3D magnetometer arrays as a more secure replacement for BMS
• best practices in physical security
• design reviews vs. vulnerability assessments
JPS, a peer reviewed journal, is hosted by Right Brain Sekurity as a free public service. See http://jps.rbsekurity.com
In addition to the usual security news and editor’s rants about security, this (August 2019) issue has papers about security by design, defeating electronic locks with radio frequency attack tools, poor seal practice with pressure-sensitive adhesive label seals, wargaming Brexit, and a revised and updated list of popular (mostly smart ass) security maxims.
This document describes 33 unconventional security devices, including tamper-indicating seals, tags, real-time monitoring devices, and access control techniques. It summarizes two devices in particular:
Device #1 is an electronic, reusable time-out seal called a "Time Lock" that can be set to open automatically after a set period of time without a key. It provides low to medium level security.
Device #2 is a covert, high security "Time Trap" tamper-indicating seal that computes a new hash value each minute based on a secret key. If opened unauthorized, it erases the key, displaying the open time and hash value to indicate tampering.
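The summary above describes the Time Trap seal only at the level of its behaviour: a fresh hash each minute derived from a secret key, the key erased on unauthorized opening, and the open time plus the last hash left on the display. The Python below is an added illustration, not the device's firmware or any code from the Journal or its authors: it models that behaviour and, more usefully, the inspector's side of the check, which the summary leaves implicit. Everything concrete here is assumed, not taken from the page: the HMAC-SHA256 construction over (seal ID, minute counter), the 8-hex-character display, the inspector holding a copy of the per-seal key, the one-minute clock tolerance, and the names TimeTrapSeal, seal_code, inspect and demo. The key, seal ID and minute values are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values for the demonstration; a real seal would hold a unique
# per-seal key provisioned at manufacture and known only to the inspectors.
SECRET_KEY = b"per-seal secret, shared only with the inspector"
SEAL_ID = b"seal-0042"
MAX_DRIFT_MINUTES = 1  # tolerance between the inspector's clock and the seal's


def seal_code(key: bytes, seal_id: bytes, minute: int) -> str:
    """Code shown on the display for a given minute.

    Assumed construction: HMAC-SHA256 over (seal id || minute counter),
    truncated to 8 hex characters so it fits a small display. Without the
    key nobody can predict next minute's code or forge one for a chosen time.
    """
    msg = seal_id + minute.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


@dataclass
class TimeTrapSeal:
    """Minimal model of the seal's state machine (assumed, not the real firmware)."""

    seal_id: bytes
    key: Optional[bytes]             # None once the seal has erased it
    opened_at: Optional[int] = None  # minute at which opening was detected
    frozen_code: Optional[str] = None

    def display(self, minute: int) -> Tuple[int, str, str]:
        """What an inspector reads off the seal at `minute`."""
        if self.key is None:
            return (self.opened_at, self.frozen_code, "OPENED")
        return (minute, seal_code(self.key, self.seal_id, minute), "SEALED")

    def open_unauthorized(self, minute: int) -> None:
        """Tamper event: record the last valid code and time, then zeroise the key."""
        if self.key is None:
            return
        self.frozen_code = seal_code(self.key, self.seal_id, minute)
        self.opened_at = minute
        self.key = None


def inspect(seal_id: bytes, shown: Tuple[int, str, str], key: bytes,
            now_minute: int) -> Tuple[bool, str]:
    """Inspector's check. The code is verified under the key first, so a seal
    that cannot produce a valid code (a counterfeit or a swapped-in unit) is
    rejected before its status field is believed."""
    shown_minute, code, status = shown
    expected = seal_code(key, seal_id, shown_minute)
    if not hmac.compare_digest(expected, code):
        return False, "code does not verify under the seal's key"
    if status == "OPENED":
        return False, f"seal reports an unauthorized opening at minute {shown_minute}"
    if abs(now_minute - shown_minute) > MAX_DRIFT_MINUTES:
        return False, "stale code: seal is not advancing"
    return True, "intact"


def demo() -> dict:
    """Four scenarios; returns the inspector's verdict for each."""
    seal = TimeTrapSeal(SEAL_ID, SECRET_KEY)
    results = {}
    # Routine inspection at minute 100 of an untouched seal.
    results["intact"] = inspect(SEAL_ID, seal.display(100), SECRET_KEY, 100)
    # Adversary photographs the display at minute 100 and presents the photo at 300.
    photo = seal.display(100)
    results["replay"] = inspect(SEAL_ID, photo, SECRET_KEY, 300)
    # Seal is opened at minute 150; the key is erased and the display freezes.
    seal.open_unauthorized(150)
    results["opened"] = inspect(SEAL_ID, seal.display(300), SECRET_KEY, 300)
    # Adversary swaps in a counterfeit seal running with a guessed key.
    fake = TimeTrapSeal(SEAL_ID, b"guessed key")
    results["counterfeit"] = inspect(SEAL_ID, fake.display(300), SECRET_KEY, 300)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:12s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Two points the model makes explicit that the one-line summary does not. First, the inspector must hold the key, so the seal's assurance is only as good as the key's custody and as the device's ability to erase the key before an attacker can read it out; that extraction path is exactly what a vulnerability assessment of such a seal would probe. Second, a freshness check is needed in addition to the hash check, or a photograph of yesterday's display passes as a live seal.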
This is the August 2018 issue of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security, this issue has papers on
• election security
• physical security networks
• technology for tracking sealed radiological sources
• an analysis of active shooter training videos
• whether security belongs under Facility Management (Operations)
JPS is hosted as a public service by Right Brain Sekurity, a small company devoted to vulnerability assessments, security consulting, and R&D.
Volume 10, issue 1 (July 2017) of the Journal of Physical Security. This issue has papers about:
• The “Rule of Two” for firefights
• Security and forensic criminology
• A vulnerability assessment of “indelible” voter’s ink used for elections in many developing countries
• Security outsourcing in Nigeria
• How Compliance can sometimes harm Security
• Unconventional security metrics and “Marginal Analysis”
• Common security reasoning errors
Specific ServPoints should be tailored for restaurants in all food service segments. Your ServPoints should be the centerpiece of brand delivery training (guest service) and align with your brand position and marketing initiatives, especially in high-labor-cost conditions.
408-784-7371
Foodservice Consulting + Design
A presentation on mastering key management concepts across projects, products, programs, and portfolios. Whether you're an aspiring manager or looking to enhance your skills, this session will provide you with the knowledge and tools to succeed in various management roles. Learn about the distinct lifecycles, methodologies, and essential skillsets needed to thrive in today's dynamic business environment.
Integrity in leadership builds trust by ensuring consistency between words an..., by Ram V Chary
Integrity in leadership builds trust by ensuring consistency between words and actions, making leaders reliable and credible. It also ensures ethical decision-making, which fosters a positive organizational culture and promotes long-term success. #RamVChary
12 steps to transform your organization into the agile org you deserve, by Pierre E. NEIS
During an organizational transformation, the shift is from the previous state to an improved one. In the realm of agility, I emphasize the significance of identifying polarities. This approach helps establish a clear understanding of your objectives. I have outlined 12 incremental actions to delineate your organizational strategy.
Org Design is a core skill to be mastered by management for any successful org change.
Org Topologies™ in its essence is a two-dimensional space with 16 distinctive boxes - atomic organizational archetypes. That space helps you to plot your current operating model by positioning individuals, departments, and teams on the map. This will give a profound understanding of the performance of your value-creating organizational ecosystem.
Sethurathnam Ravi: A Legacy in Finance and Leadership, by Anjana Josie
Sethurathnam Ravi, also known as S Ravi, is a distinguished Chartered Accountant and former Chairman of the Bombay Stock Exchange (BSE). As the Founder and Managing Partner of Ravi Rajan & Co. LLP, he has made significant contributions to the fields of finance, banking, and corporate governance. His extensive career includes directorships in over 45 major organizations, including LIC, BHEL, and ONGC. With a passion for financial consulting and social issues, S Ravi continues to influence the industry and inspire future leaders.
Enriching engagement with ethical review processes, by strikingabalance
New ethics review processes at the University of Bath. Presented at the 8th World Conference on Research Integrity by Filipa Vance, Head of Research Governance and Compliance at the University of Bath. June 2024, Athens
Employment Practices Regulation and Multinational Corporations, by RoopaTemkar
Strategic decision making within MNCs is constrained or determined by the implementation of laws and codes of practice and by pressure from political actors. Managers in MNCs have to make choices that are shaped by government intervention and the local economy.
Senior Project and Engineering Leader Jim Smith.pdf, by Jim Smith
I am a Project and Engineering Leader with extensive experience as a Business Operations Leader, Technical Project Manager, Engineering Manager and Operations Experience for Domestic and International companies such as Electrolux, Carrier, and Deutz. I have developed new products using Stage Gate development/MS Project/JIRA, for the production of Medical Equipment, Large Commercial Refrigeration Systems, Appliances, HVAC, and Diesel engines.
My experience includes:
Managed customized engineered refrigeration system projects with high voltage power panels from quote to ship, coordinating actions between electrical engineering, mechanical design and application engineering, purchasing, production, test, quality assurance and field installation. Managed projects $25k to $1M per project; 4-8 per month. (Hussmann refrigeration)
Successfully developed the $15-20M yearly corporate capital strategy for manufacturing, with the Executive Team and key stakeholders. Created project scope and specifications, business case, ROI, managed project plans with key personnel for nine consumer product manufacturing and distribution sites; to support the company’s strategic sales plan.
Over 15 years of experience managing and developing cost improvement projects with key Stakeholders, site Manufacturing Engineers, Mechanical Engineers, Maintenance, and facility support personnel to optimize production operations, safety, EHS, and new product development. (BioLab, Deutz, Caire)
Experience working as a Technical Manager developing new products with chemical engineers and packaging engineers to enhance and reduce the cost of retail products. I have led the activities of multiple engineering groups with diverse backgrounds.
Great experience managing the product development of products which utilize complex electrical controls, high voltage power panels, product testing, and commissioning.
Created project scope, business case, ROI for multiple capital projects to support electrotechnical assembly and CPG goods. Identified project cost, risk, success criteria, and performed equipment qualifications. (Carrier, Electrolux, Biolab, Price, Hussmann)
Created detailed project plans using MS Project and Gantt charts in Excel, and updated new product development in Jira for stakeholders and project team members, including critical path.
Great knowledge of ISO9001, NFPA, OSHA regulations.
User level knowledge of MRP/SAP, MS Project, PowerPoint, Visio, MasterControl, JIRA, Power BI and Tableau.
I appreciate your consideration, and look forward to discussing this role with you, and how I can lead your company’s growth and profitability. I can be contacted via LinkedIn, by phone or by e-mail.
Jim Smith
678-993-7195
jimsmith30024@gmail.com
Ganpati Kumar Choudhary Indian Ethos PPT.pptx, The Dilemma of Green Energy Corporation
Green Energy Corporation, a leading renewable energy company, faces a dilemma: balancing profitability and sustainability. Pressure to scale rapidly has led to ethical concerns, as the company's commitment to sustainable practices is tested by the need to satisfy shareholders and maintain a competitive edge.
Public Speaking Tips to Help You Be A Strong Leader.pdf, by Pinta Partners
In the realm of effective leadership, a multitude of skills come into play, but one stands out as both crucial and challenging: public speaking.
Public speaking transcends mere eloquence; it serves as the medium through which leaders articulate their vision, inspire action, and foster engagement. For leaders, refining public speaking skills is essential, elevating their ability to influence, persuade, and lead with resolute conviction. Here are some key tips to consider: https://joellandau.com/the-public-speaking-tips-to-help-you-be-a-stronger-leader/
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
Is it Security Theater?
First appeared in Security Magazine, September 2013, http://www.securitymagazine.com/articles/84691-is-your-program-security-theater
But is it Security Theater?
Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.
Vulnerability Assessment Team, Argonne National Laboratory
rogerj@anl.gov 630-252-6168 http://www.ne.anl.gov/capabilities/vat
INTRODUCTION
Security guru Bruce Schneier coined the term “Security Theater” to describe phony security
measures, procedures, or technologies that give the superficial appearance of providing security
without actually countering malicious adversaries to any significant degree. As an example,
many of the activities undertaken by airport screeners have been characterized by some as little
more than Security Theater.
As vulnerability assessors, we frequently find Security Theater across a wide range of
different physical security and nuclear safeguards devices, systems, and programs. It’s important
to realize, however, that Security Theater is not automatically a bad thing. It can present the
appearance (false though it may be) of a hardened target to potential adversaries, thus potentially
discouraging an attack (at least for a while). Security Theater can reassure the public while more
effective measures are under development, and help encourage employees and the public to stay
focused on security. In nuclear treaty monitoring, Security Theater can provide an excuse to get
inspectors inside nuclear facilities where their informal observations and interactions with host
facility personnel can be of great value to disarmament, nonproliferation, and international
cooperation.
The real problem occurs when Security Theater is not ultimately recognized as such by
security officials or the public, or creates cynicism about security, or stands in the way of Real
Security, or wastes resources and energy, or is actually preferred over Real Security (because it
is usually easier and less painful).
HOW TO TELL SECURITY THEATER FROM THE REAL THING
The best way to determine if a given security technology, measure, or program (STMP) is
primarily Security Theater is to conduct comprehensive vulnerability assessments and threat
assessments to determine how easily the STMP can be defeated, and what threats and attacks it
might have to stand up to. But this can be time consuming and expensive.
In our experience, STMPs that eventually prove to be very easy to defeat and/or not
particularly effective—to the point of being Security Theater—almost always exhibit certain
common attributes. In fact, we can use these attributes to predict fairly reliably how easy it will
be for us as vulnerability assessors to demonstrate multiple successful and simple attacks, even
before beginning the vulnerability assessment.
As a public service, we offer the following survey that you can take to determine how likely it
is that your security technology, measure, or program (STMP) is Security Theater. This survey
is about as scientific as a “how’s your love life?” survey in a teen magazine, but we think it may
nevertheless have some value. The survey questions being asked, along with our comments
associated with some of the questions can at least help suggest warning signs and
countermeasures for Security Theater.
Add up your total points for all 33 survey questions and then see the interpretation for your
score below. (If you’re between 2 choices on any question, split the difference on the points.)
1. Is the security application quite complex and/or challenging?
☐ A lot 2 points
☐ A little 1 point
☐ Not at All 0 points
2. Is (or was) there great urgency from anywhere to get something out in the field or in the marketplace?
☐ Yes 2 points
☐ No 0 points
3. Has substantial time, funding, and political capital already been spent developing, promoting, or analyzing the
security technology, measure, or program (STMP)?
☐ Yes 2 points
☐ No 0 points
4. Is there a great deal of bureaucratic, political, or marketing momentum behind the STMP, or a strong push from
bureaucrats, a committee, or senior non-security managers?
☐ Yes 2 points
☐ No 0 points
5. Is there considerable excitement, exuberance, pride, ego, and/or strong emotions associated with the proposed (or
fielded) STMP?
☐ A lot 5 points
☐ A little 3 points
☐ Not at All 0 points
6. Is the STMP viewed with great confidence, arrogance, and/or characterized as “impossible to defeat”, “tamper
proof”, etc.? (Effective security is very difficult to achieve. Generally, if developers, promoters, and end users of a
given security approach or product have carefully considered the real-world security issues, they will not be in such
a confident mood. Fear is, in fact, a good indicator of a realistic mindset when it comes to security.)
☐ A lot 5 points
☐ A little 3 points
☐ Not at All 0 points
7. Does the STMP in question have a feel-good “aura” or make people quite comfortable with their security risk?
(In general, Real Security doesn’t make people feel better; it makes them feel worse. This is because it is almost
always more expensive, time-consuming, and painful than Security Theater. Moreover, when security is carefully
thought through—as Real Security must be—the difficulty of the task, the unknowns, and the knowledge of the
unmitigated vulnerabilities will cause alarm. If you’re not running scared, you probably have bad security or a bad
security product.)
☐ A lot 6 points
☐ A little 3 points
☐ Not at All 0 points
8. Do the promoters and developers of the technology or the STMP earnestly—even desperately—want it to solve
the security problems at hand, and/or are they highly idealistic? (Strong desires to achieve a valuable goal can
sometimes lead to wishful thinking.)
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
9. Is the STMP a pet technology of the promoters and developers, and/or not chosen from among many candidates
via careful analysis?
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
10. Do the people or organization promoting or deciding on the STMP have a conflict of interest (financial,
psychological, collegial, or political), or are they at least unable to objectively evaluate it, and/or are they overly
enthusiastic/optimistic?
☐ Yes 3 points
☐ No 0 points
11. Do the people developing or promoting the STMP have significant real-world security experience (not just
experience as bureaucrats or experience developing security technology)?
☐ Yes 0 points
☐ No 3 points
12. Has the person who ultimately decides to field the STMP ever seen a new security technology that they didn’t
like, or have they ever found fault with their own security or (publicly) with their employer?
☐ Yes 0 points
☐ No 2 points
13. Is the person who ultimately decides that the STMP should be deployed often thought of as naïve, a bureaucrat,
or less than astute, and/or did they get most of their information about the STMP from promoters and vendors?
☐ Yes 2 points
☐ No 0 points
14. Do the people promoting, deploying, or choosing the STMP substantially understand the technology or security
strategy?
☐ Yes 0 points
☐ No 2 points
15. Are the people promoting or deciding on the STMP mostly non-technical and/or limited in their understanding
of real-world security?
☐ Yes 2 points
☐ No 0 points
16. Are the people developing the STMP mostly engineers? (In our experience, the mindset, culture, and practices
that make one good at engineering aren’t optimal for thinking like the bad guys.)
☐ Yes 3 points
☐ No 0 points
17. Does the STMP rely primarily on complexity, advanced technology, the latest technological “fad”, and/or
multiple layers? (High technology does not equal high security, and layered security isn’t always better.)
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
18. Do the people using the STMP on the front lines substantially understand the technology or security strategy?
☐ Yes 0 points
☐ No 2 points
19. Are the use protocols, training materials, and manuals for the STMP non-existent, vague, poorly written, or ill-conceived,
and/or is the terminology sloppy or misleading?
☐ Yes 3 points
☐ No 0 points
20. Is the STMP complicated or difficult to use?
☐ Yes 2 points
☐ No 0 points
21. Was the STMP forced on the end users from superiors?
☐ Yes 2 points
☐ No 0 points
22. Have the end users of the STMP ever been consulted about it? (These are the people who understand the
real-world implementation issues, and the ones who will have to make the STMP actually work.)
☐ A lot 0 points
☐ A little 1 point
☐ Not at All 2 points
23. Have vulnerability assessors, hacker types, devil’s advocates, question askers, or creative independent outsiders
closely analyzed the STMP?
☐ No, Weren’t Allowed to 6 points
☐ No 4 points
☐ Yes 0 points
24. If anybody questioned/questions the efficacy of the STMP or raised/raises concerns, were/are they (choose one)…
☐ Attacked Emotionally 7 points
☐ Attacked Unemotionally 4 points
☐ Ignored 2 points
☐ Vaguely Tolerated 1 point
☐ Listened to but Ignored 1 point
☐ Enthusiastically Listened to 0 points
25. Are vulnerabilities only considered, and vulnerability assessors only involved, after the development of the
STMP has been completed or nearly completed? (At this point, it is usually too difficult to make the necessary
changes to improve the security, for economic, political, timeliness, inertia, or psychological reasons.)
☐ Yes, or Vulnerabilities Aren’t Considered at All 3 points
☐ No 0 points
26. Does the STMP involve new technology piled on existing STMP in hopes of getting better security, but without
actually addressing the Achilles heel of the old STMP?
☐ A lot 3 points
☐ A little 1 point
☐ Not at All 0 points
27. Do considerations of security focus mainly on software, firmware, or cyber attacks, largely ignoring physical
security?
☐ Yes 3 points
☐ No 0 points
28. Is the main tamper detection mechanism—if there even is one—a mechanical tamper switch, a light sensor, or
an adhesive label seal? (This is approximately the same, in our experience, as having no tamper detection at all.)
☐ Yes 2 points
☐ No 0 points
☐ There are no tamper detection mechanisms 3 points
29. Is the STMP directed against a specific, well-defined adversary with well-defined resources?
☐ Yes 0 points
☐ No 3 points
30. Is the STMP dominated by the desire to address security compliance, rather than true security? (Compliance-based
security is a particularly pernicious type of Security Theater.)
☐ Yes 3 points
☐ No 0 points
31. Is deployment of the STMP really motivated more by a desire for control than for real security?
☐ Yes 2 points
☐ No 0 points
32. Is the operation of the STMP strongly dependent on rules that only the good guys will follow? (For example,
don’t bring thumb drives into the facility.)
☐ Yes 2 points
☐ No 0 points
33. Is the effectiveness of the STMP thought to require keeping long-term secrets, or using manufacturing processes
that can’t be duplicated? (“Security by Obscurity” doesn’t really work long-term because people and organizations
can’t keep secrets. See Manning and Snowden.)
☐ A lot 4 points
☐ A little 2 points
☐ Not at All 0 points
INTERPRETATION
Add up the total points for questions 1-33. If the sum is…
81-100 then: You have so much Theater going on that you ought to charge admission!
61-80 then: You’re pretty heavy into Security Theater, but there’s at least some Real Security.
41-60 then: This appears to be a mix of Security Theater and Real Security.
21-40 then: You apparently have more Real Security than Security Theater, but there’s still
plenty of nonsense going on!
0-20 then: Good job! There’s likely still room for improvement but you’ve got serious security!
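The scoring above is easy enough to do by hand, but the following Python scorer is an added example (it is not part of the original paper) that encodes the point values of the 33 questions as data, totals an answer sheet including the half-point “split the difference” option, and maps the total to the interpretation bands. It also confirms that the maximum possible total is exactly 100 and that the bands tile the range 0–100 with no gaps. The option labels and function names are shorthand chosen for this example; only the point values come from the survey. Because the bands are stated as whole-number ranges, a half-point total such as 20.5 falls between two of them, and rounding such a total up to the next whole point is an assumption made here.

```python
"""Scorer for the 33-question Security Theater survey (added example)."""
from __future__ import annotations

import math
from typing import Mapping

# Point values per question, as printed in the survey.  The option labels are
# shorthand chosen for this example; only the point values come from the paper.
SURVEY: dict[int, dict[str, int]] = {
    1: {"a_lot": 2, "a_little": 1, "not_at_all": 0},
    2: {"yes": 2, "no": 0},
    3: {"yes": 2, "no": 0},
    4: {"yes": 2, "no": 0},
    5: {"a_lot": 5, "a_little": 3, "not_at_all": 0},
    6: {"a_lot": 5, "a_little": 3, "not_at_all": 0},
    7: {"a_lot": 6, "a_little": 3, "not_at_all": 0},
    8: {"a_lot": 3, "a_little": 1, "not_at_all": 0},
    9: {"a_lot": 3, "a_little": 1, "not_at_all": 0},
    10: {"yes": 3, "no": 0},
    11: {"yes": 0, "no": 3},
    12: {"yes": 0, "no": 2},
    13: {"yes": 2, "no": 0},
    14: {"yes": 0, "no": 2},
    15: {"yes": 2, "no": 0},
    16: {"yes": 3, "no": 0},
    17: {"a_lot": 3, "a_little": 1, "not_at_all": 0},
    18: {"yes": 0, "no": 2},
    19: {"yes": 3, "no": 0},
    20: {"yes": 2, "no": 0},
    21: {"yes": 2, "no": 0},
    22: {"a_lot": 0, "a_little": 1, "not_at_all": 2},
    23: {"not_allowed": 6, "no": 4, "yes": 0},
    24: {"attacked_emotionally": 7, "attacked_unemotionally": 4, "ignored": 2,
         "vaguely_tolerated": 1, "listened_to_but_ignored": 1, "enthusiastically_listened_to": 0},
    25: {"yes_or_not_considered": 3, "no": 0},
    26: {"a_lot": 3, "a_little": 1, "not_at_all": 0},
    27: {"yes": 3, "no": 0},
    28: {"yes": 2, "no": 0, "no_tamper_detection": 3},
    29: {"yes": 0, "no": 3},
    30: {"yes": 3, "no": 0},
    31: {"yes": 2, "no": 0},
    32: {"yes": 2, "no": 0},
    33: {"a_lot": 4, "a_little": 2, "not_at_all": 0},
}

# Interpretation bands (low, high, verdict), abridged from the paper's wording.
BANDS = [
    (81, 100, "So much Theater you ought to charge admission"),
    (61, 80, "Heavy Security Theater, with at least some Real Security"),
    (41, 60, "A mix of Security Theater and Real Security"),
    (21, 40, "More Real Security than Theater, but plenty of nonsense"),
    (0, 20, "Serious security, likely with room for improvement"),
]


def max_score() -> int:
    """Highest possible total: the sum of each question's top option."""
    return sum(max(opts.values()) for opts in SURVEY.values())


def bands_cover_range() -> bool:
    """True if the bands tile 0..max_score() with no gaps or overlaps."""
    ordered = sorted(BANDS)
    if ordered[0][0] != 0 or ordered[-1][1] != max_score():
        return False
    return all(lo[1] + 1 == hi[0] for lo, hi in zip(ordered, ordered[1:]))


def score(answers: Mapping[int, str | tuple[str, str]]) -> float:
    """Total one answer sheet.  An answer is an option label, or a pair of
    labels meaning "split the difference" (half points), as the survey
    allows.  Every question must be answered, and with a label that exists."""
    bad = sorted(set(answers) ^ set(SURVEY))
    if bad:
        raise ValueError(f"questions missing or unknown: {bad}")
    total = 0.0
    for q, choice in answers.items():
        opts = SURVEY[q]
        if isinstance(choice, tuple):  # between two choices: split the difference
            total += (opts[choice[0]] + opts[choice[1]]) / 2
        else:
            total += opts[choice]
    return total


def interpret(total: float) -> str:
    """Map a total to its band.  The bands are whole-number ranges, so a
    half-point total such as 20.5 falls between them; the assumption made
    here is to round up, i.e. lean toward the more theatrical verdict."""
    if not 0 <= total <= max_score():
        raise ValueError(f"total {total} outside 0..{max_score()}")
    rounded = math.ceil(total)
    for low, high, verdict in BANDS:
        if low <= rounded <= high:
            return verdict
    raise RuntimeError("bands do not cover the score range")


def worst_case_sheet() -> dict[int, str]:
    """The answer sheet that scores the most points on every question."""
    return {q: max(opts, key=opts.get) for q, opts in SURVEY.items()}
```

Keeping the point values as data rather than as branches in code makes the two structural checks cheap: `max_score()` confirms the top band really does end where the survey’s points run out, and `bands_cover_range()` confirms that no integer total is left without a verdict, so the only ambiguity left is the half-point case that `interpret()` resolves by an explicit, documented choice.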
COUNTERMEASURES TO SECURITY THEATER
Being alert for the presence of Security Theater, knowing its characteristic attributes, and
applying common sense countermeasures can go a long way towards avoiding it. This survey
might be a useful tool to at least get you thinking about some of these issues.
The countermeasures for avoiding Security Theater are relatively straightforward, and some
are not much different from countermeasures for groupthink and cognitive dissonance. Perform
legitimate (not “rubber stamp”) vulnerability assessments and threat assessments early, often,
and iteratively—not only after it is too late to make any changes. Focus on what the purpose is
for the security technology/measure/program, and on the adversary’s mindset and goals.
Early on, invite independent, skeptical, and creative people to analyze your security. Appoint
a devil’s advocate if necessary. Don’t let the enthusiasm for solving the security problems
steamroll over the realities of the task. The people developing or promoting a given security
technology/measure/program should not be the ones to decide whether to implement it. And
don’t automatically believe everything manufacturers and vendors say!
Hold egos, hype, and boosterism in check. Talk (early!) to the end users and to the people
(including low-level personnel) who will actually be doing the security in the field, and learn
from them.
Always bear in mind that Security Theater is going to be seductive. It is easier, cheaper, and
less painful than Real Security, and it takes a whole lot less thought.
DISCLAIMER
This submitted manuscript has been created by UChicago Argonne, LLC, Operator of
Argonne National Laboratory (“Argonne”). Argonne, a U.S. Department of Energy Office of
Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S.
Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable
worldwide license in said article to reproduce, prepare derivative works, distribute copies to the
public, and perform publicly and display publicly, by or on behalf of the Government.
The views expressed here are those of the authors and should not necessarily be ascribed to
Argonne National Laboratory or the United States Department of Energy.