This document discusses the use of humor in security. It begins by outlining some of the benefits of using humor, such as entertaining audiences, emphasizing important points, and reducing tension. It then explores various theories of humor, including incongruity theory and benign violation theory. The document also examines different types of humor, such as affiliative, self-enhancing, aggressive, and self-deprecating humor. The author shares examples of humor they have used effectively in security contexts, including silly jokes, self-deprecating humor, jokes that emphasize a security point, and subversive humor that criticizes security practices.
This is the June 2022 issue of the Journal of Physical Security. In addition to the usual editor’s rants and news about security, this issue has papers about ZigBee vulnerabilities, practical password cracking, humor & security, the costs of police body camera video storage, tips for reducing security guard turnover, and FDA & DHS blessing of security technologies.
Back issues of the Journal can be found at http://jps.rbsekurity.com
Audits should focus on ensuring good security practices rather than strict compliance. Auditors should ask employees about potential security weaknesses and improvements rather than criticizing minor violations. The goal of auditing should be cooperative discussions to strengthen security, not punitive enforcement of rules from disconnected leaders. Effective auditing recognizes that security depends on local expertise and conditions, not top-down mandates.
Vulnerability Assessment: The Missing Manual for the Missing Link, by Roger Johnston
Vulnerability Assessment: The Missing Manual for the Missing Link. Now available as an ebook, paperback, or hardcover.
This book is written by a Vulnerability Assessor with 35+ years of experience. The book covers the common misconceptions and problems with how Security Vulnerability Assessments are thought of and done. Various security tips and advice are also offered. If you do or think about security, you need this book!
This March 2021 issue of the Journal of Physical Security has papers on:
• tax credits for physical security R&D
• pinhole cameras for surreptitious surveillance
• insider threat issues
• tamper-indicating seals for fast food in the era of Covid
• security for sealed radiological sources
Back issues are available for free at https://jps.rbsekurity.com
1. The author conducted an informal experiment on food orders from a popular fast food chain, finding that the pressure-sensitive adhesive seals used on paper bags were easy to remove and reapply without detection within the first 24-48 hours.
2. Additionally, the bottom of the bags without seals could be pried open and resealed without visible evidence of tampering.
3. While not a rigorous assessment, the seals seem unlikely to reliably detect tampering. Possible purposes for the seals include reassurance during the pandemic or detecting tampering within the restaurant rather than security purposes.
This is the Oct 2020 issue with the usual security news and editor's rants, plus Viewpoint papers on Security Assurance and Election Security.
Back issues are available at http://jps.rbsekurity.com
The document is a viewpoint paper from a vulnerability assessor on U.S. election security. Some of the key points made in the paper include: 1) Vote-by-mail is likely more secure than in-person voting due to fewer insiders and a required paper trail; 2) Election security is generally better with high voter turnout since more votes need to be altered without detection; 3) While difficult to tamper with a national election, compromising local elections through voting machine or ballot tampering is probably easy in most jurisdictions.
The document discusses security assurance and argues that security managers should not seek assurance or comfort that their security programs are effective. Instead, they should focus on ongoing risk management through techniques like vulnerability assessments to continuously improve security. Providing high-level assurance to stakeholders is unavoidable for purposes like funding, but security programs themselves should not prioritize assurance and instead prioritize identifying weaknesses through methods like vulnerability assessments. The document cautions that using security tests or past vulnerability assessment results to claim assurance can incentivize not thoroughly testing and identifying issues.
A New Approach to Vulnerability Assessment, by Roger Johnston
Most organizations don't do Vulnerability Assessments, or confuse them with something else, or do them but not very effectively, imaginatively, or proactively (that is, thinking like the bad guys). Here is some practical advice on how to do better from a Vulnerability Assessor with 35+ years of experience.
We can't test our way to good #security. Why? Because we can't test—or prevent—what we have not envisioned. (Think 9/11.) Effective, imaginative vulnerability assessments are essential. This book explains how to do them based on the 35+ years of experience of a Vulnerability Assessor.
This book is the missing manual for the missing link: it provides practical advice on how to do effective, imaginative, proactive Vulnerability Assessments based on the author's 30+ years of experience as a vulnerability assessor.
Design Reviews Versus Vulnerability Assessments for Physical Security, by Roger Johnston
Vulnerability assessments aim to identify security flaws and likely attack scenarios in order to improve security, but they can be challenging for security managers due to fears about vulnerabilities being uncovered. Design reviews provide a less frightening alternative that still allows for security improvements. A design review briefly reviews design issues and offers recommendations, while identifying fewer vulnerabilities than a full assessment. However, about half of organizations that do a design review later pursue a more comprehensive vulnerability assessment once they see the initial results. The author suggests design reviews or market analyses as ways to introduce vulnerability issues in a palatable manner for hesitant organizations.
In addition to the usual security news and editor's rants about security, this issue (Volume 12, Issue 3) has papers about:
• automatic vehicle security gates
• 3D magnetometer arrays as a more secure replacement for BMS
• best practices in physical security
• design reviews vs. vulnerability assessments
JPS, a peer reviewed journal, is hosted by Right Brain Sekurity as a free public service. See http://jps.rbsekurity.com
In addition to the usual security news and editor’s rants about security, this (August 2019) issue has papers about security by design, defeating electronic locks with radio frequency attack tools, poor seal practice with pressure-sensitive adhesive label seals, wargaming Brexit, and a revised and updated list of popular (mostly smart-ass) security maxims.
This document describes 33 unconventional security devices, including tamper-indicating seals, tags, real-time monitoring devices, and access control techniques. It summarizes two devices in particular:
Device #1 is an electronic, reusable time-out seal called a "Time Lock" that can be set to open automatically after a set period of time without a key. It provides low to medium level security.
Device #2 is a covert, high security "Time Trap" tamper-indicating seal that computes a new hash value each minute based on a secret key. If opened unauthorized, it erases the key, displaying the open time and hash value to indicate tampering.
Making the Business Case for Security Investment, by Roger Johnston
(1) Traditional ROI arguments for security spending often don't convince executives who are unaware of security issues and risks. (2) Executives may not envision security failures occurring on their watch and would rather save money now. (3) Estimating attack probabilities and costs is difficult, and long-term damage is underestimated in ROI analyses. (4) The author proposes an 8-step hybrid approach using best practices, legal perspectives, competitor comparisons, vivid failure scenarios, and scare tactics to convince executives to invest in security.
This is the August 2018 issue of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security, this issue has papers on
• election security
• physical security networks
• technology for tracking sealed radiological sources
• an analysis of active shooter training videos
• whether security belongs under Facility Management (Operations)
JPS is hosted as a public service by Right Brain Sekurity, a small company devoted to vulnerability assessments, security consulting, and R&D.
Volume 10, issue 1 (July 2017) of the Journal of Physical Security. This issue has papers about:
• The “Rule of Two” for firefights
• Security and forensic criminology
• A vulnerability assessment of “indelible” voter’s ink used for elections in many developing countries
• Security outsourcing in Nigeria
• How Compliance can sometimes harm Security
• Unconventional security metrics and “Marginal Analysis”
• Common security reasoning errors
This paper is an account of a rudimentary vulnerability assessment on the type of supposedly "indelible" voter's ink used in 38 countries to prevent double voting. Six new attacks were devised and successfully demonstrated. While 11 different countermeasures were proposed for dealing with these kinds of attacks, voter's inks based on silver nitrate do not appear to be particularly secure.
This paper discusses some unusual and helpful ways to measure security, and promotes the idea of Marginal Analysis as a promising method for optimizing complex enterprise security.
This is the December 2016 issue of the Journal of Physical Security (JPS). In addition to the usual security news and editor’s rants, this issue (Volume 9, Issue 2) has papers about:
• Cargo security and the law
• HR and security
• Combining safety and security
• Principals’ views on school security
• An analysis of the productivity of the DOE national laboratories
JPS is a peer-reviewed journal devoted to the technical and social science aspects of Physical Security R&D, testing, evaluation, modeling, theory, and analysis. It is edited and hosted by Right Brain Sekurity as a public service.
Mentoring can be beneficial by helping protégés understand an organization and providing career advice. However, mentors can also become a crutch or impediment if they try to mold their protégé into their own image instead of fostering innovation. The author argues that protégés need to depart from their mentors earlier than many think in order to develop their own ideas, as some of history's greatest scientists achieved their best work after breaking from their mentors or without having mentors at all. While mentoring has value, protégés should be wary of overreliance on their mentors and end the relationship sooner rather than later.
In theory, the Human Resources (HR) Department is one of the most powerful tools an organization has for improving security and reducing insider threat (both deliberate and inadvertent). In many organizations, however, HR makes security worse.
When HR isn’t doing what they need to do to reduce security vulnerabilities (especially in regards to engendering a healthy Security Culture and mitigating employee disgruntlement), perhaps it is up to you as a security manager to try to compensate for HR’s arrogance, ignorance, recklessness, and incompetence when it comes to security.
Two recent serious security incidents demonstrate the problems of having ineffective (or no) vulnerability assessments. VAs are not the same thing as audits, compliance testing, DBT, security surveys, "Red Teaming", penetration tests, performance testing, "gap" determination, etc.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Combined Illegal, Unregulated and Unreported (IUU) Vessel List, by Christina Parmionova
The best available, up-to-date information on all fishing and related vessels that appear on the illegal, unregulated, and unreported (IUU) fishing vessel lists published by Regional Fisheries Management Organisations (RFMOs) and related organisations. The aim of the site is to improve the effectiveness of the original IUU lists as a tool for a wide variety of stakeholders to better understand and combat illegal fishing and broader fisheries crime.
To date, the following regional organisations maintain or share lists of vessels that have been found to carry out or support IUU fishing within their own or adjacent convention areas and/or species of competence:
Commission for the Conservation of Antarctic Marine Living Resources (CCAMLR)
Commission for the Conservation of Southern Bluefin Tuna (CCSBT)
General Fisheries Commission for the Mediterranean (GFCM)
Inter-American Tropical Tuna Commission (IATTC)
International Commission for the Conservation of Atlantic Tunas (ICCAT)
Indian Ocean Tuna Commission (IOTC)
Northwest Atlantic Fisheries Organisation (NAFO)
North East Atlantic Fisheries Commission (NEAFC)
North Pacific Fisheries Commission (NPFC)
South East Atlantic Fisheries Organisation (SEAFO)
South Pacific Regional Fisheries Management Organisation (SPRFMO)
Southern Indian Ocean Fisheries Agreement (SIOFA)
Western and Central Pacific Fisheries Commission (WCPFC)
The Combined IUU Fishing Vessel List merges all these sources into one list that provides a single reference point to identify whether a vessel is currently IUU listed. Vessels that have been IUU listed in the past and subsequently delisted (for example because of a change in ownership, or because the vessel is no longer in service) are also retained on the site, so that the site contains a full historic record of IUU listed fishing vessels.
Unlike the IUU lists published on individual RFMO websites, which may update vessel details infrequently or not at all, the Combined IUU Fishing Vessel List is kept up to date with the best available information regarding changes to vessel identity, flag state, ownership, location, and operations.
Preliminary findings: OECD field visits to ten regions in the TSI EU mining r..., by OECDregions
Preliminary findings from OECD field visits for the project: Enhancing EU Mining Regional Ecosystems to Support the Green Transition and Secure Mineral Raw Materials Supply.
Food safety, prepare for the unexpected - So what can be done in order to be ready to address food safety? Food consumers, food producers and manufacturers, food transporters, food businesses, food retailers can ...
Contributions of PD parliamentarians - Contributions under Law 3/2019, by Partito democratico
PUBLISHED BELOW, PURSUANT TO ART. 11 OF LAW NO. 3/2019, ARE THE AMOUNTS RECEIVED FROM THE ENTRY INTO FORCE OF THE ABOVE-MENTIONED RULE (31/01/2019) UP TO THE CALENDAR MONTH PRECEDING THAT OF PUBLICATION ON THIS SITE
2024: The FAR - Federal Acquisition Regulations, Part 39
Devil's Dictionary of Security Terms
Why go through your entire security, law enforcement, or intelligence career being confused? Here, at last, is an 850+ word dictionary to clarify all that confusing security jargon, and tell you the TRUE meaning of various terms, never mind what the experts think!
Examples:
unauthorized disclosure: lunch
adjudication: Making an official determination of whether hiring or retaining this loser would be blatantly gross negligence, or just arguably gross negligence.
decipher: Turning gibberish ciphertext into gibberish plaintext.
special agent: A law enforcement officer or federal investigator who is called “special” because the word “retarded” is no longer politically correct.
https://www.amazon.com/dp/B08CP92PCC