4 Eyes of Information Security
Fernando Montenegro
@fsmontenegro
"It's unbelievable how much you don't know about the game you've been playing all your life."
Mickey Mantle
4EyesInfoSec - ArtIntoScience 2
Security is important.
Why isn’t it working?
(or is it? ☺ )
$ finger -l fsmontenegro
@fsmontenegro
• Industry Analyst at 451 Research
– Endpoint Security, Cloud Infrastructure Security
– Container/CloudNative Security, Deception
• Previous Roles
– Sales Engineering, ProfSev, SecOps, SecArch
– CompSci ’94 (Greying hair)
• Curious - Finance (DIY), Economics, Data Science
• Presented @ ACoD2017 – Economics of CyberSecurity
2019-01-31 4EyesInfoSec - ArtIntoScience 3
Source:memegenerator.net
(Behaviour) Economics FTW
4 EYES FRAMEWORK
Take an existing, important problem
Why hasn’t it been solved?
Perspective 1: Incentives
• Agents not under proper incentive structure.
– Positive OR Negative
• Examples
– Package delivery
– Copier sales
– Daycare in Israel
• How to Address?
– Grants & Competitions
– Regulations & Taxes
– Bonuses & Recognitions
– Rules & Monitoring
Perspective 2: Ignorance
• No knowledge to develop or apply solution
– Individual OR Societal
• Examples
– STD prevention
– Energy storage
– Poor coding practices
• How to Address?
– Education & Advertising
– Basic Research
– Training Programs
– Data Collection
Perspective 3: Investments
• Lack of resources to tackle issue
– Individual OR Societal
– Money, Time, Others
• Examples
– Poverty Reduction
– Animal Cruelty
– Customer Satisfaction
• How to Address?
– Increased/Alternate Funding
– Increased Publicity
– Additional Budgets
– Additional Headcount
Perspective 4: Irrationality
• Are human biases or decision flaws preventing action?
• 150+ Biases in broad categories:
– Too Much Information
– Not Enough Meaning
– Need to Act Fast
– What Should We Remember
• Examples
– Too many to list… ☺
• How to Address?
– Reward Rationality
– Adjust Defaults
– Adopt Checklists
– Use second opinions
SECURITY APPLICATIONS
(5th “Eye”: Importance?)
"It is difficult to get a man to understand something when his salary depends upon his not understanding it."
Upton Sinclair Jr.
"Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm's annual IT security budget), and that this represents only 0.4% of their estimated annual revenues."
S. Romanosky (RAND)
“Mind the Denominator”
• Prof. Eric Jardine, VTech: https://www.cigionline.org/publications/global-cyberspace-safer-you-think-real-trends-cybercrime
• Daniel Miessler: https://danielmiessler.com/blog/the-reason-software-remains-insecure/
Software Quality
src: Russ Bowling/Flickr
src: Bugcrowd
User Behaviour
• Phishing
– “Hot states” vs policy
• Data Handling
– Principal Agent Problem
• Ransomware
– Smart Defaults
• Macros/GPOs/Whitelist
WRAP UP
Looking back…
• Attempts at persistent problems fail for many reasons.
• 4 Eyes Framework
• Applicability to InfoSec:
– Software Quality
– User Behaviour
– …
clearerthinking.org
https://www.youtube.com/watch?v=osOKFkGA3AI
@fsmontenegro