Almost 70 years since the first computer bug was discovered, there have been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We're likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we've managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about "Information Security Risk". In fact, it's worth noting that we can't even agree if there is a space between "Cyber" and "Security" when it's written out. This talk will take an anecdotal look at "Information Security Risk" and "Cyber<>Security", and use that perspective to suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
Effective Cybersecurity Communication Skills - Jack Whitsitt
This presentation describes the problems associated with communicating with others - as an information receiver or provider - about cybersecurity, and provides insights into how those problems may be overcome through structured communication, the use of positive and negative space, and the setting of perspective and context through lensing.
NIST Cybersecurity Framework Background and Review - Jack Whitsitt
The document provides an overview and analysis of the NIST Cybersecurity Framework released in February 2014. It discusses:
- The framework's structure aligns with incident response functions but becomes tangled when applied to businesses more broadly.
- It describes common security controls but does not provide guidance on how to build an effective cybersecurity program or reduce risks.
- While the framework process had value in collaboration, the actual framework content may not adequately address critical security problems or needs of the community. Improvements to the structure are needed to define problems, desired outcomes, and guide development of more useful guidance.
Introduction to National Critical Infrastructure Cyber Security: Background a... - Jack Whitsitt
Given at SOURCE Boston 2013, this presentation is one of the only places you will find the conceptual and policy underpinnings of U.S. national cyber security and critical infrastructure protection efforts, along with information about the recent White House Cyber Executive Order.
Technologies and Policies for a Defensible Cyberspace - mark-smith
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack has been, for decades, far easier than cyber defense.
Cyber Critical Infrastructure Framework Panel - Paul Di Gangi
The following presentation slides were used during the 2014 Cyber Summit Panel Session on Cyber Critical Infrastructure Guidelines at the University of Alabama at Birmingham.
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA), to the 66th Annual Fowler Seminar on Oct 12 2012, titled "Evolution of the Cyber Threat - A Unified Systems Approach".
SJ Terp is an expert in cognitive security who has worked on disinformation response for the European Union, UNDP, and other organizations. They teach cognitive security courses focused on defending against disinformation, and research related topics including risk frameworks and countermeasure strategies. Their work emphasizes adapting information security principles and practices to address high-volume disinformation threats online.
Risk, SOCs, and mitigations: cognitive security is coming of age - Sara-Jayne Terp
This document discusses cognitive security and disinformation risk assessments. It outlines three layers of security - physical, cyber, and cognitive. It describes various disinformation strategies and risks, including different types of misleading information like disinformation, misinformation, and malinformation. It then discusses approaches for assessing and managing disinformation risks, including analyzing the information, threat, and response landscapes in a country. It provides frameworks for classifying disinformation incidents and objects. Finally, it discusses how to set up a cognitive security operations center (CogSOC) to conduct near real-time monitoring, analysis, and response to disinformation threats.
The Role of Information Security Policy (Jessica Graf, Assignment 1, Unit 8, IAS5020) - Jessica Graf
The document discusses the importance of developing an information security policy that balances security needs with business goals. It explains that a policy should be based on assessing risks and regulations while protecting assets like data, networks, and reputation. A good policy also considers factors like budget, priorities, and how security could impact customers. The goal is to implement controls that cost-effectively mitigate risks through confidentiality, integrity, and availability of information.
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le... - Casey Ellis
This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including:
1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency.
2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully.
3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management
This document discusses cybersecurity challenges related to information sharing between the public and private sectors. It outlines concerns the private sector has about sharing information, including losing control of it and having proprietary information disclosed through FOIA requests. The importance of information sharing is discussed as an aid to early detection, resolution, and prevention of cyberattacks. The document also proposes tools like STIX, CybOX and TAXII to help the public and private sectors better share threat information and collaborate on cybersecurity issues.
1) The document discusses the emerging field of cognitive security, which applies information security principles to address disinformation, misinformation, and influence operations.
2) It outlines different definitions and approaches to cognitive security, focusing on risk management of confidentiality, integrity, and availability of information.
3) The document maps the ecosystem of cognitive security, including the threat, information, and response landscapes, and examines frameworks for analyzing disinformation campaigns and incidents.
This document discusses cognitive security, which involves defending against attempts to intentionally or unintentionally manipulate cognition and sensemaking at scale. It covers various topics related to cognitive security including actors, channels, influencers, groups, messaging, and tools used in disinformation campaigns. Frameworks are presented for analyzing disinformation incidents, adapting concepts from information security like the cyber kill chain. Response strategies are discussed, drawing from fields like information operations, crisis management, and risk management. The need for a common language and ongoing monitoring and evaluation is emphasized.
Distributed defense against disinformation: disinformation risk management an... - Sara-Jayne Terp
This document discusses distributed defense against disinformation through cognitive security operations centers (CogSecCollab). It proposes a multi-pronged approach involving platforms, law enforcement, government, and other actors to address the complex problem of online disinformation. Key aspects include establishing disinformation security operations centers to conduct threat intelligence, incident response, risk mitigation, and enablement activities like training, tools, and processes. The centers would use frameworks to model disinformation campaigns and share indicators across heterogeneous teams in a collaborative manner. Simulations, red teaming, and other techniques are recommended to test defenses and learn from examples.
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi... - Sara-Jayne Terp
This document discusses cognitive security and disinformation risk assessments. It outlines three layers of security - physical, cyber, and cognitive. It describes various disinformation strategies and risks, including different types of misleading information like disinformation, misinformation, and malinformation. It then discusses approaches for assessing and managing disinformation risks, including analyzing the information, threat, and response landscapes in a country. It provides frameworks for classifying disinformation incidents and objects. Finally, it discusses how to set up a cognitive security operations center (CogSOC) to conduct near real-time monitoring, analysis, and response to disinformation threats.
disinformation risk management: leveraging cyber security best practices to s... - Sara-Jayne Terp
This document discusses leveraging cybersecurity best practices to support cognitive security goals related to disinformation and misinformation. It outlines three layers of security - physical, cyber, and cognitive security. It then provides examples of cognitive security risk assessment and mapping the risk landscape. Next, it discusses working together to mitigate and respond to risks through proposed cognitive security operations centers. Finally, it provides a hypothetical example of conducting a country-level risk assessment and designing a response strategy. The document advocates adapting frameworks and standards from cybersecurity to help conceptualize and coordinate cognitive security challenges and responses.
Opportunities and Challenges in Crisis Informatics - Lea Shanley
This document outlines opportunities and challenges in crisis informatics, which is an integrated approach to the technical, social, and informational aspects of crises. It begins with definitions of key terms like crisis informatics and crowdsourcing. It then discusses types of social media and ways crowdsourcing is used during crises. Opportunities of crisis informatics include citizen-based hazard science, situational awareness, and damage estimates. Challenges include ensuring data quality, integrating crowdsourced and authoritative data, and addressing legal/policy issues. The document concludes by identifying priority research challenges such as developing validation methods and best practices for data integration.
This document provides an overview of a workshop on achieving attribute-based access control (ABAC). The workshop featured several presentations on implementing ABAC from industry experts. Topics included the roadmap to implementing ABAC, how to find and use attributes, mobile API management for ABAC, and the ABAC lifecycle. The document also provides a brief summary of each presentation.
"Evolving cybersecurity strategies" - Seizing the Opportunity - Dean Iacovelli
Why does security feel like the most frustrating challenge in government IT? In part because security in a cloud-first, mobile-first world calls for new approaches. Data is accessed, used, and shared on-prem and in the cloud, erasing traditional security boundaries. We'll examine current trends in cyber security and some resulting strategy shifts that have the potential to greatly enhance public sector organizations' ability to balance risk and access, better detect and respond to attacks, and make faster and more coordinated cybersecurity decisions overall. Follow-on sessions in the series will delve more deeply into specific facets of an overall cybersecurity strategy.
The document provides an overview of the Department of Homeland Security's Science and Technology Directorate (S&T). Key points include:
- S&T is one of 10 DHS components; it provides technical and analytical support to DHS and the homeland security enterprise. It has around 1,200 personnel and accounts for about 1.2% of the DHS budget.
- S&T focuses on six primary areas: first responders, borders and maritime, cyber, chemical/biological defense, explosives, and resilience. It operates five internal laboratories and works with DOE laboratories and federally funded research centers.
- S&T supports the DHS mission through operationally focused research and development,
Chuck Brooks is a technology evangelist, corporate executive, speaker, and thought leader focused on emerging technologies, cybersecurity, and homeland security. He currently works as a principal market growth strategist at General Dynamics and teaches at Georgetown University. Brooks has extensive experience in government, consulting, and the technology sector. He is widely published and a sought-after speaker on issues related to cybersecurity, emerging technologies, and digital transformation.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is "cutting edge"? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Professor Martin Gill, Director, Perpetuity Research - CSSaunders
A presentation by Professor Martin Gill, Director of Perpetuity Research, on the role of private security in tackling cybercrime, delivered at the Police Foundation's annual conference 'Policing and Justice for a Digital Age'.
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog... - Chuck Brooks
From LinkedIn's Marketing Blog: Chuck Brooks - Security Voice and "Government Relations and Marketing Executive, Thought Leader"
Chuck’s varied security experience is evident in what he publishes. From aviation to public sector, government to science, his posts take on the multifaceted aspects of cyber security as it relates to industries/verticals, homeland issues and next-gen technology. Since he’s keen on variety, with formats ranging from expert Q&As to content roundups, to non-tech posts associated with topics/verticals he’s covered, his perspective truly stands out.
Tech marketer takeaways: Chuck focuses core content on security, but isn’t afraid to include content tangentially related to core subject matter (e.g. a post focused on mastering the art of influence in Washington, D.C.) which incorporates fresh/unexpected content to help keep readers interested and foster conversation.
The document provides an introduction and overview of the Nuix Black Report, which aims to take a unique perspective on cybersecurity threats by directly surveying hackers about their attack methodologies. It notes that typical cybersecurity reports analyze past incidents and trends, but this report seeks to understand the source of threats by asking attackers about their tactics and which defenses are most and least effective. The report found that perceptions of effective defenses often do not align with reality. It aims to illuminate which security measures actually improve protections based on hacker feedback. This perspective could provide new insights on how to best allocate security resources.
Almost 70 years since the first computer bug was discovered, there has been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We’re likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we’ve managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about “Information Security Risk”. In fact, it’s worth noting that we can’t even agree if there is a space between “Cyber” and “Security” when it’s written out. This talk will take an anecdotal look at “Information Security Risk”, “What IS Cyber Security?”, and use that perspective to suggest areas of research that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.
Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.
Cybersecurity is difficult. It is a serious endeavor which over time strives to find a balance in managing the security of computing capabilities to protect the technology which connects and enriches the lives of everyone. Characteristics of cyber risk continue to mature and expand on the successes of technology innovation, integration, and adoption. It is no longer a game of tactics, but rather a professional discipline, continuous in nature, where to be effective strategic leadership must establish effective and efficient structures for evolving controls to sustain an optimal level of security.
This presentation will discuss the emerging challenges as it analyzes the cause-and-effect relationships of factors driving the future of cybersecurity.
Understanding the security_organization | Dan Morrill
This document discusses risks in information security from regulatory, business, technology, and security perspectives. It outlines how decisions are made based on existing contracts and perceived power rather than technical understanding. Risk is defined as threats times vulnerabilities plus the influence of politics and power. Both proactive and reactive security approaches are discussed along with their limitations. Information security challenges include complexity, unknown vulnerabilities, and persistence of hackers. Overall risk management must account for known and unknown threats within organizational politics.
This document summarizes a presentation on the convergence of IT and operational technology (OT) in cybersecurity. It discusses how cybersecurity has become integral to business activities as the world has become more interconnected. It describes how cybersecurity has evolved from preventative, network-focused security to a more dynamic approach using predictive analytics. The presentation emphasizes the need for cross-functional collaboration between IT, OT, and other departments given today's interconnected reality. It stresses that cybersecurity is no longer just a technical function and must be aligned with business needs and priorities.
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man... | PECB
Organizations need to implement a risk management strategy in order to mitigate, and whenever possible, eliminate cyber risks and threats.
ISO/IEC 27032 and ISO 31000 combined help you to manage cyber risks.
Amongst others, the webinar covers:
• ISO/IEC 27032 vs. ISO 31000
• IRTVH Assessment Framework
Presenters:
Sherifat Akinwonmi
Sherifat is a Cyber Security professional with over 12 years of experience across diverse industries including Agriculture, Oil & Energy Services, Pharmaceuticals, Financial and IT services.
She is part of the top 20 Canadian Women in Cybersecurity – ITWC. She is also a Business Information Security Officer (BISO) with one of the top banks in North America.
Sherifat is a member of several boards, including the Advisory Board for Canadian Women in Cybersecurity and the Girls & Women Technological Empowerment Organization (GWTEO).
She has a great passion and interest in enabling women in their professional careers. She volunteers her time mentoring young people to launch their careers in Technology and supports the less privileged.
Geary Sikich
Geary Sikich is a Senior Crisis Management Consultant at Health Care Service Corporation (HCSC). Prior to joining HCSC, Geary was a Principal with Logical Management Systems, Corp., a management consulting and executive education firm with a focus on enterprise risk management, contingency planning, executive education and issues analysis. Geary developed LMSCARVERtm, the “Active Analysis” framework, which directly links key value drivers to operating processes and activities. LMSCARVERtm provides a framework that enables a progressive approach to business planning, scenario planning, performance assessment and goal setting.
Prior to founding Logical Management Systems, Corp. in 1985, Geary held a number of senior operational management positions in a variety of industry sectors. Geary served in the U.S. Army, where he was responsible for the initial concept design and testing of the U.S. Army's National Training Center and other related activities. Geary holds an M.Ed. in Counseling and Guidance from the University of Texas at El Paso and a B.S. in Criminology from Indiana State University.
Geary has developed and taught courses for Norwich University, University of Nevada Reno, George Washington University and University of California Berkeley. He is active in Executive Education, where he has developed and delivered courses in enterprise risk management, contingency planning, performance management and analytics. Geary is a frequent speaker on business continuity issues and business performance management.
Date: October 12, 2022
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R... | Matthew Rosenquist
Matthew Rosenquist presented on cybersecurity workforce opportunities. He discussed how future challenges will drive demand for cybersecurity professionals. The best organizations see security as a continuous process of risk management and adaptation. There is currently a shortage of qualified cybersecurity professionals, with an estimated 2 million unfilled positions by 2017. Needed skills include both technical hard skills and soft skills. Experience and industry certifications are important for jobs. Resources like the NICE framework and CyberSeek can help students understand skills and job market insights.
Convergence innovative integration of security | ciso_insights
The document discusses the trends of technology, security risks, and the importance of having a clear security strategy and framework. It recommends converging security resources across an organization in a collaborative way to improve risk mitigation, operational effectiveness, and reduce costs. Key aspects include having a preventative security approach, leveraging security technologies, and ensuring security spending aligns with the most important business risks.
This document discusses the evolution of cyber security and its growing importance. It covers how cyber security now impacts individuals, businesses, and geopolitics. The document also defines key cyber security terms and concepts, examines perspectives like threat management and information assurance, and argues that cyber security must take an integrated, holistic approach going forward. It concludes by noting that with modern society's growing digital interconnectedness, not taking a comprehensive view of cyber security may be the biggest risk.
Strategic Leadership for Managing Evolving Cybersecurity Risks | Matthew Rosenquist
2014 NSF Cybersecurity Summit keynote presentation from Matthew Rosenquist, Cybersecurity Strategist for Intel Corp.
Cybersecurity is difficult. It is a serious endeavor which strives to find a balance in managing the security of computing capabilities to protect the technology which connects and enriches the lives of everyone. Characteristics of cyber risk have matured and expanded on the successes of technology innovation, integration, and adoption. It is no longer a game of tactics, but rather a professional discipline, continuous in nature, where to be effective strategic leadership must establish effective and efficient structures for evolving controls to sustain an optimal level of security.
This presentation will discuss the challenges, organizational opportunities, and explore best practices to align investments in security to the risk appetite of an organization.
2014 10 16_challenge of natural security systems | rbrockway
Static security models and "business as usual" directives have naturally resulted in a collective eyes wide shut mentality of organizational entropy. Organisms, as well as organizations, can only adapt to changing environments by leaving (or being forced from) their comfort zones. It should be obvious that today's threat landscape is changing at a breakneck pace, yet most organizations are seemingly content in adding "spend" to the annual budget for more systems that claim to protect against the latest FUD. This is not learning and without learning adaptation cannot occur. Challenges to the organism and organization that move them both out of their respective comfort zones are crucial for successful adaptation. This talk will explore these adaptation requirements in an effort to develop a framework for more naturally secure systems and organizations. At its conclusion it will present a challenge for all those willing to get out of their own respective comfort zones and organically contribute to naturally stronger systems and organizations.
Priming your digital immune system: Cybersecurity in the cognitive era | Luke Farrell
Learn how cognitive security may be a powerful tool in addressing challenges security professionals face.
New capabilities for a challenging era
Security leaders are working to address three gaps in their current capabilities: in intelligence, speed and accuracy. Some organizations are beginning to explore the potential of cognitive security solutions to address these gaps and get ahead of their risks and threats. There are high expectations for this technology. Fifty-seven percent of the security leaders we surveyed believe that it can significantly slow the efforts of cybercriminals. The 22 percent of respondents who we call “Primed” have started their journey into the cognitive era of cybersecurity; they believe they have the familiarity, the maturity and the resources they need. To begin the journey, it is important to explore your weaknesses, determine how you want to augment your capabilities with cognitive solutions and think about building education and investment plans for your stakeholders.
Information security is often misunderstood, undervalued and often tackled as an afterthought. This presentation was given in 2014 during an ISACA educational event.
Risksense: 7 Experts on Threat and Vulnerability Management | Mighty Guides, Inc.
Juan Morales advises prioritizing vulnerability remediation by first identifying the critical assets that are most important to keeping the business running operationally and financially. It is important to understand where these key assets are located and have conversations with business stakeholders to obtain insight on the criticality of the assets. Quantifying risk to stakeholders in terms of potential system downtime and financial impact, such as revenue loss, can help communicate risk more effectively than simply stating the cost to fix a vulnerability. Visuals like charts and dashboards with trend lines are also effective for stakeholders to understand risk.
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even... | Plus Consulting
Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, applications features, and collaboration makes cyber-security a greater challenge. Complex, clever and continuous threats and security tools in isolation of a continuous security program only delay the inevitable.
The document discusses the need for organizations to adopt a strategy of cyber resilience in response to the growing threats posed by the digital environment. It emphasizes that while complete risk elimination is impossible, cyber resilience involves managing security through a multi-layered approach across people, processes, and technology. This can help organizations better prepare for, detect, respond to, and recover from cyber attacks in order to minimize potential damage and disruption. Symantec is presented as uniquely qualified to help organizations achieve cyber resilience through its security solutions, intelligence capabilities, scale, expertise and infrastructure.
OSB50: Operational Security: State of the Union | Ivanti
The document discusses operational security and the state of cyber threats. It provides an overview of key trends including less control over data and devices, more complex networks, the rise of insecure internet of things devices, and the need for security to balance risk mitigation and enable business opportunities. Survey results show that security tasks are often split between IT and security teams. The document argues that organizations need to take a risk-based approach to security centered around understanding inherent risks, how assets could be compromised, and ensuring effective controls are in place. It also discusses challenges to achieving effective security.
The document discusses definitions of cyber resilience from academic and industry sources. It finds that while definitions generally refer to withstanding and recovering from cyber threats, they differ in how they define the threats, who or what is resilient, and the core components of resilience. The document also analyzes the origins and practice of cyber resilience, finding it aims to manage inherent insecurity but responsibilities are unclear. It concludes that more research is needed on organizing for resilience across organizations and boundaries.
Metrics & Reporting - A Failure in Communication | Chris Ross
Wisegate recently conducted a research initiative to assess the current state of security risks and controls in business today. One of the key takeaways? A concerning lack of metrics and reporting on the subject. While CISOs claim to be improving corporate security all the time, there is little ability to measure that success. In this Drill-Down report, Wisegate uncovers where most organizations stand when it comes to metrics and reporting, and how it is affecting their businesses on the whole.
2. “Progress in economics consists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value.”
– J. M. Keynes to Harrod, 4 July 1938 (Sorta)
3. Artist
Hacker Compound
Open Source (Honeypots)
Managed Commercial Security
FBI SOC
Enterprise Security Architect
National Control Systems Incident Response
Gov: Public/Private Partnership as the Transportation SSA
Non-Profit Community Building
International Policy Discussions
….and Civilization Escape Artist
4. We’re Losing, We’re Repeating Ourselves with Increasing Specialization, We Have No Strategy
We must learn to Fail, Iterate, and Evolve (better?) or Admit We’re Insane
5. We have been focusing on improving information security and risk management practices to reduce cybersecurity risk.
This focus has improved information security practices, but without meaningfully or sustainably reducing cybersecurity risk.
This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus.
Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because:
Information Security might, presently, be largely tangential and non-causal with regard to long term cybersecurity success: its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position.
We need to take a wider view.
(Warning: the view may contradict itself, and this will be a linear presentation of a non-linear topic.)
7. Island Internet
Isolated Security Events
Techies without funding or buy-in develop practices
Automated Worms Disrupt Business
Market need identified and met by selling practices
Connected Important Stuff
Merging Realities, Conflict and All
Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem space expansion, and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment*
Now we’re missing important fundamentals in scope, metaphor, language, and strategies, and are battling existing investment to fix them
(*or, at least, we’ve failed to create effective socialization mechanisms for them)
9. Help overcome the flawed strategies we’ve imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec
Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.
10. Some Famous President Or General (I think):
“There is no seemingly intractable problem I’ve faced whose solution didn’t present itself with an increase of scope”-ish
Famous Penetration Testers:
The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them
Start wide, then focus:
Where are we?
What are we, really?
How do we get OUT of here?
16. The world already has a lot of cybersecurity “solutions” and “products”
The average information security budget, according to PricewaterhouseCoopers, is a staggering $4.1 million
According to Gartner, the worldwide Information Security market is valued at more than $70 billion.
And, yet…
The list to your right contains many, but not all, major Fortune 500 breaches since 2011
These are not companies that cannot afford cybersecurity
Most organizations are notified by external parties (“Cyber Healthcare Professionals” re yesterday’s post-lunch talk) hundreds of days after breach
Cybersecurity is a hard problem that clearly, by any public metric available, remains unsolved in any sustainable way
97% of networks have been breached (FireEye)
18. Of Solutions
At the Wrong Level
Without being Able to Articulate the Problem
NIST CSF
Common Practices
List of things that aren’t sufficient
Cybersec EU, Poland, 2015
Talking Information Sharing at Highest International levels
Conducting, not winning, conflict
Same solution spaces provided over and over again
Specificity intersecting with applicability and repeatability is extraordinarily difficult
This has to stop
20. We do not have a consensus definition of “Cybersecurity”
Neither the problem space nor the discipline
We can’t even decide if there is a <space> between Cyber and Security
Ask any 5 experts, get 5+ answers
Speaking of experts…..
21. • System Administrators
• Malware Analysts
• Incident Responders
• Lawyers
• CISOs
• Procurement Officials
• Chairmen of the Senate Whatever Committee
• Heads of the NSA
• Senior Sales Engineers for Security Companies
• Hackers
• Children
• CEO/Executive Board Members
• Criminals/Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Ecology PhD’s
• Diplomats
• Control Systems Engineers
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
• Firewall Engineers
22. Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized
As a discipline, it is an amalgamation of existing disciplines as disparate as business management, computer science, political science, and even art.
This means we have to always be cognizant of context.
34. Cybersecurity MUST be Lensed
Because it is a human problem
And Human Problems are Communication Problems
Lenses can provide the human-specific focus required for communication
Communication lenses are composed of:
Domain: Broad Problem Space Definition
Perspectives: Who is Involved?
Contexts: Which problem piece is in front of us?
Discipline Areas: What tools are available?
*These are my definitions only
35. Cybersecurity: The application of several disciplines to enabling an environment in which specific non-ICT based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and Other Related Security Practices in the face of continuous risk resulting from the use of cyber systems.
Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
36. Those definitions still don’t describe a problem to be solved; they describe solution sets and objectives.
37. This is a Domain we can ask specific questions of and turn into lenses…
39. If InfoSec is an error handler for the overall cybersecurity risk environment, then we’ve let the main system go at the expense of the error handler.
For the Error Handler to be the source of stability, it would have to have all or most main system knowledge.
So what does the problem space really look like OUTSIDE of InfoSec? Outside of the Error Handler?
Managing the following extra-InfoSec domains is a precondition to, or a part of, effective information risk management
41. 1. Global
2. Body Political
3. Organizational
4. Individual
Technical … This might be a business problem pertaining to complexity?
(In Order. List Likely Not Complete. Threat Exclusion Intentional.)
42. Offense/Defense
Individuals and Businesses are NOT defenders
Asking them to participate in global conflict is, in a word, silly
They do not, and will not, have competence or capacity over time
18,500 US Firms with over 500 employees!
Parasite Management
Maintain value control despite competition for shared (not owned) infrastructure
Sustained Resilience: Continuity of Operations, DR
Exposure Management vs Incident Management
Exposure/Environment Management OR ELSE
Information Security is non-causal in Exposure Management
Lack of Exposure Management is an eventual permanent loss
Incidents do not aggregate up to long term risk
The Primary Conflict Model is that of a Siege
Non-combatants not in control of the surrounding environment, being drained of resources, forced to make daily risk decisions that are not pertinent to an eventual win
This is true whether or not different threat groups *intend* to put us under siege
Strategic win is possible under this model, not under other models
Accounts for resource drainage, supply chain problems, massive externalities problem, etc
Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and *multiple* guilds (regimes)
43. Confidence Building Measures & Stability Problems
Unknown Exposure: Game Theory vs Control Based Regulation
Too many actors
Tools too accessible
Norms of Behavior
Some norms support both conflict and stability
Difficulty developing norms in the middle of conflict
Information vs Kinetic Warfare
Intentional Abuse of Conflict Culture & Definitions
Targeting of formal/informal “civilian” information and regimes
Western governance has long term strategic vulnerabilities
Capacity Building
vs Conflict Execution (Retains almost Exclusive Focus)
vs Exposure Management (Done only to aid Conflict)
Same as InfoSec, but larger
Also Helps Drive (& Provide Cover for) Localized Civilian Parasite/Siege Conflict Context
44. Overall rising hostility under the radar
Sustained non-ICT Regime Instability
Costs in money, trust, unconstrained resilience requirements
Unintended Specific Fallout from General Instability
Systems not functioning as desired in emergencies
High Intensity Conflict resulting from unrelated events
45. Business Borders: Disappearing?
Is it more useful to constrain cybersecurity around business borders or around supply (and value) chains?
If the latter, is that even possible?
(This is only one of several boundary problems)
Un-constrainable? Mesh vs Chains
Since these aren’t really chains, does this become a statistical problem?
Supply chain as a mechanism for risk reduction?
46. Geography & Power Delegation
The internet is a form of “geography”
Power Plants are part of the internet, therefore they are geography
They’re also targets
The government is *not* the primary arbiter of power within the borders of this virtual geography
Ooops. This is new.
Geography & Proximity
Everyone is a Neighbor
Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?
Ooops. This is new, or at least worse.
47. Common Problem Space Consensus
Development
Socialization
Multi-stakeholder Model/Regime Management
Targeting & Engagement
Aligned, Unaligned, Oppositional Stakeholders
Development
Goal Targeting and Rationalization
Language normalization
Practice Development
As opposed to Stabilization
Tragedy of the Commons
Without Ownership of Practices, Infrastructure, or Goals
Realpolitik
48. Power
2nd Amendment and the Right to Bear Digital Arms
Responsibilities
Voting Knowledgeably
Participation in Multi-Stakeholder Regimes
Education
Access
Rights of Individual Access vs Rights of Society
Business & Government Customers
Voting, Markets, and Courts intended as arbiters, but…
Social
Perception & Expectation Management
Media!
Health & Safety
49. Entrenched Industry Must be Derailed
Costing us time, money, cultural capital
Hijacking regimes
Abstract, tenuous connection to risk
Hope, hope, hope, hope
(Vendor vs Hacker)
Academia not competing
Tools
Behavior Change
Applicability
50. “The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen.” - Chris Wysopal/Weld Pond (L0pht)
Complexity
Exposure rising directly and infinitely with complexity
Competency
Technical competency required by all, who cannot maintain it
Security Express-ability
Lower layers are approximating upper layer expressions
51. Exposure Management
Decision Making Capacity Building
Action Capacity (Authority/Responsibility)
Full System (Human) Threat Modeling
Requires Role/Lever reasoning
Fuzzy (but it’s done all the time anyway)
Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated threats?
52. We Need Generals
Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win
Win = Desired level of risk for desired investment over time
Formal Roles limit Routing of Knowledge/Capability into available levers
If you’re not selling something, you’re not participating
53. Sustained Socialization
Meme-ification - Passive Education
Active Education
Clarity across Discipline Borders
Common Language
Knowledge
Language & terminology
Organic
Hijacked
Perspective & Context Awareness
Trouble Seeing the Big Picture for the Small
Validation & Action
54. Psychology
Stakeholders Receptiveness
Distance between action and risk
Conceptual Processing
Ability to Process sufficient incoming knowledge tangential to core life
Analysts vs Engineers
Average is Average
Cannot require or assume exceptionalism
55. Wok
Wok Wok
Wok?
W.O.K.
Wok Wok wok wok
This is, obviously, a wildly incomplete framework.
But it is a start?
57. Exposure is primarily created outside of InfoSec (although not “only”)
Informing InfoSec Practices with Business Goals instead of vice versa removes levers
InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS
Cyber isn’t a risk TO you in most cases;
The risk from cyber to society, industry, and government CREATES risks to you (Polish Airlines)
Risk management’s job is not limited to a process or approach or framework.
It is, instead, behavioral and decision making capacity building
Awareness is not behavior change
Psych, Marketing, Comms
Target: “Risk Based” often conflated with “Have a Priority” in common practice
Difficult to quantify security management non-security benefits because security management is typically focused on improving security management – even when contextualized by business.
We can perhaps, instead, quantify benefits of non-security activities that benefit security by leveraging dual purpose activities
59. Expand
Clarify
Communicate
Maintain
Use
Market
Criticize
Trash it and Start Over if Needed
We still need one
Let’s just stop repeating ourselves
60. Goal Development:
Siege Breaking and Parasitic Environment Management (next slide)
Roles to Risk Modeling to…
Create Exposure Management Strategies
Aid Targeted Education for Risk Decisions in Role Context
Mitigate Tech/Process Controls
A Non-Sec Initiative
Integrate Disparate Disciplines into a Cybersecurity Discipline
Business Risk Managers/CFOs/Psychs/OrgProcess/Marketers/Sociologists
against InfoSec…
Socialize QA as applied to Cyber Exposure Creation
This should exist, but perhaps unapplied
Citizens as a DHS Critical Infrastructure Sector
Contextualize abstract risks in existing process
Identify Psychological Motivation Profiles for Targeted Behavior Change
Business Levers that affect security with the most non-security ROI.
61. Develop cross-environment joint actor strategies to more effectively and sustainably compete for the ability to provide value smack in the middle of a constant conflict that cannot be won, against players we may or may not be able to see, know, or influence and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours, while, over time, gradually de-incentivizing the use of cyberspace as a conflict domain.
62. Think Beyond InfoSec
Broaden Scope Out As Far As You Can Go
Re-Consider your Metaphors and Models from the Ground Up
If Only as a Thought Exercise
Ask how to manage risk without InfoSec
Then build an error handler
Wonder at why we are where we are
And treat common practices as solving an insufficiently complete list of problems
When submission time came for this, I hadn’t spent a lot of time doing hard research, but sometimes that’s ok…because thinking about models can be a valuable precursor to getting data….especially in a new space like cybersecurity (and I use the word intentionally) here….and especially when you think that perhaps existing models are deeply off. Many times, though, we’re stuck in the grind and can’t really focus on deep, big picture, abstract thoughts. But this year, I did have that chance….to very literally think about the forest for the trees
Left to Escape Ebola Zombies
Came back; turns out I made an effectively prioritized decision that had nothing to do with my perceived risk and executed a really well performed solution that improved my life, but not in a way I anticipated. Actually, no, I had goals, changed environmental factors, and suddenly my decision making capacity and effectiveness improved
But out there, eventually you run out of things to say to yourself and you start challenging your fundamentals…and this is what this talk is really about; Do we really know what the forest looks like, or are we getting lost in the trees? How do we find a way out?
Why is this? Why are we doing so poorly? What am I trying to get at with this talk….bad metaphors and targeted problem spaces
A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework….
What am I trying to get at with this talk….bad metaphors and targeted problem spaces (is infosec even relevant? <stories…guys with guns, history of infosec as bandaid practices and models and conflicts and perimeters and defense in depth …….. And then targeted problem space. A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework…. SOMEWHERE ANSWER WHY MY FRAMEWORK…NEXT? “SO, WHERE ARE WE?”
Wide Scope, narrow in. (pull from class, puzzle pieces, quote)