Play as Webslides

Jeff Walzer's List: Security

Finally, a Real Return on Security Spending - Security ROI

www.cio.com/...security.html - Preview

uploaded on 2008-03-22 and saved by 2 people
Security - Calculated Risk

www.csoonline.com/...calculate.html - Preview

CSOonline.com ROI Risk Security assessment mitigation risk on 2008-03-22 and saved by 2 people
How to Use Metrics

www.csoonline.com/...fea_metrics.html - Preview

CSOonline.com Risk Security assessment metrics mitigation risk security on 2008-03-22 and saved by 2 people
Cover Story: Working for Gold - IT Security News - SC Magazine US

www.scmagazine.com/...cover-story-working-gold - Preview

ROI Security magazine metrics sc security on 2008-03-22
Why we still invite data breaches

www.news.com/Why-we-still-invite-data-breaches/2010-1029_3-6215627.html?part=rss&tag=2547-1_3-0-5&subj=news - Preview

CNET Security data breach risk on 2008-03-23
IT security and management on collision course

www.infoworld.com/...-and-management-collide_1.html - Preview

Security infoworld technology on 2008-03-23
NBA Basketball Referees as Single Points of Failure

www.wired.com/...securitymatters_0906 - Preview

Bruce Schneier Security wired.com on 2008-03-23
Behavior analysis puts traffic in perspective

www.networkworld.com/...100907-tech-update.html - Preview

Network Security network behavior analysis networkworld on 2008-03-23
Security Products: Suites vs. Best-of-Breed

www.schneier.com/...security_produc_1.html - Preview

Bruce Schneier Security on 2008-03-23 and saved by 4 people
IBM expert: IT risk is opaque | InfoWorld | News | 2008-04-03 | By Matt Hines

www.infoworld.com/...xpert-IT-risk-is-opaque_1.html - Preview

Data Governance Council infoworld it risk risk analysis on 2008-04-04
- IT security executives must begin using more progressive risk management techniques if they ever hope to get ahead of data
  breaches, malicious attacks and emerging compliance regulations.
- Most businesses are already collecting volumes of data that could be put to use in making more informed decisions about IT security and management, but they simply don't know how to put the information to work in a manner that will allow them to do so, according to the
  expert.
- 2 more annotations...
- - "CIOs are already collecting reams of data that could help with risk calculation in their logs, identity management systems, and intrusion prevention tools, but most of the time, it sits uncorrelated, uncompared, and unanalyzed," he said. "These
    companies have a wealth of information that could help them calculate risk more effectively; as an industry, we need to talk
    more about new data models, analytical tools, and what future standards need to look like. That's the type of thing that the
    Data Governance Council believes in."
  - Security today is an arms race handled on a weekly or daily basis, and most companies are so challenged by this process that
    they don't even have the bandwidth to be strategic about risk calculation," he said. "That has to change, and we instead need
    to hold people accountable who create the vulnerabilities; we will always have risk, but we need to start holding the average
    employee more accountable, and for those assessing [via risk management and governance techniques], that's already happening."
The Psychology of Security

www.schneier.com/essay-155.html - Preview

Bruce Schneier psychology risk security on 2008-04-04 and saved by 16 people
- The reality of security is mathematical, based on the probability of different
  risks and the effectiveness of different countermeasures.
- But security is also a feeling, based not on probabilities and mathematical
  calculations, but on your psychological reactions to both risks and
  countermeasures.
- 44 more annotations...
- - Or, more generally, you can be secure even though you don't feel secure. And you
    can feel secure even though you're not. The feeling and reality of security are
    certainly related to each other, but they're just as certainly not the same as
    each other.
  - Four fields of research--two very closely related--can help illuminate this
    issue. The first is behavioral economics, sometimes called behavioral finance.
  - Behavioral economics looks at human biases--emotional, social, and
    cognitive--and how they affect economic decisions. The second is the psychology
    of decision-making, and more specifically bounded rationality, which examines
    how we make decisions.
  - Neither is directly related to security, but both look at the concept of risk:
    behavioral economics more in relation to economic risk, and the psychology of
    decision-making more generally in terms of security risks.
  - There is also direct research into the psychology of risk.
  - A fourth relevant field of research is neuroscience.
  - Security is a trade-off.
  - Security costs money, but it also costs in time, convenience, capabilities,
    liberties, and so on.
  - It makes no sense to just look at security in terms of effectiveness.
  - in terms of effectiveness.
    "Is this
    effective against the threat?" is the wrong question to ask. You need to ask:
    "Is it a good trade-off?"
  - There are several specific aspects of the security trade-off that can go
    wrong. For example:
    
    The severity of the risk.
    The probability of the risk.
    The magnitude of the costs.
    How effective the countermeasure is at mitigating the risk.
    How well disparate risks and costs can be compared.
  - The more your perception diverges from reality in any of these five aspects, the
    more your perceived trade-off won't match the actual trade-off.
  - It's my contention that these irrational trade-offs can be explained by
    psychology.
  - Most of the time, when the perception of security doesn't match the reality of
    security, it's because the perception of the risk doesn't match the reality of
    the risk.
  - These heuristics affect how we think about risks, how we evaluate the
    probability of future events, how we consider costs, and how we make trade-offs.
    We have ways of generating close-to-optimal answers quickly with limited
    cognitive capabilities.
  - The first, and most common, area that can cause the feeling of security to
    diverge from the reality of security is the perception of risk. Security is a
    trade-off, and if we get the severity of the risk wrong, we're going to get the
    trade-off wrong.
  - Traditional economics is based on something called "utility theory," which
    predicts that people make trade-offs based on a straightforward calculation of
    relative gains and losses.
  - The authors of this study explained this difference by developing something
    called "prospect theory." Unlike utility theory, prospect theory recognizes that
    people have subjective values for gains and losses. In fact, humans have evolved
    a pair of heuristics that they apply in these sorts of trade-offs. The first is
    that a sure gain is better than a chance at a greater gain. ("A bird in the hand
    is better than two in the bush.") And the second is that a sure loss is worse
    than a chance at a greater loss.
  - These two heuristics are so powerful that they can lead to logically
    inconsistent results.
  - People make very different trade-offs if something is presented as a gain than
    if something is presented as a loss.
  - Behavioral economists and psychologists call this a "framing effect": peoples'
    choices are affected by how a trade-off is framed. Frame the choice as a gain,
    and people will tend to be risk averse. But frame the choice as a loss, and
    people will tend to be risk seeking.
  - Another way of explaining these results is that people tend to attach a greater
    value to changes closer to their current state than they do to changes further
    away from their current state.
  - people also value something more when it is considered as something that can be
    lost, as opposed to when it is considered as a potential gain.
  - This is called the "endowment effect,"
  - Given that, prospect theory implies two things. First, it means that people are
    going to trade off more for security that lets them keep something they've
    become accustomed to--a lifestyle, a level of security, some functionality in a
    product or service--than they were willing to risk to get it in the first place.
    Second, when considering security gains, people are more likely to accept an
    incremental gain than a chance at a larger gain; but when considering security
    losses, they're more likely to risk a larger loss than accept the certainty of a
    small one.
  - We have other heuristics and biases about risks. One common one is called
    "optimism bias": we tend to believe that we'll do better than most others
    engaged in the same activity.
  - The literature also discusses a "control bias," where people are more likely
    to accept risks if they feel they have some control over them. To me, this is
    simply a manifestation of the optimism bias, and not a separate bias.
  - Another bias is the "affect heuristic," which basically says that an automatic
    affective valuation--I've seen it called "the emotional core of an attitude"--is
    the basis for many judgments and behaviors about it.
  - With regard to security, the affect heuristic says that an overall good
    feeling toward a situation leads to a lower risk perception, and an overall bad
    feeling leads to a higher risk perception. This seems to explain why people tend
    to underestimate risks for actions that also have some ancillary
    benefit--smoking, skydiving, and such--but also has some weirder effects.
  - Another bias is that we are especially tuned to risks involving people.
  - The second area that can contribute to bad security trade-offs is probability.
    If we get the probability wrong, we get the trade-off wrong.
  - Generally, we as a species are not very good at dealing with large numbers.
  - Additionally, there are heuristics associated with probabilities. These aren't
    specific to risk, but contribute to bad evaluations of risk. And it turns out
    that our brains' ability to quickly assess probability runs into all sorts of
    problems.
  - The "availability heuristic" is very broad, and goes a long way toward
    explaining how people deal with risk and trade-offs. Basically, the availability
    heuristic means that people "assess the frequency of a class or the probability
    of an event by the ease with which instances or occurrences can be brought to
    mind."^²⁸ In other words, in any
    decision-making process, easily remembered (available) data are given greater
    weight than hard-to-remember data.
  - In general, the availability heuristic is a good mental shortcut.
  - But like all heuristics, there are areas where the heuristic breaks down and
    leads to biases.
  - The moral here is that people will be persuaded more by a vivid, personal story
    than they will by bland statistics and facts, possibly solely due to the fact
    that they remember vivid arguments better.
  - More generally, this kind of thing is related to something called "probability
    neglect": the tendency of people to ignore probabilities in instances where
    there is a high emotional content.
  - The availability heuristic also explains hindsight bias. Events that have
    actually occurred are, almost by definition, easier to imagine than events that
    have not, so people retroactively overestimate the probability of those events.
  - The best way I've seen this all described is by Scott Plous:
    
    In very general terms: (1) the more available an event is,
    the more frequent or probable it will seem; (2) the more vivid a piece of
    information is, the more easily recalled and convincing it will be; and (3) the
    more salient something is, the more likely it will be to appear
    causal.^³⁷
  - "Representativeness" is a heuristic by which we assume the probability that an
    example belongs to a particular class is based on how well that example
    represents the class. On the face of it, this seems like a reasonable heuristic.
    But it can lead to erroneous results if you're not careful.
  - As the researchers explain: "As the amount of detail in a scenario increases,
    its probability can only decrease steadily, but its representativeness and hence
    its apparent likelihood may increase. The reliance on representativeness, we
    believe, is a primary reason for the unwarranted appeal of detailed scenarios
    and the illusory sense of insight that such constructions often provide."^⁴¹
  - Mental accounting is the process by which people categorize different
    costs.^⁴⁵
    People don't simply think of costs as costs; it's much more complicated than
    that.
  - "Time discounting" is the term used to describe the human tendency to discount
    future costs and benefits. It makes economic sense; a cost paid in a year is not
    the same as a cost paid today, because that money could be invested and earn
    interest during the year. Similarly, a benefit accrued in a year is worth less
    than a benefit accrued today.
Symantec study reframes IT risk management | InfoWorld | News | 2008-01-31 | By Matt Hines

www.infoworld.com/...ames-IT-risk-management_1.html - Preview

it risk risk management risk analysis security symantec on 2008-04-05
- fewer businesses are utilizing a strategy that approaches IT risk as a stand-alone skill set or initiative
- "IT risk doesn't necessarily equate to security risk. That's a big shift, and the key takeaway is that organizations are getting
  more mature around the portfolio of risks they have to manage,"
- 4 more annotations...
- - "In the past, people looked at one area as discrete, but now they're addressing the four pillars of compliance,
    security, risk, and performance availability as part of a balanced strategy."
  - Increasing interdependence on IT systems shared between business partners has elevated availability and performance concerns
    above security issues -- and businesses are more worried about causing a bottleneck in their global supply chain then they
    are looking to thwart attacks, the expert contends.
  - "Part of the problem
    is that people only do assessments on a bi-annual basis, or they might inventory their assets sporadically; that gap is what
    often leads to exposure in availability, security, compliance, or performance." All the individual projects involved need
    to be managed on an ongoing basis, he said.
  - "The area where most people need to focus on is classifying their data, what it's used for, and what its sensitivity may be,"
    said Kapuria. "Rather than just throwing technology at their problems, companies need to assess, and then apply the appropriate
    availability, security, and compliance requirements."
Security expert discusses a possible future for PCI-DSS… it’s grim | Zero Day | ZDNet.com

blogs.zdnet.com/security - Preview

zdnet security pci dss web application firewall on 2008-04-14
- however, the Web Application Firewalls? Talk about products with a poor
  track record. Also let’s think about what Web Application Firewalls are
  good at, signature-based protections. So, yeah, they’ll help with XSS and
  SQL Injection, although I’ll go to the grave saying they don’t prevent the
  issues entirely, but they have absolutely no capability to find a huge number of
  very serious security flaws, such as (off the top of my head and in no specific
  order):
  
  Authentication issues
  Authorization issues
  Arbitrary File Upload/Download
  Cross-Site Request Forgery
  Improper Error Handling
  Flawed Business Logic
Stop employees from leaking your corporate data | InfoWorld | News | 2008-04-14 | By Jennifer McAdams, Computerworld

www.infoworld.com/...ing-your-corporate-data_1.html - Preview

infoworld security Bruce Schneier risk management threat on 2008-05-02
- so, too, can IT officials thwart breaches by customizing security plans for
  individual employees in every zone of their companies
- The lessons we learn from craps pits and blackjack tables reveal that it's never
  wise to entrust your business's most valuable or vulnerable assets to a single
  employee. Instead, compartmentalize access whenever possible, and never hesitate
  to look over employees' shoulders
- 2 more annotations...
- - "People are the weakest link in security. They always have been, and you will
    never change that," Schneier says. "But the reality is that you've got to deal
    with people, and people are going to make mistakes."
  - The people problem continues to grow, since it is now harder to differentiate
    between internal and external threats. "The difference between an insider and an
    outsider is no longer clear," says Anderson, who cautions corporations to be
    aware of the ways that contractors, outsourcers, vendors, partner companies and
    suppliers could gain access to sensitive corporate data -- either by accident or
    by design.
Hackers open new front in payment card data thefts | InfoWorld | News | 2008-04-15 | By Jaikumar Vijayan, Computerworld

www.infoworld.com/...ayment-card-data-thefts_1.html - Preview

pci credit card data breach transit security on 2008-05-02
Security upgrades may not buy Hannaford full data protection - Network World

www.networkworld.com/...rity-upgrades-may-not-buy.html - Preview

security Hannaford Network World encryption pci on 2008-04-29
- encrypting card numbers on point-of-sale devices is "the most significant
  action" that retailers can take to stop attacks such as the one that hit
  Hannaford, said Gartner Inc. analyst Avivah Litan.
- But that doesn't necessarily mean that the new security measures will make
  Hannaford -- or other companies that follow its lead -- immune to future
  attacks.
- 1 more annotations...
- - Huguelet said that the planned end-to-end encryption of card data also sounds
    good -- on paper. But to make the data hacker-proof, he added, it would have to
    be encrypted from the PIN entry devices in stores to the systems of the
    payment-processing firm that authorizes card transactions.
Security preparedness instead of threat prediction - Network World

www.networkworld.com/...042908-risk-reward.html - Preview

security Network World risk on 2008-04-30
- The strategy of threat prediction suffers from two major flaws. First, it
  assumes predictability in a field that is full of surprises.
- New attacks are not designed in a vacuum; they are designed explicitly to
  sidestep our expectations.
- 5 more annotations...
- - Second, threat prediction causes tunnel vision. It pushes us to focus on attacks
    rather than assets, on the “bad” rather than the “valuable.”
  - This plays right into the hands of attackers, as tunnel vision narrows our
    defenses thereby making them easier to bypass. Rather than trying to predict
    threats, we should focus on general security preparedness.
  - Rather, secure companies are those that minimize both the incidence of
    successful attacks and then further minimize the impact of those few breaches.
  - But most companies put a lot less emphasis on preparedness that they do on
    specific threats.
  - We have seen this in our research year after year, where we find very few
    companies with specific, well designed and well drilled incident-response
    policies.
Numbers: Employees find ways to skirt enterprise security - Network World

www.networkworld.com/...rs-employees-find-ways-to.html - Preview

network world security survey controls policies on 2008-04-29
- Associated risks include:
  
  -- Data loss through unmonitored and/or unauthorized file transfers
  
  -- Compliance violations, both with internal policies and external
  regulations
  
  -- Business exposure from malware propagation or application vulnerability
  exploits
  
  -- Operational cost increases due to higher bandwidth consumption and added
  IT expense
  
  -- Lost productivity from excessive use of personal applications
HP’s security management model brings comprehensive approach to corporate risk reduction | Dana Gardner’s BriefingsDirect | ZDNet.com

blogs.zdnet.com/Gardner - Preview

HP security Security Management on 2008-04-28
- Surprisingly, the answer has more to do with management methodology than
  security technology.
- it’s not necessarily that a product failed. It’s not necessarily that an
  individual failed. It’s that the process failed. There was no end-to-end
  workflow and nobody understood where the break points were in the process.
- 1 more annotations...
- - If you don’t know it and if you can’t see it, you can’t manage it.
When the inside threat is from outsiders - Network World

www.networkworld.com/...042108insider.html - Preview

network world security threat data protection risk mitigation on 2008-04-23
- Organizations today must protect sensitive data by first identifying where this
  data is, then determining who can access it.
- Data discovery or content inventorying is the first step organizations must take
  to determine what content exists where.
- 1 more annotations...
- - Data-at-rest discovery tools can solve this problem by scanning the network to
    discover machines and then go on to crawl the content on these machines. The
    analysis of content is sophisticated in that pre-defined compliance templates
    can be used as well as hundreds of other content classifications.

1 - 20 of 28 Next ›

Showing 20▼ items per page

List Comments (0)

List Info

Jeff Walzer

28 items | 18 visits

Updated on 2008-05-02
Created on 2008-03-22

Category: Computers & Internet

security

URL:

Jeff Walzer's List: Security

Finally, a Real Return on Security Spending - Security ROI

Security - Calculated Risk

How to Use Metrics

Cover Story: Working for Gold - IT Security News - SC Magazine US

Why we still invite data breaches

IT security and management on collision course

NBA Basketball Referees as Single Points of Failure

Behavior analysis puts traffic in perspective

Security Products: Suites vs. Best-of-Breed

IBM expert: IT risk is opaque | InfoWorld | News | 2008-04-03 | By Matt Hines

The Psychology of Security

Symantec study reframes IT risk management | InfoWorld | News | 2008-01-31 | By Matt Hines

Security expert discusses a possible future for PCI-DSS… it’s grim | Zero Day | ZDNet.com

Stop employees from leaking your corporate data | InfoWorld | News | 2008-04-14 | By Jennifer McAdams, Computerworld

Hackers open new front in payment card data thefts | InfoWorld | News | 2008-04-15 | By Jaikumar Vijayan, Computerworld

Security upgrades may not buy Hannaford full data protection - Network World

Security preparedness instead of threat prediction - Network World

Numbers: Employees find ways to skirt enterprise security - Network World

HP’s security management model brings comprehensive approach to corporate risk reduction | Dana Gardner’s BriefingsDirect | ZDNet.com

When the inside threat is from outsiders - Network World

List Info

Sponsored Links

Jeff Walzer's Public Lists (9)