Estimating the Cost of Internet Insecurity

It’s really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I’ve seen at trying to put a number on this. The results are, well, all over the map: "Estimating the Global Cost of Cyber Risk: Methodology and Examples": Abstract: There is marked variability from…

The Hacking of Yahoo

Last week, Yahoo! announced that it was hacked pretty massively in 2014. Over half a billion usernames and passwords were affected, making this the largest data breach of all time. Yahoo! claimed it was a government that did it: A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company’s…

The Cost of Cyberattacks Is Less than You Might Think

Interesting research from Sasha Romanosky at RAND: Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of…

Report on the Vulnerabilities Equities Process

I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as…

Good Article on Airport Security

The New York Times wrote a good piece comparing airport security around the world, and pointing out that moving the security perimeter doesn’t make any difference if the attack can occur just outside the perimeter. Mark Stewart has the good quote: "Perhaps the most cost-effective measure is policing and intelligence — to stop them before they reach the target," Mr…

Security Analysis of TSA PreCheck

Interesting research: Mark G. Stewart and John Mueller, "Risk-based passenger screening: risk and economic assessment of TSA PreCheck increased security at reduced cost?" Executive Summary: The Transportation Security Administration’s PreCheck program is risk-based screening that allows passengers assessed as low risk to be directed to expedited, or PreCheck, screening. We begin by modelling the overall system of aviation security by…

The Unfalsifiability of Security Claims

Interesting research paper: Cormac Herley, "Unfalsifiability of security claims": There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary conditions for security (and sufficient conditions for insecurity)…