Collaborate Disseminate
It’s really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I’ve seen at trying to put a number on this. The results are, well, all over the map: "Estimating the Global Cost of Cyber Risk: Methodology and Examples": Abstract: There is marked variability from… Continue reading Estimating the Cost of Internet Insecurity
It’s really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I’ve seen at trying to put a number on this. The results are, well, all over the map: "Estimating the Global Co… Continue reading Estimating the Cost of Internet Insecurity
Interesting paper. John Scott-Railton on securing the high-risk user…. Continue reading "Security for the High-Risk User"
Interesting research…. Continue reading Privacy Makes Workers More Productive
Last week, Yahoo! announced that it was hacked pretty massively in 2014. Over half a billion usernames and passwords were affected, making this the largest data breach of all time. Yahoo! claimed it was a government that did it: A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company’s… Continue reading The Hacking of Yahoo
Interesting research from Sasha Romanosky at RAND: Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of… Continue reading The Cost of Cyberattacks Is Less than You Might Think
I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as… Continue reading Report on the Vulnerabilities Equities Process
The New York Times wrote a good piece comparing airport security around the world, and pointing out that moving the security perimeter doesn’t make any difference if the attack can occur just outside the perimeter. Mark Stewart has the good quote: "Perhaps the most cost-effective measure is policing and intelligence — to stop them before they reach the target," Mr…. Continue reading Good Article on Airport Security
Interesting research: Mark G. Stewart and John Mueller, "Risk-based passenger screening: risk and economic assessment of TSA PreCheck increased security at reduced cost?" Executive Summary: The Transportation Security Administration’s PreCheck program is risk-based screening that allows passengers assessed as low risk to be directed to expedited, or PreCheck, screening. We begin by modelling the overall system of aviation security by… Continue reading Security Analysis of TSA PreCheck
Interesting research paper: Cormac Herley, "Unfalsifiability of security claims: There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary conditions for security (and sufficient conditions for insecurity)… Continue reading The Unfalsifiability of Security Claims