This is a collection of resources and references to accompany my talk, "Doing Security WITH your organisation and not TO it", at the 2017 RSA Conference.


The kind people at RSA recorded the presentation, so if you were there you can go back and re-watch it. If you’re just here for the first time, remember this is unedited, so there is hesitation, repetition and deviation.

Notes and corrections

It’s very hard to provide footnotes to a live presentation, and almost impossible to proofread – so here are some references, apologies and elaborations.

02:02 “A bit of a Nirvana Land” – I think I more accurately meant “conference speaker ideal world”. Not a land where there is “a transcendent state in which there is neither suffering, desire, nor sense of self”.
02:30 If you think that companies really don’t do this type of thing anymore then I give you Virgin Atlantic’s loyalty programme – FlyingClub. https://www.virginatlantic.com/us/en/flying-club/how-flying-club-works/help-logging-in.html.

“The first time you log in to your Flying Club account on our new website you will be asked to set up security questions and answers. The answers need to be a minimum of 4 and maximum of 100 characters.”

05:42 Yes, SAS does fly to SFO – https://www.flysas.com/en/us/promotions-and-prices/summer-sale/san-francisco/
08:26 That came out somewhat wrong. I’ve been to Norway, Sweden and Denmark and I know they are pretty large (with some great coastlines). When Carlzon wrote the book, the community of people who flew regularly on SAS was small and well connected with each other.
09:40 I know, you can’t see the laser pointer. I have to admit I didn’t think about the recording at this point. Hopefully you can work out what I’m pointing at.
09:49 Yes, in Japan it really is a blue man http://www.japantimes.co.jp/life/2013/02/25/language/the-japanese-traffic-light-blues-stop-on-red-go-on-what/
13:44 No, it really would be PCI DSS compliant if the Post-it notes were destroyed in compliance with requirement 9.8.1.
14:17 I know, my pronunciation here is terrible. Sorry Iacovos.
17:50 I said right hand, I hope it was obvious I meant “top left hand”
20:08 A colleague commented that it appears that I suggest that business usability and security effectiveness were dependent variables. That if you had good business usability it naturally had poor security effectiveness, and vice-versa. This isn’t the case – they are independent. You can have poor security and poor usability (passwords!) and good usability and great security (SSO with something you have and something you are).
23:05 If you’re not familiar with Mr Creosote then YouTube will be educational (although avoid mealtimes) https://www.youtube.com/watch?v=aczPDGC3f8U
30:12 I should perhaps have added “allegedly”
32:17 The attack against the Bank of Bangladesh SWIFT system http://www.reuters.com/article/us-cyber-heist-philippines-idUSKCN0YA0CH
35:30 Sorry 😮
38:56 Net Promoter Score https://en.wikipedia.org/wiki/Net_Promoter
43:13 I should point out as an ex-QSA I meant this in a purely metaphorical way.
44:3 Again, sorry.

Users and Security

The user is not the enemy
The compliance budget: managing security behaviour in organisations
Recognising and addressing ‘security fatigue’ (subscription required)

Shadow security

Learning from ‘Shadow Security’: Why understanding noncompliant behaviors provides the basis for effective security
Shadow security as a tool for the learning organization

Evidence based password research

“Ten strikes and you’re out”: Increasing the number of login attempts can improve password usability

CESG Password Guidelines
Federal Trade Commission – Time to rethink mandatory password changes

Customer Journey Maps

Joel Flom
NN/g training in Journey Mapping

The one book to read

Despite its age, this is a great book on security usability

Security and Usability: Designing Secure Systems that People Can Use