This is a collection of resources and references to accompany my talk on Doing Security WITH your organisation and not TO it at the 2017 RSA Conference.
The kind people at RSA recorded the presentation so if you were there, you can go back and re-watch it. If you’re just here for the first time then remember this is unedited so there is hesitation, repetition and deviation.
Notes and corrections
It’s very hard to provide footnotes to a live presentation, and almost impossible to proofread – so here are some references, apologies and elaborations.
“A bit of a Nirvana Land” – I think I more accurately meant “conference speaker ideal world”. Not a land where there is “a transcendent state in which there is neither suffering, desire, nor sense of self”.
If you think that companies really don’t do this type of thing anymore then I give you Virgin Atlantic’s loyalty programme – FlyingClub.
“The first time you log in to your Flying Club account on our new website you will be asked to set up security questions and answers. The answers need to be a minimum of 4 and maximum of 100 characters.”
Yes, I know, SAS does fly to SFO.
That came out somewhat wrong. I’ve been to Norway, Sweden and Denmark and I know they are pretty large (with some great coastlines). When Carlzon wrote the book, the community of people who flew regularly on SAS was small and well connected with each other.
I know, you can’t see the laser pointer. Sorry. I have to admit I didn’t think about the recording at this point. Hopefully you can work out what I’m pointing at.
No, it really would be PCI DSS compliant if the post-it notes were destroyed in compliance with requirement 9.8.1.
I know, my pronunciation here is terrible. Sorry Iacovos.
I said right hand; I hope it was obvious I meant “top left hand”.
A colleague commented that it appears that I suggest that business usability and security effectiveness were dependent variables. That if you had good business usability it naturally had poor security effectiveness, and vice-versa. This isn’t the case – they are independent. You can have poor security and poor usability (passwords!) and good usability and great security (SSO with something you have and something you are).
If you’re not familiar with Mr Creosote then YouTube will be educational (although avoid mealtimes).
I should perhaps have added “allegedly”.
I should point out as an ex-QSA I meant this in a purely metaphorical way.
Users and Security
- The user is not the enemy
- The compliance budget: managing security behaviour in organisations
- Recognising and addressing ‘security fatigue’ (subscription required)
- Learning from ‘Shadow Security’: Why understanding noncompliant behaviors provides the basis for effective security
- Shadow security as a tool for the learning organization
Evidence based password research
- “Ten strikes and you’re out”: Increasing the number of login attempts can improve password usability
- NCSC Password Guidelines
- Federal Trade Commission – Time to rethink mandatory password changes
Customer Journey Maps
The one book to read
Despite its age, this is a great book on security usability