The Psych of Sec

Some really great thoughts. Krypt3ia is always worth a visit.

“To sum up, here we have a lot of talk about the ROI of security measures like awareness training. Some say it is useless, but I say it is not. In fact, I would say that the current model of security awareness (i.e. once a year by PowerPoint) is not enough. The reality is that people learn only by repetitive means. This is why we teach children times tables in school, and why children innately want to be read the same story over and over and over again. Our brain makes long-term memory and learning by repetitive means. So yes, I would say our current model of awareness is useless, because we are not really teaching anything to anyone by not doing it repeatedly and more than once a year.”


It is a cool fact from economic theory that business value also equals reduced or mitigated risk. If a risk is avoided, it contributes to a company’s profitability, since a risk that has materialized reduces profit. Given that security breaches like that of Target cause stock prices to tumble, profits to vanish into thin air and reputation to be lost, spending a fraction of those costs on prevention should be a no-brainer.

Nevertheless, in our beautiful, quarterly world, the virtue of precautions stays invisible to the people who approve budgets until a breach has happened. And then, of course, there is no longer an abundance of profit from which to pay the mitigation costs …


I recently gave this presentation at BSidesCT and have found that SlideShare does not like my sense of graphic design, and that a slide deck alone at times just doesn’t tell the full story of the presentation. So, I am going to add here the commentary that I gave in person and let you all see a better picture of what was talked about.



Computer security starts and ends with people. People are the ones creating the hardware, software, and processes, and operating the Internet of Things. We are the reason we have these problems around security, and we are the reason as well that things don’t get done right or are abused. Our species, the tool user, has created a series of tools that outstrip our capacity to comprehend them en masse as well as to operate them securely as a whole. I want you to remember one thing from…
