Shostack + Friends Blog Archive


SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.)

So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an update to this post.

Attempting to reconstruct what I said, or intended to say. (Yes, I suppose I could listen to the audio, but then again, this is more fun for me.)

So it’s a struggle to say something new at the end of a workshop like this. And Ross Anderson even said that. So how do we fix security and human behavior? We first need some degree of understanding of what needs fixing. It’s easy at the end of all the talks to think we know what’s wrong, but I don’t think we do. What leads to more failures? 0day or patches not installed? Authentication failures or configuration failures?

We don’t know what goes wrong because people worry about a laundry list of consequences, from customers fleeing to stock price collapse, even though we actually know that those outcomes rarely happen. So why don’t we know what goes wrong? Shame. People are ashamed that their security is imperfect and don’t want to talk about it.

This holds us back. When Angela Sasse talks about a compliance budget, we don’t know what to spend it on. When Diana Smetters discusses prioritizing how to train users, we don’t know what to prioritize. When Mark Stewart shows frequency/loss equations, we don’t know what to put into them (for information security).

So we need something like the National Transportation Safety Board, or a Truth and Reconciliation Commission which will hear testimony, ask questions, and provide analysis.

In order to improve security and human behavior, we need more and better data. And to get more and better data, we’ll need to overcome shame.

I’d also like to thank Addison Wesley for providing copies of The New School (the book) to the attendees of the workshop. As I’ve said, they’ve been a great publisher to work with.