"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy:

Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient usability to accomplish tasks efficiently and with less effort, users will often tend to bypass security features. A small but growing community of researchers, with roots in such fields as human-computer interaction, psychology, and computer security, has been conducting research in this area.

Regardless of how familiar you are with usable security, this report is a worthwhile read.

(Cross-posted from Emergent Chaos)

Grope-a-thon: Today's TSA roundup

What is Information Security: New School Primer

Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”. This struck me funny for a number of reasons, mainly because it showed a basic bias towards what InfoSec *is*. And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough to be described at a high level in a few paragraphs in a blog post. So I thought I’d write a “primer” post on what InfoSec is to create a reference point.

First, InfoSec is a hypothetical construct. It is something that we can all talk about, but it’s not directly observable and therefore measurable like, say, speed, which we can describe in km/hr. “Directly” is to be stressed there because there are many hypothetical constructs of subjective value that we do create measurements and measurement scales for in order to create a state of (high) intersubjectivity between observers (don’t like that wikipedia definition, I use it to mean that you and I can kind of understand the same thing in the same way).

Because it’s a hypothetical construct, what is “secure enough” is also subjective to the observer, and a subjective assessment that is then immediately, almost subconsciously compared to the relative risk tolerance of the owner in their mind. This presents many challenges in managing a security program, not the least of which is establishing that high degree of intersubjectivity, above.

Second, security is not an engineering discipline, per se.  Our industry treats it as such because most of us come from that background, and because the easiest thing to do to try to become “more secure” is buy a new engineering solution (security product marketing).   But the bankruptcy of this way of thinking is present in both our budgets and our standards.   A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker.  For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air.  In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure.  At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers.  Their sentience includes creativity and adaptability.  The wind does not act to deceive.  Gravity and rust do not go “low and slow” to evade detection.  Rain does not customize its raindrops to bypass umbrellas.  But sentient attackers do change to evade defenses and reach their goal.

And because InfoSec is not solely a “computer/software engineering” problem, it requires an understanding of both technology and non-technology fields. Yes, this includes software engineering, hardware engineering, and network engineering – but it also means concepts like management science and behavioral analytics (among many others) should have their place in understanding all the phenomena that create a state of “secure”.

For example, the outcome of having more than a “vulnerability-centric” view of InfoSec (from above) is that “secure” would reasonably be measured by understanding both the force that the attackers can apply, and our ability to resist that force (1). In this way, “threat-centric” security (study of ability to apply force) is useless without “vulnerability-centric” security (study of the ability to resist). It’s like trying to measure “distance-centric” speed without it being relative to “time-centric” speed, and is equally useless.

Finally, InfoSec is a subset of Information Risk Management (IRM). IRM takes what we know about “secure” and adds concepts like probable impacts and resource allocation strategies. This can be confusing to many because of the many definitions of the word “risk” in the English language, but that’s a post for a different day.

THE NEWSCHOOL APPROACH – THE MONEYBALL-ING OF INFORMATION SECURITY?

Moneyball is a fantastic book about how new approaches to measuring and modeling the performance of baseball players created market efficiencies for those baseball teams who were better able to use the data they had at hand.  In a sense, the New School of InfoSec seeks to foster the collection of data and the development of new and better models for managing security.

But that simplistic analogy belies other important concepts. A call for the application of scientific method, the recognition that our standards are really just hypotheses about “how to secure”, the requirement that claims of success be backed up with data and not just a logical argument or isolated anecdotes, data sharing, transparency – these are all fundamental premises, needs even, of the New School of Information Security.

Because Security is a hypothetical construct, one that requires a great deal of intersubjectivity and a broad array of applicable knowledge to understand, the evidence of history suggests that a New School approach – a scientific approach – is the most efficient way of making progress.

—-

(1) Jack Jones – The Factor Analysis of Information Risk

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants.

Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, BBC)

What’s interesting to me about this story is that it illustrates how part of the cost of using Facebook is the occluded future. If you’d asked me if Facebook impacted on military draft, I’d have said no. Predictions are hard, especially about the future. And the young women in question probably didn’t think that their use of a social networking site would cause them to be drafted.

A second interesting aspect to this is that it indicates that one’s Facebook profile, in aggregate, is a religious identifier. That’s interesting because religious information is categorized specially under the Canadian privacy act (PIPED) and possibly also under European data protection laws. I haven’t seen this aspect covered in the analyses that I’ve read from those regulators. (Admittedly, I have not read all of those analyses.)

Happy Birthday, Stan

“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.”

– George Will

“When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and see how he performs and how he comports himself you say, ‘He’s truly one of a kind.’ There will never be another like him.”

– Jack Buck

One day, I got a chance to visit with a neighbor of Stan’s. They took me over to meet the Musials, unannounced. Here’s a young kid, showing up unannounced at the door of a man who by all rights was Mr. St. Louis. Turns out Stan and Mrs. Musial were in the pool. He happily gets out of the pool, and standing there dripping wet not caring a tinker’s cuss about himself, graciously carries on a conversation with me, showing nothing but genuine warmth and kindness. I have a copy of that picture there, but with the autograph “To Al, hope you become a ball player. Stan Musial”

Happy 90th Birthday to one of the nicest guys on the planet.

Animals and Engineers

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue”):

Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces.

…After calculating things like the Froude number and the aspect ratio, they were able to figure out how fast a cat should lap to get the greatest amount of water into its mouth. The cats, it turns out, were way ahead of them — they lap at just that speed…The engineers worked out a formula: the lapping frequency should be the weight of the cat species, raised to the power of minus one-sixth and multiplied by 4.6. They then made friends with a curator at Zoo New England, the nonprofit group that operates the Franklin Park Zoo in Boston and the Stone Zoo in Stoneham, Mass., who let them videotape his big cats. Lions, leopards, jaguars and ocelots turned out to lap at the speeds predicted by the engineers.

I was also listening to the Quirks and Quarks story on “Wet Dogs Rule,” in which the researchers have used high-speed photography to figure out that dogs (and other animals) shake water out at a precisely optimal rate for energy invested versus surface tension and other factors that keep the water in their fur.

What’s surprising to me is the surprise that … “they lap at just that speed.” As anyone who’s ever read Darwin knows, any animal that expends extra energy on something, be it drying off or drinking water, will be disadvantaged compared to one that spends less energy for the same benefit. And over time, the animal that spends its energy more efficiently will have more energy to reproduce. To the extent that such strategies are influenced by genes, those genes that drive better strategies will spread. So I’m surprised that engineers are surprised that they can’t improve on millions of years of evolution.

Incidentally, congratulations to the CBC for being a news site that clearly links to the real academic work and researchers’ web sites.