Author: Russell

There seems to be no notification that these files are publicly available and no web page listing all the submissions. Therefore, unless you know they are there, you won’t find them. But you can find them all through Google using this search string “NOI site:http://www.nist.gov/itl/upload/”

Read More Secret Stash: responses to DoC/NIST 'Cybersecurity and Innovation in the Internet Economy' Notice of Inquiry

This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction. Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and…

Read More GAO report on the state of Federal Cyber Security R&D

This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities. One of the three themes is “Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.”

Read More "Cyber Economic Incentives" is one of three themes at Federal Cybersecurity R&D Kickoff Event

Industry ‘experts’ misfired when they criticized Microsoft’s Scott Charney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know anything about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

Read More 'Experts' misfire in trying to shoot down Charney's 'Internet Security Tax' idea

There has been a disconnect between the primary research sectors, and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any significant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: an Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for an Information Security and Privacy Extended Grant (ISPEG) for academic researchers.

Read More Everybody complains about lack of information security research, but nobody does anything about it

The New School approach to information security promotes the idea that we can make better security decisions if we can measure the effectiveness of alternatives. Critics argue that so much of information security is unmeasurable, especially factors that shape risk, that quantitative approaches are futile. In my opinion, that is just a critique of our current methods…

Read More Measuring the unmeasurable — inspiration from baseball

There is no better illustration of the institutional and social taboos surrounding data breach reporting and information security in general than the Google-Adobe-China affair. While the Big Thinkers at the World Economic Forum discussed every other idea under the sun, this one was taboo.

Read More 'Don't Ask, Don't Tell in Davos' — Act 3 in the Google-China affair