measurement

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card…

Read More Do Games Teach Security?

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and…

Read More What Boards Want in Security Reporting

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past…

Read More "Cyber" Insurance and an Opportunity

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there…

Read More The High Price of the Silence of Cyberwar

There’s a fascinating set of claims in Foreign Affairs “The Fog of Cyberward“: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system…

Read More The Fog of Reporting on Cyberwar

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can,…

Read More The "Human Action" argument is not even wrong

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of…

Read More Where is Information Security's Nate Silver?