So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]
Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]
Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool. Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting: http://itacidentityblog.com/rsa-podcast-alex-hutton-principal-in-research-and-risk-intelligence-verizon-business
Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.
In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to […]
In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see: Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”? I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small […]
A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.
Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]
Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.
We can all learn from this great role model, aimed at personal nutrition awareness and education: Nutritiondata.com. If only security awareness web sites were this good.
The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.
We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.
An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. It can only roughly approximate it under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulty. It’s harder than it looks.
Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]
First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen […]