How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit.”

First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t want to be that person.

Second, if you want to ask a good question, ask a question that you think others will want to hear answered. If your question is narrow, go up to the speaker afterwards.

Now, there are some generic best practice questions that I love to ask, and want to encourage you to ask.

  • You claimed “X”, but didn’t explain why. Could you briefly cover your methodology and data for that claim?
  • You said “X” is a best practice. Can you cover what practices you would cut to ensure there’s resources available to do “X”?
  • You said “if you get breached, you’ll go out of business.” Last year, 2600 companies announced data breaches. How many of them are out of business?
  • You said that “X” dramatically increased your organization’s security. Since we live in an era of ‘assume breach’, can I assume that your organization is now committed to publishing details of any breaches that happen despite X?

I’m sure there are other good questions; please share your favorites, and I’ll try for a new post tomorrow.

New School of Information Security Book Reading at Ada's

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort zone in promotional activity. Since Ada’s is just getting started on taking video, the quality of the recording isn’t super-high, but the conversation afterwards is great stuff.

Adam Shostack at Ada’s Technical Books from Ada's Technical Books on Vimeo.

Thanks to Danielle for inviting me, and I’d be happy to do more readings in the future.

Pie charts are not always wrong

In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to present.” Which is true. But in every case I’ve seen, those situations are as well served with a small bar graph.

What’s the least contrived situation in which a pie chart is better than a bar graph or table? (Pac man and pies are two obvious examples.)

The Visual Display of Quantitative Information

In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see:


Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”?

I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small example of the utility of pie charts will inform report writers. The report writers and their graphics departments, loving their customers, will move to bar charts to help them compare numbers between sources.

I’m confident that not using pie charts is a best practice.

Elsewhere: “The only time it makes sense to use a pie chart.”

And elsewhere: “The Visual Display of Quantitative Information, 2nd edition.”

Miscommunicating risks to teenagers

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.

Security programs that depend on 100% compliance are a bad idea, especially if they depend on 100% compliance from people who are proven to be poor in compliance capabilities.

Case in point: I saw a documentary about “Abstinence only” sex education programs for teens in the public schools of New Mexico — one negative example in Albuquerque and one positive example in Socorro. (This is federally funded.) Skipping over the most egregious errors and misstatements in these programs, I noticed one big blooper regarding risk estimation and risk communication.

The educators who developed and deliver this program emphasize the failure rate of condoms as an argument against relying on them. In contrast, abstinence-only is touted because it is 100% effective in preventing unplanned pregnancy and all the negative stuff that goes along with it. Funny thing: they never mentioned the failure rate of abstinence-only when implemented by teenagers! Sure, you can tell teenagers to be abstinent and they can even commit to it, but would you bet on it? What odds would you demand for a large bet (say, $100,000 from your bank account) that a large group of teens would remain abstinent for five years? There are plenty of studies (e.g. here and here) that demonstrate the limited capabilities of teens to avoid risky behavior, control impulses, rationally balance short-term gain against long-term pain, think beyond a short planning horizon, resist peer pressure, etc. For most teens in the US, their “failure rate” (i.e. failing to avoid risky behaviors) is greater than 0%, and in cases of “multiple-risk adolescents” the failure rate is far above 0%.

full-body condom

I would bet that condoms are much more reliable than the average teenager’s commitments to eschew immediate pleasures. Of course, using both would be much more reliable than either alone. This is “defense in depth”, of course. Better still, take it to the max and advise that they add a “full-body condom”. Then they would be “fer sher, fer sher!”, as the Valley Girl might say. 🙂
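To put numbers on the two arguments above (a control that needs 100% compliance from a large group over a long period, and the defense-in-depth point that two independent controls fail together far less often than either alone), here is a small added model; it is not from the original post. It assumes independent lapses per person per period and independent layers, and the rates it uses are constructed illustrations, not data.

```python
from math import prod


def all_comply_probability(per_person_lapse: float, group_size: int, periods: int) -> float:
    """Probability that every person in a group stays compliant for every period.

    Assumes each person lapses independently with probability `per_person_lapse`
    in each period. A control that only works at 100% compliance "succeeds" with
    exactly this probability, which collapses quickly as the group or the time
    horizon grows.
    """
    stay_one_person = (1.0 - per_person_lapse) ** periods
    return stay_one_person ** group_size


def layered_failure_probability(layer_failure_rates) -> float:
    """Probability that every layer fails at once (defense in depth).

    Assumes the layers fail independently; with correlated failures the true
    number is higher, so treat this as a lower bound.
    """
    return prod(layer_failure_rates)


if __name__ == "__main__":
    # Constructed rates for illustration only.
    print("100 people, 5 periods, 5% lapse each:",
          all_comply_probability(0.05, 100, 5))
    print("behavioural control alone (50%):", layered_failure_probability([0.5]))
    print("device alone (2%):", layered_failure_probability([0.02]))
    print("both layers:", layered_failure_probability([0.5, 0.02]))
```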

Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe:


Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?”

It appears that I’m going to have to update my commentary. Thanks, Brett!

[And thanks Scott–I misspelt orrery, now corrected.]

Visualization Friday – Beautiful, Functional, and Effective

We can all learn from this great role model, aimed at personal nutrition awareness and education.

I encourage you to click on the images below to visit the site and explore interactive features.

If only security awareness web sites aimed at end-users and consumers were this good.