Wednesday, March 30, 2011

Information security threat models, folk & expert

I've written a pair of blog posts for Global Crossing's "Defense in Depth Security" blog based on recent work by Rick Wash and by multiple people at Intel, including Timothy Casey, about modeling the agents behind information security threats. The first post is about non-expert home computer users' "folk models" of the threats from viruses and hackers. It makes the point that seemingly irrational decisions about security may in fact be completely rational given the user's conceptual understanding of the threat they believe they are combatting. Only by changing that understanding, which requires not just information but appropriately salient information and the right incentives, are we likely to see changes in user behavior. I point out an example of a recent news story that might help provide both elements with regard to one type of vulnerability, open wireless access points.

The second blog post, which will appear tomorrow, is about expert models of threat agents--the Intel Threat Agent Library. Intel created a large set of attacker personas and identified their attributes, for use in matching against vulnerabilities and prioritizing controls as part of a broader risk assessment process.
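To make the matching-and-prioritizing step concrete, here is a small added example (my own illustration, not Intel's library or the Global Crossing posts' code). The personas, the attribute names (skill, access, resources) and the vulnerabilities are constructed for the example and are not Intel's published attribute set; the idea it demonstrates is the same: decide which agents could plausibly exploit each vulnerability, then rank the mitigating controls by how much exploitable impact each one removes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Constructed threat-agent personas. Attribute names and scales are illustrative
# (hypothetical), not Intel's Threat Agent Library attributes.
@dataclass(frozen=True)
class ThreatAgent:
    name: str
    skill: int        # 1 (low) .. 3 (high)
    access: str       # "external" (no insider access) or "internal"
    resources: int    # 1 (low) .. 3 (high)


# Constructed vulnerabilities: what an agent needs to exploit them, the control
# that mitigates them, and a rough impact rating.
@dataclass(frozen=True)
class Vulnerability:
    name: str
    min_skill: int
    access_needed: str   # "external" = reachable from outside, "internal" = insider only
    min_resources: int
    control: str
    impact: int          # 1 (low) .. 3 (high)


AGENTS: List[ThreatAgent] = [
    ThreatAgent("opportunistic outsider", skill=1, access="external", resources=1),
    ThreatAgent("organized crime", skill=3, access="external", resources=3),
    ThreatAgent("disgruntled insider", skill=2, access="internal", resources=1),
]

VULNS: List[Vulnerability] = [
    Vulnerability("open wireless access point", 1, "external", 1,
                  "enable WPA2 on the access point", impact=2),
    Vulnerability("unpatched VPN appliance", 3, "external", 2,
                  "patch management", impact=3),
    Vulnerability("shared admin password on file server", 1, "internal", 1,
                  "per-user admin accounts", impact=3),
    Vulnerability("phishing-susceptible staff", 2, "external", 1,
                  "phishing awareness training", impact=2),
]


def can_exploit(agent: ThreatAgent, vuln: Vulnerability) -> bool:
    """An agent matches a vulnerability when its skill and resources meet the
    minimums and it has the kind of access the vulnerability requires.
    Internal agents can also reach externally exposed weaknesses."""
    access_ok = vuln.access_needed == "external" or agent.access == "internal"
    return (agent.skill >= vuln.min_skill
            and agent.resources >= vuln.min_resources
            and access_ok)


def match_agents(agents: List[ThreatAgent],
                 vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Map each vulnerability name to the names of the agents that could exploit it."""
    return {v.name: [a.name for a in agents if can_exploit(a, v)] for v in vulns}


def prioritize_controls(agents: List[ThreatAgent],
                        vulns: List[Vulnerability]) -> List[Tuple[str, int]]:
    """Score each control by the impact it removes, weighted by how many
    matching agents could exploit the vulnerabilities it mitigates.
    Returns (control, score) pairs, highest score first; ties broken by name."""
    scores: Dict[str, int] = {}
    for v in vulns:
        matching = sum(1 for a in agents if can_exploit(a, v))
        scores[v.control] = scores.get(v.control, 0) + v.impact * matching
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for vuln, who in match_agents(AGENTS, VULNS).items():
        print(f"{vuln}: {', '.join(who) or 'no matching agent'}")
    print()
    for control, score in prioritize_controls(AGENTS, VULNS):
        print(f"{score:>3}  {control}")
```

The scoring rule here is deliberately simple (impact times number of matching agents); a real assessment would weight agents by likelihood and intent as well, but the structure, personas filtered against each vulnerability's prerequisites and then controls ranked by what they cut off, is what the persona library is for.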

I'm happy to discuss these further either here or at the Global Crossing blogs.