Friday, January 23, 2015

New book

So this week has been full of good news for me. I've been working with an amazing group of professionals on an InfoSec book (in Portuguese) for which I wrote the Risk Management chapter. Well, the book has just been released this month, including a Kindle edition that you can get from Amazon.

http://amzn.com/B00S8CQJ20

By the way... the book is composed of a series of small chapters on different security aspects. I was lucky enough to get my chapter placed as the second one in the book, and the book sample available from Amazon on their website happens to include the whole chapter! Feel free to go there if you want to read it. Reminder: the book is entirely in Portuguese.

Tuesday, January 20, 2015

The Art of Thinking Security Clearly - RSA Conference 2015

My work with behavioral economics and security is becoming even more interesting! I've just received confirmation that my session at RSA Conference this year has been accepted:

HUM-F03

The Art of Thinking Security Clearly

Augusto Barros, CIBC, Security Architect

Friday, Apr 24, 11:20 AM

West|2022

50 minutes

A cognitive bias is a deviation from thinking or acting rationally due to unconscious inferences about other people and situations. Information Security is full of situations where cognitive biases affect our judgement. This session will cover the most common cognitive biases, how they relate to information security and what can be done to avoid or reduce their impact on our actions and decisions.

Human Element
The longer session will allow me to go deeper into some cognitive biases that I wasn't able to cover during the BSidesTO talk. I'm excited about this as it's the first time I'll be speaking at RSA. Hope to see you all there, I know it's that Friday morning when everyone is either destroyed from partying the whole week or flying back home, but if you're still planning to attend sessions that day, please consider this one for your schedule :-)

Thursday, January 15, 2015

Groups, Security and Behavioral Economics

I'm currently reading a book by behavioral economics authors Cass Sunstein and Reid Hastie, Wiser: Getting Beyond Groupthink to Make Groups Smarter. Cass Sunstein is one of the authors of "Nudge", which is seen by many as a seminal work on the idea of "Choice Architecture". All this is related to my current favorite research topic, behavioral economics in information security.

Wiser is interesting for us because a lot of decisions and processes in security involve groups. There are groups working on risk assessments, deciding about security controls and measures, and also doing incident response. The ways in which groups fail to behave in an optimal manner, and how to correct that, are thus important to infosec. A good example of this just came up in a recent Twitter exchange.

Richard Bejtlich was discussing the use of a "red team" to mitigate the risk of groupthink during an attribution exercise. This is a perfect example of techniques for improving group work being applied to security-related processes. He followed up on the Twitter exchange with a nice post on his blog.

(I understand Zanero's point from a logical point of view; the fact that you can't prove A doesn't necessarily mean that B is true if the universe of possibilities is bigger than A+B. However, I don't think that's the objective of the red team in that context. The red team is there to reduce the group's tendency to converge rapidly on a decision without properly considering the alternatives. This is a decision-making aid, not a logical argument.)