Adam Shostack (Shostack & Associates)

"We Need A Discipline of Cyber Public Health"

Adam Shostack

Copyright: Adam Shostack

Abstract. For all the tragedy the coronavirus has brought and the difficulties in fighting it, we have a discipline of public health. Scientists are advancing the science of public health. We have public health institutions at many scales: local, national and international. They are defining, gathering and distributing statistical measures. Those measures most prominently include deaths, but also hospital admissions and, for some diseases, doctor diagnoses. We have guidance for the public. We have few equivalents in the world of cybersecurity. We do not know how many computers have malware on them. We do not know what the equivalent of deaths is: is it systems lost to ransomware? What if they were backed up? We do not study means of infection or transmission rates. These issues are important to me both in a broad sense and in a very specific one. Much of my work is focused on threat modeling: the anticipation of future security problems in technology. What problems ought we anticipate and address? Some security problems are a result of developer errors. These errors include selecting bad tooling, using tools badly, or failing to recognize that they must authenticate, sanitize or otherwise apply security knowledge to a situation. Other problems are what we call "user error," but that assignment of blame is, itself, hotly contested and often unfair. Security experts rarely give advice on the level of "wash your hands." Their advice is rarely consistent with that of other experts, or with the public's own understanding. People are naturally confused and give up. These are all things that public health statistics could help us define and measure. Because we cannot quantify how computers are compromised, or the causes, it is hard to justify answers to the question of "what should developers know about security?" We know there are aspects of security developers must consider, but the time and attention of developers is a scarce resource. Educating and training them effectively depends on prioritization, and for that we need cyber public health and its measurement capabilities.

Biography. Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

To the YouTube video