Information Safety

Improving technology through lessons from safety.

SIRAcon 2022

As I posted yesterday, I’m working through cataloging my past presentations, and I’m nearly done! Today I’m sharing a talk from SIRAcon 2022 that’s much different than what I typically do, “Making R Work for You (With Automation)”.

Many SIRA members do data analysis as part of their work, and talk about the results of their analysis at SIRAcon. However, we don’t often talk about the mechanics of our craft, how we go about doing data analysis. However, in 2019, Elliot Murphy gave a talk about just that, by showing how to use Jupyter (Python) and R Notebooks for data analysis. His presentation inspired me to start working with R using R Notebooks, and I wanted to share what I’d learned, and built to automate my workflow.

I think the talk went reasonably well, although it was hard to say for sure, as the conference was once again virtual that year. Unfortunately, some of the key attendees weren’t able to attend, and I didn’t get their feedback - although later one of them did watch the replay and shared that what I did was similar to his approach.

Aside from learning how to write better R code, I learned a couple of things from the experience (both doing it and talking about it):

  • Doing something brings deeper knowledge than reading about something. One of my goals with R was to learn good software engineering practices (documentation, testing, source code control, etc.) including DevOps practices (continuous integration and continuos delivery, CI/CD). While my experience was limited mainly to myself, I did come away with a better and deeper understanding of what it’s like to write modern software.
  • If writing software was more physically demanding, we’d probably do a better job creating tools and automation to help with the writing. As I noted in my talk, the carpenters who worked on our house spent a whole day setting up their environment to make it easier to move materials they were removing to the dumpster, and didn’t try to just brute-force the work. Experience and the challenge of physical labor led them to an economy of movement.

A copy of my slides are here, and the visual notes from the talk are below!

visual notes

comment

Cybersecurity NTSB

As I work through cataloging presentations I’ve done this week, I’ve come across a few that I haven’t yet posted here (or on https://transvasive.com). I’ll be posting them here over the next three days.

One of the “missing” talks was a short slide deck I put together as part of a “Papers We Love” discussion on Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity, a paper published by a working group organized by Harvard’s Belfer Center to explore the concept of creating a “Cyber NTSB”.

I came across this paper having met one of the lead authors, Adam Shostack. Adam especially has been interested in creating a “Cyber NTSB”, an idea we share, although I likely take a broader interest in adapting safety to cybersecurity.

The paper is well written and the workshop seemed well thought out, as it included presentations from people actually working at the NTSB, grounding the discussion in work-as-done instead of work-as-imagined at the NTSB. It also included a session led by the psychologist and safety scientist David Woods on cross-domain learning; as I discovered in my studies, safety doesn’t translate directly (for example between aviation and marine safety). The findings are sound and follow current safety science thinking and are included in the slides.

For me, the practical takeaways were and remain:

  • A recurring theme is discussion of blame, and how NTSB specifically avoids assigning liability in accident investigations, as avoiding blame improves learning
  • There are domain-specific challenges unique to Security; don’t blindly copy what works in aviation safety
  • Near Miss reporting is an important complement to incident investigation; share stories of the close calls

You can download a copy of the slides here.

comment

Secure360 2024

Today I spoke at Secure360 2024! My talk, Security Differently, builds on my earlier post on the topic.

The session was very well attended, so if you were there, thank you! We filled the room - standing room only - 150 people checked in. I got some great and challenging questions at the end, I appreciated everyone’s engagement!

Here is the link I shared in the QR code at the end: https://bento.me/jbenninghoff.

Session Description

Cybersecurity, especially traditional security, has stagnated; adding security controls hasn’t appreciably improved outcomes and we continue to struggle with basic problems like vulnerabilities. Safety faced a similar problem 10-15 years ago; scientists and practitioners saw that safety outcomes were stagnant and concluded that the traditional method of avoiding accidents through centralized policies, procedures, and controls was no longer driving improvements.

I believe we’re seeing the same thing in security: historically, we’ve focused on constraining worker behavior to prevent cybersecurity breaches, and the limits of that approach are becoming increasingly clear. Adapting concepts from Safety Differently and Safety II offers a solution, by supporting success and focusing on positive capacities. In this talk, I will present practical advice on how to create a security program based on modern safety principles using evidence from both security and safety, and how it changes the role of the security professional.

Slides

My slides with notes, including references, are here.

Video

While the talk was not recorded, I did create a short video to promote the talk, you can watch that here.

comment