The Security Mindset and Threat Modeling

Guidance/Questions -- As you read, try to internalize this vocabulary and think about these ideas.

• Define: "security mindset", "harmless failure", "adversary", "asset", "vulnerability", "threat", "risk", "security theater", "movie-plot threat", "the attacker's asymmetric advantage"

• Consider that there is no such thing as perfect security, and so security is fundamentally about risk analysis.

• The security mindset can encourage (or emerge out of) a sort of paranoia that sees the strangest risks in every situation. How can the framing of threat modeling harness the security mindset in trying to defend systems rationally?

Readings (don't worry, most of these are SHORT)

• Bruce Schneier, "The Security Mindset"

• Ed Felten, "The Security Mindset and 'Harmless Failures'"

• Alex, "Evolving Schneier’s Security Mindset"

• Kenneth F. Belva, "The Misleading Nature of Schneier’s Security Mindset"

• J. Alex Halderman, "Security Requirements for Voting" (video, 15 minutes long)

• Eliezer Yudkowsky, "Security Mindset and Ordinary Paranoia" (longish; skim if bored)

• Denning, Friedman, and Kohno, "Security Threat Brainstorming Cards: The Cards"

• Bruce Schneier, "Terrorists Don't Do Movie Plots"

• Bruce Schneier, "Beyond Secuirty Theater"

• Jan Schaumann, "Know Your Enemy - An Introduction to Threat Modeling" (longish; skim if bored)

• Shehzad Merchant, "Reversing the Asymmetry Between the Attacker and Defender" (kind of an ad, but makes interesting claims nonetheless)

• Tara Parker-Pope, "Wrong About Risk? Blame Your Brain"

• Bruce Schneier, "Perceived Risk vs. Actual Risk"