Readings on: The Security Mindset and Threat Modeling
Guidance/Questions -- As you read, try to internalize this vocabulary and think about these ideas.
Define: "security mindset", "harmless failure", "adversary", "asset", "vulnerability", "threat", "risk", "security theater", "movie-plot threat", "the attacker's asymmetric advantage"
Consider that there is no such thing as perfect security, and so security is fundamentally about risk analysis.
The security mindset can encourage (or emerge out of) a sort of paranoia that sees the strangest risks in every situation. How can the framing of threat modeling harness the security mindset in trying to defend systems rationally?
Readings (don't worry, most of these are SHORT)
Kenneth F. Belva, "The Misleading Nature of Schneier’s Security Mindset"
J. Alex Halderman, "Security Requirements for Voting" (video, 15 minutes long)
Eliezer Yudkowsky, "Security Mindset and Ordinary Paranoia" (longish; skim if bored)
Denning, Friedman, and Kohno, "Security Threat Brainstorming Cards: The Cards"
Jan Schaumann, "Know Your Enemy - An Introduction to Threat Modeling" (longish; skim if bored)
Shehzad Merchant, "Reversing the Asymmetry Between the Attacker and Defender" (kind of an ad, but makes interesting claims nonetheless)