Tools vs threats model: making the conscious use of tools for trainees
Usual situation: after the digital security training an average participant knows lots of new tools, but doesn't actually realize what each tool does and (extremely important) what it does not. Here in DSS380 (Digital security school Ukraine) we have started to pay a lot of attention to threat modeling, and for now we think that the model "policy - threat model - mechanism" really works and makes everything much clearer. I would like to do a small 45-minute session with an example of how it could be done at a training: to take one tool or mechanism (chosen right there at the beginning of the session) and bring it into the "policy - threat model - mechanism" model.
|Bio/s||32 yo leading trainer of the DSS380.ORG - Digital security school in Ukraine (established by eQualit.ie in summer 2015), before - independent DS trainer, worked with OSCE, IWPR, Europeum, Internews Network, ISC project and others.|
|Language||English (not the best one)|
- Security != tools
  - Big problem: trainees expect tools / a silver bullet - it's not a training w/o tool learning
  - but also so many tools; overlapping and confusing; need better understanding of threat models
  - good allegory of people taking pills w/o doctor input; taking random pills, getting conflicting Rx's
- How to deal?
  - Discuss threat models of personas
  - asset-based threat modeling - talking about data/assets and adversaries
  - Operational risks; starting even with travel and seat belts; moving into risk assessment and priority setting
  - flow diagram to show the exceptional security and "normal" daily level pair with threat model
  - rad.cat immersive exercise that shows how things travel, starts with sending a letter