Dinei Florêncio
Cormac Herley
Presentation [PDF]
Twitter transcript
#weis2011 New threat model (that may scale). Rather than use individual users & attackers, use population of users, pop of attackers
#weis2011 assumption/proposition: attacker attacks when Expected{gain} > Expected{loss}
#weis2011 (me) more good math on the slides. using the populations, they made a probability model to predict detection/succumb/gain & cost
#weis2011 model has a core of "sum of efforts defense" (vs weakest link)
#weis2011 attacks are proven unprofitable if prob of success is too low or gain is too low < this may seem obv. but it's an interesting model
#weis2011 (me) really good examples of practical example of model efficacy. mimics/validates 2011 DBIR results (does not mention DBIR)
#weis2011 working through another example of using "dog's name" as password. (me) this could be a *rly* handy tool for threat modeling
#weis2011 Security does not mean avoiding harm, and avoiding harm is less expensive than being secure.
#weis2011 "Thinking like an attacker" does not end when an attack is found. Ask how you can use what you found to your advantage.
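The profitability test tweeted above (attack when expected gain exceeds expected loss, evaluated over a population of users rather than one user, with a "sum of efforts" rather than weakest-link defense) can be illustrated with a small calculation. The following is an added example, not the authors' model or code: it assumes a simplified form in which each user succumbs to a given attack with some probability, every attempt costs the attacker the same amount, and every success yields the same gain. All population sizes, probabilities, gains and costs are constructed for the illustration.

```python
"""Population-level attack profitability, after the WEIS 2011 talk notes.

Added illustration, not the paper's model: assumes per-user succumb
probabilities, a flat cost per attempt and a flat gain per success.
All numbers below are constructed.
"""
from statistics import mean


def expected_profit(succumb_probs, gain_per_success, cost_per_attempt):
    """Expected attacker profit from attacking every user in the population:
    sum over users of P[user succumbs] * gain minus the cost of each attempt."""
    return sum(p * gain_per_success - cost_per_attempt for p in succumb_probs)


def attack_is_profitable(succumb_probs, gain_per_success, cost_per_attempt):
    """Proposition from the talk: the attacker attacks when E[gain] > E[loss]."""
    return expected_profit(succumb_probs, gain_per_success, cost_per_attempt) > 0


def break_even_success_rate(gain_per_success, cost_per_attempt):
    """Mean succumb probability below which a population attack loses money.
    Lowering the population's mean below this (or raising attacker cost above
    gain * mean) is what makes an attack 'proven unprofitable'."""
    return cost_per_attempt / gain_per_success


def min_profitable_gain(succumb_probs, cost_per_attempt):
    """Smallest gain per success at which attacking this population pays off.
    Useful for a defender asking 'how valuable must an account be before
    this attack is worth running against us?'"""
    return cost_per_attempt * len(succumb_probs) / sum(succumb_probs)


def weakest_link_fails(succumb_probs, threshold=0.5):
    """Weakest-link view: the defense fails if any single user is weak."""
    return max(succumb_probs) >= threshold


def compare_models(succumb_probs, gain_per_success, cost_per_attempt):
    """Contrast the weakest-link view with the sum-of-efforts population view.
    A population with one hopeless user can still be unprofitable to attack
    as a whole, which is the core of the talk's 'sum of efforts' point."""
    return {
        "weakest_link_fails": weakest_link_fails(succumb_probs),
        "population_attack_profitable": attack_is_profitable(
            succumb_probs, gain_per_success, cost_per_attempt
        ),
        "mean_succumb": mean(succumb_probs),
        "break_even": break_even_success_rate(gain_per_success, cost_per_attempt),
    }


if __name__ == "__main__":
    # Constructed population: one user who always succumbs, 999 who rarely do.
    mixed = [1.0] + [0.001] * 999
    print(compare_models(mixed, gain_per_success=100.0, cost_per_attempt=1.0))

    # Constructed "dog's name as password" case: 2% of users guessable this way,
    # one guess costs 1 unit. How valuable must an account be to justify it?
    dogs_name = [0.02] * 100
    print("min gain to make it pay:", min_profitable_gain(dogs_name, 1.0))
```

The point of `compare_models` is that the two views disagree on the same population: the weakest-link check reports failure because one user is certain to succumb, while the population calculation shows the attacker loses money on the campaign as a whole, so that user is never attacked by a rational attacker running it at scale. `min_profitable_gain` turns the same arithmetic into the defender's question of how much gain per success an attack needs before it is worth running.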