Developing a Security Mindset
Category:Higher Education,Information Security,Infosec Communicator,Risk,UncategorizedIn my Cyber Self Defense course at the Rochester Institute of Technology, I teach a module on Developing a Security Mindset. Based on a class exercise by Tadayoshi Kohno at the University of Washington (mentioned in a blog posting by Bruce Schneier), the goal of the module is to reorient students’ thinking from the features of a product and how those features are supposed to be used to thinking about how someone might “hack” the product. In other words, develop a security mindset.
I ask the students to determine product assets and vulnerabilities and identify how someone might attack the product. The students are told that they do not have resources to counter every possible threat.
I also have the students create a risk map that depicts the likelihood of a particular attack and the potential impact of that attack. Placing specific threats on a risk map helps students understand that since not all threats bear the same weight they need to choose what is most important to defend against.
The twist to the exercise is that students may not conduct an analysis of a computer-related product. For example, subjects presented by my students this quarter included Water Purification, Bicycle Safety, Running a Pizza Business, etc. As the students presented, we discussed their risk maps and the choices they made.
Group one risk map for a water purification plant
Although we may not agree with the students’ risk map, the exercise stretches IT students to think “outside the box.”
Related articles
- Bruce Schneier: “The Security Mindset” (schneier.com)
1 Comment
Tweets that mention Developing a Security Mindset « Infosec Communicator — Topsy.com
October 27, 2010at 11:31 pm[…] This post was mentioned on Twitter by RIT InfoSec/Ben, Education, STC Rochester, Lori Meyer, Ben Woelk and others. Ben Woelk said: Developing a Security Mindset: https://wp.me/pVsey-bM […]