Daniel Woods
883 posts

Daniel Woods
@IelTop
I research the economics of cybersecurity & privacy. Cyber risk science at @SolveCyberRisk @EdinburghUni. My own thoughts.
Joined April 2011
793 Following, 798 Followers

I moved to <the other platform> and hope others will join.
@CDra_90n set up a "security economics" follower-pack so you can quickly build a network of WEIS-y people.
Contact one of us if you join <the other platform> and want to be added to the starter-pack.

@RobTerrin Apparently it's the old number because that was 2004!
Buffett as an unlikely Gen Z who thinks you need $500k a year for a comfortable life.

Wait... $10M is the new number for "so they can do anything but not enough that they can do nothing"!?!?
Evan@StockMKTNewz
Warren Buffett who is currently the 7th richest person in the world worth $150,000,000,000.00 just sent out this letter explaining his thoughts on distributing his wealth after he passes away A thread 🧵⬇️

@rossjanderson @CDra_90n also scraped a bunch of descriptive stats on team size, finding that the biggest teams have 500+ members.

My favourite finding is that these teams function like labour unions in negotiating with large tech companies to receive fair bug bounty payouts.
This fighting for the little guy was very much @rossjanderson.

Very proud of @CDra_90n who had his first article accepted at @IEEESSP.
The paper looks at the role of hacker teams in the Chinese bug bounty ecosystem.
We very sadly lost @rossjanderson midway through this project.
computer.org/csdl/proceedin…

@RobTerrin @ravirockks @ollieatnowhere The real question is what's more expensive. Paying an InfoSec person not to do Infosec and instead learn a bit of insurance, or to pay an Insurance person to learn a bit of InfoSec 😀

Some points on whether insurance data is good data for general cyber risk modelling.
@ollieatnowhere, @IelTop, any views?
infosec.exchange/@TindrasGrove/…

@ravirockks @ollieatnowhere The points about InfoSec expertise bothered me more, as if the industry hasn't thought about hiring/acquiring outside insurance.

@IelTop @ollieatnowhere Yeah, agree re the pessimism of the tone.
I mean, the samples in the Coalition, etc reports aren't tiny.
Daniel Woods retweeted

The entire 3rd-edition of @rossjanderson's "Security Engineering" is available free as PDFs now!
cl.cam.ac.uk/archive/rja14/…

Interested in pursuing an MSc in Cyber Security, Privacy and Trust, freshly certified by @NCSC?
Register for our virtual open day next week to hear more: informatics.ed.ac.uk/postgraduate-v…
@InfAtEd @EdinburghUni

Overview of the recent (lack of) progress towards establishing a software liability regime.
therecord.media/cybersecurity-…
Daniel Woods retweeted

📅 Join us on 29 October for an online panel on the cyber insurance industry’s efforts to shape global cybersecurity governance. Find out more on our website.
🗣Speakers include: @josephinecwolff, @IelTop, and @tjohansmeyer.
my.rusi.org/events/webinar…

@ale_paulus @CyberStatecraft This kind of argument has been made for over a decade, but the availability of info has changed in the last few years.
For example, Sezaneh Seymour and I assembled info on security control efficacy in our 2024 article: tandfonline.com/doi/full/10.10…

"Policymakers and practitioners currently lack the capacity to evaluate the cybersecurity ecosystem and assess [...] which policies work and how well. The need for such an understanding is fundamental."
Good read by @CyberStatecraft 's Stew Scott.
lawfaremedia.org/article/counti…

@ravirockks @jamiemaccoll @arekfurt @jamiemaccoll will be able to speak to how insurers influence DFIR firms on payment decisions, but the influence won't be via wordings

@ravirockks @jamiemaccoll @arekfurt I think insurance wordings/disputes are a red herring.
They've made a court acknowledge the elephant in the room, e.g. that OFAC don't enforce ransomware sanctions. But that doesn't mean the specific wordings matter much.

@Maxwsmeets What do you see as the gold standard for estimating ransomware trends?

I appreciate IST's work and @craignewmark efforts but these statistics can be misleading without proper context.
The source of data matters; aggregated from leak sites.
craig newmark@craignewmark
#Ransomware attacks increased by 73% across the world in 2023, @IST_org and the #RansomwareTaskForce report. Once again, governments and hospitals were among the most targeted industries. Check out their map and learn more about how we can combat ransomware: securityandtechnology.org/blog/2023-rtf-…

