steve at srevilak.net
Sat Oct 31 00:33:53 UTC 2015
semprephi> Btw, related, does anyone have a quick way to convey the
semprephi> concept of "threat modeling” (or even “attack surface”) to
semprephi> the layperson? Or perhaps to allow participants to identify
semprephi> threats? (Construing “threat” broadly to include annoyances
semprephi> such as the encroaching corporate and governmental reach.)
semprephi> This will set the stage for describing the “security
semprephi> sliders” available on Tor and other tools.
I've generally had good luck in framing these topics as "risk
management". Yes, "risk management" is another piece of jargon, but I
find that once you explain what it is, people seem to get it.
When giving a talk, I might say something like this:
Risk management is about as exciting as buying insurance (which, I
should point out, is a form of risk management). The basic idea is
to start with something bad that might happen. Risk management is
whatever you do to prevent the bad thing from happening, or to make
it not so bad when it eventually does happen.
How many people here lock the door to your apartment? How about
your car? Okay, why do you do that? (So no one comes in and steals
my stuff). That's an example of risk management.
Anyone here ride a bicycle? Do you wear a helmet? That's another
form of risk mangement; the kind that can make a bad thing (e.g., a
bicycle accident) less bad. Helmets are much cheaper than skull
From there you can go in a couple directions. You could go on to
introduce security as a continuum, along with cost/benefit
considerations. (Would 15 locks on your door be more secure than one?
So why don't you have 15 locks on your door?)
It can also be an introduction to threat modeling. For example: What
risks are you concerned about? (This is a good question for
cryptoparties.) Have you thought about these other things?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the tor-teachers