October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Schedule: The human element sessions

11:20am–12:00pm Tuesday, 11/01/2016
Location: Grand Ballroom West | Level: Intermediate
Average rating: 3.33 (3 ratings)
Security education's ultimate goal is to influence user behavior, ideally in an engaging way that allows us to collect metrics on our efficacy. Why then do most programs rely only on phishing to teach and test? Samantha Davison explores how to build simulations to test your users on secure behaviors, provide teachable moments, and stage your tests to collect meaningful data.
1:15pm–1:55pm Tuesday, 11/01/2016
Location: Grand Ballroom West | Level: Non-technical
Lance Hayden (ePatientFinder)
Average rating: 3.75 (4 ratings)
Lance Hayden introduces Security FORCE, a model adapted from research on high-reliability organizations (HROs). HROs thrive in dangerous and uncertain environments through a culture that emphasizes failure, operations, resilience, complexity, and expertise. The FORCE model applies these traits to cybersecurity operations and provides metrics to support successful enterprise FORCE adoption.
2:10pm–2:50pm Tuesday, 11/01/2016
Location: Mercury Ballroom | Level: Non-technical
Jamesha Fisher (GitHub), Christina Morillo (wocintechChat.com), Quiessence Phillips (Barclays | JOURNi), Heather Adkins (Google), Krystall Parrington (DePaul University)
Average rating: 5.00 (2 ratings)
The security community has called for more talent to fuel the roles we have lying empty; however, security has an unusually hardened pipeline that must be improved to support capable candidates getting through to promising security careers. Join in to hear the panel discuss their experiences encountering security's steel pipeline and share ways to improve it.
2:10pm–2:50pm Tuesday, 11/01/2016
Location: Grand Ballroom West | Level: Non-technical
Laura Mather (Unitive)
Average rating: 4.33 (3 ratings)
Groupthink is a serious vulnerability in which the desire for conformity within a group of people results in an irrational or dysfunctional decision-making outcome. Laura Mather describes lessons learned while designing teams to be resistant to groupthink at the NSA, eBay, Silver Tail Systems, and Unitive and outlines best practices for data-driven team building.
3:50pm–4:30pm Tuesday, 11/01/2016
Location: Grand Ballroom West | Level: Non-technical
Audrey Crane (DesignMap), Scott Cronin (DesignMap)
Average rating: 4.50 (2 ratings)
There is a gap between cybersecurity jobs and the people trained to do them, and this gap will grow in the near term. The user experience of cybersecurity systems will be a factor in mitigating the inexperience of future security specialists. Audrey Crane and Scott Cronin explore primary user research, present archetypal personas, and share prototypes of potential near-future security software.
4:45pm–5:25pm Tuesday, 11/01/2016
Location: Grand Ballroom West | Level: Intermediate
Kymberlee Price (Bugcrowd)
Average rating: 3.67 (3 ratings)
To build and maintain secure products, organizations need to enable their incident response teams to receive and respond to vulnerability reports and effectively partner with development, customer support, and communications teams. Kymberlee Price shares best practices for supporting these teams' product incident response programs and offers several free templates you can put to use right away.
11:20am–12:00pm Wednesday, 11/02/2016
Location: Rendezvous Trianon | Level: Non-technical
Brendan O'Connor (Malice Afterthought, Inc.)
Average rating: 4.50 (2 ratings)
Security people are "only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare," but often the relationship between security and everyone else is fraught. Brendan O'Connor explores how another group charged with protecting everyone handled this problem with humor, kindness, and a commitment to service.
1:15pm–1:55pm Wednesday, 11/02/2016
Location: Rendezvous Trianon
Sara "Scout" Brody (Simply Secure)
Average rating: 4.75 (4 ratings)
The security community has spent decades trying to define what secure systems look like in theory and how to achieve them in practice. This effort has largely focused on the machine components of the systems rather than the human needs and processes they are meant to enable. Scout Brody explores the mismatch between security wisdom and user realities and offers best practices for secure systems.
2:10pm–2:50pm Wednesday, 11/02/2016
Location: Rendezvous Trianon | Level: Beginner
Susan Sons (Center for Applied Cybersecurity Research, Indiana University)
Average rating: 5.00 (3 ratings)
Susan Sons tells the story of the ongoing intervention to save the troubled but ubiquitous Network Time Protocol's reference implementation, explaining how social, technical, and resourcing challenges came together to threaten a core piece of Internet infrastructure and how these challenges were overcome.
3:50pm–4:30pm Wednesday, 11/02/2016
Location: Rendezvous Trianon | Level: Beginner
Average rating: 3.50 (2 ratings)
Common security issues, such as user and software security or cybercrime, are affected by underlying economics—information asymmetry, market failures, cognitive biases, and so on. Thus, addressing security issues requires understanding how they can be seen as economics problems. Fernando Montenegro offers an overview of economics concepts and their application to cybersecurity.
4:45pm–5:25pm Wednesday, 11/02/2016
Location: Rendezvous Trianon
Dan Kaminsky (White Ops)
Average rating: 4.57 (7 ratings)
Hacking is a game, and defense both makes the rules and is under no particular obligation to play fair. So cheat! Dan Kaminsky explores better ways to deploy cryptography, protect data, leverage clouds, and more.