The Consumer Authentication Strength Maturity Model (CASMM)

A few days ago, Daniel Miessler updated the Consumer Authentication Strength Maturity Model (CASMM) to version 6.

It is a great #visualization of consumers’ password maturity.

While we are sometimes still struggling with people using shared passwords or poor-quality passwords, it will help show the path to more secure behaviours.

Also, it might create an anchoring effect and move the perceived norm for authentication to a higher level of maturity.

You can find the latest version of the CASMM on Daniel’s website: https://danielmiessler.com/blog/casmm-consumer-authentication-security-maturity-model/

Security Awareness Series from NCSA

In 2019, Adobe, the US National Cyber Security Alliance, and Speechless partnered to bring you a series of security awareness videos. The plan is to release one video every other month starting November 2019. A total of eight videos have been released.

Episode 1: Passwords
Episode 2: Data Handling
Episode 3: Computer Theft
Episode 4: Phishing and Ransomware
Episode 5: Removable Media
Episode 6: Vishing
Episode 7: Internet Downloads
Episode 8: Wi-Fi

Is Security Awareness a victim of the Shiny Object Syndrome?

Shiny Object Syndrome is not a medical or psychological syndrome. It is rather a human tendency, identified by various professionals from different backgrounds, to be attracted, or should I say distracted, by the new thing, without knowing if it is what you need.

What is the link with human-centric cybersecurity? Well, I have many times heard managers talking about a new tool or service they would like to try to help “fix” their human-related cybersecurity issues: another content provider, phishing platform, or LMS, or whatever else claims to be the solution to their problems.

The issue is that there was no issue. The changes they were expecting weren’t there yet and no tool would have solved that. At least, it would not have made it happen faster. As the saying goes, a woman can have one baby in nine months but there is no way to have a baby in a month, even with nine women. Change takes time, or to be more accurate, people need time to change. Of course, while we know quite precisely how much time is required to have a baby, it is hard to predict exactly how much time we need to shape behaviours and transform corporate culture.

It is important to measure the progress we make, adapt our strategy, and constantly learn from our experience with the people we want to educate. Still, it does not mean we have to change everything and start over. I have seen too many cybersecurity projects fail because the management did not give them the 10% extra time they needed to achieve their goal. They went for another product, started over and did exactly the same thing with the new solution a few years later. You should be better than this. In fact, you are! Have some trust in your people and in the process.