With the commercial, and in some cases regulatory, pressures to make data more widely available, there is an emerging need to be able to selectively manage the sharing or disclosure of potentially sensitive data. In many sectors there is also a need to manage access to federated data, some of which may be commercially or reputationally sensitive. Current access control practices are limited in their ability to handle the more sophisticated requirements associated with selective openness and/or federated data sharing.

Using case studies, this session will consider the application of different access control methods and their limitations, particularly with regards to file- or object-based sharing. It will examine the issues that arise from data aggregation and permit the pattern-of-life of assets, individuals, and groups to be determined. It will explore the requirements for more sophisticated controls and consider how the requirements can be expressed in a standardised format.

In the “new normal”, also known as the hybrid workplace, effective leadership is more important than ever, especially when it comes to fostering a sense of connection and strong culture within organizations.

The latest Gallup research shows that in 2023, an overwhelming 59% of employees prefer a hybrid work model (up from 32% in 2019), and that 60% are “extremely likely to change companies” if they cannot be offered the flexibility that they want (up from 37% in 2021). In fact, “managers don’t know what to do and are accumulating dangerous levels of stress and subsequent burnout (real mental health issues)”.

Simon Sinek, renowned leadership expert, has identified a set of key fundamentals of effective leadership, that offers valuable insights to leaders who want to build a strong and connected culture that supports all team members, regardless of their location or work schedule.

This session will look at how to apply these fundamentals to the Gallup research on the future of hybrid work, to create and support strong, high-performing teams that are motivated and engaged in achieving shared goals.

Many consultants need a laptop for their work at home or at the office of their clients. In many cases you are totally dependent on your computer and as many years when by, the more complex the systems became.

I did some research on the behaviour of Windows 10 systems, and guess what: A lot of information is sent to and from the system towards Internet, without knowing of the owner or any need to, especially during startup of the system.

When I ask a consultant the question: “Do you trust your computer?”, most of the time the answer is: “Yes, I use bitlocker and a virus program to protect my system.”

In my research I found a lot of information that is sent during startup to or from the internet that can harm your system of even disclose information about the system, yourself or even the data of the client.

In my presentation I will show some examples of information flows during startup and emphasise on the possibilities of disclosure of information at the startup of a system and show a way how SABSA can help you to minimise the risk of any possible disclosure.

At COSAC 2021 we learned how businesses had to evolve their approach to risk management as a result of the COVID-19 pandemic, and how individuals need to pay more heed to their own risk management if they are to minimise the impact on themselves of adverse events.

Since 2021, governments, organisations and companies have continued to re-shape the ways in which they engage with their citizens and customers. Generally, it has become harder for customers to engage with organisations on a human-to-human level and the frustration around the resulting impression of the customer ‘not being important’ has driven trust levels heading to an all-time low.

But does this matter? What real power do customers have? Will there be more “Elon moments” or is this the new normal. If you were mapping out an organisation’s Business Attributes, would you be just making sure you had “Resilient” under the Operational Attributes heading of your Taxonomy or would you be trying a different approach?

How does timeliness affect this? Trust is often lost when the trust relationship becomes asymmetric and the power has been mostly moving in organisations’ favour. Being on hold and 947th in the queue and hearing that “your call is important to us” is not timely at all.

But what if it can flip the other way? What if your customers start using crowd-sourced high-speed messaging against you because they cannot contact you? If the trust in your relationship is in doubt, then your organisation could be toast, think Silicon Valley Bank becoming insolvent in a matter of hours because of Twitter.

In this talk I will review the ways in which trust can affect an individual’s or an organisation’s approach to risk and what organisations should be doing about it. Is it feasible to deploy AI to actively engage with customers, or key influencers, to head off a customer Trunami? And what does good look like?

As ever, there will be some illuminating real-world examples and plenty of opportunities for contributions from the COSAC delegates.

One of the first requests of a new security leader is to build a cybersecurity strategy for their organization. How does one go about building one? What are the considerations for the security leader. How does the leader really know what will work and what won’t? This session will focuses on 4 main methods to build a cybersecurity strategy, a proposed 6 step process, and 13 control frameworks that are in use by different organizations today. This is intended to be an open discussion across the pros and cons of each of these approaches, with the goal to debate which frameworks work well in which situations.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2022) and ISACA top-rated speaker.

This session will present an integration and enhancement of the SABSA Risk Management Process using Cyber Threat Intelligence. During the Chaos Monkey Threat Modelling session in COSAC APAC 2023, the conversation turned to the Intelligence Preparation of the Battlefield methodology and its utility for threat modelling in cyber security.

This session will introduce the Intelligence Life Cycle, its application to cyber security with the Intelligence Preparation of the Cyber Environment and will align with the SABSA Risk Management Process. The session will also discuss modern Intelligence Driven incident response processes and help network defenders to build a security architecture that meets with the capabilities of modern threats.

The session will come back to the fictitious State Power Corporation and will help architects with a worked example of how to build cyber threat intelligence informed cyber security architectures. The session will encourage participation and aim to educate on the why we need to use threat modelling to inform defensible architectures.

This presentation will provide an in-depth analysis of recent developments in ransomware response, with a focus on alternatives to paying the ransom. The growing threat of ransomware attacks has led many organizations to consider paying the ransom as a last resort, but this option can be costly and may not guarantee the safe return of data.

One significant challenge is the use of cryptocurrency for ransom payments, which can exacerbate the problem by making it easier for criminals to demand payment and avoid detection. Moreover, recent regulatory efforts in various countries seek to make the payment of ransom illegal, which further complicates the response to ransomware attacks.

In addition to the ethical and legal considerations, the cost-benefit analysis of paying ransom also needs to be taken into account. In some cases, paying ransom may seem like the most cost-effective option in the short term, but it could ultimately lead to more attacks and higher costs in the long term.

Export control regulations, sanctions regulations, and Specially Designated National regulations also need to be taken into consideration when devising ransomware response strategies. These regulations may restrict the ability of organizations to use certain technologies or engage in business transactions with certain individuals or entities, which can limit the available options for responding to ransomware attacks.

Moreover, there may be laws, regulations, or restrictions on paying ransom under the laws of Ireland or Great Britain, which can further complicate the decision-making process. The presentation will examine the legal and regulatory landscape in these jurisdictions and provide guidance on how to navigate these complex issues.

Alternative approaches to ransomware response will also be discussed, including hacking the ransomware itself, hacking the encryption keys, and taking affirmative action against the threat actors behind the ransomware attacks. These options may offer a viable alternative to paying the ransom, but they are not without risks and challenges.

The presentation will conclude with a discussion of the importance of taking a proactive approach to ransomware response, including investing in cybersecurity measures that can help prevent ransomware attacks from occurring in the first place. By adopting a comprehensive strategy that includes both preventive and responsive measures, organizations can better protect themselves against this growing threat and avoid the need to pay ransom.

Security is often seen as a technical problem that can be solved by implementing technical controls. Yet, effective security requires more than just technical controls.

We know that culture plays a significant role in cybersecurity, perhaps the most critical. Despite this, for the past 30 years, it has received little attention, and our efforts are limited to publishing security policies and delivering awareness training in an attempt to make security everyone's responsibility.

But how effective are these initiatives? How successful are they at establishing positive security cultures? Are they more than a compliance box-ticking exercise? Can they cause more harm than good?

Is it time for us to explore a different approach? In this interactive session, we will:

• • examine why traditional methods fail to establish security cultures,
• • discuss the factors that influence culture and explore how they apply to organisations and cybersecurity, and
• • explore what we can borrow from other theories and disciplines** to architect effective security cultures.

** These may include social norms, organisation design, and team topologies.

Over the last year we have almost doubled the size of our team. It’s been hard work finding the right people and starting to shape our future. But the real work starts here.

Until now, the organisation expected us to deliver the security designs for individual project solutions, but we know we have more to offer. We want to deliver an enterprise security architecture that shapes all our solutions and enables the business. We want to sell our vision and convince our stakeholders what they should (and shouldn’t) expect from us. We want to be shaping the security investment portfolio for 2024. We want to flip from project-based design methods to fast-paced security architecture in a scaled agile methodology. We want to introduce SABSA. And we want to make everything we do more organised, repeatable, consistent.

It’s ambitious. Will we do all of this in 12 months? Probably not. But we have started.

In this talk, I will describe the journey we’re on, how we’ve decided to tackle the challenges, what’s working, what’s not, and what we’ve learned in the process so far. Whatever happens, we’re looking forward to understanding ourselves better along the way. By sharing, I’m hoping our experience can help you, and your experience can help us.

Leveraging our discussion at COSAC Connect 2021 on Critically Destructive Cyber Incidents and Cyber Trauma (thanks to Sian John for excellent moderation of discussion and quizzes!)… informed by our on-going work with professional Hostage Negotiators (Kidnap & Ransom experts ex- U.N., Politie Netherlands & Canada), a deeper dive with Professional Psychologists who are also Cybersecurity practitioners.

1. Acute Toxicity – Cyber Incidents can be directly traumatizing or merely a vector for existing trauma. From cyber-bullying through sextortion, cyber can be just an accelerant for long-standing toxic-behaviors. But it can also lead to new modus operandi that can and should be recognized. We explore this in true COSAC fashion with an examination of the attributes and artifacts and the help of our six honest serving wo/men “(they taught me all i knew); Their names are What and Why and When And How And Where and Who.”

2. Chronic Toxicity – “… is the development of adverse effects as the result of long term exposure to a toxicant or other stressor. It can manifest as direct lethality but more commonly refers to sublethal endpoints such as decreased growth, reduced reproduction, or behavioral changes ...” Multiple cyber-incidents over an extended period of time, the continued feeling of inadequacy and never ever is it ‘good enough’ as there is always yet another attainment just out of reach in our search for the unattainable ‘perfect security.’ We set ourselves up for failure at the outset. Whether it is something we carry from role to role and accrue over time. We explore the artifacts and evidences and negative behaviors thought processes and exacerbating mental models …

3. Organizational Toxicity: Lessons learned from the RSA Hack 10-years later: What are the behaviors during the ‘worst shitstorm ever’ and the narratives developed by momentary behaviors and how do these impact us long-term? What are the damages caused by the culture of secrecy and of the ten-leading-indicators of organizational toxicity, how many of these can we see in the cyber-defense teams and reactions to cyber incidents?:

And, what does Lesly Kipling and Sian John along with Marie Kondo approach to cybersecurity (discussed at COSAC long before Bob Lord chatted about it at RSA in 2022 [ref]. From cleaning out our mental attic to figuring out how to spark joy in our cybersecurity ecosystems? How many excess solutions and workarounds have we layered upon ourselves by making tactical decisions time after time until we trip over our own feet and diminish our performance and satisfaction exacerbating our daily frustrations. How do we take a retrospective ‘cleaning’ and ‘trash-taking’ exercise to our security layers.

Lastly we explore evolutions of thought and ‘therapy’ in treating the individual and the aggregate entity: ”…The trauma can always be conceptualized as a dent in your identity. The traumatic part isn't that a car almost ran you over, the traumatic part is what kinds of things you tell yourself about it, like "I'm not in control of the situation" or "bad things happen to me repeatedly because I'm unworthy …these are all equally much nonsense as telling yourself you ARE in control … 'corporate identity' is a group identity that can be similarly healed through the individuals, by creating a new narrative and going through the neutral events (this happened, that happened, then this happened) with the new positive narrative in hand. A kind of appreciative enquiry into the worst shitstorm ever. Switch the focus from all the things that were bad to the things that worked, and tie it all into the more positive narrative. Don't avoid the trauma or silence it to death, because like emotions and personal trauma, everything pushed into the closet will just grow, and tend to repeat…”

Going on 3 years now, the presenter has been hosting a weekly podcast host, interviewing over 150 Chief Information Security Officers (CISOs) and top industry leaders, discussing top security issues. This session will consist of an interactive game, where we randomly select a “dial-a-CISO”, and listen to a 30 second clip that introduces their topic. We will then briefly discuss, agree, disagree, debate, with their opening statement! This will be an interactive session where we discuss and have an appreciation for the breadth of issues a CISO faces today.

This session describes how a SABSA deployment that initially focused on securing change has evolved into an extensive distributed security controls assessment function, spanning both change and run. We also explore how we intend to take this function into the future, including ongoing/continuous controls assessment and the new frameworks we are building.

We start with the back-story of the ‘Secure by Design’ practice at a large financial services organisation in Australia - a practice that was originally inspired by SABSA but has now been operating for over 15 years. We then explore how this ‘Secure by Design’ has evolved over the years, and how it is now delivering value far beyond its initial scope. This leads to a discussion about what might be possible if we continue to extend SABSA beyond Architecture. Finally, we outline our intent for future experimentation.

The speaker has led this program over fifteen years, embedding SABSA at the core of the security architecture function at this large financial organisation in Australia. This speaker helped create and enable a large cohort of SABSA-certified professionals that operated across architecture and security teams, ensuring the concepts permeated far beyond their security architecture roots.

Politics always influences our cybersecurity agenda, geopolitics drives our risk agenda, and compliance requirements with new laws and regulations drive the implementation of various mandatory controls. Currently, the world is changing faster than ever before. Geopolitical tensions, the fight against cybercrime and espionage, state protectionism, and the continued focus on data privacy, on the other hand, create a challenging cocktail of laws and regulations to abide by.

In this session, we will go around the world region by region and discuss new and anticipated laws, regulations, and other political issues that might influence your cybersecurity roadmap in that region. Among other things, this talk will cover:

• • The new EU Cyber security law “NIS2 Directive”
• • The US FAR provision 52.204-24, "Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment."
• • Implementation of the Cybersecurity Law of the People's Republic of China.
• • India’s 6-Hour Data Breach Reporting Rule
• • The UK’s update to NIS Regulations

Per region, we will discuss what is new, expected, and strange, and we will discuss the impact those laws and regulations can or will have on our cybersecurity agenda.

In this session I will present and discuss some insights gathered during a chat with my daughter and her friends regarding how information is shared, how assets are shared and how security is perceived amongst their generation, the next generation.

A short impression of this was given at the Rump session at COSAC APAC 2023, and many believed this should be extended with more details and insights.

Let us discuss how we can reach out to them on the basis of our observations. How can we best address the messages we need to get across for them to support the required level of security for the organization.

Today, there is not a lot of published case studies on the successful application of a SABSA-based approach to Cybersecurity Solution design, especially from organizations based in the USA. There are several factors for a lack of case studies. The purpose of this talk is to contribute to the body of case studies successfully applying a SABSA-based approach to cybersecurity solution design. The SABSA-based approach utilized for the case study is derived from applying the lessons and techniques learned from official SABSA training classes and from the ”Building Effective Security Architectures” program.

The value of the talk is: 1) to encourage to others to publish and share their SABSA success stories; 2) to learn about barriers and enablers for implementing a SABSA-based approach to Cybersecurity Solution design; 3) to see and discuss architecture artifacts and techniques. All of this content and expected discussion is to help others accelerate their cybersecurity solution design efforts and cybersecurity architecture program in general.

Reflecting well established principles of Responsible Research and Innovation (RRI), the UK’s AREA Framework aims to ensure the careful consideration of the future consequences of emerging technical innovation processes, policies, and outputs. The AREA framework is supposed to lend structure to the way in which we approach thinking about the future uses, abuses, and longer-term multi-order impacts of the accessible and inclusive technologies we are designing and introducing to market. First and foremost, the framework asks us to Anticipate – to imagine a wide range of the intended and unintended uses and abuses that a product or service might encounter; the desirable and undesirable outcomes that might result from its release into the real world. Increasingly, however, digital devices designed to enhance security, accessibility, and inclusivity are reportedly being misused: cases of technology-facilitated domestic abuse worldwide, for example, reveals the extent to which connected doorbell apps, banking apps, smart energy meters, and the like, can be exploited to cause real world harms.

This session discusses whether the AREA framework is working well enough in anticipating (and pre-empting these abuses) – especially in critical contexts such as the design of statutory services that are not only digital by default but that are also realisably secure for those who are vulnerable in society. Among possible refinements to the framework, we will explore the ‘universal barriers library’ recently developed by the UK’s Government Digital Service in collaboration with designer and anthropologist Ute Schauberger. We reflect on how security design processes might incorporate universal barriers as part of the AREA framework as a method to ensure we really are designing the most secure, accessible and inclusive technologies that we can.

Historically, societal views on people who are different to the more dominant traits of the population have been extremely damaging and compromise our ability to get the best innovative potential from them.

Even with innovative and creative thinking being required more than ever, people who think and learn differently to most are finding it harder than ever to find and retain meaningful employment. Current diversity efforts often focus on key diversity dimensions often at the expense of other dimensions.

One of the hurdles neurodivergent people face is the prisoner’s dilemma of risking discrimination or face not acquiring the very accommodations they need to survive and thrive.

NeuroInclusivity recognises the need for diversity initiatives to focus on the diversity of what is inside people’s brains rather than on the physically obvious by recognising that everyone needs accommodations at some point in their life – whether it’s because they’re going through a divorce, struggling with depression, naturally sensitive to stimuli or whether they need to be able to pickup their kids from school and that these needs should not require people to disclose a diagnosis. By embracing this concept organisations can finally properly tap into the innovative potential that often already exists

Have you ever been in a conversation where one word or phrase alters the entire direction and feeling of it?

We all have internal subconscious filters that delete, distort or generalise inputs we receive every day from our senses. These are formed based upon our own individual experiences and perspectives of those throughout our lives from the moment we are born. A simple word such as “Normal” could have significant differences from person to person. For one going out before breakfast hunting in the Serengeti with a rifle at eight years old is normal. For another sitting at the breakfast table eating their Weetabix watching cartoons is normal.

Now take the word “Architect”…….BOOM! Ask ten different people you get ten different answers when it comes to the technology realm and don’t get me started on what job adverts claim it to be.

Following on from Rob Campbell and Gorden Jenkins sparking debate at COSAC 2022 on “Mistaken Identity” one madman returns with an architected identity of a Security Architect to be placed under the COSAC microscope! Be gentle….please!

This presentation will explore the growing divergence between the fields of cybersecurity and data privacy, as well as the implications of this trend for information security professionals. In recent years, there has been a growing focus on data privacy, particularly in the wake of major data breaches and new regulations such as GDPR and CCPA. However, this focus has often come at the expense of cybersecurity, with some professionals becoming experts in privacy but having little knowledge or experience in cybersecurity, and vice versa.

The presentation will highlight specific examples of this divergence, including the rise of data protection officers (DPOs) who are responsible for ensuring compliance with privacy regulations but may have limited experience in cybersecurity. Conversely, cybersecurity experts may have limited understanding of privacy regulations and may focus more on technical solutions rather than broader data ethics considerations.

The presentation will also explore the implications of this divergence for information security professionals, including the need for greater collaboration between cybersecurity and privacy experts. It will examine the importance of a holistic approach to information security that takes into account both cybersecurity and data privacy considerations. Finally, it will discuss the role of emerging technologies such as artificial intelligence and blockchain in bridging the gap between these two fields.

In conclusion, while the fields of cybersecurity and data privacy have diverged in recent years, they remain inextricably linked. It is essential for information security professionals to have a deep understanding of both fields in order to effectively protect their organizations from cyber threats and ensure compliance with privacy regulations. By embracing a holistic approach to information security, organizations can strike the right balance between cybersecurity and data privacy, and stay ahead of emerging threats and regulations.

This is a novel and unique discussion on changing the way we think and enhancing human performance using neurolinguistic programming (NLP) from the perspectives of both neuroscience and information security. This timely presentation debunks current human resource and information security thought leadership and training materials, addressing how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misunderstanding of how the brain works.

Reprogramming the nervous system through the use of language, dubbed neurolinguistic programming, is referenced in security awareness training, self-help programs and seminars, and leadership training. Authoritative sources claim that one can leverage eye-gaze patterns, posture, tone of voice, and language patterns to communicate effectively, influence others, and change their own thoughts. By exaggerating the potential impact of behavior when presenting otherwise accurate information, these professionals can skew materials to make them entirely incorrect. This impairs the ability of information security professionals to influence system changes, develop awareness training, and create appropriate defenses.

The value in this session is providing information from current brain science to use in training. The approach of this session is to provide opportunities to challenge and give input while imparting attainable, accurate science on the brain.

A game for Security Architects to sharpen their skills in honourable intellectual combat

Duelling Architects is an original competitive team-based serious game designed to create development opportunities for enterprise security architects. Play follows the full lifecycle of an enterprise security engagement. Teams are pitted against each other to create, present their solutions while critiquing other teams work and defending their own. This gameful approach leads to peer learning through social constructivist techniques.

The game is needful as there are few opportunities outside of professional engagements to exercise these skills in full and with other skilled practitioners. Many practitioners find that they only have opportunity to implement parts of a full strategic enterprise security architecture. While this is to be expected it limits personal skills growth and can lead to atrophy of our collective tradecraft.

Duelling Architects creates opportunities for motivated security architects to learn from each other through play. The game aims to complement existing development options such formal training, on-the-job experience and peer presentations or papers.

The session will include an introduction, walkthrough and abridged demonstration of the game. Further video and print resources will be made available for attendees to explore independently.

On 22 July 1940 at the request of the newly appointed British Prime Minister, Winston Churchill, the Special Operations Executive (SOE) was formed officially from the amalgamation of three existing secret organisations. Its purpose was to create and aid resistance organisations to carry out subversive operations in enemy-held territory, mainly in Europe. Its head, Hugh Dalton, wrote in his diary that on that day the War Cabinet agreed to his new duties and that Churchill had told him, "And now go and set Europe ablaze”.

Over seventy country houses, castles, colleges, hunting lodges and other remote properties were requisitioned in Britain and even more overseas to provide this new organisation with the special equipment and services that it required.

One critical service that SOE agents needed was the production of the highest quality forgeries of those official documents that validated their clandestine identity and would withstand scrutiny in the event they were examined by the authorities in Nazi-occupied Europe.

SOE’s False Document (Forgery) Section was first established in the basement of Briggens House, near Harlow in Essex. Initially designated Station 38, the house and grounds had been used to complete the training of elite Polish saboteurs and provide them with counterfeit documents before they were parachuted into Nazi-occupied Poland. SOE’s Forgery Section was designated Station 14 and co-existed with Station 38 until the demand for its false documents required it to expand its space, whereupon Station 38 moved to another location and Station 14 occupied the whole site.

Little was known of Station 14 until Des Turner’s book ‘The Secrets of Station 14 – Briggens House, SOE’s Forgery and Polish Elite Agent Training Station’ was published in 2022.

Its publication came at the same time as we were starting work on handlisting the private collection of the Late Tony Sale that his family had donated to the National Museum of Computing on Bletchley Park. Within that collection were items in a box marked ‘Briggens’, that included several tightly wound rolls of printed paper, cards, photographs and negatives. These original artefacts are of significant historical value and we are in the process of having them professionally conserved so they can form part of a special exhibition in due course.

In this talk we will show some images of those artefacts and, courtesy of one other private archive, put into context the importance of the work at Briggens through stories of individual SOE agents and their activities.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.