Security Training and Ebbinghaus’ Forgetting Curve

There is a problem with training users outside of the security field. People forget things, so no matter how much we might try to teach them about warning signs there is always a limit. For those who work in security, it is sometimes hard to relate to the problems people outside our domain might have with retaining training. Not only do we tend to take various points as common sense, but we also forget how difficult it is to understand deliberate breaches of the social contract.

In addition, if we’re completely honest with ourselves, we forget to check things as well – it’s just that regular exposure to incidents keeps our awareness high, so these points get thoroughly burned in.

Teaching Cryptography with Lockpicking

I want to look at ways to relate physical models to core security concepts such as cryptography, to raise awareness and understanding of security for those who are less technical. As part of this I’ll be looking at mapping picking to power analysis, a technique for monitoring power consumption in hardware to discover cryptographic secrets.

Mechanical lock picking is an obvious starting point for this form of teaching since the terminology carries across reasonably well (or at least everyone understands keys) to digital lock picking. The first problem is that while it is simple enough to come up with a lockbox analogy for symmetric and asymmetric encryption, the single pin picking of locks doesn’t map across quite so well.