Conversation

I'd like to give a conference talk about what infosec can learn about risk from outdoor recreation — kayaking, backcountry skiing, climbing, mountaineering, etc.

A focus in these communities is "safety culture": finding ways to pursue inherently dangerous activities more safely. Lots of it translates to infosec!

If you think this would be a good fit for your con, reach out! I'm not looking for special treatment, happy to put a proposal into a CFP, just not sure who might be interested.

A teaser:

Here's today's avalanche forecast for the Mt Hood zone: https://nwac.us/avalanche-forecast/#/mt-hood

I bet you can read and understand a lot of it, even without any prior avalanche training! And if you _do_ have even some basic avy awareness, it'll give you super-clear information about what is and isn't safe out there right now.

This isn't accidental; there are literally multiple PhDs obtained from researching how to communicate this clearly.

What if we could communicate security risks this clearly?

@jacob I would imagine there is a fair bit of overlap with aviation too, both commercial and general!

@ThePaulMcBride indeed there is, @andrew gave that talk! I'm not a pilot, but I _do_ participate in a lot of these potentially-risky outdoor activities, so I can give some first-hand perspective about that part.

@ThePaulMcBride yes, and I want @thatandromeda and @zorkian (who are pilots) and @sigridellis (who worked for many years as an air traffic controller) to write and speak about that, from their position of personal experience including their own personal stories!

@jacob has a bunch of outdoors recreation experience and personal stories to tell that I'm looking forward to hearing

@jacob [Or piggyback a track onto an existing one, like a fringe fest/BSides/Hatchery/FOSDEM Devrooms sort of thing.]

@jacob @ThePaulMcBride One of my favourite talks I've ever given, in fact. Aviation's parallel is more with the engineering side of things, while I think there's also a lot of value in (what I think Jacob is proposing) of the process and procedural side of things. You can't engineer a hiking trail to have triple redundancy but you can approach a known risk with a good safety culture.

@jacob Even though I don’t do much outdoor climbing anymore, every few years, I read the latest Accidents in North American Mountaineering as a reminder to not be complacent. I suppose the equivalent for developers is reading incident reports? Unfortunately there aren’t many that are on the same scale as ANAM, which doesn’t just cover major incidents.

@andrew exactly! The term outdoor communities often use is "objective hazards": risks that exist in the real world that you can't do anything about, e.g. avalanche conditions, whitewater, poor rock on a climb, etc. You then develop tools and techniques to deal with those objective hazards, everything from "wear a PFD" to "snow's dangerous, stay indoors today". Most communities with robust safety cultures have fairly well-developed processes and practices here. @ThePaulMcBride

@jacob I love this talk proposal idea!! Your mentioning weather reminds me of a blog post I wrote awhile back about security comms and what they can learn from the national weather service: https://thisisimportant.net/posts/security-communications-lessons-from-the-national-weather-service/

but as an avid listener of podcasts like The Sharp End (play hard and be smart!) I love the outdoor recreation angle so much! I hope you can find a venue for this talk!

@smore I LOVE The Sharp End, one of my favorite podcasts. I've often fantasized about a similar show about breaches! (Darknet Diaries does this sometimes but not in the same way and not all the time.)

@alpha yup! I'm a member of the AAC specifically for that pub. The closest equivalent in our field is the DBIR (https://www.verizon.com/business/resources/reports/dbir/), which I do read and also enjoy. But yes, it's not on the same scale: the mountaineering community has done an amazing job creating a culture where people self-report accidents really consistently, to the point where ANAM is as close to comprehensive as you could want. The security community, unfortunately, tends a lot more towards minimizing and covering up.

@jacob I appreciate that it covers the gamut for consequences from death to “almost got bit by an animal in a hold”, and that you generally want to use the same precautions regardless since you can’t predict whether the consequence will be, well, inconsequential or not.

@alpha this is super important! If we only hear about the "big" accidents/breaches, we tend to overindex our safety measures on scenarios that make the news, and thus overexpose ourselves to risk from more likely but less consequential scenarios.

On only really getting incident reports for pretty major incidents from big companies in our trade, compared to Accidents in North American Mountaineering, which provides a much fuller picture that’s applicable to more than just at the extreme end.

RE: https://social.jacobian.org/users/jacob/statuses/111977176806754997

@alpha and one of the greatest periodicals of all time
