Issue Specific Security Policies and the Home User

I once took a class where I had to create an Issue Specific Security Policy (ISSP) for home use. Since I'm the fun sort of person who brings up Multi-factor Authentication at football tailgate parties this was right up my alley!

I've always thought it is useful to think of one's household as a business - whether that is one person, or one person and a pet, or two people who are roommates, or a romantic couple, or a romantic couple with children, or even a romantic couple with or without children who are also taking care of an elderly adult and a pet - I think I've listed a few sitcom plots right there...actually, my friends and family at this point think my idea of having an authentication credential policy for a household is a sitcom waiting to happen - and that's after I deleted all the items about picking usernames and just left in the password details.

Hey, at least I didn't bring up death! :-D

(to be fair, I wanted to, but thought that would have to be its own issue specific security policy and while SANS has a great pandemic template, I didn't see one for death - maybe the disaster recovery one could work...)

The way that technology is ubiquitous in our lives means that homes have to think of information security the same way any business would and at least consider having plans for their technology and its uses. (Homes also need to think of fiscal issues like any business would, starting with "what business problem are we trying to solve?" whenever a new purchase is being decided on, and identify all stakeholders, but that's another post for another time.) I read recently from a security awareness expert, Lance Spitzner, of SANS' Securing the Human organization, that if you can convince people of the utility of information security for their own personal lives they're more likely to understand why it matters at work. An organization could kill two birds with one stone by encouraging employees to think about their at-home security.

My ISSP was predicated on there being at least one Technical Adult in the house, who was then part of the Lead Technical Adult (LTA) team. (I specifically mentioned "adult" because studies have shown the good-decision-making parts of the brain are not fully formed until after age 25; a teen may understand the technology, but is a teen consistently capable of making good decisions?) There might not be such a technical adult in the household. The nearest technical adult might be a grown child or grandchild, or perhaps someone from the community who does nice things out of the kindness of their heart. Or, it might be someone from down the street who seems nice and is really just playing the non-technical adults in order to win their trust so they can get scamm...oops, sorry, my white-ish cat just jumped into my lap and I went all evil for a moment. She's jumped down now :-) 

I suppose I open an entire can of worms by pointing out (which I have done in other venues) that technology products are not necessarily friendly to non-technical users. Imagine for a moment someone who cares nothing about the ins and outs of technology and security, because they're busy doing other things like operating on people in an emergency room, or building houses, or teaching kindergartners. Imagine them setting up a new router to provide wireless service to the plethora of mobile devices they and their family members and any guests might have. (Okay, stop shouting at the monitor - you know the people in the movies can't hear you and they are going to open the closet door, anyhow.) Router setups have come a long way since 2003, when I set up my first wireless access point, but there are things that people who have nightmares about security failures - it's no coincidence that IT and that evil clown have the same characters in their name, is it? - know about securing home networks that non-technical people don't even know that they don't know. I can't suggest that vendors supply a complimentary technical adult with every purchase (well, I could, but that wouldn't be practical), but how are we going to solve the problem of people bringing home a shiny new baby technology toy and being left alone with it when they haven't the first idea what to do with it? If we don't start thinking about household technology, and the security it implies, in a structured way, that will lead to chaos.

(Yes, I just argued for structure. Shhhh, don't tell anyone 😏)

Security policies aren't only for businesses, and they aren't only for the super-geeky. It's possible to help non-technical users get a handle on managing their technology even when they don't have ready access to a technical adult. Issue-specific security policies can help.

Fully Operational Contingency Plans

"Because I could not stop for Death – He kindly stopped for me..."  - Emily Dickinson

Small talk is not a skill I possess. I prefer big talk...important things, like, say, death. Death is a favorite topic of mine. Not that I want to die anytime soon, nor because I take pleasure in others' deaths (well, generally :-), but because everyone seems so unwilling to talk about it and they really need to. Death, you see, in the realm of contingency planning is an adverse event - it has the potential to really mess things up. When someone dies death goes from being an incident candidate to a full-blown incident. Death, being inevitable, needs an incident response (IR) plan to go along with it. 

Okay, how is death relevant to an infosec blog?

It's an attack against information assets - what you know, including how what you know gets you into more information assets, is gone after death happens. Death is pretty efficient when it does its thing so its chance of success is high. Death definitely threatens the availability of your information assets, although one could make an argument for enhancing the confidentiality of them. 

It's important for an organization to plan for deaths of its employees, from the C-suite to the cleaning crew. No, not plan to kill them (although one wonders sometimes...), but a plan for how to react and recover after death occurs. From an obvious perspective, at the very least whatever tasks the person was assigned to do will not be getting done and someone else will have to do them. It's easier to respond when a plan is in place than make things up on the fly - and if the death is of someone close to the people making the decisions their thinking will be affected, even if the death is expected. The story of how a small organization handled the death of one of their founders provides a good foundation for planning on that level: http://www.smallbusinesscomputing.com/tipsforsmallbusiness/business-survival-after-death.html

On a personal level, contingency planning for death is even more vital. This summer I had a long-distance friend die unexpectedly. No one can get into her digital assets, so her Facebook page and LinkedIn account remain open as though she is still alive. Her non-technical family doesn't even know where to begin - and no one wants to bring up the specifics of how those accounts can be closed by the vendors. (Someone did inform her employer.) Not talking about death doesn't make it go away. In the past couple of months I have learned of more people who died unexpectedly, leaving their families to deal with digital legacies on top of the grief and expenses. No one wants to go up to the widow and say, "hey, I know you're in shock and numb with grief right now, but have you thought about how to get into your partner's digital accounts?" Not even I am that goth. (Yes, I'm thinking it, but my mother raised me better than to say it out loud :-)

The recent Equifax breach gives criminals a chance to capitalize on their theft by making it easier to purloin the identities of the deceased: unless the deceased was receiving Social Security payments there is no automatic notification to the credit bureaus that someone has died and that their accounts should be marked that way (see http://www.bankrate.com/finance/credit/happens-dead-persons-credit.aspx for more details). My friend's credit report looks like she's alive. She's not there to notice anything sketchy coming up. Of course, she's dead, and had no dependents, so no one is being directly hurt if someone absconds with her identity, but, still.

Everyone dies at some point. This incident will occur. There are many logistical aspects of death that don't necessarily involve digital assets that need to be secured, but in our modern times nearly everyone has digital assets. We all have some sort of device, either a computer or a mobile device. We probably have email assets and social media assets. While financial service relationships typically have a physical aspect, many people access their financial service accounts digitally, with authentication credentials. How about e-commerce? Kindles? What about Alexa (who might be able to help solve the case) or Siri (who is more helpful to the perpetrator)?

I'll pause. I admit this has to be overwhelming to anyone who hasn't thought about it before. 

Because death is such a scary concept, let's talk instead about space alien abduction. There is a chance that if someone is abducted by space aliens they could return. But, while they are being entertained by the space aliens one would not have access to their digital assets unless one had a contingency plan in place. So, it's like death, but not exactly death. 

Think about how people back home would carry on with your digital activities if you were abducted by space aliens. How should they react? How would they recover? If you've planned now, before the abduction, they have a list of what to do after they have detected that the aliens have zoomed away with you. They can then focus on acquiring, preserving, and securing the assets you have left behind, for instance, your mobile device (presuming it wasn't destroyed in the abduction process).

More organizations are offering practical advice for digital contingency planning. https://www.funeralwise.com/learn/digitallegacy/ is an example. It's important to note that legislation has not caught up to digital realities. It's unclear in many jurisdictions how digital legacies are to be handled and the most obvious option, impersonation, might not be exactly legal, even if it's not exactly illegal, even if an executor is given specific authorization by the deceased space alien abductee.

Whether you plan for this adverse event, or not, it will happen. Think of setting up a contingency plan for securing digital assets in the event of death as a kindness to those left behind - a final gift.

I'm A Frayed Knot - How Projects Unravel and Fail

Project failure is seriously much more interesting to discuss than project success. I think people remember bad things more than good things: a kid is more likely to remember the one time they put their hand on a hot stove than the hundreds of times they saw their parents not touch a hot stove. (Some people need to touch hot stoves more than others to get the message, but that's another topic for another time.)

Real-life project failures abound, and some of them can be interesting, depending on how they're written up. Fictional project failures, though, because they can be over-the-top, are inherently more interesting, involving, say, dinosaurs, or, another of my favorites, Star Wars. I've used scenes from the Star Wars movies to discuss social engineering:

Star Wars in general is full of information security metaphors. Kellman Meghu, a Canadian security professional, did a SecTor 2012 talk, "How NOT to do Security: Lessons Learned from the Galactic Empire" (http://2012.video.sector.ca/video/51119497). It's nearly an hour long, but worth every moment. Darth Vader is cast as the CISO at one point, if you need further incentive to watch.

Another entertaining (and shorter) video presentation is from Darin on YouTube, who uses Star Wars to explain industrial control system security to people who know nothing about security: "Securing your ICS with Lessons Learned from the Death Star".

I literally guffawed when this slide came up:

Daniel Solove, a privacy scholar, penned "If the Empire in Star Wars Had Big Data..." (https://www.linkedin.com/pulse/empire-star-wars-had-big-data-daniel-solove) as a privacy parable, but goes into data security, as well. Perhaps Equifax could learn from his tip on good data breach response.

Even the latest Star Wars movie, Rogue One, gets the information security treatment: Carol Pinchefsky's "5 lessons IT can learn from 'Rogue One: A Star Wars Story'" (https://insights.hpe.com/articles/5-lessons-it-can-learn-from-rogue-one-a-star-wars-story-1702.html) details some very relevant information security parallels, including the importance of authentication and encryption. Not to mention, was everyone else as horrified as I when they realized that there was no offsite backup of the data center on Scarif?

To tie this all back to project management specifically, Emily Bonnie did a hilarious infographic: "10 Reasons the Death Star Project Failed" at https://www.wrike.com/blog/10-reasons-the-death-star-failed/. She includes the usual project management failure suspects such as incomplete project requirements, bad risk handling, poor leadership, failure to look at alternatives, and bad resource handling, among others.


Fictional comparisons can help non-technical stakeholders, particularly the ones in decision-making capacities, understand project management and security management by presenting the concepts in a non-threatening and diverting manner. It's easier to understand a nebulous idea when one can point to a concrete big-screen example. Humor helps, too - people retain information presented with humor better than information presented without it.