Mosaic Theory of Information Security

Presented at ToorCon San Diego TwentyOne (2019), Nov. 8, 2019, 10 a.m. (25 minutes)

In this talk, we discuss the relationship between information combined under mosaic theory in finance and unintentional disclosures faced by security teams. After the talk, you should be able to present concerns about potentially risky information to business stakeholders using a framework they may already know.

Seemingly insignificant information can be combined to constitute useful information you didn’t intend to reveal. In finance, this concept is called mosaic theory. Investment analysts using this principle combine non-material information to develop significant insights into companies’ upcoming results without verging into insider trading.

A similar principle applies in non-financial information security. Many details, like those you might post to social media or include on a public resume, can be combined to deduce significant aspects of your organization’s private data. Small divergences from usual patterns can, when combined, give a competitor or potential attacker hints about your organization’s strategy, upcoming product launches, or other confidential or proprietary information.


Presenters:

  • Margaret Fero
    Margaret is a Technical Writer with a strong interest in information security, learning and education, and interdisciplinary connections. She has spoken at conferences including Write The Docs Day: Australia, the O'Reilly Open Source Convention (OSCON), and Abstractions II.
