The problem of securing a system has many facets, and one of the most important is training programmes throughout the respective organisations. Sadly, the security mindset runs contrary to how people usually think, and the problems seem abstract and distant enough that many people are not aware that their own actions are an important building block in implementing a security policy.

Awareness alone, however, is not sufficient; if it were, soft-drink companies would be bankrupt and medical doctors the healthiest people around. Especially in the digital domain, awareness is often used to shift the blame from poor security design to the end user: it is supposedly their own fault if they cannot remember 20-character passwords (a totally different one for each account), open PDF files, read their mail, or use USB sticks. In addition to training the end users, it is therefore also necessary to train management in establishing usable yet secure procedures, in understanding what can realistically be expected from various people and technologies, in integrating security into their business processes (it should already start with the use-case definition), and in preparing a working contingency plan in case something goes wrong. Experience from red-blue trainings (where the students have to operate a simulated company while it comes under attack) is that the primary cause of the defenders losing is not technical deficiencies, but management errors made while facing a crisis.

Past Trainings and Presentations

ICS Security for the Boardroom

ICS Security overview

ICS / SCADA for Academics

Introduction to Modern Cryptography

The Science of Blockchains

Security in Organisations

Contingency Planning

Introduction to Research Methods