In finance, a concept called mosaic theory says that non-material information in sufficient quantities can be combined to constitute useful information. Investment analysts using this principle combine non-material information to develop significant insights into companies’ upcoming results without verging into insider trading. In other words, a lot of insignificant details, like you might include in your documentation or share to social media, can be combined to deduce significant aspects of your or your organization’s private data. In non-financial information security, a similar principle applies. Small divergences from usual patterns can, when combined together, give a competitor or potential attacker hints about your organization’s strategy, upcoming product launches, or your private personal information. In this talk, we discuss types of information you want to avoid posting about yourself or your organization to avoid unintentional disclosures.

1. Mosaic Theory of Information
Security
For Technical Writers
1
Margaret Fero
For SF Bay Chapter of the STC, November 2020

2. FIRST: Disclaimers
SF Bay Chapter of the STC, November 20202
I’m not a lawyer, a financial advisor, the SEC, or in any way entitled to make expert
judgements on what is or is not legal or insider trading. This whole talk is provided
without warranty or guarantee. This is not legal advice. This is not financial advice.
I’m going to talk about how legal and financial concepts work in a general sense based on
a layperson’s understanding so we can all have a shared basis from which to discuss their
applicability to information security. Do not make financial or legal decisions based on any
information in this talk. Talk to actual experts if you feel inspired to make financial or legal
decisions after watching this talk, do not rely on my information here.
I am not an Expert on insider trading regulations, but I have enough of a general idea to
use them as an allegory for a security problem.

3. "Cat on a wall" by digitaltemi is licensed under CC BY 2.03

4. 4
About Me
● Currently a Software
Engineer with a focus on
Security at a small startup
● Previously a Principal
Technical Writer at
Degreed, and overall a
technical writer for over a
decade, the last 6 years of
it full-time
● Hold security certifications
including the GSEC,
GCIH, and GCIA

5. About Mosaic Theory
Agenda
1
2
5
3
Some Examples, General and Specific to TechComm
What To Watch Out For
4 Conclusion
5 Questions

6. About Mosaic Theory
6

7. Why mosaic
theory?
7
Money Stuff by Matt
Levine
https://www.bloomberg.com/opinion/articles/2018-03-18/equifax-exec-sold-stock-after-hack-was-it-insider-
trading

8. What’s Insider Trading?
8
https://www.investor.gov/additional-resources/general-resources/glossary/insider-trading

9. What’s Insider Trading?
9
https://www.investor.gov/additional-resources/general-resources/glossary/insider-trading

10. Every day, professional investors and
research analysts work the phones to
ferret out information about companies that
can’t be found by simply reading news
releases.
10
Andrew Ross Sorkin
New York Times Dealbook Column
November 29, 2010
https://dealbook.nytimes.com/2010/11/29/just-tidbits-or-material-
facts-for-insider-trading/ ;
"Puzzling" by byzantiumbooks is licensed under CC BY 2.0

11. ● “Material” information
direct from a reputable
source
● Information comes
packaged together
● Information is useful alone
What counts as insider trading?
11
● “Immaterial” information
from multiple sources
● You combine information
to create useful packages
● Individual pieces of
information are not as
useful as the whole
Insider Trading
(Bad)
Skilled
Financial
Analysis (Good)

12. Some Examples
12

13. Insider Trading
This is bad.
13 https://www.sec.gov/news/press-release/2020-27

14. Another Example of Alleged Insider Trading
This one still hasn’t gone to trial, so it may be okay, but it also sounds bad.
14 https://www.sec.gov/news/press-release/2020-228

15. Skilled Financial Analysis
This is good!
15

16. To Review
Insider
Trading
Bad.
16
Skilled
Financial
Analysis
Good, actually!

17. 17 "Frank, September 4, 2011 - keyboard" by pat00139 is licensed under CC BY 2.0
Why should I care as a
technical writer?

18. You also have information.
18
Material non-
public
information
● Details of unreleased
features
● Internal approvals or QA
processes
● Product roadmaps
● Usage data
● Company costs
Immaterial or
public
information
● Press release archives
● Job ads
● Your company’s website
● Your colleague’s lunch
preferences
● Published documentation

19. Material
Information
19
This is bad to release.
https://www.darkreading.com/cloud/hotelscom-and-expedia-provider-exposes-millions-of-guests-data/d/d-id/1339407

20. Immaterial
Information
20
● Travel opportunities
● Employee
sabbaticals
● Employee travel
● Onsite/Offsite timing
● Food preferences
● Release schedule
This is good to release!
...right?

21. What should I watch for?
21

22. 22
High-Risk Categories
Job Posts &
Resignations
Employee
Sentiment
Feature
Details
Tooling Compliance
Changes
"Sharpest tool in the shed" by Lachlan is licensed under CC BY 2.0; "Slides Box Paperwork" by cdsessums is licensed
under CC BY-SA 2.0; "Job Listings" by flazingo_photos is licensed under CC BY-SA 2.0; "Thumbs Up" by Learn4Life is
licensed under CC BY-SA 2.0; "Project Management Plan" by perhapstoopink is licensed under CC BY 2.0

23. Disclaimer
(again):
23
The tools I’m about to
mention are risky
because they’re useful!
Banning these tools is
not a good mitigation
strategy.
"Lego bricks" by EEPaul is licensed under CC BY 2.0

24. ● Job post contents
● Employees’ role descriptions on LinkedIn or networking sites
● Meetup membership or attendance
● Vendor forum membership
● Event or networking conversations
Tooling
24

25. 25
Compliance Changes
● LinkedIn posts
● Conference attendance or course completion
● Forum posts
● Meetup membership or attendance
● Job postings
● Joining professional organizations or networks

26. 26
Job Posts & Resignations
● Your career site
● Your ATS or company LinkedIn page
● Recent alumni’s LinkedIn or social media accounts
● Your company or product blog, or individuals’ blogs
● Networking conversations

27. 27
Employee Sentiment
● Social media
● Press mentions
● Glassdoor reviews
● Networking Slacks and Discords
● Conversations on public transit (someday...)
● Conversations near your office (someday...)

28. 28
Feature Details
● “Coming Soon” listings or sections
● Company blog
● Descriptions of what individual employees are working on
● Documented defaults
● Documented settings
● Documented procedures, processes, and overrides

29. 29
Other Information You Have
● Instagram posts
● Vacation responders
● Individual Preferences

30. What Now?
30

31. Don’t despair, just
be aware!"Full Rainbow at Sunrise at Columbia River in Washington" by Landscapes in The West is licensed under CC PDM 1.0

32. Thank you!
Questions?
@maggiefero
Linkedin.com/in/margaretfero
Degreed.com/maggiefero
32