
How to Lie with Statistics, Information Security Edition


Slides from Tony Martin-Vegue's presentation at CircleCityCon 5.0 (Indianapolis, IN) on June 2, 2018

Abstract:

Stiff statistics, prismatic pie charts, and questionable survey results drown the Information Security space in a sea of never-ending numbers that can be difficult to sift through. Have you ever finished reading a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

This subject was first examined over 60 years ago, when Darrell Huff published the groundbreaking book "How to Lie with Statistics." This presentation takes the foundation Huff created and updates the core concepts for the contemporary Information Security field.

Most people would be shocked to find that data is often manipulated to lead the reader to a particular conclusion. Several areas are examined: bias in vendor-sponsored security reports, data visualization misuse and common security fallacies.

There is a silver lining - once you are aware of the subtle ways data is manipulated, it’s easy to spot. Attendees will walk away with a new understanding of ways to identify and avoid unintentionally using some of the methods described.


  1. How to Lie with Statistics… Information Security Edition #circlecitycon
  2. About me. Contact me: @tdmv
  3. …1954 Edition. "There is terror in numbers. Perhaps we suffer from a trauma induced by grade-school arithmetic." Darrell Huff
  4. Survey Says! 9 out of 10 Households Agree That Surveys Are Bad
  5. Components of a Survey
  6. The Wrath of Graphs
  7. Security Incidents in 2017 (table):
     Lost/stolen laptops: 12
     Lost/stolen mobile devices: 40
     Hacking: 3
     Payment card fraud: 21
     Unintended disclosure: 10
  8. Security Incidents in 2017 (the same five categories as a chart; surviving data labels 12, 40, 3, 21, 10)
  9. Security Incidents in 2017 (same data, alternative chart; only the category labels survive)
  10. Security Incidents in 2017 (same data, alternative chart; only the category labels survive)
  11. Security Incidents in 2017 (same data, alternative chart; only the category labels survive)
  12. Source: Yougov.co.uk
  13. Source: Godaddy.com
  14. Source: Reddit.com | You had one job!
  15. Source: http://junkcharts.typepad.com/.a/6a00d8341e992c53ef016300bba0da970d-pi
  16. Source: MacWorld 2008 Keynote
  17. Which line is longer? HINT: It's a trick question
  18. Data Breach Causes. Source: http://marchelassociates.com/data-breach-causes/
  19. Malware Infections: 2017, charted twice: once on a y-axis running from 400 to 520 and once on a y-axis running from 0 to 600 (only the axis ticks survive)
  20. Source: Photo, TheVerge.com
  21. Source: Data, Apple.com; Photo, TheVerge.com; extra visualizations, qz.com
  22. Reported Social Engineering Attempts 2013 - 2017, charted twice: once on a y-axis running from 200 to 290 and once on a y-axis running from 0 to 300 (only the axis ticks and the years 2013 to 2017 survive)
  23. Source: https://www.techradar.com/reviews/amd-ryzen-threadripper-1950x
  24. Source: https://www.techradar.com/reviews/amd-ryzen-threadripper-1950x
  25. The Semi-Attached Figure
  26. with Retsyn!
  27. Did you know…. Source: Kaspersky Security Bulletin 2016
  28. Did you know…. Source: Kaspersky Security Bulletin 2016
      • 80% of SMBs who pay the ransom get their data back
      Reworded on the slide as: 4 out of 5 SMBs who pay the ransom always get their data back
  29. You can't imply causation with correlation!
  30. Number of people who drowned by falling into a swimming pool correlates with Number of films Nicolas Cage has appeared in. Source: Spurious Correlations; www.tylervigen.com
  31. 2017 Reported Lost/Stolen Mobile Devices and Number of users that completed security awareness training (dual-axis chart: Lost/Stolen Mobile Devices on a 0 to 60 axis, # users completed security training on a 0 to 900 axis; surviving monthly data labels 10, 12, 10, 11, 13, 20, 25, 40, 45, 41, 40, 50)
  32. Conclusion: Statisticulation
  33. Further Reading:
      • "How to Lie with Statistics" by Darrell Huff
      • "The Visual Display of Quantitative Information" by Edward Tufte
      • "How to Measure Anything" by Douglas Hubbard
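Slides 19 and 22 show the same counts drawn once on a truncated y-axis and once on an axis that starts at zero. The Python below is added here as a worked example and is not part of the talk or its slides; it quantifies that distortion with Tufte's lie factor (Tufte appears in the Further Reading list), the ratio of the change the reader sees to the change actually in the data. The quarterly infection counts are constructed for the example, since the slides preserve only the axis ticks, not the plotted values.

```python
"""Added example: how much does a truncated y-axis exaggerate a change?

On a bar chart whose y-axis starts at axis_min instead of 0, each bar is drawn
with height (value - axis_min). The visual change between two bars is therefore
inflated relative to the real change in the data. Tufte's lie factor is
(effect shown in the graphic) / (effect present in the data); 1.0 is honest.
"""
from typing import Sequence

# Constructed quarterly counts, Q1..Q4 (not the talk's data): a modest rise.
MALWARE_2017 = [480, 490, 500, 520]


def visual_change(first: float, last: float, axis_min: float) -> float:
    """Relative change the reader *sees* between the first and last bar when
    bar heights are measured from axis_min rather than from zero."""
    if first <= axis_min or last <= axis_min:
        # A bar that would be zero-height or negative means the axis was cut
        # above the data; such a chart is broken, not merely misleading.
        raise ValueError("axis_min must lie below every plotted value")
    return (last - first) / (first - axis_min)


def data_change(first: float, last: float) -> float:
    """Relative change actually present in the data."""
    if first == 0:
        raise ValueError("relative change from zero is undefined")
    return (last - first) / first


def lie_factor(first: float, last: float, axis_min: float) -> float:
    """Tufte's lie factor for a first-to-last comparison on a truncated axis.
    Equals first / (first - axis_min): 1.0 when axis_min is 0, larger as the
    axis creeps up toward the data."""
    v = visual_change(first, last, axis_min)  # also validates axis_min
    d = data_change(first, last)
    if d == 0:
        return 1.0  # nothing changed, so nothing can be exaggerated
    return v / d


def chart_report(values: Sequence[float], axis_min: float) -> dict:
    """Summarise a chart of `values` drawn on an axis starting at axis_min."""
    first, last = values[0], values[-1]
    return {
        "axis_min": axis_min,
        "data_change_pct": round(100 * data_change(first, last), 1),
        "visual_change_pct": round(100 * visual_change(first, last, axis_min), 1),
        "lie_factor": round(lie_factor(first, last, axis_min), 2),
    }


if __name__ == "__main__":
    # Same data, two axes: the 400-based axis turns an 8.3% rise into a 50%
    # visual rise (lie factor 6.0); the zero-based axis reports it faithfully.
    for axis_min in (400, 0):
        print(chart_report(MALWARE_2017, axis_min))
```

The closed form `first / (first - axis_min)` is the useful takeaway when reviewing a vendor chart: read the lowest tick and the first bar off the axis and you have the exaggeration multiplier without needing the underlying numbers.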
