
Shostack + Friends Blog
Posts in category “usability”
Hoarding, Debt and Threat Modeling
The psychology of getting started threat modeling

Patching in 2024
In late 2024, people are being offered a choice of features versus security.

Phishing Defenses
Phishing behaviors, as observed in the wild.

Usable Security and Privacy for Engineers
The new IEEE S+P is all about usable security.

Fast, Cheap and Good, Redux
A new paper on how fast, cheap and good can combine into something we usually discount.

Usable Security Matters
Usable security matters

Authentic Thoughts About What Can Go Wrong
Threat modeling doesn't need to be big and complex

Fast, Cheap + Good Whitepaper
Threat modeling doesn't need to be a slow, heavyweight activity!

This is the blog you're looking for
Making it easier to check feed updates

Threat Model Thursday: Technology Consumers
“It depends on your threat model...”

Stencils and Sketch Books
Going beyond the whiteboard.

Elevation of Privilege In The Time of Cholera
How to play in person games while maintaining safe distances.

Better Taught Than Caught!
Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means.

Contextualisation of Data Flow Diagrams...
Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed.

Answering 'What Are We Working On' When Remote
How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?

Threat Modeling with Questionnaires
This post comes from a conversation I had on LinkedIn with Clint Gibler.

Passwords Advice
Bruce Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4.

Polymorphic Warnings On My Mind
The more we see it, the more we ignore it.

Promoting Threat Modeling Work
Some thoughts on promoting others’ threat modeling work.

The White Box Essays (Book Review)
A resource for those developing games.

Incentives and Multifactor Authentication
What if we gamified security?

Pivots and Payloads
A new game from SANS for understanding pen test methodology, tactics, and tools.

John Harrison's Struggle Continues

BlackHat and Human Factors

“The Readability Of Scientific Texts Is Decreasing Over Time”

Interesting Monday Reads
Each of these is long and thought-provoking and worth savoring.

“Comparing the Usability of Cryptographic APIs”

How Not to Design an Error Message

People are The Weakest Link In Security?