Lesson-learning workstream


Accidents happen. How we learn from them — or fail to — is one of the defining features of a complex system. I've been very interested in what we do and don't learn since at least The New School of Information Security.

How to Stand Up a Major Cyber Incident Investigations Board (2022)
As we wrote the report on Adapting Aviation Safety Models, we also worked on a how-to guide. We realized that many of the lessons and tradeoffs that we learned about or crystallized as we worked on that were worth capturing, because listing and explaining them helps people who want to stand up an investigations process move faster and more predictably. The report: How to Stand Up a Major Cyber Incident Investigations Board. We took the name from Steve Bellovin's work to avoid confusion with the newly created CSRB. Suggested citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” Paper, June 2022.
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity (2021)
Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report: Learning from Cyber Incidents project at the Harvard Kennedy School's Belfer Center.
That Was Close! Reward Reporting of Cybersecurity 'Near Misses' (2017)
From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are."
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" (Feb 22, 2018). In Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue)
Input to the Commission on Enhancing National Cybersecurity
Steven M. Bellovin, Adam Shostack, Input to the Commission on Enhancing National Cybersecurity. September 2016.
Select news coverage

Incident databases

There is an increasing number of incident databases. The best have explicit perspectives on what they track, which data elements are tracked, and the use cases or people they expect as users.

Cybersecurity incident/event databases

AI incident/event databases