Threat Environment:

  1. Click Here to Kill Everyone (Bruce Schneier, January 27, 2017)
  2. Everyone's been hacked, now what? (Kim Zetter, Wired 05-04-12)
  3. Hack Back (A DIY anatomy of a hack)

Threat Environment (Optional):

  1. I am calling you from Windows Tech Support (Bruce Schneier) (Nate Anderson, Ars Technica, 10-12-2012)

Aaron Swartz:

  1. Here and Now segment on the MIT/JSTOR exploit (July, 2011)
  2. JSTOR - Open Access Advocate is Arrested for Huge Download (NY Times, July, 2011)
  3. More on the JSTOR crime from an expert witness (Boing Boing, January, 2013)
  4. More Aaron Swartz

IT Controls and SOX Readings:

When reading these articles, focus on the thesis and findings. Some of them use fairly esoteric statistics, but this isn't a Ph.D. seminar, so I'm not going to focus on that and you shouldn't either.

  1. Information Security and Sarbanes-Oxley Compliance: An Exploratory Study (Wallace, 2011) (the second link is the same file; if the first one does not print, use that one).
  2. SOX 404 reported internal control weaknesses: A test of COSO framework components and information technology (Klamm, 2009)
  3. The effect of IT controls on financial reporting (Grant, 2008)
  4. IT internal control weaknesses and firm performance: An organizational liability lens (Stoel, 2011)

Optional Additional Readings:

  1. PWC Eye of the Storm: Key findings from the 2012 Global State of Information Security Survey
  2. IT control weaknesses undermine the information value chain (Klamm, 2011).
  3. From Phishing to Advanced Persistent Threats: The application of Cybercrime Risk to the Enterprise Risk Management Model
  4. A Content Analysis of Auditors' Reports on IT Internal Control Weaknesses... (Boritz, Hayes, and Lim, 2013)

Cryptography Readings:

Digital Certificates and Certificate Authority Readings:

  1. Encryption Working Group Final Report

(Public/Private Key)

  1. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (Rivest, Shamir & Adleman, 1983) - This is the seminal article explaining public/private key encryption. It's a bit technical, so just scan it; don't worry about the math, but try to understand it conceptually.
  2. Security by Obscurity (Bruce Schneier, May 15, 2012 - now referred to as "Obscurity is no Security")

Password Readings:
Password Vulnerabilities:

  1. Why Passwords Have Never Been Weaker and Crackers Never Stronger (Dan Goodin, Ars Technica, August 20, 2012)

Storing Passwords:

  1. A Salt-Free Diet Is Bad for Your Security (Agilebits Blog, June 6, 2012)
  2. Ars Was Hacked (read the comments as well)
  3. Threshold Cryptography (RSA Password Storage) - RSA white paper

Password Usage:

  1. Improving information security management: An analysis of ID-password usage and a new login vulnerability measure (Bang et al., 2012)
  2. Of Passwords and People (2011); summary by Ars Technica, June 2013

Why do we keep making the same password mistakes?:

  1. Why It Pays to Submit to Hackers (Ryan Tate, August, 2012)
  2. How to Get Hacked in 5 Easy Steps (David Pogue, Yahoo Tech - this one's funny to read)

New Kinds of Authentication/Better Passwords:

  1. Active Authentication (the future?) - slides from DARPA
  2. Learn a password subconsciously (Extreme Tech, July 19, 2012)
  3. Choosing Secure Passwords
  4. Beyond Passwords
  5. Video clip of the talk mentioned in the article

How Many Logins/Unique:

Software Security Readings:

  1. The Buffer Overflow
  2. SQL Injection
  3. Patch Compliance

Incident Response Readings:

  1. CF Disclosure Guidance: Topic No. 2 (S.E.C.) - This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
  2. The Future of Incident Response, by Bruce Schneier

SEC Readings:

  1. Cyberattacks Abound Yet Companies Tell SEC Losses Are Few (By Chris Strohm, Eric Engleman and Dave Michaels - Apr 3, 2013)
  2. Companies Hacked by Chinese Didn't Disclose Attacks to Investors (By Chris Strohm, Dave Michaels and Sonja Elmquist - May 21, 2014)
  3. SEC Cybersecurity Roundtable Archive Webcast
  4. SEC OCIE Cybersecurity Initiative (April 15, 2014)