InfoSec Philosophies for the Corrupt Economy

Conference: BlackHat USA 2018



The talk discusses the challenges of implementing information security in corrupt economies and the limitations of security frameworks designed by contributors from stable nation states.
  • Security frameworks and operational routines are often created with assumptions that do not apply in corrupt economies
  • Interviews with people involved in corruption were conducted to gain insights on the realities of corruption
  • Challenges of implementing information security in developing countries were discussed
  • Cognitive biases and assumptions about insider threats were also addressed
The speaker used Star Trek as an analogy to illustrate the poor security in commercial enterprises and how security is often an afterthought. He also asked the audience whether they had experienced any type of institutionalized corruption or corruption in their workplace, and shared his personal experience of conducting interviews with people involved in corruption.


The majority of systematic approaches to information security are created by contributors from stable nation states, where the design assumes that the originator is wholesome and true, the playing field is lush and green and the children frolic care-free making daisy-chain bracelets. This talk discusses the realities of corruption, with real-life anecdotes from interviews conducted with real criminals and victims. This talk also explains the challenges and differences between trying to 'do' information security in developed and developing countries, where often corruption can derail security efforts and the people put in place to run the show are working against you. I also discuss typical challenges of working in difficult climates, how this can impact us (as security warriors), with first-hand accounts from those involved and some of the things we can do to combat corruption. A basic understanding of threat modelling and a slightly dark sense of humour are advantageous in getting the most out of this talk.


