Note: If you are using the Firefox browser, clicking on the buttons
will only download the files, not allow you to view them directly.
Roger G. Johnston Papers & Talks
Vulnerability Assessment: The Missing Manual for the Missing Link
Contents
Introduction
Chapter 1 - What are VAs And What are They Not?
Chapter 2 - The Purpose of VAs
Chapter 3 - How to Do Effective VAs
Chapter 4 - Who Should Do the VA?
Chapter 5 - Brainstorming and Creativity in VAs
Chapter 6 - The VA Report
Chapter 7 - Cognitive Dissonance & Intellectual Humility
Chapter 8 - Sham Rigor & The Fear of VAs
Chapter 9 - Security Culture & Security Theater
Chapter 10 - Security Metrics, the Fallacy of Precision, and Marginal Analysis
Chapter 11 - Insider Threat Mitigation
Chapter 12 - Security Reasoning Errors
Chapter 13 - Attacks on Security Hardware
Chapter 14 - Other Security Tips
Appendix - Security Maxims
The author has over 3 decades of experience as a Vulnerability Assessor.
Along the way, there are lots of tips for better security.
Available as a book or e-book on Amazon.com
Devil's Dictionary of Security Terms
Why go through your entire security, law enforcement, or intelligence career being confused? Here, at
last, is an 850+ word dictionary to clarify all that confusing security jargon, by giving you the TRUE
meaning of various terms, never mind what the experts think!
Available on Amazon.com
Some Invited Talks by Roger Johnston:
“Vulnerability Assessment”, Interview on Andrew Lanning’s Security Matters Video Program, ThinkTech Hawaii, September 8, 2020, https://youtu.be/KesyK1KKMHk and http://thinktechhawaii.com
“Vulnerability Assessment”, Keynote speaker for a Webinar by the World Institute for Nuclear Security (WINS), August 24, 2020. https://app.livestorm.co/world-institute-for-nuclear-security/effective-vulnerability-assessment-the-key-to-organisational-resilience
"Insider Threat Mitigation: A Vulnerability Assessor's Perspective", iThreat Webinar, July 22, 2020, https://ithreat.com/insider-threat-mitigation-a-vulnerability-assessors-perspective-roger-johnston-with-mike-gips/
Keynote Address: "Three Decades of Defeating Physical Security", OzSecCon 2019, Melbourne, Australia, June 14-16, 2019.
"Cyber Security is Everybody's Business", TSPi, Reardon, VA, October 14, 2015.
"Vulnerability Assessments: Missing in Action?", SOCOM, Fort Bragg, NC, April 28, 2015.
"A Marginal Approach to Security Assurance, Metrics, and Vulnerability Assessments", WINS Workshop on Security Management Metrics, London, England, March 9-10, 2015.
“Focusing on the Threats to the Detriment of the Vulnerabilities”, NATO Advanced Workshop on Preparedness for Nuclear and Radiological Threats, Los Angeles, CA, November 18-20, 2015.
Course Instructor and Curriculum Developer for the NNSA Training Course on Integrated Management Systems (Safety, Security, and QA/QC) for Nuclear Facilities, Rabat, Morocco, January 27-30, 2014.
“Vulnerability Assessments”, Course Instructor for the IAEA Course on Essential Elements of Nuclear Security, Argonne National Laboratory, October 2011, May 2012, and June 2014.
"Seals, Counterfeiting, and Some Security Lessons Learned", Document Security Alliance, Washington, D.C., June 6, 2013.
“Introduction to the Vulnerability Assessment Process”, Modelling and Simulation for Design and Assessment of Nuclear Security Systems, Vienna, Austria, May 14-16, 2013.
“Boxing Outside the Think: Conducting Creative Vulnerability Assessments”, CSO Security Confab, Braselton, GA, April 2-3, 2013.
“Too Many Wrong Mistakes”, ASIS Chapter 140, Ottawa, Canada, January 16, 2013.
Course instructor for the IAEA Regional Training Course on Physical Protection Against Sabotage, Beijing, China, May 14-18, 2012.
“Tags, Numeric Tokens, and Product Authenticity Issues”, DHS/CPB Workshop on Product Counterfeiting, Washington, D.C., April 7, 2012.
“Potential Countermeasures to the Insider Threat: Under-Utilized Concepts from Psychology, HR, Crime, & Common Sense”, Stanford/CISAC Workshop on the Insider Threat, December 5-7, 2011.
“You Don’t Need Cyber to Beat Cyber”, Cyber Defense and Disaster Recovery Conference, Springfield, IL, March 9, 2012.
Keynote Address: “A Cynical View of Security: The Importance of Not Being Earnest”, Security in Government Conference (SIG 2011), Canberra, Australia, July 25-27, 2011.
“Product Authenticity Issues”, White House Working Group on Product Counterfeiting, Washington, D.C., June 15, 2011.
“Mitigating the Insider Threat (and Other Security Issues)”, NRC, Lisle, IL, May 10, 2011.
“Magical Seals, Secure Voting Machines, and Other Fantasies”, Election Verification Network Conference, Chicago, IL, March 24-26, 2011.
Keynote Address: “Proving Voltaire Right: Security Blunders Dumber than Dog Snot”, 19th Annual USENIX Security Symposium, Washington, D.C., August 11-13, 2010.
“Physical Security vs. Cyber Security”, Microsoft Headquarters, Redmond, WA, October 22, 2010.
“Vulnerability Assessments on Tags and Seals”, Product Authentication & Brand Security Conference (PABS10), Chicago, IL, October 4-5, 2010.
“Effective Facility Vulnerability Assessments”, 2010 U.S. Coast Guard Facility Inspector Workshop, Santa Barbara, CA, April 13-14, 2010.
“Security Against Theft, Tampering, and Counterfeiting”, Pharmaceutical Security Institute, McLean, VA, October 28, 2009.
Keynote Address: “Smirking & Vulnerability Assessments”, SecureWorld Expo, Atlanta, GA, April 29-30, 2008 and Chicago, IL, May 21-22, 2008.
Keynote Address: “The Importance of Not Being Earnest: Finding Security Flaws with Method Acting”, SecureWorld Expo, San Francisco, CA, September 19-20, 2007.
“Pharmaceutical Security & Authenticity”, TRAX: Pharmaceutical Supply Chain Integrity, Baltimore, MD, April 25-27, 2007.
“Vulnerabilities & Limitations of RFID and Contact Memory Devices”, Technical Meeting on Sealing Systems and Containment Verification Methods, Vienna, Austria, February 12-16, 2007.
“Countermeasures to Wishful Thinking”, ASIS International Middle East Security Conference, Manama, Bahrain, December 4-6, 2006.
“Countermeasures for Pharma Tampering & Counterfeiting”, Pharmaceutical Security Institute General Assembly, San Diego, CA, October 18, 2006.
“Vulnerability Assessments on Tamper-Indicating Seals”, Joint US-Russia TID Working Group, Moscow, Russia, September 13-14, 2006.
“Research on Improving Cargo Security”, 5th North American Cargo Security Forum, Washington, D.C., September 6-7, 2006.