Updating best practices for managing cyber risks . I sure hope that the engineers and design managers who design the security protocols for the various systems that I use pay attention to the work of the National Institute of Standards and Technology (NIST)’s Trusted Identities Group.   Specifically, I pray that they will heed the recommendations in June 2017 release of new Digital Identity Guidelines, Authentication and Lifecycle Management ( NIST Special Publication 800-63B ), section 10.2.1 Memorized Secrets.   “Memorized secrets” are “commonly referred to as a password or PIN.”   By following these recommendations, software security folks stand to make my digital life easier and, apparently, more secure.   Complexity does not solve all problems.   Usability matters. For many years I worked for an organization that rigorously enforces computer security:   regular change of complex passwords, shut down desktop and laptop computers every n...

On July 17, 2017, Lloyd’s, the legendary London-based insurance market, released its forecasts of the potential costs of two types of cyber attacks.  The results were headline grabbing:  The July 18, 2017, Financial Times reported that “Lloyd’s warns of $120 billion bill from cyber attack on cloud provider.”  “Extreme assault,” the headline continued, “may outstrip a natural disaster.” For the past several years, the news media has been full of reports on cyber hacks:  The 2013 theft of credit and debit card data from Target, the 2014 release of stolen emails from Sony Corporation, the alleged 2016 cyber-based interference with U.S. elections now being investigated by Congress, and this year’s WannaCry and Petya ransomware attacks name only a few.  There is no doubt that businesses, nonprofit organizations, and governments benefit from interconnectivity—by access to new markets, client support, shared information, and interpersonal communications....