Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
Learn about STRIDE
STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure (privacy breach or data leak)
- Denial of service
- Elevation of privilege
Learn about the NIST Cybersecurity Framework
The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
Play the Citadel Programming Lab from CyBOK
The Citadel Programming Lab is an online virtual secure coding game-based computer lab. The Lab combines a tower defence game with 6 security programming tasks. The lab is based on a serious game approach to join learning and playfulness. The lab’s platform combines a Unity game linked with a coding environment based on an instance of GitLab. The game elements and coding exercises are linked to CyBOK, the Cybersecurity Body of Knowledge, to map its cybersecurity content.
Play the Elevation of Privilege game
Elevation of Privilege (EoP) is the easy way to get started threat modeling. It is a card game that developers, architects or security experts can play.
Read about a NIST cyber security standard e.g. 800-53
NIST Special Publication 800-53 provides a catalog of security and privacy controls. It is published by the National Institute of Standards and Technology (NIST). NIST develops and issues standards, guidelines, and other publications.
Read an NCSC guidance document
The UK's National Cyber Security Centre (NCSC) publishes guidance and reports across a wide range of topics. Reading one of these guides will give you insight into the challenges faced in the real world.
Read PagerDuty's 'Security Training for Everyone'
This is an open-source version of "Security Training for Everyone", PagerDuty's internal employee security training, given to all PagerDuty employees as part of our annual security training program. The main topics covered in this training are:
- Social Engineering - Primarily phishing and how to detect and report such attacks.
- Passwords - A crash course in how passwords are cracked, and why it's important to have strong passwords.
- Physical Security - Guidelines for maintaining the security of our offices and equipment.
- Data Handling - The different types of data we have and how to properly handle that data.
- Compliance - How compliance affects our day-to-day operations.
Read the CyBOK Risk Management & Governance Knowledge Area introduction
The Cyber Security Body Of Knowledge is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector. The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. The project, funded by the National Cyber Security Programme, is led by the University of Bristol's Professor Awais Rashid, along with other leading cyber security experts - including Professor Andrew Martin, Professor Steve Schneider, Dr Yulia Cherdantseva, Dr Rod Chapman and Dr Marina Krotofil.
Use Cairis to create personas and model data flow
CAIRIS stands for Computer Aided Integration of Requirements and Information Security. It is an open source platform for eliciting, specifying, and validating secure and usable systems. It was built from the ground up to support all the elements necessary for usability, requirements, and risk analysis.