Bibliography - Threat Modeling: Designing for Security (2014)

1. 37 Signals. “Aggressive, Spiky Button vs. Rounded Corner Button,” Signal vs. Noise, April 5, 2010.

2. Abi-Antoun, Marwan, and Jonathan Aldrich. “Static Extraction and Conformance Analysis of Hierarchical Runtime Architectural Structure Using Annotations.” In ACM SIGPLAN Notices, vol. 44, no. 10, pp. 321–40 (ACM, 2009).

3. Abi-Antoun, Marwan, and Jeffrey M. Barnes. “Analyzing Security Architectures,” Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, pp. 3–12 (ACM, 2010).

4. Acquisti, Alessandro, Ralph Gross, and Fred Stutzman. “Faces of Facebook: Or, How the Largest Real ID Database in the World Came to Be.” BlackHat USA, August 2011. Draft available online at ~acquisti/face-recognition-study-FAQ/acquisti-faces-BLACKHAT-draft.pdf.

5. Adams, A. A., and S. A. Williams. “What's Yours Is Mine and What's Mine's My Own,” unpublished draft, May 8, 2012.

6. Adams, Scott. Dilbert cartoon, published November 13, 1995.

7. Adida, Ben, et al. “CALEA II: Risks of Wiretap Modifications to Endpoints,” Center for Democracy and Technology, May 17, 2013.

8. Adler, Andy. “Images Can Be Regenerated from Quantized Biometric Match Score Data,” Canadian Conference on Electrical and Computer Engineering, vol. 1, pp. 469–72 (IEEE, 2004).

9. Akhawe, Devdatta, Warren He, Zhiwei Li, Reza Moazzezi, and Dawn Song. “Clickjacking Revisited: A Perceptual View of UI Security,” BlackHat USA, August 2013, ~devdatta/clickjacking.pdf.

10. Alexander, Christopher, Sara Ishikawa, and Murray Silverstein. A Pattern Language (New York: Oxford University Press, 1977).

11. Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems (Indianapolis: Wiley, 2008).

12. _____. “Offender Tagging,” Light Blue Touchpaper blog, last modified September 2, 2013.

13. _____. “Security and Human Behavior 2013,” Light Blue Touchpaper blog, last modified June 6, 2013.

14. ANSI Z535. “Brief Description of All Six Standards and Safety Color Chart,” accessed October 15, 2013.

15. Asadollahi, Yahya, Vahid Rafe, Samaneh Asadollahi, and Somayeh Asadollahi. “A Formal Framework to Model and Validate Event-Based Software Architecture,” Procedia Computer Science 3 (2011): 961–66.

17. Aucsmith, David, Brendon Dixon, and Robin Martin-Emerson. “Threat Personas,” Microsoft internal document, version 0.9, 2003.

18. Barnard, R. L. Intrusion Detection Systems (Butterworths, 1988), as cited in Anderson (2008), supra.

19. Beautement, Adam, M. Angela Sasse, and Mike Wonham. “The Compliance Budget: Managing Security Behaviour in Organisations,” In Proceedings of the 2008 Workshop on New Security Paradigms, pp. 47–58 (ACM, 2009).

20. Beckert, Bernhard, and Gerd Beuster. “A Method for Formalizing, Analyzing, and Verifying Secure User Interfaces.” In Formal Methods and Software Engineering, pp. 55–73 (Berlin: Springer, 2006).

21. Bell, D. Elliott, and Leonard J. LaPadula. “Secure Computer Systems: Mathematical Foundations,” MTR-2547 (Bedford: The MITRE Corporation, 1973).

22. Bella, Giampaolo, and Lizzie Coles-Kemp. “Seeing the Full Picture: The Case for Extending Security Ceremony Analysis,” Proceedings of the 9th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, December 5–7, 2011.

23. Biba, K. J. “Integrity Considerations for Secure Computer Systems,” MTR-3153 (Bedford: The MITRE Corporation, 1977).

24. Biham, Eli, Alex Biryukov, and Adi Shamir. “Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials.” In Advances in Cryptology: EUROCRYPT '99, pp. 12–23 (Berlin, Heidelberg: Springer, 1999).

25. Bonneau, Joseph. “Authentication Is Machine Learning,” Light Blue Touchpaper blog, December 14, 2012 (see in particular comment 2 by Bonneau).

26. _____. “Authenticating Humans to Computers: What I Expect for the Next Ten Years,” streamed live on November 29, 2012.

27. Bonneau, Joseph, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” In 2012 IEEE Symposium on Security and Privacy (SP), pp. 553–67 (IEEE, 2012).

28. Bonneau, Joseph, Mike Just, and Greg Matthews. “What's in a Name?” In Financial Cryptography and Data Security, pp. 98–113 (Berlin, Heidelberg: Springer, 2010).

29. Bovbjerg, Barbara D. “Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain,” U.S. GAO, GAO-05-1016T, September 15, 2005.

30. Bowers, Kevin D., Marten van Dijk, Robert Griffin, Ari Juels, Alina Oprea, Ronald L. Rivest, and Nikos Triandopoulos. “Defending Against the Unknown Enemy: Applying FLIPIT to System Security.” In Decision and Game Theory for Security, pp. 248–63 (Berlin: Springer, 2012).

31. Bowker, Geoffrey C., and Susan Leigh Star. Sorting Things Out: Classification and Its Consequences (Cambridge: The MIT Press, 2000).

32. Boyd, Colin, and Anish Mathuria. Protocols for Authentication and Key Establishment (Berlin: Springer, 2003).

33. Brainard, John, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung. “Fourth-Factor Authentication: Somebody You Know,” In 2006 ACM Conference on Computer and Communications Security, pp. 168–78.

34. Brennan Center for Justice. “Voter ID,” last updated October 15, 2012.

35. Brewer & Darrenougue. “Minutes of the IETF 88 Plenary,” November 6, 2013.

36. Buley, Taylor. “Netflix Settles Privacy Lawsuit, Cancels Prize Sequel,” Forbes Firewall blog, March 12, 2010.

37. Cameron, Kim. “The Laws of Identity,” last revised May 2005.

38. Campanile, Carl. “Dem Pol's Son Was ‘Hacker’,” New York Post, September 19, 2008.

39. Celis, David. “Stop Validating E-mail Addresses with Complicated Regular Expressions,” September 12, 2006.

40. Chandler, Raymond. Trouble Is My Business: A Novel (Random House Digital, Inc., 2002).

41. Chen, Raymond. “It Rather Involved Being on the Other Side of This Airtight Hatchway...,” The Old New Thing blog, May 8, 2006.

42. Chosunilbo. “Real-Name Online Registration to Be Scrapped,” The Chosunilbo, last revised December 30, 2011.

43. Clarke, Roger. “An Evaluation of Privacy Impact Assessment Guidance Documents,” International Data Privacy Law 1, no. 2 (2011): 111–20.

44. _____. “Privacy Impact Assessment,” May 26, 2003.

45. _____. “Privacy Impact Assessment: Its Origins and Development,” April 2009.

46. Cloud Security Alliance (CSA). “Cloud Controls Matrix,” Version 3, September 26, 2013.

47. _____. “Security Guidance,” Version 3, November 14, 2011.

48. Convery, S., D. Cook, and M. Franz. “An Attack Tree for the Border Gateway Protocol (Draft 1),” Routing Protocol Security, expired March 17, 2004, ~zmao/eecs589/papers/draft-convery-bgpattack-01.txt.

49. Cooper, Alan, and Paul Saffo. The Inmates Are Running the Asylum (Indianapolis: SAMS, 1999).

50. Cooper, A., H. Tschofenig, B. Aboba, J. Peterson, J. Morris, M. Hansen, and R. Smith. “Privacy Considerations for Internet Protocols,” RFC 6973, July 2013.

51. Cooper, Alan, Robert Reimann, and David Cronin. About Face 3: The Essentials of Interaction Design (Indianapolis: John Wiley & Sons, 2012).

52. Cranor, Lorrie Faith. “A Framework for Reasoning About the Human in the Loop,” UPSEC 8 (2008): 1–15.

53. Csikszentmihalyi, Mihaly. Finding Flow: The Psychology of Engagement with Everyday Life (New York: Basic Books, 1997).

54. _____. Flow: The Psychology of Optimal Experience (New York: HarperCollins, 1990).

55. Culp, Scott, and Angela Gunn. “Ten Immutable Laws of Security (Version 2.0),” accessed October 16, 2013.

56. CyberSource. “2012 Online Fraud Report,” CyberSource, Fourteenth Annual Industry Report, accessed October 16, 2013.

57. Dalek, Calum T. “Fingerprinting,” Wired, vol. 4, no. 9, p. 47, September 1996.

58. Danezis, George. “Covert Communications Despite Traffic Data Retention.” In Security Protocols XVI, pp. 198–214 (Berlin: Springer, 2011).

59. _____. Personal communication, 2011.

60. Debian Project. “Debian Security Advisory DSA-1571-1 openssl — Predictable Random Number Generator,” published May 13, 2008.

61. Deng, Mina. “Privacy Preserving Content Protection,” Ph.D. diss., Katholieke Universiteit Leuven, Faculty of Engineering, 2010.

62. Disqus. “Pseudonyms Drive Community,” Disqus corporate blog, accessed October 16, 2013.

63. Duarte, Nancy. “How to Present to Senior Executives,” Harvard Business Review, October 4, 2012.

64. Duong, Thai, and Juliano Rizzo. “Flickr's API Signature Forgery Vulnerability,” September 2009.

65. EAC Advisory Board. “Elections Operations Assessment: Threat Trees and Matrices and Threat Instance Risk Analyzer,” Elections Assistance Commission, December 23, 2009, submitted by University of South Alabama.

66. Ellison, Carl M. “Ceremony Design and Analysis,” IACR Cryptology ePrint Archive (2007): 399.

67. Ericsson, K. Anders, Ralf T. Krampe, and Clemens Tesch-Römer. “The Role of Deliberate Practice in the Acquisition of Expert Performance,” Psychological Review 100, no. 3 (1993): 363.

68. Espenschied, Jonathan, and Angela Gunn. “Threat Genomics,” MetriCon 7, August 7, 2012.

69. Essers, Loek. “German Privacy Regulator Orders Facebook to End Its Real Name Policy,” ITworld, December 17, 2012.

70. Ferguson, Niels, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering (Indianapolis: Wiley, 2012).

71. Ferriss, Timothy. The 4-Hour Chef: The Simple Path to Cooking Like a Pro, Learning Anything, and Living the Good Life, as cited in “Cheat Sheets for Everything,” Boing Boing, November 21, 2012.

72. Feynman, Richard P. “Surely You're Joking, Mr. Feynman!”: Adventures of a Curious Character (New York: W. W. Norton & Company, 2010).

73. FIPS. “Data Encryption Standard,” Federal Information Processing Standards Publication 46-2, supersedes FIPS PUB 46-1, January 22, 1988.

74. Fisher, Dennis. “Inside Facebook's Social Authentication System,” ThreatPost blog, March 8, 2012.

75. Fontana, John. “VeriSign Issues Fraudulent Microsoft Code-Signing Certificates,” Network World Fusion, March 22, 2001.

76. Friedberg, Jeffrey, et al. “Privacy Guidelines for Developing Software Products and Services,” version 3.1, September 2008.

77. Garfinkel, Simson. Personal communication, November 2012.

78. Gawande, Atul. The Checklist Manifesto (Penguin Books, 2010).

79. Gellman, Robert. “Fair Information Practices: A Basic History,” version 2.02, November 11, 2013.

80. Green, Robert Lane. You Are What You Speak (New York: Random House, 2011).

81. Giesen, Florian, Florian Kohlar, and Douglas Stebila. “On the Security of TLS Renegotiation,” 2013.

82. Goldberg, Ian Avrum. “A Pseudonymous Communications Infrastructure for the Internet,” Ph.D. diss., University of California, 2000.

83. Goldberg, Ian A., Matthew D. Van Gundy, Berkant Ustaoglu, and Hao Chen. “Multi-Party Off-the-Record Messaging,” 2008, ~iang/pubs/mpotr.pdf.

84. Goodin, Dan. “‘We Cannot Trust’ Intel and Via's Chip-Based Crypto, FreeBSD Developers Say,” December 10, 2013, ed-crypto-freebsd-developers-say/.

85. Gordon, Lawrence A., and Martin P. Loeb. “The Economics of Information Security Investment,” ACM Transactions on Information and System Security (TISSEC) 5, no. 4 (2002): 438–57.

86. _____. Managing Cybersecurity Resources: A Cost-Benefit Analysis (New York: McGraw-Hill, 2006).

87. Gürses, Seda, Carmela Troncoso, and Claudia Diaz. “Engineering Privacy by Design,” COSIC 2011, last accessed October 16, 2013.

88. Haber, Jeb. “SmartScreen® Application Reputation in IE9,” IEBlog, May 17, 2011.

89. Hall, Joseph M., and M. Eric Johnson. “When Should a Process Be Art,” Harvard Business Review, March 2009.

90. Hashcat. Hashcat advanced password recovery product page, visited December 7, 2013.

91. Hazen, John. “Delivering Reliable and Trustworthy Metro Style Apps,” Building Windows 8, May 17, 2012.

92. Heckman, Rocky. “Application Threat Modeling v2,” TechRepublic/U.S., March 7, 2006.

93. Heitgerd, Janet L., et al. “Community Health Status Indicators: Adding a Geospatial Component,” Preventing Chronic Disease 5, no. 3 (2008), accessed October 15, 2013.

94. Heninger, Nadia, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” In Proceedings of the 21st USENIX Security Symposium, August 2012.

95. Herley, Cormac. “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,” In Proceedings of the 2009 New Security Paradigms Workshop, pp. 133–44 (ACM, 2009).

96. Hill, Sad. “Caution Sign Has Sharp Edges Do Not Touch,” Sad Hill News, November 9, 2010.

97. Hillebrand, Gail. “Social Security Number Protection Legislation for States,” Consumers Union, June 2008.

98. Hoffman, L. Personal communication. See also the Burroughs tribute page.

99. Honan, Mat. “How Apple and Amazon Security Flaws Led to My Epic Hacking,” Wired, August 6, 2012.

100. Howard, Michael. “Secure Coding Secrets,” Microsoft Security Development Lifecycle blog, November 18, 2008.

101. Howard, Michael, and David LeBlanc. Writing Secure Code (Redmond: Microsoft Press, 2002), and 2nd edition, 2009.

102. Howard, Michael, and Steve Lipner. The Security Development Lifecycle (Redmond: Microsoft Press, 2006).

103. Huang, Ling, Anthony D. Joseph, Blaine Nelson, Benjamin I. P. Rubinstein, and J. D. Tygar. “Adversarial Machine Learning,” In Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, pp. 43–58 (ACM, 2011).

104. Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Leading Issues in Information Warfare and Security Research 1 (2011): 80.

105. Identity Theft Resource Center. “Identity Theft: The Aftermath 2008,” May 28, 2009.

106. Ingoldsby, Terrance R. “Attack Tree-Based Threat Risk Analysis,” Amenaza Technologies Ltd., copyright 2009, 2010.

107. Jacobs, Jay. “A Call to Arms: It Is Time to Learn Like Experts,” ISSA Journal, November 2011.

108. Jakobsson, Markus, Erik Stolterman, Susanne Wetzel, and Liu Yang. “Love and Authentication,” Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 197–200 (ACM, 2008).

109. Johnson, Steven. The Ghost Map: The Story of London's Most Terrifying Epidemic and How It Changed Science, Cities, and the Modern World (New York: Penguin, 2006).

110. Jones, J. “An Introduction to Factor Analysis of Information Risk (FAIR),” Norwich Journal of Information Assurance 2, no. 1 (2006): 67.

111. Just, Mike. “Designing and Evaluating Challenge-Question Systems,” IEEE Security and Privacy 2, no. 5 (2004): 32–39.

112. Kahn, David. The Codebreakers (New York: Scribner, 1996).

113. Kahneman, Daniel. Thinking, Fast and Slow (New York: Farrar, Straus and Giroux, 2011).

114. Kahney, Leander. “Twist a Pen, Open a Lock,” September 17, 2004.

115. Karlof, Chris, J. Doug Tygar, and David Wagner. “Conditioned-Safe Ceremonies and a User Study of an Application to Web Authentication,” SOUPS, 2009.

116. Kelsey, John. Comment on “Think Like an Attacker?” Emergent Chaos blog, September 19, 2008.

117. Kent, Jonathan. “Malaysia Car Thieves Steal Finger,” BBC News online, March 31, 2005.

118. Kerckhoffs, Auguste. “La cryptographie militaire,” Journal des sciences militaires, vol. IX, pp. 5–38, January 1883; pp. 161–91, February 1883.

119. Kim, Gene, Kurt Milne, and Dan Phelps. “Prioritizing IT Controls for Effective Measurable Security,” IT Process Institute (2006).

120. Kim, Gene H., and Eugene H. Spafford. “The Design and Implementation of Tripwire: A File System Integrity Checker,” In Proceedings of the Second ACM Conference on Computer and Communications Security, pp. 18–29 (ACM, 1994).

121. Klein, Gary. Sources of Power (Cambridge: MIT Press, 1999).

122. Koblitz, Neal, and Alfred J. Menezes. “Another Look at ‘Provable Security’,” Journal of Cryptology 20, no. 1 (2007): 3–37.

123. Kocher, Paul. “Surviving Moore's Law: Security, AI, and Last Mover Advantage,” USENIX Security 2006.

124. Kohnfelder, Loren, and Praerit Garg. “The Threats to Our Products,” Microsoft Interface, April 1, 1999.

125. Komanduri, Saranga, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. “Of Passwords and People: Measuring the Effect of Password-Composition Policies,” In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (ACM, 2011).

126. Krebs, Brian. “Data Broker Giants Hacked by ID Theft Service,” September 25, 2013.

127. Lang, Keith. “The Science of Aesthetics,” UXAustralia 2009, and comments.

128. Laser Software.

129. Laurie, Ben, and Richard Clayton. “Proof-of-Work Proves Not to Work,” version 0.2, Workshop on Economics and Information Security, 2004.

130. LeBlanc, David. “Practical Windows Sandboxing” blog series, July 27, 2007.

131. Levien, Raph. “Snowflakes As Visual Hashes,” post to “Best of Security” mailing list, May 17, 1996.

132. Lightstone, Sam. Making It Big in Software: Get the Job, Work the Org, Become Great (Boston: Pearson, 2010).

133. Lindstrom, Peter. “A Modest Proposal to Eliminate the SSN Façade,” Spire Security Viewpoint blog, April 11, 2006.

134. Lipner, Steve. Personal communication, 2008.

135. Lyn, Tan Ee. “Cancer Patient Held at Airport for Missing Fingerprint,” Reuters, May 27, 2009.

136. Magretta, Joan. What Management Is (New York: Simon and Schuster, 2002).

137. Malhotra, Vikas. “Protected View in Office 2010,” Microsoft Office 2010 Engineering blog, August 13, 2009.

138. Marlinspike, Moxie. “The Cryptographic Doom Principle,” Thought Crime blog, December 13, 2011.

139. _____. “The Convergence System: SSL and the Future of Authenticity,” talk given at BlackHat, July 2011.

140. Marshall, Andrew. “Intersystem Review: Tearing at the Seams Between Dependent Threat Models,” Microsoft internal document, January 2013.

141. Martina, Jean Everson, and Marcelo Carlomagno Carlos. “Why Should We Analyze Security Ceremonies?,” First CryptoForma Workshop, May 2010.

142. Masnick, Mike. “Lavabit Details Unsealed: Refused to Hand Over Private SSL Key Despite Court Order and Daily Fines,” TechDirt, October 2, 2013.

143. Margosis, Aaron. “Problems of Privilege: Find and Fix LUA Bugs,” TechNet Magazine, August 2006.

144. Matsumoto, Tsutomu, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino. “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems,” Proceedings of SPIE Vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV, January 24–25, 2002.

145. McCullagh, Declan. “AOL's Disturbing Glimpse into Users' Lives,” CNet, August 7, 2006.

146. McGraw, Gary, and John Steven. “An Interview with John Steven,” Silver Bullet Security Podcast, Show 068, November 30, 2011.

147. McKenzie, Patrick. “Falsehoods Programmers Believe About Names,” June 17, 2010.

148. McMillan, Robert. “CSO Says Cisco Security Is Growing Up,” InfoWorld, August 6, 2008.

149. _____. “Google Attack Part of Widespread Spying Effort,” Computerworld, January 13, 2010.

150. McRee, Russ. “IT Infrastructure Threat Modeling Guide,” June 22, 2009.

151. McWhorter, John. The Power of Babel: A Natural History of Language (New York: HarperCollins, 2003).

152. Meier, J. D. Improving Web Application Security: Threats and Countermeasures (Redmond: Microsoft Press, 2003).

153. Microsoft. “Assess Your Security,” Microsoft Security Development Lifecycle (SDL) Optimization Model, last accessed October 16, 2013.

154. Microsoft. Microsoft Security Intelligence Report (SIR), vol. 11, 2011, last accessed October 16, 2013.

155. _____. “The Zen of Program Management,” Microsoft JobsBlog, February 14, 2007.

156. Microsoft SDL Team. “Appendix N: SDL Security Bug Bar (Sample),” 2012.

157. Miller, George A. “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information,” Psychological Review 63, no. 2 (1956): 81.

158. Miller, Robert B., Stephen Heiman, and Tad Tuleja. The New Strategic Selling: The Unique Sales System Proven Successful by the World's Best Companies (New York: Business Plus, 2005).

159. MITRE. “Attack Patterns: Knowing Your Enemies in Order to Defeat Them,” BlackHat, Washington, D.C., 2007.

160. _____. “CAPEC-89: Pharming,” last updated June 21, 2013.

161. _____. “CAPEC-1000: Mechanism of Attack,” last updated June 21, 2013.

162. Moore, Andrew P., Robert J. Ellison, and Richard C. Linger. “Attack Modeling for Information Security and Survivability,” No. CMU-SEI-2001-TN-001, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, 2001.

163. Muffett, Alec. “Regulators, Password Hashing & Crypto Considered As a Branding Exercise: #bcrypt #security /cc @schneierblog @glynwintle,” dropsafe blog, June 15, 2012.

164. Murray, Mike. Forget the Parachute: Let Me Fly the Plane (Seattle: Amazon Digital Services, 2011).

165. Nagar, Abhishek. “Biometric Template Security,” Ph.D. diss., Michigan State University, 2012.

166. Narayanan, Arvind, and Vitaly Shmatikov. “Robust De-anonymization of Large Sparse Datasets,” In 2008 IEEE Symposium on Security and Privacy (SP), pp. 111–25 (IEEE, 2008).

167. Nather, Wendy. “All About ‘Cheeseburger Risk’,” 415 Security Blog, January 15, 2013.

168. National Bureau of Standards. “Guidelines for Automatic Data Processing Physical Security and Risk Management,” FIPS PUB 31, 1974, pp. 12–14.

169. Neighly, Madeline, and Maurice Emsellem. “Wanted: Accurate FBI Background Checks for Employment,” National Employment Law Project, July 2013.

170. Nielsen Hayden, Patrick. “Please Enter a Valid Last Name,” Making Light blog, December 11, 2012.

171. Netflix. “Lessons Netflix Learned from the AWS Outage,” Netflix, April 29, 2011.

172. Nguyen, Duc. “Your Face Is Not Your Password,” BlackHat DC 2009.

173. Nguyen, Joe. “Cookie Deletion: Why It Should Matter to Advertisers and Publishers,” March 2, 2011.

174. Nissenbaum, Helen. Privacy in Context: Technology, Policy, and the Integrity of Social Life (Palo Alto: Stanford University Press, 2009).

175. NIST. “Minimum Security Requirements for Federal Information and Information Systems,” FIPS PUB 200, March 2006.

176. OECD. “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” updated 2013, ,3746,en_2649_34223_1815186_1_1_1_1,00.html.

177. Office of the Victorian Privacy Commissioner. “A Guide to Completing Parts 3 to 5 of Your Privacy Impact Assessment Report,” Office of the Victorian Privacy Commissioner, Australia, 2009, $file/guideline_05_09_no2.pdf.

178. _____. “Privacy Impact Assessment: A Guide for the Victorian Public Sector,” Office of the Victorian Privacy Commissioner, Australia, April 2009, $file/guideline_05_09_no1.pdf.

179. Ollman, Gunter. “The Opt-In Botnet Generation: Social Networks, Hacktivism, and Centrally-Controlled Protesting,” Damballa, Inc. white paper, retrieved 2010.

180. Openwall. “ASIC/FPGA Attacks on Modern Hashes,” p. 45, last accessed October 16, 2013.

181. _____. “GPU Attacks on Modern Hashes,” p. 46, last accessed October 16, 2013.

182. Osterman, Larry. “Threat Modeling Again, Presenting the PlaySound Threat Model,” Larry Osterman's Weblog, September 17, 2007.

183. OWASP. “2013 Top 10 List,” last modified June 23, 2013.

184. _____. “Attack Template,” last modified May 6, 2008.

185. _____. “Cache Poisoning,” last revised April 23, 2009, https://www.owasp.org/index.php/Cache_Poisoning.

186. _____. “Category: Attack,” last modified August 10, 2012.

187. _____. “XSS Filter Evasion Cheat Sheet,” last revised September 17, 2013.

188. PCI Security Standards. “PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 2.0,” 2010.

189. Percival, Colin. “scrypt: A Key Derivation Function,” December 4, 2012.

190. Perlow, Jon. “New in Labs: Stop Sending Mail You Later Regret,” Official Gmail Blog, October 6, 2008.

191. Peterson, Gunnar. Personal communication, 2009.

192. Petitcolas, Fabien A. (translator). “La Cryptographie Militaire: Journal des Sciences Militaires,” January 1883, last updated May 29, 2013.

193. Pfitzmann, Andreas, and Marit Hansen. “A Terminology for Talking About Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management,” version 0.34, August 10, 2010.

194. Pilgrim, Mark. “Avoid Common Pitfalls in Greasemonkey: How the History of Greasemonkey Security Affects You Now,” O'Reilly Network, November 11, 2005.

195. Power, Richard. “There Is an Elephant in the Room; and Everyone's Social Security Numbers Are Written on Its Hide,” CyBlog, July 6, 2009.

196. Provos, Niels, and David Mazières. “A Future-Adaptable Password Scheme,” In USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999).

197. Ptacek, Thomas. “Applied Cryptography Engineering,” blog post, July 22, 2013.

198. Ptacek, Thomas H., and Timothy N. Newsham. “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,” Secure Networks Inc., Calgary, Alberta, Canada, 1998.

199. Rabkin, Ariel. “Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook,” In Proceedings of the Fourth Symposium on Usable Privacy and Security (SOUPS), pp. 13–23 (ACM, July 23–25, 2008, Pittsburgh, PA).

200.      Radke, Kenneth, Colin Boyd, Juan Gonzalez Nieto, and Margot Brereton. “Ceremony Analysis: Strengths and Weaknesses,” In Future Challenges in Security and Privacy for Academia and Industry, pp. 104–15 (Berlin: Springer, 2011).

201.      Rains, Tim. “Software Vulnerability Management at Microsoft,” post to Microsoft Security Blog, June 30, 2013, and linked white paper of the same name, July 2010.

202.      Raymond, Eric S. The Cathedral and the BazaarMusings on Linux and Open Source by an Accidental Revolutionary (Sebastopol: O'Reilly, 2001).

203.      Reason, James T. The Human ContributionUnsafe ActsAccidents and Heroic Recoveries (Burlington: Ashgate Publishing, 2008).

204.      Reeder, R. W. “Expandable Grids: A User Interface Visualization Technique and a Policy Semantics to Support Fast, Accurate Security and Privacy Policy Authoring.” Ph.D thesis, Carnegie-Mellon University Computer Science Department. CMU tech report number CMU-CS-08-143 (July 2008).

205.      Reeder, Rob, E. Kowalczyk, and Adam Shostack. “Helping engineers design NEAT security warnings,” In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), PittsburghPA. 2011.

206.      Reeder, Robert W. “Measuring Trust User Experiences,” Microsoft internal document, March 10, 2008.

207.      Reeder, Robert W., Lujo Bauer, Lorrie F. Cranor, Michael K. Reiter, and Kami Vaniea. “More Than Skin Deep: Measuring Effects of the Underlying Model on Access-Control System Usability,” In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2065–74. ACM, 2011,˜lbauer/papers/2011/chi2011-semantics.pdf.

208.      Reiger, Frank, “Chaos Computer Club breaks Apple TouchID,” Blog post 21 September, 2013,

209.      Reiner, Rob. The Princess Bride. Buttercup Films, Ltd. 1987. (DVD)

210.      Remes, Wim. “wow. . . Hotwire removes stored CC information from account upon password reset. That's actually awesome,” Twitter, July 20, 2013,

211.      Rescorla, Eric, and Brian Korver. “Guidelines for Writing RFC Text on Security Considerations,” BCP 72, RFC 3552, July 2003,

212.      Revuru, Anil. “Threat Analysis and Modeling (TAM) v3.0—Learn about the New Features,”

213.      Rice, Alex. “A Continued Commitment to Security,” January 26, 2011, and

214.      _____. “Social Authentication,” Microsoft Blue Hat, December 14, 2012,, and personal communication.

215.      Ristić, Ivan, SSL Threat Model, September 9, 2009

216.      Roberts, Paul F. “Leaky Web Sites Provide Trail of Clues About Corporate Executives,” IT World, August 13, 2012,

217.      Rosenquist, Matt, “Prioritizing Information Security Risks With Threat Agent Risk Assessment,” Intel Corporation White Paper, December 2009.

218.      Ross, Arun A., Jidnya Shah, and Anil K. Jain. “Toward Reconstructing Fingerprints from Minutiae Points,” In SPIE Proceedings Vol5779, pp. 68–80. International Society for Optics and Photonics, 2005.

219.      Rubin, Jeffrey, and Dana Chisnell. Handbook of Usability TestingHow to PlanDesignand Conduct Effective Tests2nd Edition (Indianapolis: Wiley, 2008).

220.      Ruderman, Jesse. “Race Conditions in Security Dialogs,”, July 1, 2004,

221.      Ruiz, Guifré, Elisa Heymann, Eduardo César, and Barton P. Miller. “Automating Threat Modeling Through the Software Development Life-Cycle,” XXIII Jornadas de Paralelismo (JP2012), Elche, Spain, September 2012.

222.      _____. “Detecting Cognitive Causes of Confidentiality Leaks,” Electronic Notes in Theoretical Computer Science 183 (2007): 21–38.

223.      Rukšenas, Rimvydas, Paul Curzon, and Ann Blandford. “Modelling and Analysing Cognitive Causes of Security Breaches,” Innovations in Systems and Software Engineering 4, no. 2 (2008): 143–60,˜pc/publications/2008/rrpcabISSE2008preprint.pdf.

224.      Ryan, Peter. Modeling and Analysis of Security Protocols (Boston: Addison Wesley, 2000).

225.      Saitta, Paul, Brenda Larcom, and Michael Eddington. “Trike v. 1 methodology document [draft],” July 13, 2005,

226.      Salter, Chris, O. Sami Saydjari, Bruce Schneier, and Jim Wallner. “Toward a Secure System Engineering Methodology,” In Proceedings of the 1998 workshop on New Security Paradigms, pp. 2–10 (ACM, 1998),

227.      Sassaman, Len, Meredith L. Patterson, Sergey Bratus, and Michael E. Locasto. “Security Applications of Formal Language Theory,” IEEE Systems Journal 7(3): 489–500 (2013).

228.      Sasse, Angela. Personal communication, 2012.

229.      SC Magazine. “Amenaza Technologies Ltd. SecurITree” review, February 1, 2007,

230.      Schechter, Stuart. “Common Pitfalls in Writing About Security and Privacy Human Subjects Experiments, and How to Avoid Them,” Microsoft Research, January 15, 2013, MSR-TR-2013-5,

231.      Schechter, Stuart, A. J. Bernheim Brush, and Serge Egleman. “It's No Secret: Measuring the Security and Reliability of Authentication via ‘Secret’ Questions,” Microsoft Research, May 17, 2009,

232.      Schechter, Stuart, Serge Egelman, and Robert W. Reeder. “It's Not What You Know, But Who You Know: A Social Approach to Last-Resort Authentication,” In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1983–92 (ACM, 2009),

233.      Schmid, Joachim. “AsmGofer,” last updated 2009,

234.      Schnieier, Bruce. “Announcing: Movie Plot Threat Contest,” Blog post, April 1, 2006,

235.      _____. “Attack Trees,” Dr. Dobb's Journal, December 1999, Schneier blog,

236.      SDL Team. “Necessary, Explained, Actionable, and Tested (NEAT) Cards” SDL blog, October 9, 2012,

237.      SeaMonster. “Security Modeling Software,” SourceForge, last updated May 7, 2013,

238.      Securosis, Mike Rothman. “The CISO's Guide to Advanced Attackers: Sizing Up the Adversary [New Series],” Securosis blog, April 16, 2013,

239.      Shachtman, Noah. “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack,” Wired online, August 25, 2010,

240.      Shachtman, Noah, and David Axe. “Most U.S. Drones Openly Broadcast Secret Video Feeds,” Wired online, October 29, 2012,

241.      Shamir, Adi, and Eran Tromer. “Acoustic Cryptanalysis: On Nosy People and Noisy Machines,” last accessed on October 16, 2013,˜tromer/acoustic/.

242.      Shane, Scott. “A Spy's Motivation: For Love of Another Country,” The New York Times, April 20, 2008,

243.      Shostack, Adam. “Adding Usable Security to the SDL,” 2011, Microsoft Developer Network, and

244.      _____. “Buffer Overflows and History: A Request” (including comments), Emergent Chaos, October 20, 2008,

245.      _____. “Elevation of Privilege,” Microsoft Security Development Lifecycle, February 7, 2013, and˜adam/Elevation-of-Privilege-BlackHat2010ShostackFinal.pptx.

246.      _____. “Elevation of Privilege: Drawing Developers into Threat Modeling,” white paper, December, 2012,

247.      _____. “Engineers Are People, Too.” Keynote at Software and Usable Security Aligned for Good Engineering (SAUSAGE) Workshop, reported in “DRAFT Report on the NIST Workshop - I3P,” August 2011 (p. 24); slides available at˜adam/Engineers-are-people-too-SAUSAGE.pptx.

248.      _____. “Google+ Failed Because of Real Names,” Emergent Chaos, January 25, 2012,

249.      _____. “Helping Engineers Design NEAT Security Warnings,” Microsoft Security Development Lifecycle, May 4, 2011, and

250.      _____. “Think Like an Attacker?” Emergent Chaos, September 17, 2008,

251.      _____. “The Discipline of ‘Think Like an Attacker’,” Emergent Chaos, September 22, 2008,

252.      Shostack, Adam, and Danny Dhillon. “Threat Modeling: Lessons Learned and Practical Ways to Improve Your Software,” RSA, March 4, 2010.

253.      Shostack, Adam, and Andrew Stewart. The New School of Information Security (Boston: Addison Wesley, 2009).

254.      Shostack, Adam, and Paul Syverson. “What Price Privacy?” (2003),

255.      Simidchieva, Borislava. “Yolo County Election Process Model and Fault Tree Analysis,” Laser Library, June 9, 2010,

256.      Simidchieva, B. I., S. J. Engle, M. Clifford, A. C. Jones, B. Allen, S. Peisert, M. Bishop, et al. “Modeling and Analyzing Faults to Improve Election Process Robustness,” 2010 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections, Washington, D.C., 2010. Retrieved from

257.      Social Security Administration. “Hearing on Identity Theft and Tax Fraud,” May 8, 2012,

258.      _____. “New Numbers for Domestic Violence Victims,” SSA Publication 05-10093, ICN 468615, August 2011,

259.      Solove, Daniel J. Understanding Privacy, (Cambridge: Harvard University Press, 2008).

260.      Sportsman, Nathan. “Threat Modeling,” Praetorian presentation, 2011,

261.      Stack Overflow. “Using a regular expression to validate an email address,” Stack Overflow, last accessed June 21, 2013,

262.      Stajano, Frank, and Paul Wilson. “Understanding Scam Victims: Seven Principles for Systems Security,” Communications of the ACM, March 2011, vol. 54, no. 3.

263.      Star, Susan Leigh, and James R. Griesemer. “Institutional Ecology, Translations and Boundary Objects: Amateurs and Professionals in Berkeley's Museum of Vertebrate Zoology, 1907–39.” Social Studies of Science 19, no. 3 (1989): 387–420.

264.      Stevens, James F., Richard A. Caralli, and Bradford J. Willke. “Information Asset Profiling,” Technical Note CMU/SEI-2005-TN-021 (Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2005).

265.      Sweeney, Latanya. “k-anonymity: A Model for Protecting Privacy,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5 (2002): 557–570.

266.      Swiderski, Frank. “Threat Modeling Tool Revealed,” Channel 9, July 9, 2004, last accessed October 17, 2013,

267.      Swiderski, Frank, and Window Snyder. Threat Modeling (Redmond: Microsoft Press, 2004).

268.      Swire, Peter. “A Model for When Disclosure Helps Security: What Is Different About Computer and Network Security?” Journal on Telecommunications and High Technology Law 2 (2004).

269.      Swire, Peter, and Casandra Q. Butts. “Addressing the Challenges of Identification and Authentication in American Society,” Center for American Progress, June 2, 2008,

270.      Sydney Morning Herald. “Woman Fools Japan's Airport Security Fingerprint System,” The Sydney Morning Herald, January 2, 2009,

271.      Syverson, Paul. “Sleeping Dogs Lie in a Bed of Onions But Wake When Mixed,” Fourth Hot Topics in Privacy Enhancing Technologies (HotPETs 2011),

272.      TASM Toolset. “Specification, Simulation, and Formal Verification of Real-Time Systems,” ACM Digital Library, 2007,

273.      Thorsheim, Per. “Why History May Be Bad for You,” Security Nirvana, November 26, 2009,

274.      ThreatModeler. “Getting Started with ThreatModeler,” “Quick Start Guide,” and “Data Sheet,” MyAppSecurity, 2013,

275.      Torr, Peter. “Guerrilla Threat Modelling (or ‘Threat Modeling’ if you're American),” Microsoft Developer Network, February 22, 2005,

276.      Towle, Holly K. “Personal Data as Toxic Waste: A Data Protection Conundrum,” Privacy and Data Security Law Journal, June 2009.

277.      Trike. “Trike Tools,” Octotrike, last accessed October 17, 2013,

278.      Ur, B., P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor. “How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation,” USENIX Security 2012.

279.      US-CERT. “Risks of Using the Intelligent Platform Management Interface,” US-CERT Alert TA13-207A, July 26, 2013,

280.      _____. “State-Based Firewalls Fail to Effectively Manage Session Table Resource Exhaustion,” CERT Vulnerability Note VU#539363, October 15, 2002, last revised January 6, 2003,

281.      Van Dijk, Marten, Ari Juels, Alina Oprea, and Ronald L. Rivest. “FlipIt: The Game of ‘Stealthy Takeover’,” Journal of Cryptology (2012): 1–59.

282.      Van Duyne, Douglas K., James A. Landay, and Jason I. Hong. The Design of Sites: Patterns for Creating Winning Web Sites (Boston: Pearson, 2007).

283.      VeriSign. “VeriSign® NetDiscovery Lawful Intercept Compliance Solutions,” White paper 00017651, November 28, 2007,

284.      Verizon. “2013 Data Breach Investigations Report,” Verizon, 2013,

285.      Visual Paradigm. “Data Flow Diagram,” December 4, 2006,

286.      Von Neumann, John. “Various techniques used in connection with random digits,” Applied Math Series 12, no. 36–38 (1951): 1.

287.      Ware, Willis H. “Records, Computers and the Rights of Citizens,” No. P-5077. Rand, 1973.

288.      Wells, Joseph. Corporate Fraud Handbook, 3rd ed. (Indianapolis: Wiley, 2011).

289.      White, Dominic. “Corporate Threat Modeler,” SensePost, update 2010,

290.      _____. “Threat Modeling Workshop,” SensePost, update 2010,

291.      Whitehouse, Ollie. “Real World Application Threat Modeling By Example,” 44Con 2013.

292.      Whitten, Alma, and J. Doug Tygar. “Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0,” In Proceedings of the 8th USENIX Security Symposium, 1999.

293.      Wikipedia. “Battle of Midway: Allied Code-Breaking,” last modified October 7, 2013,

294.      _____. “Birthday Problem,” last modified October 1, 2013,

295.      _____. “Data Encryption Standard,” last modified October 5, 2013,

296.      _____. “Evaluation Assurance Level,” October 11, 2013,

297.      _____. “GOMS (Goals, Operators, Methods, and Selection rules),” last updated August 7, 2013,

298.      _____. “Kerckhoffs's Principle,” last updated October 12, 2013,

299.      _____. “Responsibility Assignment Matrix (RAM),” last modified October 15, 2013,

300.      _____. “SYN Flood,” last modified September 16, 2013,

301.      Williams, Laurie, Michael Gegick, and Andrew Meneely. “Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer,” In Engineering Secure Software and Systems, pp. 122–34. (Berlin: Springer, 2009).

302.      “Windows 8 Integration,” Mozilla Wiki, last modified on July 29, 2012,

303.      Yanisac, Alex, Harold Purdue, and Jeff Landry. Personal communication, 2012.

304.      Young, Rupert. “How Often Do Users Reset or Delete Their Cookies?” comment on thread, January 26, 2011,

305.      Yu, Persis S., and Shanon M. Dietrich. “Broken Records: How errors by criminal background checking companies harm workers and businesses,” April 2012, available at

306.      Zalewski, Michal. “Add a Security Delay to the Main Action of Popup Notifications (Bug #583175),” Bug report and discussion, July 29, 2010,

307.      _____. The Tangled Web: A Guide to Securing Modern Web Applications (San Francisco: No Starch Press, 2011).

308.      Zhang, Yinqian, Fabian Monrose, and Michael K. Reiter. “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis,” Proceedings of the Seventeenth ACM Conference on Computer and Communications Security, pp. 176–86 (ACM, 2010).

309.      Zooko. “Names: Decentralized, Secure, Human-Meaningful: Choose Two,”, last updated January 30, 2006,