
Long Term Security Attitudes and Practices Study - ironfog
https://www.liquidmatrix.org/blog/2018/09/29/long-term-security-attitudes-practices-study/
======
ironfog
OP here...

TL;DR: I need participants in a long-term study I'm launching to understand
how security professionals make decisions.

A few years ago (at a prior job) a non-security colleague asked me "what's
good enough" when it comes to security in a product. I knew what I wanted for
the product we both worked on and I knew what the standards said but I
couldn't answer that question on behalf of other security practitioners.

Proof by construction: security practitioners at our customers were willing to
accept less-than-perfect standards compliance, but what was acceptable and
what wasn't varied considerably across hundreds of organizations. That
question has stuck in my head for years. "What's good enough" really means, to
me, "what makes a security practitioner tick?"

Is it risk tolerance? Business pragmatism? Deeper security knowledge? Type of
business? The list goes on as to what might drive the decisions a security
professional might make in a given context. I'm hoping to answer those
questions, and so I'm launching a community-based (no vendors or sponsors)
long-term study to figure out what makes security practitioners tick. Data and
analysis will all be open (but anonymous).

If you're interested in participating (or the idea itself) please read the
linked article. Sharing with folks you think might be interested in
participating would be appreciated as well.

