The security community knows, the weak link is the human factor - from the project manager deciding that "security costs too much," to the operational bypassing its own company security measure, passing through the end user believing that nobody will ever think how he is using its cat's name as a password or a developper not following best practices.
We all arrive to the same conclusion - we need to train people to the computer security stakes. According to the author's experience, standard Security training is focused on the technical context (what a password is, how does a computer work etc.) and tends to bore or scare a neophyte audience.
This briefing will propose a new way to train a neophyte audience to the basic principles of Computer Security. The training is developed around a role playing game consisting in attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes. The presentation will focus on the main feature of the training, and a white paper explaining how to conduct such a training will be available.
Tiphaine Romand-Latapie has just joined Airbus Group Innovation as a ResearchTeam leader. Prior that, she has worked five years as an engineer in appliedcryptography, and another five years in embedded security. She has passed thelast years in convincing top management, vendors, developer etc. in Orange tofollow security teams recommendations. She like crypto, hardware security,secure boot and system security but is curious about a lot of topics. As ahobby, she logs the most absurd quotes she hears in meetings. She also tweetsas @Flutsunami.