Social Engineering Your Metrics: Using Data Science to Provide Value in Security Reporting
About the Speaker

Senior OSINT Specialist at Qomplx, Inc.
Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. In addition to offering Open Source Intelligence (OSINT) training through The OSINTion, Joe is currently a Senior OSINT Specialist at Qomplx, Inc. and previously maintained his own blog and podcast called Advanced Persistent Security. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material to the likes of Tripwire, AlienVault, ITSP Magazine, CSO Online, Forbes, and Dark Reading, as well as to his own platforms. Joe is the author of a few OSINT tools, such as WikiLeaker and the forthcoming tools DECEPTICON and INTERCEPTICON.
Presentation Resources
Reporting is generally boring. Social engineering security consultants often get wrapped up in the hustle and bustle of performing the engagement, and report writing falls by the wayside. While the reports do go out and we meet client obligations, a serious question arises: Are we providing meaningful measurements, metrics, and advice to the client? We surely highlight the deficiencies and where to improve in a report, which is pretty standard. But how do we measure the things that matter most to the client? Measuring 'opens' just tells us how many people read their email, and clicks, while risky, do not always translate to negative outcomes. Instead of focusing on email opens or links clicked by users, this presentation introduces measurements rooted in statistics, data science techniques, and indicators that actually speak to the security posture and culture of the organization.