Exploring Thermodynamics: How can we use concepts for everyday life?


How did I get here? What made me start to look at the Laws of Thermodynamics? You can blame Charlie Munger for that.

The name Charlie Munger might not ring a bell for many of you, but it probably should. He is the silent partner of Warren Buffett, and really only speaks at the annual shareholders’ meetings for Berkshire Hathaway and some other companies that he partially owns. Whenever he speaks, though, the connections he draws between business, science, mathematics, philosophy, and psychology cause people all over the world to fight for a seat in the audience. Charlie talks about how he uses mental models from nearly all disciplines and walks of life to aid him in his investment decisions. One of these models is Thermodynamics, so I figured it wouldn’t hurt to look it up.

The word Thermodynamics sounds like it would have to do with heat, but it is more than that. It describes how heat, energy, and work function, and how they relate to each other. More broadly, it describes how objects and systems in the universe behave with each other and within themselves.

There are four Laws of Thermodynamics, which I will explain just a bit below. First and foremost though, I have to mention that the Laws of Thermodynamics are considered “universal”, meaning that they even apply outside of our Earthly environment. This is an important aspect and probably what inspired me to keep researching.

First Law of Thermodynamics

The First Law of Thermodynamics states that heat is a form of energy, and thermodynamic processes are therefore subject to the principle of conservation of energy. This means that heat energy cannot be created or destroyed. Think of a car’s engine. You put gas in, which contains a certain amount of energy. As it burns, that energy will turn into heat. The heat is used to make pistons move, so it is converted one more time into what scientists call work (when the car moves).

In life, we can keep this in mind when working to achieve our personal and professional goals. As we put energy and attention toward a task, no matter how small, the accomplishment of that task will build momentum and provide inspiration to seek the same accomplishment in another task.

US Navy Admiral William H. McRaven speaks and writes about this idea as well, stating that if you want to change the world, you should start by making your bed. This small and easily achievable task starts building that energy momentum for your day and allows you to continue achieving until you go to sleep.

There is also a Japanese concept called Kaizen, which means to continuously make small improvements over a long period of time. In our house, we describe this idea by asking “How do you eat an elephant?” As any of my kids can tell you, the answer is “One bite at a time.”

Second Law of Thermodynamics

The Second Law of Thermodynamics is about the quality of energy. It states that as energy is transferred or transformed, more and more of it is wasted. This introduces the concept of entropy. Entropy is that wasted energy, and this is where the scientists came back down to earth and recognized that the perfect system the first law seems to describe does not exist. Energy will gradually fade away.

The classic example of this statement is a hot cup of coffee left on a table. The coffee will eventually cool down, showing that heat only flows from high temperature to low temperature without the aid of something external adding heat (like a microwave).

This is a very important concept for us. People will often say that you need to take some time to reset, recharge, or relax. This is especially the case right now, when many of us are working from home and putting in far more hours than we normally would. If we keep grinding day in and day out without some sort of external source of energy, we experience burnout. As an example, I enjoy getting involved with my kids’ sports, trying not to burn things on the grill, and fixing stuff around the house. If you noticed, those activities almost never involve IT or security.

Third Law of Thermodynamics

The Third Law of Thermodynamics states that entropy of a system approaches a constant value as its temperature approaches absolute zero.

There are no practical everyday examples of the Third Law of Thermodynamics, but it makes sense when you think of it abstractly. When the willpower and motivational “fire” run out, we become stagnant and the likelihood that we will change becomes less and less. Think about this. The longer we sit in a chair, the less willing we are to get up. The longer we stay in a bad habit, the less likely we are to change it.

In the Army, we called this “short-timer’s syndrome”. It meant that as soon as you accepted the fact that you were about to leave (changing stations, separating, retiring), there was a high likelihood that you were going to skate by and do the bare minimum for the remainder of your time. What we can do with this information is recognize when our motivation starts to dwindle and find one of those external sources that we’ve already covered.

Zeroth Law of Thermodynamics

Zeroth? What’s that all about? Scientists consider the fourth law so essential and universal to Thermodynamics that they thought it should come before all the others. And instead of renumbering them, scientists decided to call it the Zeroth Law.

The Zeroth Law of Thermodynamics states that if two thermodynamic systems are each in thermal equilibrium with a third one, then they are all in thermal equilibrium with each other.

The easiest example of this law is to think of a thermometer. In the old days we primarily used mercury thermometers to check the temperature. We don’t use them as much now because if the glass holding the mercury broke or started leaking, the mercury would contaminate the air and poison us. Obviously you would be cautious about putting such a device in your mouth. However, let’s say we did use a mercury thermometer to check our temperature. Our body, through our mouth, heats the glass; the glass in turn heats the mercury, causing it to expand and show what our temperature is. Our mouth and the glass reach a state of thermal equilibrium, while the glass and the mercury also reach a state of thermal equilibrium. Even though our mouth and the mercury aren’t touching or directly exchanging heat, we know that they are also in thermal equilibrium.

It may be a stretch, but I like to think of the Zeroth Law of Thermodynamics in the same way that I think of the Six Degrees of Kevin Bacon. When we think of those systems as people, we can use this principle to remind ourselves that no matter what we are struggling with now, someone else either has struggled or is struggling with it as well. There is always someone out there who we can lean on or share our troubles with. Nobody is alone. This is especially important in the information security community.

Thank you for bearing with me and the science. If you’ve made it this far, you have both my congratulations and my condolences. I sincerely hope that you were able to get something out of these thoughts and observations.

The 4 Pillars of Insider Threat Protection

You can find the complete Insider Threat Protection Framework here.

You wake up on Monday morning, get ready, pour yourself a cup of coffee and sit at the kitchen table for your daily dive into your work phone to see what sort of meetings you have planned for the day. The number of notifications on your lock screen instantly alerts your senses. Reading the top email, you find out that full account details for many of your customers have been leaked on the dark web and that you have additional emails and missed calls from members of the Department of Homeland Security. You rush to work, talking to members of your team during the entire commute.

How could a hacker have gotten in? You immediately enact your incident response plan, with a focus on finding out where the attack originated from and how it can be contained. Days go by and you’ve spent long days and longer nights looking through logs before discovering that everything points to a single workstation – yours. You suddenly remember a vendor invoice attachment from the week before that wouldn’t open, even after saving it to your desktop. The cause of those late nights, endless stress, and the loss of your company’s reputation, was one seemingly insignificant moment of inattention.

We’ve heard about similar situations and some of us have even experienced them ourselves. What could have been done differently? How can your organization ensure that something like this doesn’t happen? Insider threat is something that many organizations are worried about today. Studies have shown that it is the cause of the majority of security breaches, and according to several surveys, business and IT executives count it among their top concerns.

Insider threat protection consists of four primary pillars – technology, policy, training, and culture. Keep reading to learn more about how to improve these pillars and help to keep the ceiling from falling in on you.

Technology

There are several existing and emerging technical controls and tools specifically aimed at addressing insider threat concerns. The most common technical solutions mentioned today are for monitoring user behavior and creating actionable security intelligence. These can be categorized in two different ways. Some solutions simply record user actions through logs to make it easier to audit them, while others analyze the data to establish baseline behavior models and notify the security department when behavior becomes anomalous. Finally, some user monitoring solutions also record screenshots or video of user workstations, keystrokes, and mouse clicks in an attempt to make it easier to view user behavior both in real time and in the course of incident response. These solutions do well for detecting and responding to malicious insiders.

Another type of technical solution provides isolation in some way. These create sandbox environments where user actions cannot have a negative impact on the system they are using or on other network devices. I covered one of those in a guest interview on the podcast recently, but I am going to try to keep this as vendor agnostic as possible. The idea is that when users click on links or open attachments, or simply browse the web in the course of their job, they operate in a completely isolated environment: either their session is separated from the workstation they are working on, or the solution takes the website and translates it into a version that renders any malicious code or scripts ineffective. A longstanding and ever-growing concern is that advertisements on legitimate websites can compromise systems, or even scam users into thinking they have malware on their workstations and trick them into paying for unneeded products and services.

A more costly solution that addresses phishing campaigns is to automatically append text to links in emails or to subject lines for messages coming from external sources. This can be accomplished through both home-grown and commercial solutions and applied at the email server. If a user can see that an email came from outside the organization, they might be more aware of potential phishing. If they are forced to copy and paste a URL into their browser because links have been disabled through appended text, they could more readily notice that something in the path is suspicious. The drawback of these solutions when compared to commercial isolation methodologies is that by themselves they do not protect users from malicious email attachments, other than a potential notification that the message came from an external source.
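As an added illustration of the external-sender tagging described above (example code written for this page, not the author’s or any vendor’s), the Python below parses an inbound message, prepends an [EXTERNAL] tag to the Subject when the From domain is not in the organization’s list, and breaks the scheme of each URL in the plain-text body so mail clients stop rendering it as a clickable link. The internal-domain list, the tag text and the sample messages are constructed assumptions; HTML parts are left untouched here.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed organisation domains; anything else is treated as external.
INTERNAL_DOMAINS = frozenset({"corp.example"})
EXTERNAL_TAG = "[EXTERNAL]"
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real mail).
SAMPLE_EXTERNAL = b"""From: Accounts Payable <ap@vendor-invoices.example>
To: ceo@corp.example
Subject: Overdue invoice #4471
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it online at
https://vendor-invoices.example/inv/4471 before Friday.
"""

SAMPLE_INTERNAL = b"""From: HR <hr@corp.example>
To: all@corp.example
Subject: Team lunch
Content-Type: text/plain; charset="utf-8"

Menu is posted at https://intranet.corp.example/lunch
"""


def sender_domain(msg):
    """Domain of the From header, lower-cased; empty if unparseable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    return sender_domain(msg) not in {d.lower() for d in internal_domains}


def disable_link(url):
    """Insert text into the scheme so the URL is no longer auto-linked;
    the reader has to consciously repair it and paste it into a browser."""
    scheme, rest = url.split("://", 1)
    return f"{scheme}[EXTERNAL-LINK]://{rest}"


def tag_external_message(raw, internal_domains=INTERNAL_DOMAINS):
    """Return the parsed message, tagged and link-disabled if external."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_external(msg, internal_domains):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    # Rewrite URLs in every plain-text part (HTML parts are not handled here).
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_content()
            part.set_content(URL_RE.sub(lambda m: disable_link(m.group(0)), body))
    return msg
```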

Finally, traditional security controls that are part of typical security hygiene or best practices can go a long way in protecting against insider threat. Role-based access controls can help to reduce a malicious insider’s ability to compromise production systems or exfiltrate sensitive data. Logs associated with user accounts can be gathered, then sent to a Security Information and Event Management (SIEM) solution to give administrators a better idea of what is happening in their systems. Events like security group changes and failed logins can be good indicators of abnormal or malicious activity. Identity management solutions or methodologies can be used to ensure that users are authorized to access data and applications, while also preventing former employees from being able to gain access after they have left.
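To show the kind of SIEM-style rule the paragraph has in mind, here is an added example (not the author’s code) that runs two detections over constructed log lines: a burst of failed logons for one account within a sliding time window, and a membership addition to a privileged group, with self-additions flagged for the fastest review. The key=value log format, hostnames, account names, group names and thresholds are all constructed for the example.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a simple key=value format. This is not any
# vendor's real event schema; a SIEM would normalise Windows or syslog events
# into something comparable before rules like these run.
SAMPLE_LOGS = """\
2024-03-04T08:00:01Z host=WS-017 event=logon_failed user=jsmith src=10.0.4.21
2024-03-04T08:00:09Z host=WS-017 event=logon_failed user=jsmith src=10.0.4.21
2024-03-04T08:00:15Z host=WS-017 event=logon_failed user=jsmith src=10.0.4.21
2024-03-04T08:00:22Z host=WS-017 event=logon_failed user=jsmith src=10.0.4.21
2024-03-04T08:00:31Z host=WS-017 event=logon_failed user=jsmith src=10.0.4.21
2024-03-04T08:00:40Z host=WS-017 event=logon_success user=jsmith src=10.0.4.21
2024-03-04T08:03:12Z host=DC-01 event=group_member_added group="Domain Admins" member=jsmith actor=jsmith
2024-03-04T09:15:00Z host=WS-022 event=logon_failed user=amiller src=10.0.4.88
2024-03-04T09:45:00Z host=WS-022 event=logon_failed user=amiller src=10.0.4.88
2024-03-04T10:02:00Z host=DC-01 event=group_member_added group="Sales" member=amiller actor=hr_admin
"""

# Assumed list of groups whose membership changes always warrant an alert.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Schema Admins"})


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed UTC timestamp."""
    ts_text, *fields = shlex.split(line)  # shlex keeps quoted values together
    event = {"ts": datetime.fromisoformat(ts_text.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events, threshold=5, window_seconds=300):
    """Alert once per account that accrues `threshold` failed logons inside a
    sliding window: a few spread-out failures are typing errors, a tight burst
    looks like guessing or a stuck script."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "logon_failed":
            continue
        user = ev["user"]
        window = recent[user]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"rule": "failed_login_burst", "user": user,
                           "count": len(window), "host": ev.get("host"),
                           "src": ev.get("src")})
    return alerts


def privileged_group_changes(events, privileged_groups=PRIVILEGED_GROUPS):
    """Alert on every addition to a privileged group; mark self-additions."""
    alerts = []
    for ev in events:
        if ev.get("event") == "group_member_added" and ev.get("group") in privileged_groups:
            alerts.append({"rule": "privileged_group_change", "group": ev["group"],
                           "member": ev.get("member"), "actor": ev.get("actor"),
                           "host": ev.get("host"),
                           "self_added": ev.get("actor") == ev.get("member")})
    return alerts


def run_detections(text):
    events = parse_logs(text)
    return failed_login_bursts(events) + privileged_group_changes(events)
```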


Policy

Any security policy serves multiple purposes. First, it can be used to communicate acceptable use and restrictions to the users so they are not caught unaware in cases where the security rules in an organization are broken. Security policy also serves to bridge any gaps between technical controls and solutions. These are called policy controls, and although they only exist on paper, they can be very effective. When it comes to insider threat policy, there are several key elements to keep in mind.

You should begin by defining both the threat and the policy itself. Through these definitions, when properly coordinated, the organization can ensure that everyone is on the same page. One person’s idea of insider threat may well differ from another’s, but it is important that the policy offers standardization. After defining the threat and the policy, the actual rules must be provided. Most of these will be covered already in your Acceptable Use Policy, Mobile Device Policy, Access Control Policy, or others. To save time and effort for both the author and the reader, it is a good idea to only provide general overviews of these rules, then point to the specific policy that provides more detail.

When providing the “what” and “how” in policy, it is also important to explain the “why”. Security policy does not only exist for the security department, legal, or management. It is also used to inform the employee base, and it will be more effective if they understand the reason behind the rules. Explain how the restrictions will help them to accomplish their job tasks more effectively and efficiently.

Good security policy should also explain the ways that it will be enforced. Outline the tools and methodologies that are in use in your organization to detect and respond to deviant behavior. Doing this will make users more aware as well as provide deterrence. If they know that you are watching and have a general idea of how you are doing so, they might think again before accidentally or intentionally violating the policy. Outline the reporting procedures for anyone who suspects malicious or negligent behavior. They might not remember those procedures after first reading the policy, but they will know where to go if the situation arises.

To conclude the policy discussion, the policy must have support from executive management. When executives reference the policy, that means they understand the impacts of information security risk and its relationship to business risk. Subordinates will understand the importance of the policy and the effect will trickle down the reporting chain. On the other hand, if executive management ignores or speaks against the policy, it will be completely ineffective in its goal of reducing insider threat risk.

Training

Security awareness training impacts the likelihood of insider threat in two primary ways: educating users on acceptable behavior in the environment, and teaching them how to recognize and report suspected incidents. Effective awareness training can help to prevent accidental or negligent insiders, while also improving response efforts for malicious insiders. There are five elements of effective security awareness training: Purpose, Rules, Description of the Threat, Examples of the Threat, and Responding to Incidents. Some things to keep in mind with regard to the purpose are the reason that the organization is conducting the training, any compliance requirements, and the highlighting of key business functions and their associated systems that need to be protected.

The rules are concrete and should be detailed. They should reference the organization’s Acceptable Use Policy, Account Management or Provisioning Policy, Data Retention or Encryption Policies, and others that might be better related to the audience. This is where the bulk of the education should take place and employees should leave the training with a solid understanding of what they are and aren’t allowed to do on organizational systems and applications from a security perspective.

As with the policy section, you have to give the audience the “why” behind the training. This can be best accomplished through a detailed explanation of the threat as it pertains to them individually as well as the organization as a whole. Mention key business functions that impact the audience, like payroll, benefits, timekeeping, shipping, estimating, email, and other communications that the organization relies on for continued operation. The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission. To add to the threat explanation, examples can help to gain better understanding from the audience. These might contain any stories that the trainer or audience can share, real world incidents, and security incidents that could impact the audience’s personal lives. By relating the threat to the individual, there is a higher likelihood that they will understand and care about information security.

Another key element of security awareness training, as with policy, is to provide the audience with ways to detect negligent or malicious behavior, as well as the steps for reporting anything suspicious. This can be accomplished through Q&A, role-playing, or other methods that engage the audience and ensure understanding.

Some additional characteristics to keep in mind when planning and conducting awareness training are relevance to the audience, engagement, timeliness, and support. The training should be current and related to both the organization and the specific members of the audience. For example, it might not be effective to talk at length about the protection of financial information if the audience consists of shop floor workers. As soon as they realize that the information does not pertain to them or their role in the organization, they will stop paying attention. Audience participation is key and serves many purposes. It keeps them awake and allows for group thinking, as well as providing a method for the instructor to gauge understanding. Breaking the audience into groups for role play, quizzes, or games can have a dramatic effect on information retention.

Timeliness is another factor that should be taken into consideration when planning the information security awareness program. Some organizations have compliance requirements that stipulate the minimum frequency of training. Most of these are annual. The key when defining the frequency of training is to get the members of the organization thinking about security at all times, not just the 20 minutes each year that they are taking a test or sitting in a classroom. Another tip is to have someone from executive management stop by at the beginning of the class and offer endorsement. This simple act shows that they support the program and that it is important to the entire organization.

Culture

Security culture is the culmination of the other three pillars and represents the actual effectiveness of your organization’s insider threat protection program. It consists of the technological investments that have been implemented in the operating environment. It uses policy to inform the users of what actions are and aren’t allowed to take place on organizational assets, as well as to fill any holes that cannot be filled by technology. Training is also used to communicate the rules of behavior and engage users in a more social setting. While some employees may choose not to read the policy, they will still get the information from mandatory training. There are additional ways that security culture can be improved outside of those highlighted in the other pillars, however.

Employees should feel comfortable and obligated to report suspected insider threat incidents. Management should try to encourage such reports and offer praise or reward for doing so. An email going out to the entire firm thanking an employee for their report can have lasting effects. Not only will that particular person feel appreciated for their efforts, but every other employee will see the importance of constant vigilance. Corporate newsletters can contain a section on information security, which includes warnings about current attack methods and techniques, reporting procedures, and examples of other organizations in the same industry that were compromised.

Bring the topic of information security into everyday business conversation. Managers at the lowest level can send out a daily or weekly question to their teams related to the discussion and grade their subordinates on both their participation and correctness. It doesn’t matter if coworkers work together or otherwise “cheat” to get their answers. The point is that they are talking or reading about information security.

Finally, the success of the insider threat protection program can be measured and the results can be communicated for further improvement. The organization can measure the number of insider threat incidents, as well as the number of reports. The scoring method for this measurement will be unique to the organization, but shouldn’t be dependent upon the number of incidents, as those will remain in a constant state of flux.

Through proper use of the four pillars of insider threat protection, its associated risk can be managed and reduced.

Building a Cybersecurity Safety Net

Originally published at TheCybersecurityPlace.com

A circus might employ the best clowns, magicians, and performers in the world. The big attraction, however, is the trapeze artists. These brave souls soar high above the crowds, performing aerial stunts that defy gravity. The nature of their craft is inherently dangerous, and no matter how skilled the trapeze artists are or how much the circus spends on training and roped bars, there is always a chance that a mistake or other unforeseen event could cause them to fall. Even though much time and effort is spent on making sure that the trapeze artists stay in the air, there is always a net to catch them.

There has been a continuous shift over the last year in the cybersecurity strategies of large organizations. With the high-profile attacks on Sony, Home Depot, the United States Office of Personnel Management, the White House, and others, executives are no longer trying to determine if they will be attacked, but when.

Until recently, the focus of security strategies has been to reduce the likelihood of a successful attack through perimeter defenses. As a result, even organizations that spent their entire IT budgets on the newest and greatest intrusion detection/prevention systems, firewalls, and vulnerability management tools still became victims, due to a zero-day exploit module downloaded by a teenage amateur “hacker” or an unaware employee clicking on a link or opening an email attachment. Now we see large organizations reallocating a portion of their money into a cybersecurity “safety net”, which we will revisit shortly.

It is important to understand and remember the primary purpose of cybersecurity when making investment decisions and plans. Cybersecurity isn’t about “keeping the bad guys out” or even safeguarding information. It isn’t about making sure that all the blocks are marked on a compliance checklist or maintaining access control lists. The purpose of cybersecurity is to protect key business processes and capabilities. All the other bits and bobs that we trouble ourselves with are just popular methods to address that purpose.

In line with that thinking, and getting back to the topic at hand, organizations are looking beyond technical controls to protect their processes and capabilities, and are instead focusing on ways to minimize the impact of potential or expected cybersecurity incidents.

There has been a fairly recent increase in marketing for cybersecurity insurance programs. Other safety net methods being entertained are not new, but simply reinvigorated approaches to incident response and business continuity. The biggest difference today is that these approaches incorporate newer technology and there are numerous third-party organizations willing to do it all for you at a premium cost. The trend, if it wasn’t clear, is that organizations are starting to outsource their incident impact reduction efforts.

This is not to say that organizations are not concerned with traditional security controls and methodologies – they are just dedicating a larger portion of their budget to an arguably more effective approach to addressing cybersecurity concerns.

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.