»Mosaic Theory of Information Security«
2019-11-08, 10:00–10:25, Blue Day

In this talk, we discuss the relationship between information combined under mosaic theory in finance and unintentional disclosures faced by security teams. After the talk, you should be able to present concerns about potentially risky information to business stakeholders using a framework they may already know.

Seemingly insignificant information can be combined to constitute useful information you didn’t intend to reveal. In finance, this concept is called mosaic theory. Investment analysts using this principle combine non-material information to develop significant insights into companies’ upcoming results without verging into insider trading.

In non-financial information security, a similar principle applies. Many details, like those you might post to social media or include on a public resume, can be combined to deduce significant aspects of your organization’s private data. Small divergences from usual patterns can, when combined, give a competitor or potential attacker hints about your organization’s strategy, upcoming product launches, or other confidential or proprietary information.

See also: Slides from the talk