Bio

I'm an entrepreneur, technologist, author, game designer, focused on improving security outcomes for my customers and the industry as a whole. I helped create the CVE and got autorun fixed. I create a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games and other forms of communication. I've built these at tiny startups and at Microsoft. I'm an affiliate professor at the University of Washington. At Microsoft, I was responsible for threat modeling tools and techniques, and have shipped two tools (one software, one a card game) to help software engineers analyze their software designs for security flaws. In that role, I was a key driver for Microsoft's Software Development Lifecycle. I also worked on human factors in security, including usable security and measuring how our customers'​ computers were compromised. I'm the author of Threats: What Every Engineer Should Learn from Star Wars (Wiley, 2023), Threat Modeling: Designing for Security (Wiley, 2014) and the co-author of The New School of Information Security (Addison-Wesley, 2008). Before Microsoft, I was a leader in 3 successful startups, including Netect (vulnerability management), Zero-Knowledge Systems (privacy) and Reflective (software security). I also helped drive the CVE project, launch the International Financial Cryptography Association and the Privacy Enhancing Technologies Symposium. Specialties: Information security and privacy, especially at the intersection of technology and people. Serious games. Systems design and architecture. User experience design.