Conversation

@deansaxe deansaxe commented May 7, 2025

Following our last meeting, I've created the first version of the outline of the cybersec awareness month planning guide.

First version of the outline of the cybersec awareness month planning guide.
@seanmillerrsa seanmillerrsa left a comment

Great doc!

deansaxe commented May 7, 2025

I addressed the initial feedback from @jeankaplansky and @seanmillerrsa in the latest version.

@xmlgrrl xmlgrrl left a comment

Great outline. We can iterate as we get exposure to more feedback in CG meetings and the like. My only feedback for now is that it might be useful to stress what not to do, e.g., don't write down all your passwords in a notebook. (An elderly family member had hers stolen!...)

@jeankaplansky

> Great outline. We can iterate as we get exposure to more feedback in CG meetings and the like. My only feedback for now is that it might be useful to stress what not to do, e.g., don't write down all your passwords in a notebook. (An elderly family member had hers stolen!...)

Agreed. OTOH, getting a stubborn elder family member to use password management software can be challenging. Many older people will change their passwords if they don't remember them, and they will willingly forget about password management apps. The other issue is getting the same older people to update password management apps if they are cognitively blocked from remembering that the password management app even exists.

Learned experience: Some older people need a human password manager AND an app.

deansaxe commented May 8, 2025

Thank you @xmlgrrl and @jeankaplansky. I love what this conversation is exposing.

Personally, I think writing down your passwords is fine behavior for many people whose threat model is not the same as mine. Loss of that book could be devastating, but it is hopefully less frequent than account takeover due to reused passwords.

@jeankaplansky One of my biggest concerns with passkeys is exactly what you're pointing at. Password managers can be challenging. Interfaces are inconsistent. Access to the credentials after the owner has passed away could be impossible if the provider doesn't allow legacy contacts access to the data.

This is giving me a lot to think about for how we frame this guidance, especially regarding how it's framed for someone who is not like me. Someone who is not comfortable with technology and all of the decisions that have to be made will approach this in a very different manner.

@jeankaplansky

> Thank you @xmlgrrl and @jeankaplansky. I love what this conversation is exposing.
>
> Personally, I think writing down your passwords is fine behavior for many people whose threat model is not the same as mine. Loss of that book could be devastating, but it is hopefully less frequent than account takeover due to reused passwords.
>
> @jeankaplansky One of my biggest concerns with passkeys is exactly what you're pointing at. Password managers can be challenging. Interfaces are inconsistent. Access to the credentials after the owner has passed away could be impossible if the provider doesn't allow legacy contacts access to the data.
>
> This is giving me a lot to think about for how we frame this guidance, especially regarding how it's framed for someone who is not like me. Someone who is not comfortable with technology and all of the decisions that have to be made will approach this in a very different manner.

I use passkeys and biometrics on mobile devices. I never tried to explain either passkeys or biometrics with my dad. He didn't use his phone as wallet (I do), and he had enough problems with passwords and differentiating between bank apps and bank web apps.

We need to be ready for people like my dad.

rkzack commented May 9, 2025

Great. But, one thing to consider: I advise caution when collecting and storing account names/logins in an insecure way, as generally speaking, that information is also considered sensitive or protected per most security frameworks.

Why? In practice, the vast majority of people still re-use passwords across accounts, usually having 3-4 primary passwords they re-use. So having a list of their account names increases the risk of greater compromises in the event one of those passwords is compromised.

Ideally, step 1 should be that all this info should be recorded in a secured, encrypted location, accessible only to fiduciaries when the time comes.

@gffletch

This feels like we need a risk model for this topic :-) At the end of the day, the mechanism most likely to be kept up to date by the human is probably the best option.

@gffletch

Do we need to pull in concepts like a revocable living trust? Does that change anything?

@gffletch

I am a little surprised that utilities come before financial accounts

@deansaxe
> I am a little surprised that utilities come before financial accounts

Just my first best guess. None of this is fixed in stone, it's a place to start talking.

@deansaxe deansaxe merged commit ec2ed07 into openid:main May 13, 2025
@deansaxe
Merged, I'll queue this up for the next agenda on Friday's meeting.

- Does the service offer a legacy contact or other mechanism for delegation of control?
- If so, what was the chosen mechanism? Include URLs or other data as needed.
- Does the service explicitly ban taking over access to a personal account?
- How do you want your account managed by your estate?
There is a whole forward-looking aspect that can be included here as relates to how someone wants their "personhood" preserved and/or their content used posthumously. To me it's the extension or inverse of the living will.

Thinking - reanimation, use of content to fuel grief bots, etc. The law hasn't really caught up here but the more we can encourage people to try to envision what they protected as relates to their identity and legacy, the better. Elders right now won't have as much to say, but anyone middle age and younger at minimum should be considering this.

- Does the service explicitly ban taking over access to a personal account?
- How do you want your account managed by your estate?
- Need to list options here.
- Who will manage your digital estate?
To the point I made above about posthumous digital personhood, what does it mean for someone to manage your full digital legacy/personhood? What's the amount of time someone could/would do that? Does it matter if your intentions are forgotten in fifty years when no one you knew is around regardless?

- How will they know your wishes? Have you communicated any recovery mechanisms to them already, e.g. Apple's recovery QR code?
- How will they get access to your passwords, passkeys, OTPs (SMS and TOTP), and other credentials necessary to access your accounts?
- If you store data securely in a safe deposit box, it may not be accessible when needed. Consider how you might be able to store this in a more accessible location, e.g. fireproof safe. (Consult local laws.)
- How will you ensure the manager does not get access to the accounts/data before necessary?
This is such a robust dilemma. Account identities need to be protected at all costs all the time, except for that one time when you are incapacitated or dead. There has to be an easier way to solve this. Biometrics are useful but to another comment, not prevalent for elder people especially. Like having a virtual vault that opens on command to only one person when conditions are met.

Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the way you're thinking. In the identity world we're starting to discuss this as a concept of "delegated authorization" where the delegation includes some conditionals such as whether a person is deceased. @gffletch and others are actively working on/thinking about these issues.
