Forever on Page 50

With all the talk about how whatever ends up on the Internet will be around to be found forever, there are a couple of things:
 

  • It may be on the Internet still, however erased according to the Right to be Forgotten, but that doesn’t mean it can be found. When you’ve taken care to not re-raise attention too much, your shame-news will be on search results page 50+ and nobody will ever go there;
  • But then, if someone took care to actually download the items to some off-line storage, you’re doomed indeed. Yes I too have a lot of electronic files from 1-1-1980, a slew of them actually from around that time. Barely readable qua format but of course easily upgradable, script-wise.
  • Bots may be deployed, to compromise any site or so that has your want-disappearable info; may not be legal in all cases (could be, when an offline court ordered to be Forgotten…) but when the attention dies down, so few will want to restore your info once outdated. Society-beneficial to deploy ransomware on xyz-old site/db data ..?
  • Oh and the title certainly refers to your reading of Sloterdijk’s Spheres Part III as well, probably. Have passed that point handsomely, but with considerable effort. Applies to Musil’s Man Without Qualities Part III (Vol. II) also.

But then:
[A Cordoníu — note the accent! — may ‘save’ your sanity by unsaving your memory]

Book by Quotes: The Sarick Effect of Originals

How Original is that.
By Adam Grant. Well, it turns out to be (p.77). A very limited sample of quote-worthy lines, commented, from much more that one should live by:
”The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.” [George Bernard Shaw] (p.1)
[Quite a theme, and motto for a happy life]

In adulthood, many child prodigies become experts in their fields and leaders in their organizations. Yet “only a fraction of gifted children eventually become revolutionary adult creators,” … Most prodigies never make that leap. [to remaking a domain; ed.] They apply their extraordinary abilities in ordinary ways, mastering their jobs … without making waves. … Although we rely on them to keep the world running smoothly, they keep us running on a treadmill. (p.10)
[So, there’s hope for all of us, and less so for the few ones that were winning early on]

In the face of uncertainty, our first instinct is often to reject novelty, looking for reasons why unfamiliar concepts might fail. … As we gain knowledge about a domain, we become prisoners of our prototypes. (pp.40-41)
[Stay fresh! Refuse your own ‘regulatory capture’!]

When we’re trying to influence others and we discover that they don’t respect us, it fuels a vicious cycle of resentment. In an effort to assert our own authority, we respond by resorting to increasingly disrespectful behaviour. … But when power holders learned that their peers looked down on them, they retaliated … Just being told that they weren’t respected nearly doubled their chances of using their power in ways that degrade others. (p.66)
[This, of course is key to understand dictators in cold war power countries on all sides, and re the lesser countries with authoritarian ‘leaders’ (quod non), too. Vicious cycle, indeed…!
And do notice the ‘we’ in all of this; if you think you’re above this, or humble enough, forgettaboutit you only fool yourself!]

”Prophets of doom and gloom appear wise and insightful,” Amabile writes, “while positive statements are seen as having a naïve ‘Pollyanna’ quality.” (p.73)
[Indeed what, falsely often, appears to be happy-go-lucky is mistaken for lack of insight — even when simple doom and gloom may be the opposite, laziness of the mind to think rationally about chances.]

This is why we often undercommunicate our ideas. They’re already so familiar to us that we underestimate how much exposure an audience needs to understand and buy into them. (p.76)
[Yeah baby, look at the dismal readership stats of this blog; certainly I’ll have to much more vehemently restate my Original ideas…]

It is often the prickly people who are more comfortable taking a stand against others and against convention. As a Google employee put it, disagreeable managers may have a bad user interface but a great operating system. (p.81)
[May have a great OS; all but certain … And I feel with the prickly, non-coast-along stand-takers.]

Social scientists have long demonstrated this middle-status conformity effect. If you’re perched at the top, you’re expected to be different and therefore have the license to deviate. Likewise, if you’re at the bottom of a status hierarchy, you have little to lose and everything to gain by being original. But the middle segment of that hierarchy — where the majority of people in an organization are found — is dominated by insecurity. … To maintain and then gain status, you play a game of follow-the-leader, conforming to prove your worth as a group member. (pp. 82-83)
[Ah, license to deviate, but very probably still fearful as so many aren’t real leaders but still fearful, meek stool pigeons. Likewise, … at the bottom, when not if one still permanently fears for one’s job contract as is common these latter decades, one has much to lose and keeps quiet despite seeing so much conformity-stupidity all around…]

If creative procrastination, selectively applied, prevented Leonardo from finishing a few commissions — of minor importance when one is struggling with the inner workings of the cosmos — then only someone who is a complete captive of the modern cult of productive mediocrity … could fault him for it. Productive mediocrity requires discipline of an ordinary kind. It is safe and threatens no one. Nothing will be changed by mediocrity… But genius is uncontrolled and uncontrollable.” (p.96, quoting William Pannapacker)
[Note ‘captive’, ‘cult’ and especially ‘mediocrity’. Ugch! How very rightfully pejorative!]

”… I cannot refrain from expressing my regret and astonishment that you … should have taken such leave of good sense as to be traveling companions and associate lecturers with that crack-brained harlequin and semi-lunatic, … You will only subject yourselves to merited ridicule and condemnation … He may be of use in drawing an audience, but so would a kangaroo, a gorilla or a hippopotamus.” (p.126f, quoting William Lloyd Garrison)
[Oh how far-fetched the comparison with just yesterday’s important-election circus, where one party attached itself to such a three-in-one combined wildlife figure, only to see him take over the reins.]


What happened when the undermining colleague was also supportive at times? Things didn’t get better [than in the undermining-only scenario; ed.]; they got worse. … But when you’re dealing with an ambivalent relationship, you’re constantly on guard, grappling with questions about when that person can actually be trusted. … psychologist Uchino found that ambivalent relationships are literally unhealthier than negative relationships.” (pp.130-131)
[There’s your ‘leader’ that pushes for ever more commitment, and then not follow his (sic) own rules while punishing actual performance improvement commitment and tolerating coasting and apathy.]

Our instinct is to sever our bad relationships and salvage the ambivalent ones. But the evidence suggests we ought to do the opposite: cut our frenemies and attempt to convert our enemies. (p.131)
[Just the question of how, then.]

… an important distinction between ordinary nemeses — adversaries who might become allies — and archenemies. ”You kind of like your nemesis, despite the fact that you despise him. If your nemesis invited you out for cocktails, you would accept the offer … But you would never have drinks with your archenemy, unless you were attempting to spike his gin with hemlock.” (p.132)
[The distinction may be important, but still: how to tell them apart — better be safe than sorry and spike all their drinks. And assure yourself that hemlock leaves no trace or their last act might be to rat you out; they’ll double cross you when they can even after death…]

First, we need to think differently about values. Instead of assuming that others share our principles, or trying to convince them to adopt ours, we ought to present our values as a means of pursuing theirs. It’s hard to change other people’s ideals. It’s much easier to link our agendas to familiar values that people already hold.
Second, … transparency isn’t always the best policy. As much as they want to be straightforward with potential partners, originals occasionally need to reframe their ideas to appeal to their audiences.
(pp.140-141)
[But thirdly, break your own rules every now and then — note the isn’t always … The co-opt thing however is Valuable …!]

If it’s not original enough, it’s boring or trite. If it’s too original, it may be hard for the audience to understand. The goal is to push the envelope, not tear the envelope. (p.141, quoting Rob Minkoff)
[Indeed, but can you expect nothing of your audience ..!?]

To build coalitions across conflict lines, Kelman finds that it’s rarely effective to send hawks to negotiate. You need the doves in each group to sit down, listen to each other’s perspectives, identify their common goals and methods, and engage in joint problem solving. (p.143)
[Check, again. The hawks have no interest in progress as that impinges on their power position with the affable zealots.]

Dissenting opinions are useful even when they’re wrong. (p.185)
[Wow, this may be one of the core take-aways of this book …]

Although the company manages money, the principles don’t contain a word about investing. (p.188)
[Oh did I learn of and from these principles, here in downloadable format, too!]

”Dissenting for the sake of dissenting is not useful. It is also not useful if it is ‘pretend dissent’— for example, if role-played,” Nemeth explains. “It is not useful if motivated by considerations other than searching for the truth or the best solutions. But when it is authentic, it stimulates thought; it clarifies and it emboldens.”
The secret to success is sincerity, the old saying goes: Once you can fake that, you’ve got it made. In fact, it’s not easy to fake sincerity. For devil’s advocates to be maximally effective, they need to really believe in the position they’re representing — and the group needs to believe that they believe it, too.
(p.193)
[True and true. A reason to hire me, par excellence.]

Hofman found that a culture that focuses too heavily on solutions becomes a culture of advocacy, dampening inquiry. If you’re always expected to have an answer ready, you’ll arrive at meetings with your diagnosis complete, missing out on the chance to learn from a broad range of perspectives. (p.197)
[Indeed don’t bring me problems, bring me solutions overturned very rightfully.]

”Democratic decision making — one person, one vote — is dumb,” Dalio explains, “because not everybody has the same believability.” (p.199)
[Which links to this, and is true also because ‘believability’ has a strong component of ‘ability’, which is spread out so thin as to make only a handful capable to handle such issues — and those few are seldomly in the ‘elite’ however identified, self- or other.]

We have lots of categories to describe people’s personalities, but few frameworks for describing the personalities of situations. (p.206)
[Another important take-away: How’zat for your employee staff colleague hiring process ..?]

”Shapers” are independent thinkers: curious, non-conforming, and rebellious. They practice nonhierarchical honesty. And they act in the face of risk, because their fear of not succeeding exceeds their fear of failing. (pp.208-209)
[Hey that describes me perfectly, though the former part I can be verrry diplomatic with — you’ll hardly if at all notice that I’m at it ;-] — and the latter, I still take as the core job of any true (IS) auditor…]

Psychologist Julie Norem studies two different strategies for handling these challenges: Strategic optimism and defensive pessimism. Strategic optimists anticipate the best, staying calm and setting high expectations. Defensive pessimists expect the worst, feeling anxious and imagining all the things that can go wrong. … Most people assume it’s better to be a strategic optimist than a defensive pessimist. Yet Norem finds that although defensive pessimists are more anxious and less confident in analytical, verbal, and creative tasks, they perform just as well as strategic optimists. “At first, I asked how these people were able to do so well despite their pessimism,” Norem writes. “Before long, I began to realize that they were doing so well because of their pessimism.” … When self-doubts creep in, defensive pessimists don’t allow themselves to be crippled by fear. They deliberately imagine a disaster scenario to intensify their anxiety and convert it into motivation. [etc.; ed.] (pp.212-213)
[Which is the precautionary principle of True Auditors, and a good plan in life. I’ve already read somewhere else that bracing yourself for ‘the worst’ is good risk management, or is it risk management outright to shave off the roughest edges while not chaining motivated staff to do their best within the boundaries set very, very broadly ..?]

As you’ll see, defensive pessimism is a valuable resource when commitment to the task is steadfast. But when commitment flutters, anxiety and doubt can backfire. (p.214)
[Ah, the counter-point. Indeed. So notice that in your business, you have demotivated staff to the extent that they’ll be committed only to their next pay check; leaving you with the detriment of performance…!]

Neuroscience research suggests that when we’re anxious, the unknown is more terrifying than the negative. … once people have imagined the worst, they feel more in control, in some sense, they’ve peaked in anxiety before their actual performance. By the time they get to the event itself they’ve taken care of almost everything. (p.217)
[Yes the Boy Scout motto: Be Prepared. When prepared for the worst, reality is just a sunny day. And the first line of this… So well-known throughout organisationland …! The ‘suggests’ instead of ‘proves’ aside, we all know why it’s so utterly impossible to get ‘people’ (underlings) to change; fear of Tomorrow, the great Unknown that can’t possibly be even the slightest better than today — the very best the world might turn out to be, is Pareto-optimally the same as today so bugger off with your bright pictures of a profitable organisation once lay-offs have squashed motivation and driven out the last with any potential who still could leave on their own.]

… that the most inspiring way to convey a vision is to outsource it to the people who are actually affected by it. (p.221)
[Yes, let the lay-offs be done by the managers that are, this round, allowed to stay on despite their utter lack of any management competence (they’ll be thrown under the bus the next time ‘round) — see how they relish in that task… (Hm, there might be many more sides to this motivation… ‘jew catchers and hunters’ among them) But what about using this in positive ways…]

The easiest way to encourage non-conformity is to introduce a single dissenter. … “The first follower is what transforms a lone nut into a leader.” (p.225)
[The first sentence is an off-putter; a single person won’t achieve anything]
… Merely knowing that you’re not the only resister makes it substantially easier to reject the crowd. (p.225)
[That, as a sort-of corollary to the previous; note the subtle differences]

Effective displays of humor are what Popovic calls dilemma actions: choices that put oppressors in a lose-lose situation. (p.228)
[But to which I’ve heard an oppressor neutralise-answering “Every answer is wrong, here” — effective]

… when teams are on the defense, they tend to play it safe, attempting to protect against all competitive threats. They search for a lot of information, but an end up overwhelmed, with confidence waning. When teams are on offense, they consider many creative possibilities, but then drill down into one or two plans of attack. (p.234f)
[Yes, asymmetrical warfare it is, certainly in the ‘cyber’ domain (#ditchcyber!). So, you’ll have to stop all the gaps, starting with the easiest gaping-hole fills… This is why social engineering is so much simpler than hypercomplex APT attacks]

… when we’re experiencing doubts on the way toward achieving a goal, whether we ought to look backward or forward depends on our commitment. When our commitment is wavering, the best way to stay on track is to consider the progress we’ve already made. As we recognise what we’ve invested and attained, it seems like a waste to give up, and our confidence and commitment surge. … Once commitment is fortified, instead of glancing in the rearview mirror, it’s best to look forward by highlighting the work left to be done. When we’re determined to reach an objective, it’s the gap between where we are and where we aspire to be that lights a fire under us. (pp.235-236)
[Motivational, isn’t it? Think of ‘town hall meetings’ and how they go wrong on this point, per information difference between leader-quod-non and underlings-to-be-fired-at-random]

the key is to be “simultaneously hot- and cool-headed. The heat fuels action and change; the coolness shapes the action and change into legitimate and viable forms.” (p.237)
[The page goes on about surface acting (keeping your cool (face) and don’t show emotions, possibly de-escalating the situation but not your retaliatory anger) and deep acting (method acting) in which you gauge and take over the opponents’ emotions to give them a positive third-way twist. Helpful, but difficult and a job on its own]
Deep acting turns out to be a more sustainable strategy for managing emotions than surface acting. Research shows that surface acting burns out: Faking emotions that we don’t really feel is both stressful and exhausting. (p.238)
[Yes, but again; we’re not all all-life-trained method actors, blowing up is allowed if rare]

Venting doesn’t extinguish the flame of anger; it feeds it. … Hitting the punching bag without thinking of the target, though, keeps the go system on but enables us to consider alternative ways of responding. Sitting quietly begins to activate the stop system. In other studies, Bushman has demonstrated that venting doesn’t work even if you think it does — and even if it makes you feel good. The better you feel after venting, the more aggressive you get: not only toward your critic, but also toward innocent bystanders. (p.240)
[With the lesson to be careful when angry… Revenge is a dish best served cold]

… when we’re angry at others, we aim for retaliation or revenge. But when we’re angry for others, we seek out justice and a better system. We don’t just want to punish; we want to help. (p.242)
[That second line is necessary to understand the first, but diminishes its direct(ness) value, don’t you think? But besides, it’s true. And recall above one can better onboard adversaries through apparent alignment with their objectives..?]

Individual actions:

  1. Generating and recognising Original ideas
    1. Question the default
    2. Triple the number of ideas you generate
    3. Immerse yourself in a new domain
    4. Procrastinate strategically [Once you’ve got this one down, there’s no limit to what you can(‘t) achieve — I know; I tried and succeeded!]
    5. Seek more feedback from peers [be it you have to pick out the right ones…]
  2. Voicing and championing Original ideas
    1. Balance your risk portfolio
    2. Highlight the reasons not to support your idea [Danger! (not this kind) Reread the related chapter; one could err big time, here…]
    3. Make your ideas more familiar
    4. Speak to a different audience
    5. Be a tempered radical [Hey that’s my success formula straight away …]
  3. Managing emotions
    1. Motivate yourself differently when you’re committed
    2. Don’t try to calm down
    3. Focus on the victim, not the perpetrator
    4. Realize you’re not alone
    5. Remember that if you don’t take initiative, the status quo will persist

Leader actions:

  1. Sparking Original Ideas:
    1. Run an innovation tournament
    2. Picture yourself as the enemy
    3. Invite employees from different functions and levels to pitch ideas
    4. Hold an opposite day [Not quite like Carnival (Dutch style/roots..!) but still]
    5. Ban the words like, love and hate
  2. Building cultures of originality:
    1. Hire not on cultural fit, but on cultural contribution
    2. Shift from exit interviews to entry interviews [Oh my …! How often have I tried to convince HR people (?) of this! How moronically blank was their reaction; NIH and so utterly mistaken superiority were the only responses I’ve got…]
    3. Ask for problems, not solutions [Same]
    4. Stop assigning devil’s advocates and start unearthing them [Indeed, I’ve been around often, whereas the task wasn’t assigned to me but to some sycophant simpleton with compliance blinkers on]
    5. Welcome criticism [Huh, haven’t met the Dutch (typical manager) then, to expect them to even know in which universe this would apply]

Parent and teacher actions [Hm, relevant only for those, though a close read might reveal your boss treats you as if he understood this part even the slightest and now applies it to you as if you’re a toddler — of course demonstrating that the game-theory transaction is the very opposite…]

And now, since you’ve made it to the End:
[See things brighter now? Herenstraat Voorburg]

More of less

Digital cameras: The more pixels and quality-enhancing features (filters, autocorrect et al), the bigger the mass of lousy to so-so-at-best pictures taken. Selfies as case in point. The less, percentage-wise, the real art photography — squared with more picture exposure leads to more seeking out the ultimate quality / qualities by the discerning few.

The same, with management. The more of it we had, since WWII (sic), the more awful to mediocre-at-best management we had. Micro-management as case in point; intellectually at the same depth (‘level’ wouldn’t suggest the lowness of it) as selfies.
And, the less actual Leaders we see, perceive, acknowledge and laude. Unicorns notwithstanding — they may be the very build-up of a bubble that will in the end demonstrate the principle outlined here.

On this cheerful note:
[Now there’s quality; near Racine, WI]

Tragic users

Isn’t it a tragedy that those that would most need full but fully inconspicuous, unnoticeable security on socmed et al., are the ones that care the least?

This, both in careful scouring of legalese and practical settings, tools, and what have we, and qua effort to keep messaging (Email dies out hard, doesn’t it ..? Or doesn’t it due to very valid reasons..?) secure and data private ..?
On the other hand / end, not all ‘professionals’ practice what they preach to the hilt… And may do too little.
Flip side of “There exists no 100% security”: If you do only a little less, the huge costs aren’t worth it whereas if you do quite a bit less, you’re much more efficient. Hence, even reasoning from the other side, maximum security will leave gaping holes you (sic) will get caught in.

So, all are in an inverse Catch-22 of sorts… [there should be a name for that; suggestions?]

And:
[The one that checked water temp, wasn’t the one to go swimming…; Cyprus]

Plusquote: Happening

“For a moment, nothing happened. Then, after a second or so, nothing continued to happen”.
Douglas Adams, The Hitchhiker’s Guide to the Galaxy

When scientists of the most esoteric kind finally come to wrap their heads around Einstein’s “Time is that not everything happens at once” in a provable way (errm, would like to have it in a falsifiable way but how would that happen? [no pun intended when typing but now it’s there…]), i.e., to the insight that the most fundamental something that happens in the universe, underpinning and giving rise to space, time, and matter [overOxfordian?], is Information,
this Information thing may wrap up the second quote, and the official quote of the day may be what was before Information — apologies that there is no clue in there how nothing happening suddenly gave rise to Information of why it wanted to / had to do so.
Both of the latter cases to be reflected on Sloterdijk’s understanding of the Ultimate Insurance Provider sphere-wrapping The Universe And Everything.

Plus:
[This guy understood; London]

From bike design to security design

You recall my posts from a couple of days ago (various), and here, and have studied the underlying Dutch Granny Bike Theory (as here), while not being put off by the lack (?) of design when taking a concrete view here.
You may also recall discussions, forever returning as long as security (control) design existed even when not (yet) as a separate subject, that users’ Desire Paths (exepelainifyed here) would inevitably be catered for or one would find continual resistance until failure — with opposition from the Yes But Users Should Be Made Aware Of Sensitivity Of Their Dealing With Commensurate (Linearly Appropriate) Security Hindrance side; things are hard for a reason and one should make things as simple as possible but not simpler. [Yeah, I know that’s a reformulation of Ockham’s Razor for simpletons outside of science and having dropped the scientific precision of O and of application to science where it’s valid and the second part is often lost by and on the most simpletons of all short of politicians which are in a league of their own.]

I feel there may be a world a.k.a. whole field of science, to be developed (sic) regarding this. Or at least, let’s drop the pretension of simpleness of cost/benefit calculations that are a long way on the very, very wrong side of but not simpler.
Anyone have pointers to some applicable science in this field?

Oh, and:
[Applicable to security design: “You understand it when you get it” © Johan Cruyff; Toronto]

The 46th

When Ford can launch the 2018 model of the Mustang already in January 2017, wouldn’t the People of the US be able to already launch the improved-at-about-all-points 46th president, please ..!?
Similarly, I’d be happy already when someone(s) could have their infosec product / methodologies for 2018 out indeed per Jan ’17, so one’s protected against current threats rather than have to wait till next year before being able to be protected against the threats of today; always lagging.

Similarly, this:
[Gloomy and unprotected, ravaged, by not having the 46th yet; NY]

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.
Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighing the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out or more rarely whether the control is found in place when the auditor comes ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated to the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when things go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
[An optimal mix of complexity with clarity; Valencia]

One extra for Two AI tipping point(er)s

To add, to the post below of a month ago.
This here piece, on how AI software is now writing (better) AI software. Still in its infancy, but if you recall the Singularity praise (terroristic future), you see how fast this can get out of hand. Do you?

The old bits:

You may have misread that title.

It’s about tips, being pointers, two to papers that give such a nice overview of the year ahead in AI-and-ethics (mostly) research. Like, this and this. With, of course, subsequent linkage to many other useful stuff that you’d almost miss even if you’d pay attention.

Beware of quite a number of follow-up posts, that will delve into all sorts of issues listed in the papers, and will quiz or puzzle you depending on whether you did pay attention or not. OK, you’ll be puzzled, right?

And:
[Self-learned AI question could be: “Why?” but to be honest and demonstrating some issues, that’s completely besides the point; Toronto]

You Don’t Call The Shots

I.E., You Are Not In Control !

This, as a consequence of the ‘In Control’ definition. Where the controlling and ‘steering’ (what Steering Committees are about, if properly functioning … ) are the same.
But as explained previously, such steering doesn’t happen (is impossible) already in a Mediocristan world with its complexity, let alone the mix-in (to say the least) with Extremistan that you’ll find everywhere and certainly in your business.

NO you can risk-manage your business to the hilt, or even make it extremely brittle, antiresilient by totalitarian bureaucracy that leaves no human breathing space but switches to full 100% bot-run enterprise, DAO-style ops (hence will fail with complete certainty when interacting with humans like, e.g., your clients),
because complete risk-managed stuff still weighs costs so is imperfect or isn’t…
And of the imperfection of fully-reactive quod non-‘security’, see the above and many of my previous posts…

So either way, things will happen that you didn’t order. Estimates run from 50-50 (where you have zero clue about which 50 you do control) to 90%, 95%, 99% not-your-call shots. The latter category since your brain is not wired [link: huh] to deal with more than 10% ‘free will’ and the rest is, as scientifically determined, reactive to the environment however clever and deep-minded you think yourself to be (the more the latter, the less you are … If you have to say you are wise, you aren’t). Which makes the majority of what happens to you and your organisation, accidental and from the outside. Which is by the very definition not you being ‘in control’.

Despite all the ‘GRC’ liars that should be called out for that quality.

[Edited after scheduling, to add: In this here piece, there are very, very useful pointers to break away from the dismal Type I and II In Control (quod non) Statements of all shades. Should be studied, and seen to refer back to the foundations of auditing ..!]

Oh, and:
[Designed to belittle humans — failing since they’re still there…; DC]

Maverisk / Étoiles du Nord