Rebooting the CIA


[Nope]

The CIA of information security doesn’t cut it anymore. We have relied on Confidentiality-Integrity-Availability for so long, that even ‘managers’ in the most stale of government departments now by and large know of the concepts. Which may tell you that very probably already by that fact, the system of thought has been calcified into ineffectiveness.
At least we should reconsider where we are, and where we’d want to go.

Let’s tackle Confidentiality first. And maybe foremost. Because it’s here that we see the most clear reflection of our deepened understanding of the value merits of information not being in line with the treatment(s) that the information (data!) gets. Which is a cumbersome way to formulate that the value estimation on data, and the control over that data, is a mess.
Add in the lack of suitable (!) tools. User/Group/World, for the few among you who would still know what that was about, is clearly too simple (already by being too one-dimensional), but any mesh of access as can (sic) be implemented today, makes a mess of access rights. Access blocks? Access based on (legitimate, how to verify) value (s), points in time, intended and actually enabled use, non-loss copyability, etc.?
But what is the solution ..?

Data doesn’t Know


[Unseen Rotjeknor]

In the stories on Big Data et al. (predictive analysis, … , you name it), I often see a big confusion about terms. Some even mix up data and information, or only pay lip service to the fundamental difference..!

Oh yes, many come up with the Information Pyramid; in a most basic picture I took from wipo.int:

* sometimes, Knowledge is bracketed between Data and Information; more on that below.

But there’s something fishy with the way the picture is being used, commonly.
For one thing, any action that produces meta data (i.e., just plain flat derivative data !!) is considered to be ‘enrichment’ onto Information. But that’s wrong! All the aggregation, the averaging, the abstraction that you do, only delivers other data, with the (near-mathematical) translation functions still intact – although also, information gets lost..! Yes, the details count, and have their own ‘information’; a full description of all data points in a set would require at least all the data points themselves, or miss something when they’re described, circumscribed otherwise.
The problem is; no-one really knows how to get from Data to Information as we intuitively (heh) understand it. Information seems to be detached, or separated from Data by a chasm that we do not know how to cross, probably because our understanding of what Information is, and our definitions, are so weak.
Oh, and putting a layer of Knowledge in between Data and Information, doesn’t help anything, either. Even worsens the problem. As it is above, it doesn’t say much either. And instead of Knowledge, above one could also fill in Understanding, or Insight (which would come closer to but remain separated from Wisdom). And above the peak, is there Nirvana? Smells like blog spirit.

So, all the efforts of NLIQ and MITIQ may be fine, as for data analysis to try to achieve predictive analysis (nice pun, the contradictio in those terms!), but as long as Data and Information are used arbitrarily (see the list of publications and the actual articles contents …), one will remain stuck in data analysis and not reach the next level of Information. Or Knowledge, let alone Understanding, Insight or even Wisdom.

But I keep running in circles. Yes, I know, and I also know that in order to advance, we’ll need to get a grip on two things:
1. Definitions, in the traditional sense or by way of aspect/category/label/hermeneutic quality descriptions, of all the levels we may distinguish;
2. Definitions, in both ways, too, of the transitions and transition methods, tools, etc., we may construct theoretically and practically.

I’ll do some work on this, but your help is appreciated..!

Fuzzy risk language


[Antwerp. Seriously.]

In some previous post, I posited that we should move from quantitative (quod non) to qualitative or even intuitive risk management.
And how that may be difficult. ‘cause it is.
As an intermediary step, I propose to build a better language with which to communicate, discuss and calculate (sic) with qualitative risk management.

Because I see a place for a combination of fuzzy logic and wavelet theory, including neural network signal combination functions.
As my time is limited, this time of year, would anyone have pointers to what’s already out there in papers, practical applications, etc..? That could kickstart the discussion. And I’ll return with more, better, more extensive, more thought out stuff on the subject later.

Bit coin: Money bytes sovereignty


[Berlin again, tucked away, much underrated]

Bitcoin’s hopping up and down in ‘real’ currency terms and everyone is happy to declare it all a pyramid game.
It is, but so is any other currency issued on the promise of maybe some future repayment in … the same or another currency. The underlying value of any currency depends on the future income stream of the issuing entity, or intermediate trade for … other currencies, services, or goods. Exactly like Bitcoin.

Except, of course, that ‘normal’ currencies are issued by governments, geography-based entities from the past when geography mattered.
But does it, still, today, much ..? And will it in the near future? Aren’t we already in a blended world, a blended society, where for the lower layers of Maslow’s pyramid we’re still physical entities and hence geography-dependent (safety, water, food, shelter, etc.) but for the higher layers (group belonging, recognition, self-actualisation) we don’t care from where it comes ..? Once our (developed) world develops further, with so much more automated, silicon- rather than carbon-based, intelligence and sentience becoming available, will the importance of the lower layers not diminish ..?
Up to a point, I know, we can’t ‘shed’ the lower layers. Though the Singularity could, almost, and could at least do without us…

But that’s not the point. the point is that if the sovereignty of nations, understood here in the narrow sense to regard the right and possibility to create and issue money at will, backed by a grossly overestimated guarantee (would you dare to guess how often governments have declared insolvent, in the past few centuries alone ..? On the principle, they all were and are equals…), is lost because others can have the same sovereignty and other sovereignties previously reserved for nation-states, why would we still regard nation-states as the highest entities ..?
[You will now point out that some nations of nation/states spring up, e.g., USofA (sic), EU, UN; right, but their structure is just an amalgamated mesh of more of the same]

And, why would we regard what we previously had, as currency, while not understanding Bitcoin and the many others around (see this and that, possibly incomplete), as such, too ..? Or would we need a ‘real’ economy to underpin a currency; where would you draw the line, then..? What would be the link between a currency and its ‘underlying’ economy, what would be the boundaries of the economy, what definition of sovereign debt would we include or not (there’s many definitions; e.g., would we include guarantees?), how would we establish a ‘value’ in what other ‘currency’..? Gold has been dethroned, remember?

So, we need to study harder, and all of us need to understand more, about the nature of money altogether and only then take a look at digital currencies and their merits (or non-). Would anyone have pointers to good in-depth on-line courses or so ..?

The Compliabullies


[Berlin at dusk]

Just a thought: Would investigation and analysis show that the kids that were bullied in prep school and / or (separate hypotheses…) high school, in later life be the ones that end up in Compliance and Risk Management (not being management of risks…!) departments, to take eternal revenge on those that bullied them..?
Because the latter will not have noticed too much the damage they did (they were kids back then) and have merrily gone their own way as they were allowed to be prepped to do. Now, they find themselves being caught in a web by the ones that have frustration embedded deep in their brains at the lower levels that (truly) developed early on, the ones that want to get even by tossing around and beating the innocent puppets into ill-understood compliance with stupid rules.
The bullying instigators, of course, the ones that were behind the scenes, are the big stingers that happily fly straight through the web that catches only the little bugs.

If so, will there be a fix, so much needed, to the totalitarian bureaucracy explosion of the last decade or will the ossification have to go even further before the current economic structures collapse under the weight of their overhead and unproductivity ..?
Sometimes I’m optimistic that the cycle has already reached its peak (see some earlier posts). Sometimes I’m not, and would appreciate your ideas…

Slight update: From Qual to Intu

A slight update to the previous post: What I propose in the end isn’t as much a shift to qualitative risk management as such, but an even further step to intuitive risk management. Yeah, that’s fuzzy. But doable. And will boil down to the sort of ‘real’, normal management that leaders-managers have already practiced throughout the centuries (and certainly in the better parts of the 20th century).
So no worries, the future isn’t all certain but that makes it fun, right ..?

The 15.5 risk

Your 15.5 risk is of no interest at all! I have a 15.6 risk! Hm, I only have a 13.1
Seriously.
You know you’re doing that. But will you admit it, and learn, and move to something better ..?


[Hi, DC!]

There’s a lot wrong in risk management today. I mean, not only can one still rant about the ‘three lines of defense’ (quod non) as I do regularly on this blog, but one can also dive into the details of how risks are managed, if not when, and find a lot of systemic error and particularly, non-thinking all around.

Let’s start with one core element: weigh(t)ing and comparison of risks. With my guesses, based on decades of experience and science/literature:
Do you include all risks, or just the tiny fraction that your mind can get a hold of? My guess is: The latter. So you miss the vast majority of the risk universe and will be grossly incomplete.
Do you include upside potentials (actions unthought of, and uncontrolled/unsmashed by measures) too? My guess is: No, again you’re incomplete, but also you’re so biased I can’t trust you anymore.
Do you use High-Medium-Low for impacts? My guess is: Yes. Or you use 1-5 scales or so, maybe (sic) even with sort-of indicator thresholds or brackets to determine what goes where. But you don’t realise that impacts can vary, very much so and in time, too. Averages will not do in subsequent calculations or other analysis! You must have (continuous!) impact functions of time and chance. If they’re hard to establish (I’d say: Impossible, given the scarcity of data!), that’s your bad.
Do you use High-Medium-Low for probability (frequency expectations)? My guess is: Yes. Or you use 1-5 scales or so, maybe (sic) even with sort-of indicator thresholds or brackets to determine what goes where. But you don’t realise that probabilities can vary, very much so and in time, too. Averages will not do in subsequent calculations or other analysis! You must have (continuous!) probability functions of time and impact. If they’re hard to establish (I’d say: Impossible, given the scarcity of data!), that’s your bad.
Do you know the difference between statistics and chance calculus? I guess not. Hah, and then you still abuse both ..? Do you know the difference between discrete and continuous mathematics (functions)? If not, you’ll make errors all around. How would you arrive at a 15.5 score when all choices are discrete 1-5 …?
And if you noticed the duality of impact functions of probability, and probability functions of impacts; you’re welcome. And if you noticed that on top of this all, you should also calculate (sic) for the cost (impact) of pre-emptive, detective, corrective etc. measures, and the chances of their partial or full (in)effectiveness, in a mesh of cause and effect.
Do you use Impact X Chance to establish severity of risks? Guessed so. But unless you take the whole continuous (!) two-dimensional landscape of every risk into account, you’re gonna fail with certainty.
Do you compare relative risks by their combined scores? Yeah, that indeed was the whole purpose of your exercise. But you failed already on so many points, the results are both literally and figuratively ridiculous.
And you continue by considering a ‘15.5’ risk to be worse or higher than some ‘15.4’ risk….
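To make the arithmetic behind this concrete, here is an added example of my own (a constructed illustration, not code from the post): it lists every severity a discrete 1-5 Impact x Chance matrix can actually produce, and compares matrix scores with the expected loss and tail probability of three made-up risks. The bucket limits, probabilities and loss amounts are all assumptions chosen for the illustration.

```python
"""Constructed illustration of the matrix-scoring problem described above.
Not code from the blog; all risks, thresholds and amounts are made up."""
from itertools import product
from statistics import mean

SCALE = (1, 2, 3, 4, 5)

# Constructed bucket limits: a value below the n-th limit lands in bucket n,
# anything at or above the last limit lands in bucket 5.
IMPACT_LIMITS = (10_000, 100_000, 1_000_000, 10_000_000)   # loss in EUR
CHANCE_LIMITS = (0.01, 0.10, 0.30, 0.50)                   # probability per year


def reachable_scores():
    """Every severity a 1-5 Impact x Chance matrix can produce."""
    return sorted({i * c for i, c in product(SCALE, SCALE)})


def is_matrix_score(score):
    """True only if 'score' can come out of the matrix without averaging or rounding."""
    return score in reachable_scores()


def _bucket(value, limits):
    for bucket, limit in enumerate(limits, start=1):
        if value < limit:
            return bucket
    return 5


def matrix_score(risk):
    """Classic scoring: one 'typical' impact bucket times one chance bucket.

    A risk is a list of (probability, loss) outcomes, i.e. a discrete
    approximation of the impact function of chance the post asks for.
    The matrix user collapses it to the single most likely outcome."""
    total_p = sum(p for p, _ in risk)
    typical_loss = max(risk, key=lambda outcome: outcome[0])[1]
    return _bucket(typical_loss, IMPACT_LIMITS) * _bucket(total_p, CHANCE_LIMITS)


def expected_loss(risk):
    """Expected annual loss over the whole outcome set, no bucketing."""
    return sum(p * loss for p, loss in risk)


def prob_loss_at_least(risk, threshold):
    """Probability of a loss of at least 'threshold': the tail a bucket hides."""
    return sum(p for p, loss in risk if loss >= threshold)


def rank(risks, metric):
    """Risk names ordered from most to least severe under the given metric."""
    ordered = sorted(risks.items(), key=lambda kv: metric(kv[1]), reverse=True)
    return [name for name, _ in ordered]


# Three constructed risks: lists of (probability per year, loss in EUR).
RISKS = {
    "A: frequent, bounded":  [(0.50, 300_000)],
    "B: frequent, fat tail": [(0.45, 300_000), (0.05, 20_000_000)],
    "C: rare, large":        [(0.08, 5_000_000)],
}

if __name__ == "__main__":
    print("reachable matrix scores:", reachable_scores())
    print("15.5 reachable?", is_matrix_score(15.5),
          "| mean of two assessors' 15 and 16 =", mean([15, 16]))
    for name, risk in RISKS.items():
        print(f"{name:23s} matrix={matrix_score(risk):2d} "
              f"E[loss]={expected_loss(risk):>12,.0f} "
              f"P(loss>=1M)={prob_loss_at_least(risk, 1_000_000):.2f}")
    print("ranked by matrix score :", rank(RISKS, matrix_score))
    print("ranked by expected loss:", rank(RISKS, expected_loss))
```

Running it shows that 15.5 never appears in the matrix (only 14 distinct products exist; a 15.5 can only arise by averaging or rounding, here two assessors' 15 and 16), that risks A and B share the cell 15 although B carries a one-in-twenty chance of a 20 million loss that A does not have, and that the expected-loss ranking puts C above A while the matrix says the reverse.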

And you don’t consider the enormous mesh of causes and effects (just one by one, or per single event only) with all sorts of feedback and feedforward loops, and the mesh of ‘preventative’, detective and corrective mitigating measures in between, all with their distinct cost(impact!)s, mutual reliance, reinforcements and other influences, all with their inefficiencies and ineffectiveness (sic) levels – in percentages? In number of incident elements caught and missed?

We may continue. But it’ll lead to more of the same; you’re fooling yourself, and fooling decision makers. Didn’t know that that was in your job description. What would you think would happen if the decision makers would find out?
And oh yes they will! You lead them astray so much, that they will find (you) out about plain wrong negative impact times frequency totals in Write-Offs, and when (not if) they’ll dig deeper, find quite a lot of unnecessary, inefficient and ineffective Risk Mitigation Measures Overhead Cost.

Is there another way? Yes of course.
But it’s not easy. It takes the European (vis-à-vis the wrongly dubbed Anglo-Saxon) approach where the focus is not on data but on qualitative scenarios. As with data, these can be had externally, or internally from experience and insight. As with data, external inputs can be of doubtful relevance and fit. As with data, internal input may (in case of data: will!) be (much) too limited to work with. And yes, going through the motions to determine some risk on all four areas (external vs. internal, data vs. scenario) and finding some gross common denominator, one can get a balanced view on things. But it’ll be balanced over four erroneous outcomes; way to go!
If the outcomes will be understood at all. Value At Risk being the case in point, that would better be called Amount of Company Value Not Being Lost At Some Random Probability. Or so, depending on your working definition and working understanding of VaR…

The only solution seems to be to stop using a quantitative approach and switch to a radical qualitative approach. This may be awkward, but quantities are just so much too weak to describe reality that they are a fly in the face fraud.
And indeed, we don’t know how to do organisation-wide qualitative risk analysis and management, let alone how to do it for meso- and macro-levels, let alone how to communicate, understand and argue about one risk to the next. But we have nothing else that can work; we must. And, it may fit better with the way humans, the human brains, work, with all their psychological ‘flaws’ (quod non!) in the management of risks. Kahneman, remember? Well, maybe aligning with what our brains have gotten used to handling over the aeons, from the savannah to our latter-day deserts of cubicle offices, may be the best way to go. And why not? Do you really want to argue that today’s offices differ from hunter-gatherer tribes battling the elements, predators and prey, and other tribes?

So, qualitative management of risk it is. Any takers?

Fraud, try angle it differently

The fraud triangle should be no more. For too long, the simpleton representation of fraud occurrence possibility has dumbed down the discussion about countermeasures too much, leading to an unwanted, unwarranted, inefficient and ineffective approach difference from various sides.

[For those who know where this is: This is unconnected to the story ;-]

Point being: The fraud triangle, being one where the three factors Motive (or Pressure), Rationalisation, and Opportunity are presented as if present at the same time, and banding together. Take one of the elements out of the equation and you’re good. But the three factors do not play out at the same time.

Rather, they play out consecutively, leading to a false sense of security when only one is addressed as even the wiki page on fraud deterrence suggests.
Wrongly! Because e.g., when Opportunity is taken away, as is most often the ‘easy’ solution in organisations, Motive and Rationalisation (the former starts it, the latter coaches it) will find another way, as the pressure of Motive will rise and rise until, somewhere other than the valve installed, some crack or so may burst, or the whole kettle may explode.

[Damn! Here, I had a perfect, really perfect two A4 pages full of text that disappeared in a glitch… The rest you see here, is just a bleak re-do missing the brilliance of the original… No, the re-write is not better than the original. Thanks, Tumblr! [Insert hard expletives here]]

As Motive is the thing that comes first, it should also be the first thing to address. It starts with not giving too much motive, which is the same as giving all your employees a reasonable compensation for their efforts that starts with the paycheck. In particular in hard economic times, some or many of your employees may heed more to their ethics (!) and provide for their family before sticking to stupid rules of some big anonymous organisation that doesn’t really know who they are and what their plight is. Ethics, yes, that thought discipline that is about having to decide between the conflicting rules of various groups that any human is part of. Family, friends, etc., and the organisation one might feel part of – or not, or not enough to let organisation group belonging outweigh family group belonging when it comes to a showdown, e.g., when they feel they don’t get their due but just the alms you so graciously hand them for your own grandeur only.
And if you’re visible to the public at large (and you will be, however you try to protect your image) as having so much more than your staff has, family etc. may start to actively pressure your employees to get up close to that level. You’re pushing them yourselves! Inequity forces (no, not less than forces) employees into a getting-even motivation..!
Both ‘hard’ and ‘soft’ pressures to get even, play out in the Motive element, but also in the Rationalisation element. Rationalisation is nothing else than the rationalisation of the ethical decision that your unconscious mind already made, for when your consciousness might turn up again later.
Let alone that it may not only be such ethics that force employees into less following the organisation’s stupid little rules. Think of what would happen if a family’s health or life is threatened by rogues; this happens all the time. But you can’t have all your employees and their families being secured all the time; they will leave you all, as no-one can live under such circumstances of total siege.

And you do need to care for all employees, as all have access to possibly Opportunity-instrumental information. Do not think that your org chart or top-down approach may work, at all. That would miss (literally) 99% of all the information flow that goes through your organisation, and 99% of the paths that the information takes. You think your ‘processes’ are your organisation? Think again, think the opposite!

Which ties in with the Opportunity part. The Opportunity may be everywhere, at all organisation levels, in all sorts of combinations of petty-little-rule breaking or ‘sticking to the little rules so you can break the big ones’. You simply cannot know all the ways and places, and times, that Opportunity for fraud may exist. If you think that simple things like encryption may help then yes, they may help, but so little, so very, very little. As if IT staff, and masses of others, would not know their way around it. And any dam creates its lake that will overflow and create much more damage; the pressure is not diminished by the dam!

So, you can’t do much about Motive, Rationalisation, or Opportunity. Not much, a little bit.
Which is where we may take a look outside of the totalitarian control bureaucracy world I led you into above, which is typically today thinly veiled under a ‘Risk Management’ layer (just this morning I saw an article discussing that we don’t need Risk Management, we need management of risk…!), or under the label ‘risk-driven information security’ etc. All wrong approaches, panicky seeking total control.

All we can do, then, is to sand off the rough edges. Which is what is done already, by (physical) Security as it has been done through the ages. Just take a look at a sample table:

It’s easy to see how this can be filled in to cover many more angles and available tools of information security, and can be expanded to cover much more of your organisation’s business. And it’s also easy to see that e.g., not all information security should be had only from IT measures, and not all process/procedural opportunity should be lessened by procedural refinement only. Cross-discipline measures could keep it all much lighter!

But just look at the last five column headers… Much better to approach fraud prevention through those than just sticking to Motive, Rationalisation, Opportunity, right? These ‘solutions’ may not prevent each and every fraud, but they keep things in check. If that’s the most you can get, then be happy with it!

More, maybe, later, on filling out the table in all sorts of situations.

Why not Necker ..?


[Surprise in the (business) heart of Paris La Défense]

With all the hype about BYOD and the New Way of Working, flexible work place etc. having died down almost to zero, why are we still in offices ..? Why aren’t we all (…?) more like @richardbranson also for our working lives?
We certainly had the time to build a suitable infrastructure where there was none, if only under the guise (as it often is) of helping development (to the ideal level of material-only development that we have ..!?). I mean, cheap or free fast WiFi on any and all tropical beaches. Then, we could all have moved there and live a re-engineered happy life.

Oh, and we would have had to change the way we organise, and manage and control, work. Just a detail. The question seems to be: Why haven’t we?

Probably because of massive societal (level) fear of the Unknown. No, not fear of losing control, that’s just part, and one side, of it. We fear the loss of our warm, established social environment more than the gains of a warm, physically beneficial environment. Even if the gains are larger than the losses (that may be partial or replaced, in this case), fear drives more than hope (risk aversity).

Which may be overcome by the individual, by the minority that does venture out of the cave (see some earlier blog entry). But there, one might fear being the single odd one out, losing before gains could be had. Hm.
Or we could consciously take it step by step, starting with actual telework, videoconferencing etc. not immediately on a massive scale, just one by one (huh) or in small organisational communities. We need more of these dust grains in a supercritical fluid!
And at the same time, organise work better, bottom-up, in a sea of temporary collections of independent professionals banding together for a common goal (and with respective gains distributions) and then dissolving once the job’s done (project over, even if the project lasts decades like even blue chips are on average gone in half a century), to new ventures elsewhere.

Will we return (?) to a world where work is no longer life’s almost-single purpose but is maybe something bothersome just to earn the money to buy breathing space all the way down and up Maslow’s pyramid, and is something that caters to the higher levels of that so that all talent is expressed and rewarded ..? Looks like a ‘first world problem’ — hence one that can be solved!

Maverisk / Étoiles du Nord