Your valued info at risk

Ah, just noted: a great many of you may have switched (or, c’mon, don’t be a laggard or too late: will soon switch) to self-assessments of risks, even down to the level of detail of data security (as part of information security, part of IRM, part of ORM, part of ERM, part of just-freakin’-perfectly-normal-or-are-you-kiddin’-me mundane, run-of-the-mill, average daily management, of which ‘governance’ is the most preposterous windbag label).
Which is all very well: determining, at shop-floor level (apparently the last hold-out of actual business knowledge beyond the mumbo-jumbo of meddle management; sour joke intended), what the risks are and, in particular, what the Value of the information (data…) processed might be.

But … you’d miss half or more of the picture, then. The value you attach to the info may very well be what you’d be prepared to fork out to protect it (balancing estimated frequencies of intermittent losses against the continuous costs flying out the window), but then you forget that the attacker isn’t after the value you attach; he’s after the value to the cracker, which may be completely different. Think, e.g., Sony (and the many others alike): comparatively, there was hardly a nickel of value, from the Sony perspective, in the ‘stolen’ (exfiltrated, or rather egressed, since it was lying around so obviously) data. But the value was enormous from the attacker perspective: whatever the innocuous data was, the mere exposure was of such import that APT’ing around was apparently worth it.

Now, how’zat (women have deliveries, men have Balls) for all the other info throughout your glocal enterprise/empire ..? Similar to same, I presume.
So, … what about the budgets to be made available to counter data theft/robbery/whatever physical-world expropriation analogy you’d like to use? While still not overshooting relative to the value you yourselves establish, for yourselves, by yourselves, or you’d run the risk (chance close to 1) of smothering any flexibility and usability under tons of ‘controls’ (quod non, BTW). But then, not protecting ‘regular’ data enough might expose it too easily, which might be rational but will cost you, e.g., through EU data protection fines … ;-|
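To make the two-sided valuation concrete, here is an added worked example (mine, not the post’s own material): a toy portfolio of three constructed data sets, ranked once by the classic owner-only expected loss (frequency times your own loss) and once by an extended loss that scales attacker interest by the value to the attacker and adds the regulatory fine. The scaling model, the reference value, the frequency cap and all figures are assumptions for illustration, not data from any real incident.

```python
"""Owner-side versus attacker-side valuation of data sets (added example).

All numbers are constructed for illustration; the scaling model below is an
assumption, not an industry formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str
    owner_value: float      # your loss if it leaks (EUR)
    attacker_value: float   # what exposure/resale is worth to the attacker (EUR)
    base_frequency: float   # compromises per year if nobody cared about it
    regulatory_fine: float  # expected fine if it leaks (EUR), e.g. EU data protection


REFERENCE_VALUE = 50_000.0  # assumed: attacker value at which their interest doubles
FREQUENCY_CAP = 4.0         # assumed: attempts per year saturate at this level


def attack_frequency(ds: DataSet) -> float:
    """Assumed model: the attacker's effort grows with *their* valuation, not yours."""
    return min(FREQUENCY_CAP, ds.base_frequency * (1.0 + ds.attacker_value / REFERENCE_VALUE))


def owner_only_ale(ds: DataSet) -> float:
    """Classic annualised loss: frequency x your own loss. Attacker motive and fines ignored."""
    return ds.base_frequency * ds.owner_value


def extended_ale(ds: DataSet) -> float:
    """Same multiplication, extended in two dimensions: attacker value and fines."""
    return attack_frequency(ds) * (ds.owner_value + ds.regulatory_fine)


def control_budget_ceiling(ds: DataSet) -> float:
    """Annual control spend above the loss it averts is overshoot; this is the cap."""
    return extended_ale(ds)


def rank(datasets, metric):
    """Names of the data sets, most exposed first, under the given metric."""
    return [ds.name for ds in sorted(datasets, key=metric, reverse=True)]


# Constructed portfolio: one set you value highly but attackers don't, one you
# barely value but attackers do (the Sony-type case), and filler.
PORTFOLIO = (
    DataSet("payroll_master", 400_000, 5_000, 0.05, 100_000),
    DataSet("internal_email_archive", 10_000, 250_000, 0.05, 200_000),
    DataSet("marketing_brochures", 2_000, 0, 0.05, 0),
)

if __name__ == "__main__":
    for ds in PORTFOLIO:
        print(f"{ds.name:24s} owner-only {owner_only_ale(ds):>9,.0f}  "
              f"extended {extended_ale(ds):>9,.0f}  budget cap {control_budget_ceiling(ds):>9,.0f}")
    print("owner-only ranking:", rank(PORTFOLIO, owner_only_ale))
    print("extended ranking:  ", rank(PORTFOLIO, extended_ale))
```

Under the owner-only metric the payroll set tops the list; under the extended metric the low-value email archive does, because the attacker’s interest and the fine, not your valuation, drive the expected loss. The budget cap is the same number read the other way round: spend up to the extended loss and no more, or you are the one doing the overshooting.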

So, you’ll not only have to do the usual multiplication (your estimated frequency times your estimated loss), but extend it in other dimensions as well: the attacker’s valuation, and the regulator’s…
Oh well, the world gets more complicated every day… and:
[Photo: Your data protection; Noto]

Information does(n’t) Matter

Another consequence of the analysis mentioned before, about answers flowing upward through infosystems and commands and inquiries/questions flowing down: when the latter are viewed as anti-data or even anti-information, we see Information Theory in action.

Where, without the potential (difference) created by an inquiry standing ready at, say, a sensor [abstracting for a tiny moment away from the complexity that could be in any sensor, assuming it to be a mathematical point] to capture some data it may produce, the potential may not pull away the data created by a Heisenbergian creation (-by-measurement ..!?) of the data/anti-data pair, leaving the anti-data, the uncertainty, behind. Is this the creation, the maintenance, or the destruction of a Schrödinger’s measurement ..?

More operationally: in what way does this interpretation induce metaphoric (?) insight into the connection between the physical world, ‘signals’ (as in Shannon and other Info Theory), and continuous (!?)/discretised sensor-data streams ..?
[For once skipping the bullying of those who don’t understand the fundamental nature of the continuous/(math-)discrete divide]

Well, there’s also this:
[Photo: The gift of far-sightedness. SE Sicily, you recognize of course]

A horse needn’t be a horse off course

Maybe @DARPA can elucidate … Why would anyone need four-legged soldier-helpers ..? First there was robodog, then LS3, which failed and so may end up in your next indeterminable-origin-meat burger. Next, maybe, a fully armoured full exoskeleton.
Which might, in the near future (after that), do away with the humanoid innards altogether, losing a great many pounds of ballast (similarly: are drone pilots as physically fit as the bunch out there in the air on their weapons platforms ..?) and also losing a great deal of the time- and otherwise (situational-closeness, hence -fine-granularity) challenged ethical perspective. I.e., no weak knees anymore; just shoot whatever moves.

But, back to the Helper idea: Why ..!? Why four legs, or even two ..? Instability assured… Nature has endowed animals with legs to get over tree trunks and boulders and the like, yes, but maybe only because natural evolution only ever proceeds from the happenstantial last known good configuration, not from the clean slate ‘we’ now have when designing <anything that may silently carry some possibly superhuman load over rough terrain>.
Which is to say: aren’t hugely more simple (contradictio semantics intended) machines possible with … even yesterday’s technology, that can do the same with no legs, or with completely different configurations of them? E.g., ‘spurious’ legs on the back so as to be able to roll over (on purpose!) and still walk on? Tracks ..? Number Five is Alive! Silent ops can be achieved easily; just ‘invite’ some Rolls-Royce experts…
One only needs to add a gun of whatever size, and some Autonomous in the ops, and hey presto! A possibly much-lighter-than-average soldier (stackable even more uncomfortably (possible?) in some freight plane for transport to the theatre), carrying possibly more, and a bigger gun apiece. No weak knees, or remotely operated: wouldn’t limited-autonomy ‘soldiers’ be steerable in platoons at a time from far away (and far away from anything officer-like, or mayhem may ensue [disclaimer: once briefly was one]), allowing the easy development of ‘grounded-drone’ armies?

After which, the Singularity takes over all of these. Or just a bunch of the most capable.
Or, nearer future, some party more than averagely removed from the artificial intelligence of the S, i.e., some rogue general. How to stop such a guy (F/M) ..?

OK, you know where to drop the Challenge prize money, thanks. … … Or the whole thing’s just a hoax to throw researchers of the too-democratic inclination off path, since research into the above is already progressing impressively… And:
[Photo: Hung from, not hung over, though that might (??) still apply to the operator; DC of course]

Report thyself, out of control

With all those seminars and courses on the Wet meldplicht datalekken (the Dutch data breach notification act), it seems as if ramming breach-notification procedures down everyone’s throat is THE solution to all your privacy problems.
Whereas, of course, it is nothing more than perfectly arranging the outward broadcasting of totally transparent guilt as soon as (not if) something goes wrong.

About prevention being better than cure (and implementing the notification procedures is still far from that), we hear a lot less. At most from those who get the short end of the stick both now and shortly: that everything has to change, whereas a. it is now often already quite well arranged, b. it will not be better shortly (a fact in advance), c. a and b hold within the frameworks of the organisational impediments of budget, time and will from above, as they apply now and then, to arrange things better.
It can also be done differently, differently: preventively. Read and see.

And also:
[Photo: Without privacy, a dull world …; Zuid-As, but that’s obvious]

Bow the Stork Tie

When analysing the Stork methodology for EU-wide federated eID and authentication methods and technology, again one stumbles (rather, ‘they’ do) over the bow tie of CIA, mostly C, controls. Too bad. Usually, ENISA(-involved) stuff is of Great quality. Now, quite a lot less so.
Which is too bad. To note, we already commented on the classical CIA rating (incl. the bow tie fallacy) before. Now, the CIA seems to have something to bring to bear on CIA as well. Better study hard …!

Oh well …:
[Photo: Weaving transparency and stability; Cala at Hoofddorp again]

RCSA is close to BAU

Close, as in no cigar yet (has the US ban on Cuban imports been lifted already?).
But definitely, Risk Control Self-Assessments would, if carried out properly, be that major part of management’s daily (sic) chores that wouldn’t need annual get-togethers coaxed by outsiders (sic) but would be Business As Usual in operational practice. Maybe needing some periodic (weekly? monthly? certainly more often than the current weakly annual) departmental review gathering, but not a stage show as if this were the holy grail of business information flow. After which the ‘second line’ (as the back, not even middle, office function) receives the (right) info, acknowledges that the ‘first’ line has so much better sensors since they’re the first line par excellence, integrates the info into the upward report flow, reverts to fine-tuning the tools it provides to first-liners, and furthermore does … nothing. Second line is helpers, not dictators-by-soft-smothering. When it turns out that all the high-quality, hence qualitative (the reverse for quantitative), risk pictures cannot easily be integrated into one picture, that’s too bad for the integrators but an appropriate (!) reflection of reality.

And if, on the other hand, first-liners need to be taken away from their actual productive work to sit through some song-and-dance by second-liners because it was so decreed at ‘governance’ levels (emperor’s clothes!), the very objectives will not be achieved. Since the ‘do something’ of deep-lying incompetence has led to the wrong turn into a blind alley, whereas the broad avenue (something like Yonge Street) between wilderness and high (?) culture was right there.

[I scheduled this post a couple of weeks ago for release in a couple of weeks, but new developments seem to speed things up. For my many posts against Form over Substance … just search this blog for ‘TLD’ or bureaucracy …]
Won’t rant (too much) on; keep it to RCSA = BAU + quite some ε still, and:
[Photo: Distorted? Only your picture is, here for a change, by standing too close; true reality is not at the Edinburgh Royal Mile!]

One IoTA FYI

To close off the year [almost, since @KPN frauds itself away from bankruptcy by a series of outright lies to customers, and tort] with a wild shot, ahead:
There is value in the information analysis of IoT, as described in Gelernter and many since, in terms of the two-way flow of information: one flow, going up, is information in the form of answers, as aggregations or pattern-matched tuples(ets); the other, going down, is both commands and inquiries/questions.

This fits the IoT world snugly, and should be taken into account when developing IoT Auditing frameworks:
What we’re after, of course, in all of auditing (and this we consider self-evident, or else go back to study auditing fundamentals, from agency theory!) is the controls that keep the quality of the back/forth, i.e. down/up, information flows within (client-!)required margins. No more! But be aware of who the client really is, not the one doing the actual paying. So we may focus on the integrity of the information flows first and foremost, then continuity (availability), and then confidentiality as an afterthought.
With neat break-downs into isolation, appropriate input/output buffering (anyone still aware of the difference between an interrupt and a trap? If not, take a hike and learn, and weep), and integrity controls above all. And something on (establishing) the quality of aggregation and of the questions being pushed down: when the wrong questions get asked, e.g. for lack of understanding of the subject matter (sic), as is so very commonplace in the vast majority of organisations today, the wrong results will turn up from within the data pool (reporting ‘up’wards).
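As an added worked example (mine, not the post’s or any IoT vendor’s code), here is the down/up flow in miniature, in the order the post prescribes: integrity first (every frame in both directions carries an HMAC and a monotonic sequence number, so tampered and replayed frames are refused), then availability (the aggregator’s inbound buffer is bounded, and what it evicts is counted rather than lost silently), and confidentiality deliberately absent. The answer flowing up carries its own coverage figures, so whoever reads the aggregate can judge its quality; the question flowing down is refused when the sensor cannot answer it. The key, the frame layouts, the command set and the operating envelope are assumptions for illustration.

```python
"""Two-way IoT information flow with integrity and bounded buffering (added example).

Frame = body || HMAC-SHA256(key, body). No encryption: confidentiality is left
as the afterthought the text makes it. Key and layouts are illustrative assumptions.
"""
import hashlib
import hmac
import struct
from collections import deque

KEY = b"constructed-demo-key-not-for-production"  # assumed pre-shared per device
TAG_LEN = 32
MAX_BUFFER = 8            # assumed bound on the aggregator's inbound buffer (availability)
READING_FMT = ">IQ"       # (sequence number, reading in milli-units)
COMMAND_FMT = ">I16sI"    # (sequence number, command name, argument)


def seal(key: bytes, body: bytes) -> bytes:
    """Append an integrity tag over the whole body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, frame: bytes):
    """Return the body if the tag verifies (constant-time compare), else None."""
    if len(frame) < TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


# Upward flow: sensor -> aggregator -> answer.
def pack_reading(key: bytes, seq: int, value_milli: int) -> bytes:
    return seal(key, struct.pack(READING_FMT, seq, value_milli))


class Aggregator:
    def __init__(self, key: bytes):
        self.key = key
        self.buf = deque(maxlen=MAX_BUFFER)
        self.last_seq = -1
        self.rejected = {"bad_tag": 0, "replay": 0, "overflow": 0}

    def ingest(self, frame: bytes) -> bool:
        body = unseal(self.key, frame)
        if body is None or len(body) != struct.calcsize(READING_FMT):
            self.rejected["bad_tag"] += 1          # forged, tampered or malformed
            return False
        seq, value = struct.unpack(READING_FMT, body)
        if seq <= self.last_seq:                   # replayed or stale: stream must stay monotonic
            self.rejected["replay"] += 1
            return False
        self.last_seq = seq
        if len(self.buf) == self.buf.maxlen:       # deque evicts the oldest; count it so the answer says so
            self.rejected["overflow"] += 1
        self.buf.append(value)
        return True

    def answer(self) -> dict:
        """The answer flowing up: the aggregate plus what it rests on and what was dropped."""
        n = len(self.buf)
        return {"mean_milli": (sum(self.buf) / n) if n else None,
                "n": n, "rejected": dict(self.rejected)}


# Downward flow: controller -> sensor (commands and questions).
COMMANDS = {b"SET_RATE", b"REPORT_NOW"}           # assumed command set
RATE_RANGE = (1, 100)                              # assumed operating envelope, Hz


def pack_command(key: bytes, seq: int, command: bytes, arg: int) -> bytes:
    return seal(key, struct.pack(COMMAND_FMT, seq, command, arg))


class Sensor:
    def __init__(self, key: bytes):
        self.key = key
        self.last_cmd_seq = -1
        self.rate_hz = 1
        self.reports = 0

    def handle_command(self, frame: bytes) -> str:
        body = unseal(self.key, frame)
        if body is None or len(body) != struct.calcsize(COMMAND_FMT):
            return "rejected:bad_tag"
        seq, command, arg = struct.unpack(COMMAND_FMT, body)
        if seq <= self.last_cmd_seq:
            return "rejected:replay"
        self.last_cmd_seq = seq
        command = command.rstrip(b"\x00")
        if command not in COMMANDS:
            return "rejected:unknown_command"      # a question it cannot answer is refused, not guessed
        if command == b"SET_RATE":
            if not RATE_RANGE[0] <= arg <= RATE_RANGE[1]:
                return "rejected:out_of_range"
            self.rate_hz = arg
        else:
            self.reports += 1
        return "ok"


if __name__ == "__main__":
    agg, sensor = Aggregator(KEY), Sensor(KEY)
    print(sensor.handle_command(pack_command(KEY, 1, b"SET_RATE", 10)), sensor.rate_hz)
    for seq, v in enumerate((21_500, 22_500), start=1):
        agg.ingest(pack_reading(KEY, seq, v))
    agg.ingest(pack_reading(KEY, 1, 21_500))      # replay, refused
    print(agg.answer())
```

Two practitioner caveats on top of what the block shows: the sequence number only works as a replay control if the receiver persists its high-water mark across restarts, and the HMAC-only framing leaves the readings readable on the wire, which is exactly the ordering the text argues for; where the readings themselves are sensitive, an AEAD mode gives integrity and confidentiality in one step.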

And of course there’s the divide between
the operational world, where actual business is done (either administratively in offices, though one could argue (i.e., prove beyond recovery) that this isn’t actually doing anything worthwhile, or producing stuff), and
the busybodies’ world ‘above’ (quod non) that, which thinks (wrongly) it is able to ‘control’ and ‘steer’ the productive body, sometimes rising into the thin-air levels of absolute ridicule by branding itself ‘governance’.
But do re-read all of last year’s posts and weep. And do also see the implications for variance in the integrity, availability, and confidentiality needs at the various (sub)levels.

And:
[Photo: The 2016 way is up; Cala at Barça]

Mobile vision

Twas bryllyg, and ye slythy toves / Did gyre and gymble in ye wabe
The brilly side has deteriorated, unfortunately, due to the great many who don’t avail themselves of the proper tools for the proper usage. [A CEO with you is still a CEO]

No, really: when the ultra-hyperventilating crowd decided to run at warp speed after the ‘any platform’ and subsequently ‘mobile first’ crazes (duly so identified), they forgot that when something’s meant to be visually interpreted, all the visual clues need to be clearly enough visible in the first place. Which goes better on a large screen than on a little one, inescapably. In the same way that the humongously dumbed-down ‘models’ that bankers and like w…kers use overshoot by a stretch in their simplification of reality (and are then, stupidly, taken as normative, prescriptive rather than descriptive in intent), visual interfacing for mob-ile users is oversimplified to the point of uselessness. Why??

Because [I say so] and [hypes go that way]. Lazy evaluation.
Which leads to: not one size too small to fit all, but all sizes made fit for the content’s purpose. Maybe not even displaying at all when the deep message can’t be captured in too small a display ..?

A bit deep, or dense, maybe. Hence:
[Photo: Circus, b/c you need bread; Oak Park, old analog pic]

Maverisk / Étoiles du Nord