Some quick notes on Audit / service development

An invitation for co-development or I go it alone…
[This also being a copyright / idea claim]

  • Undecided what name will stick; either
    Ethics Test Services, or
    Autonomous Judgement/Decision Analysis Services;
  • Because it is about checking the morality baked into, or emerging from, algorithmic decisions and/or decisions and conclusions from autonomous and self-learning systems;
  • Contra “Computer says No”, obviously.
    If you want to learn what that refers to, see here;
  • [Intermission] Whereas some in European politics (sic) discuss imposing a limit where autonomous systems without one human in the loop anywhere would have to have an ‘explanatory’ function that can display in layman’s terms how it arrived at some decision, and that being contestable. But the questions are: What if the ‘system’ were hosted outside the EU (and just like inflation, Gresham will obviously apply), and what if (maybe ‘when’; we’re talking politicians here) such a very first step towards transparency may still not make it, and what if as a cheap escape trick the human would and could only click ‘OK’ — could (s)he be culpable?
  • Elements would be:
    • Process correctness,
    • Data correctness,
    • Exceptions handling; essential and necessary.
  • This, in Standard Form and with an overall human (me; run to the hills) judgement both over process/systems quality and over moral/ethical admissibility;
  • Will have to extend the notions of ethics, morality et al. here; e.g., how humans make decisions in the first place with all their errors of all kinds, what to do when systems/humans don’t follow morality and/or the decisions from the systems.

So, everyone (dabbling in this space from now on,) will pay me serious license fees for using the above ideas in commercial services… [note: I’m serious]
And/or all help is welcomed.

To add:
[Photo: Would deliver above services to this address for expense reimbursement only …]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no you drop the pretense and lies that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment, that seems to work whereas in environments where ‘dashboards’ have been promoted for ages (decades, mind you) without any success, with the cause already known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coney‘s of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by, what could have been, proper all-out systems management integrating the traditional style of it, with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed and understand that not all transactions could be perfectly in line with the, unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.

And:
[Photo: Modern (purpose), still also a sun dial; Barça]

Quitting a club

Where some trade association of … drum roll … chartered (sic) IS auditors declared that Cybersecurity is becoming an ever bigger problem, and that an IS auditor should need to keep informed of the latest developments, as an argument to join in some CYBER ARRGHHH! lecture,
one better leaves. I did.

Sure, I’m a member of some other, global, of the same trade and tricks one might say. But to list the other arguments to quit the local (i.e., Dutch; could have characterised them as ‘provincial’ but why) one, would take ten pages (yes I have them, spelled out including various legal trespassing of the vilest kind, far from complete after some of this year’s developments within the club…) and I don’t want to bother you with the water under the bridge.
And sure, I re-joined yet another trade association. And try to contribute in another way, as yet not yet disclosed. And #ditchcyber.

But I’m unsure about my discretion in leaving (behind the hopeless) and would be curious about your best advice when and how (that’s two) to quit a club. Thoughts?

Oh:
[Photo: Not only T towers might need (sic) to be renamed…]

WindTalker

Right. So we have a side channel attack where your hand movements over your mobile, when typing in your key, will interfere with WiFi signal patterns in a detectable, traceable way thus revealing your key. Like this (PDF).
Would this, on a second trend note, destroy or obviate even more the need for Active Access Control ..?

Plus:
[Photo: Mock-up for fabrics not mockery of your security; Stedelijk Amsterdam]

For members, useful insights

I’d suggest making this available widely; beyond membership only. Because it ties in so well with, e.g., this and many other issues at this.

Yes, I may be biased; just like everyone if only for having been member of this. Which (subject) plays a much more prominent role in your lives than you think, certainly in the nearest of futures. Beware.

And be aware of:
[Photo: Your ethics reasoning: All corners, leading nowhere, abandoned; Fabrique Utrecht]

First Rule of Risk

First rule of risk: Never underestimate risk. Even when you follow this rule, and even when your estimates seem ‘proper’.
Where of course, the propriety of your estimates is in grave doubt, either on the “This has never happened to us so / Come on, get real, [we’re not a target because we’re of no interest to anyone] what are the odds!? / Ho hum, there’s the boy cried wolf again”,
or on the “I’ve been reading this thing about CYBER! Arrrgh! In the Inquirer so why aren’t all staff hiding under their desk and we didn’t yet have the Marines take over and destroy the office to defend it ..?” FUD-side.
[Side note: You did have ‘consultants’ over (office (culture, motivation) destroyed, seems like a preventative measure?), but be aware that’s the opposite of Oorah]

Because when every nanosecond brings the possibility of an ‘event’ (how’s the repeat of sampling with (! … is it?) replacement over so many draws working out in your frequency estimations..!?), one can be sure that a 99% chance of something not happening, will result not in it virtually certainly not happening every time, but in the certainty that the 1% will strike, repeatedly, and a strike will endure much, much, much longer than the inception of it. The ‘event’ isn’t measured in nanoseconds, but in days, weeks, months and sometimes even years (think the, near-certain, reputational damage). So, your estimates are too low, all too low.

But since the detractors are always downplaying your estimates due to their other-directed agendas, do follow the First Rule of Risk …
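The 99%-over-many-draws argument above, carried through in numbers as an added example (this is not code from the original post); the per-draw probability, the event duration and the number of draws are constructed values for illustration:

```python
"""Added illustration of the First Rule of Risk (not from the original post).
All parameters below are constructed for illustration."""
import math
import random


def p_at_least_one(p: float, n: int) -> float:
    """Chance that an event with per-draw probability p occurs at least once
    in n independent draws (sampling with replacement): 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p) ** n


def draws_until_near_certain(p: float, target: float = 0.99) -> int:
    """Smallest number of draws at which P(at least one event) reaches target.
    With p = 1% that is already 459 draws, i.e. the '1%' becomes near-certain."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def impacted_fraction(p: float, duration: int, draws: int, seed: int = 1) -> float:
    """Simulate `draws` intervals; each starts an event with probability p, and
    an event keeps you 'impacted' for `duration` intervals (overlaps merge).
    Returns the fraction of intervals spent impacted. For duration == 1 this is
    about p; for long-lasting events it is about 1 - (1 - p)^duration, far
    above the per-draw figure the detractors quote."""
    rng = random.Random(seed)          # fixed seed: reproducible illustration
    impacted_until = -1                # last interval still covered by an event
    impacted = 0
    for t in range(draws):
        if rng.random() < p:           # an event 'inception' in this interval
            impacted_until = max(impacted_until, t + duration - 1)
        if t <= impacted_until:        # the strike endures past its inception
            impacted += 1
    return impacted / draws


if __name__ == "__main__":
    p = 0.01                           # the '99% it won't happen' estimate
    print("P(at least one event in 459 draws):", round(p_at_least_one(p, 459), 4))
    print("draws until 99% sure it has struck:", draws_until_near_certain(p))
    print("time impacted, 1-interval events:", round(impacted_fraction(p, 1, 100_000), 4))
    print("time impacted, 30-interval events:", round(impacted_fraction(p, 30, 100_000), 4))
```

The last two lines are the point: the same 1% per-draw estimate gives roughly 1% of time impacted when an event is over immediately, but roughly a quarter of all time impacted once each event lingers for thirty intervals.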

[Photo: Your in-house security gurus are quite like that, yes, being the absolute rookies at the BlahBlah Seat At The Board Table — probably available only when the Board is out — or any level they’re relegated to]

Lament / Where have ‘Expert Systems’ gone ..?

Those were the days, when knowledge elicitation specialists had their hard time extracting the rules needed as feed for systems programming (sic; where the rules were turned into data, onto which data was let loose or the other way around — quite the Turing tape…), based on known and half-known, half-understood use cases avant la lettre.
Now are the days of Watson-class [aren’t Navy ships not named after the first of the class ..?] total(itarian) big data processing and slurping up the rules into neural net abstract systems somewhere out there in clouds of sorts. Yes these won out in the end; maybe not in the neuron simulation way but more like the expert system production rules and especially axioms of old. And take account of everything, from the mundane all the way to the deeply-buried and extremely-outlying exceptions. Everything.
Which wasn’t what experts were able to produce.

But, let’s check the wiki and reassure ourselves we have all that (functionality) covered in “the ‘new’ type of systems”, then mourn over the depth of research that was done in the Golden Years gone by. How much was achieved! How far back do we have to look to see the origins, in post-WWII earliest developments of ‘computers’, to see how much was already achieved with so unimaginably little! (esp. so little computing power and science-so-far)

Yes we do need to ensure many more science museums tell the story of early Lisp and page swapping. Explain the hardships endured by the pioneers, explorers of the unknown, of the Here Be Dragons of science (hard-core), of Mind. Maybe similar to the Dormouse. But certainly, we must lament the glory of past (human) performance.

Also,
[Photo: Is it old, or (still) new ..? Whatever, it’s prime quality. Spui, Amsterdam]

The Risk of Human Existence

Where Risk should be in the ‘first’ line of any defense, and subsequent lines are mere (subsumed …!) support, as in the line of reasoning where Risk or rather Uncertainty [don’t start me on the semantics pure kindergarten discussions per definitional differences] is essential to do business; nay is essential to any organisation’s ‘business’ even when as non-exposed to market conditions as e.g., government departments.
Which, and this is the title reference, of course hinges on: all human endeavour seeks to eliminate uncertainty as uncertainty in the state of bare survival that humankind still is (sic; on average, and in the near future thanks to global warming [no thanks, global warming!]), would mean deterioration i.e. extinction.

Against which we (well, I; uncertain about you dear reader) have developed these whimsy precious things called brains (i.e., including the prefrontal cortex) to enable us to not only cope with the most complex of things including paradoxes, infinity et al., but also with uncertainty. Through induction and Big Data-like pattern extraction, sometimes taken to the levels at which most current Big Data analysis stands (turning spurious correlations however weak, into causation theorillets and/or rites), sometimes actually achieving something — models that ‘work’ to sufficiently accurately predict some aspects of the future (i.e., behaviour of predators) to enhance survival by staying away from the most unsurvivable situations.
Now that a precious few (??) have managed to ward off the evils of existential threats, such death scare of death has turned into a death scare of anything that doesn’t go according to our plan of doing the least possible to do nothing but eat ourselves into obesity.

Meaning, not accepting that now all reasonable threats, uncertainty, has been reduced by extreme CYA everywhere, at the same time we (not I) accept less and less that bad things just happen, and will ever more fanatically look for someone(s) to blame.

Solve the latter by ‘solving’ the former. Fight CYA!

And:
[Photo: What’s our love … but the Art of Glass; Blondie for no apparent reason, Dordrecht]

When it comes to Risk, Appetite is Tolerance

Previously, with many others I believed that Risk Appetite would have to be the starting point of discussion for anything Risk within organisations. The appetite, following from discussions on Strategy being the choices of directions and subsequent steps that would need to be taken to achieve strategic objectives, i.e., where one sees the organisation ending up in the future. Very clearly elucidated here. Backtracking, one will find the risks associated with these possibly multiple directions and steps — in qualitative terms, as NO valid data exists (logically necessarily, since these concern the future and hence are determined by all information in the universe which, logically, cannot be captured in any model since then, the model would have to be part of itself, incurring circularities ad infinitum and already, the organisational actions will impact the context and vice versa, in as yet (for the same reason) unpredictable ways).
And then … This risk appetite, automatically equated with the risk tolerance by the Board for risks incurred bottom-up by the mundane actions of all the underlings (i.e., including ‘managers’, see yesterday’s post), then suddenly would have to be in quantitative terms… [Yes, bypassing tolerance-as-organisational-resilience-capacity]
As all that goes around in organisations, through the first 99.9% of Operational / Operations Risk, and then some 10% industry-specific risks (e.g., market- and credit- for the financial industry), not measured but guesstimated by hitherto outstandingly some that have least clue and experience [otherwise, they would have been much better employed in the first line of business themselves… The picture changes favorably (!) where we see some organisations shift to first-line do-it-yourself risk management… finally!] with what the chance and impact figures would be. As if those were the two only quantities to be estimated per ‘event’… As if any data from anywhere would be sufficiently reliable benchmarking material — If you believe that nevertheless, you should be locked up in a treatment facility… Yes sometimes it’s taken to be this moronic… No need to flame bigger here, as that was already done here.

But wait, where was I. Oh, yeah, with the bypassing of tolerance defined as what the organisation could bear. The bare fact being, that no-one can establish a reliable figure for that. What the Board can and want to bear … Considering that the Board would have to be all-in, i.e., not only all of their bonuses since ever under clawback threat, but also all of their earned income incl salaries and personal wealth — if any of the Board would not want to risk all they ever had and have, bugger off, this is what you signed up to. Considering also that strategic decisions are about wagering the existence of the company on choosing right or else, this wagering the well-being and wealth of all employees however unable to bear loss by the mere fact of never having had the ability to create some reserves, the previous consideration isn’t exaggerated. You wager others’ very existence, you wager your own ‘first’.

Summa summarum:
Risk Appetite is what the Board lets happen as Risk Tolerated Already.

Plus:
[Photo: And away goes your grand hallway down the drain; [non-related] Haarzuilens, Utrecht]

Commoditised exploits

What was first; the exploits or the use of them ..?
When now, we have this kind of reasoning, aptly, there already was this, too.

So, … What now ..?

[Photo: This being the state of (the best of … ;-[ ) Dutch design nowadays. Yes the rest is worse, much worse. Law of handicap of head start; Zuid-As]

Maverisk / Étoiles du Nord