Goldilocks versus information security

If you expect some fable about budgets; not so much.
This post’s about the generation thing called the Goldilocks syndrome – every generation (aren’t they ever shorter, these days?) believing that they had it, and made the society they ‘created’ no less, better than any generation before and after them.
For many generations, tech is still something that ‘came in later’ [venturing that even the newest ones, will see major tech-driven societal / tools changes in their lives], and information security nitty-gritty stuff is a major part of what they experience of that technology.
And ‘we’ (all) have done a very poor job of making it easier, actually improving over what was, to take away rational arguments for the G syndrome. We rather have heaped tons of infosec micromanagement of the worst kind onto the mere use of the technology, not even mentioning the troubles in the content where automation turned into change and inefficiencies of the polished work that was, and all that to cope with issues not in the actual work but in the operation of that very technology and its (sometimes gross) imperfections that didn’t exist before.

So, we may have to re-strategise and re-implement about all that we have, qua technology and qua information security dyeing on top and after it.

There are other reasons, too. And:
[When defences were, quite, a bit less buggy; Haut Koenigsbourg]

Data Science, yeah man!

Some of you may have noticed I like 4-way Venn diagrams.
That’s why (not) I’d like to link you to this.

In particular, see the information flow diagram of Science versus Engineering. Yes, this is what people got their PhDs on – since academia were so often frustrated that the few times they got advisory assignments (on the side, for anything resembling real income for the department), their advice was considered much too late and wasn’t implemented, whereas when the same assignments were done by commercial consultancies, the budgets were way higher and the results very unscientific but implemented. Turned out: academia lost themselves in endless analysis paralysis and beautification (in the immediate sense) of models and modeling; business just delivered a nicely coloured report with actionable advice regardless of its scientific defensibility (who’d care?).

To return now to the subject: Let’s better focus on the details of the Venn diagram and make those specialisations happen (by way of recognition by employers, long and short-term), not try to maintain the über-image [no reference intended].

That’s all, and:
[In a pic, like in a job, you can’t have everything. It has flowers so it’s OK; Bayeux]

M, and A, and G, D, P and R

Now that you have finally got something going qua GDPR compliance – way short of what you’d want but still, at least something, better than the Nothing to which you were limited so far – there is a new twist to the requirements…
To be clear: by now you should at least have the requirements clear, and also possibly have some upsides lined up (if not, go shop with some vendor consultancy (and others); they’ll tell you about the benefits of data minimisation, the unstress of having your house in order, etc.). And have something going qua reconnaissance, though not armed recce or recattack.

But now, you may have to rethink. A bit. About what you’d have to have prepared when you land in M&A territory, or even in Chapter 7/11/13- (and 9-!) or any glocal receivership. Because … well, the idea sprang from this thing with de-anonymising data from sperm banks (in NL); until now most highly classified secrets (qua donorship). Turns out that not all clinics have the old data, still, because previously the secret was to be eternal hence best secured by throwing away the data.
But more seriously, not all clinics exist anymore and there is no way to know where the data went, if anywhere.

And that’s where your organisation comes in. Not qua LoB but qua existence, now and in the future. Will you buy, take over, integrate some other org, or be on the receiving (uh…) end of the turmoil? You may want to make sure that the “GDPR” record of the other party is impeccable… Or end up with a mixed compliance bag which is equal to no compliance…
Possibly, you may have to prepare for some form of end-of-organisational-life where there is no body to take over your data and you might have to prepare for that ..?

Well, we’ll see what WG29 comes up with. At least, it will be additional stuff.
Plus:
[In a weird twist of interpretation, this complex of buildings could have housed a private bank of said kind…; Sevilla BTW]

Solar panels, water, plants

Wasn’t it that through carefully placed cloth, one could capture night’s (?) air moisture in a desert?
What if we could use solar panels to provide the shade underneath which such moisture is captured, and/or immediately applied to plants (crop!) growing straight under the panels, so they survive because the temperatures don’t boil them; being in the shade, they’re OK and can provide food and income, whilst providing electricity to … the rest of the world ..? Plant up the Sahara!

On a related note: how much desert surface would one need, to a. lessen the world’s dependence on oil quickly by turning to the electricity generated, b. cool the earth straight away by not letting the soil be heated by the sun but soaking up that heat in the panels, into … right.

And/or, whaddabout using the electricity to desalinate sea water, providing clean drinking/plant water to any land even remotely close to the sea ..?

Note that we would probably not need the latest, most expensive solar panels; cheap ones with “low” efficiency will do when sun is abundant. Could one bootstrap a factory that makes solar panels on the sort-of spot, using the electricity generated by some seed panels? Maybe not many, by #jobs-generated, too. Or have a look at this, though maybe a coupled, on-grid thing may scale even better.

And then, there’s this. Paint that generates hydrogen fuel — burn it, and you have clean water and (the heat to, if you’d need that) power engines. All in one; bring it on!

Also, creating less drought-related wars (as they are, all around! fact.), less mass people displacements, refugees, -disasters (what they are, almost always), etc.

One can dream and/or ask, right? I just would want to see estimates – possibly they could be interesting to investors…

Oh, and:
[Less global heating, less washed-up pirates; Dutch coastline ;-]

Colluding AI

As more and more grunt work (like, so much that’s done in the intensive people farms called ‘offices’) is replaced with AI, how soon will we find that some decision by a human, hardly in control anymore but totally reliant on the precooked algorithmic outcome provided by AI, will be contested in court – that will be presided over by a judge, hardly in control anymore but totally reliant on the precooked algorithmic outcome provided by AI, and the two colluding against humans’ interests…

Note that “of course”, there will be humans nominally handing out the final verdict(s), because so many (not yet) fought so hard (not enough yet) to keep a ‘human in the loop’. But having achieved not much more than the nominal thing, and there quickly being far too few humans with enough experience (how would they gain that, when they haven’t gone through the grunt work themselves, including being allowed to err sometimes, or how would they otherwise have learned ..?) to be able to usefully overrule the AI. Usefully, in the sense that the AI will have all the better, rational even if outlandish arguments… No more gut feelings … That may be part of what makes us human; whaddabout Kahneman’s 90% System 1 ..?

And then, still, what when AI finds it rational to re-introduce the death penalty ..? Swiftly executed, to preempt appeals?

Oh how bright is our future! Also:
[There was supposed to be a shut-down button somewhere in one AI/pillar at least… Now they switch each other On again …; Córdoba]

Discharging DPOs by auditors

Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word, I meant inventory] / data minimisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panic-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the meantime, someone would have to discharge the DPO. Not from internal audit, because they’re part of the problem organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Car disruption

Have governments gone insane?? They penalise anyone (but certainly not everyone) going over some completely [?] arbitrary speed, whereas my car can do double that, easily. This needs to be disrupted! Just drive as fast as you can handle, don’t care about the ‘others’ that stand in the way of you in your fundamental rights to freedom and the pursuit of happiness, and fight government in courts when they go after you – they are the stupid ones! They can’t stand you disrupting the traffic market by being quicker than the stupid sheeple [or is that you disruptor-user ..?] from A to B! People will die in traffic (e.g., by being so stupid as to always stay on the pavement but wanting to cross the road at a pedestrian crossing; fools). Children will veer off onto the streets; too bad. There will always be some less lucky and they take themselves out of the gene pool, just let them not hinder the Winners.

I’m into privacy. Which is of course completely different? from traffic ‘markets’ where the road is a commons, bound by rules (like, one doesn’t have priority but should give it to others when due) to make it reasonably safe for anyone (as a commons: no over-use till Tragedy Of). Just like hotels having to live by all sorts of safety rules (training staff, smoke alarms, hygiene, etc.etc.) for a reason. The same reason (or worse, given casuality of visitors) that goes for the V-sign company?
So, privacy in public space, the more virtual the more so [at least, no bit less so], can one (ab)use it when in breach of laws of common decency – that go much beyond mere laws or constitutions ..?

Not even a personal thing, the above … and:

[Perfect space for street racing…? Wouldn’t even hit too many ‘innocents’ here…; Zuid-As Ams]

Top 5 things that Awa isn’t

When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitude plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.

Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise stuff that you do doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals’ changing moods (attitudes). Oh, the latter: your attempt at changing Attitude is geared towards A in relation to infosec, but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?

No you don’t.

Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:

[Your kindergarten Board wish they could ever obtain such a B-room; Haut Königsburg]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

Knitting against Cyberrrr…

This here piece, being the explanation why hiding in plain sight beats overtly-crypto tools. Quite enough said, right, apart from the note that the solution is a form of arms race flipping, as predicted. Would only wonder (again) how many cat pics out there have stego messages, and how many TLAs are constantly scanning all Pinterest- and others-uploaded pics for nefarious content. Where the sheer volume created by innocent users helps the bad guys (girls…!) to escape (timely) detection, or what?
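To make the “hiding in plain sight versus scanning at volume” point concrete, here is an added example (my code, not the linked piece’s and not any TLA’s scanner): a synthetic 8-bit “image” (a constructed list of pixel values, not a real photo) gets a payload written into its least-significant bits, and a pairs-of-values statistic, the idea behind the classic chi-square steganalysis check, is computed on the clean and the modified version. The cover’s biased LSB plane, the 0.3 decision threshold and the constructed payload are assumptions of the example. The last part shows the caveat from the paragraph above: a payload that only fills half the cover pulls the statistic far less, and slips under the same threshold.

```python
# Added example: LSB-replacement sample generator plus a simple pairs-of-values
# steganalysis score. Everything is constructed: the "image" is a synthetic list
# of 8-bit samples, the cover's LSB bias is an assumption, not a measurement.
import random
from typing import Dict, List


def make_cover(n_pixels: int, seed: int = 1) -> List[int]:
    """Constructed cover: 8-bit samples whose LSB plane is biased (about 90%
    even values), standing in for the uneven (2k, 2k+1) value pairs an
    unmodified capture tends to have. Assumption for illustration only."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        v = rng.randrange(256)
        if rng.random() < 0.8:
            v &= ~1          # clear the LSB: even values dominate the cover
        pixels.append(v)
    return pixels


def random_payload(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed payload with roughly 50/50 bits (as compressed/encrypted data has)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


def bits_of(payload: bytes):
    for byte in payload:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover: List[int], payload: bytes) -> List[int]:
    """Sequential LSB replacement: payload bit i overwrites the LSB of pixel i.
    Used here only to produce a known-positive sample for the detector."""
    stego = list(cover)
    for i, bit in enumerate(bits_of(payload)):
        if i >= len(stego):
            raise ValueError("payload does not fit in cover")
        stego[i] = (stego[i] & ~1) | bit
    return stego


def extract_lsb(stego: List[int], n_bytes: int) -> bytes:
    """Read the first n_bytes back out of the LSB plane (round-trip check)."""
    out = bytearray()
    for b in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def pair_imbalance(pixels: List[int]) -> float:
    """Pairs-of-values statistic: random-bit LSB replacement pushes the counts
    of 2k and 2k+1 towards equality. Returns the mean of |n(2k) - n(2k+1)| /
    (n(2k) + n(2k+1)) over non-empty pairs; values near 0 mean an 'equalised'
    LSB plane, the fingerprint the chi-square attack looks for."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    scores = []
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            scores.append(abs(a - b) / (a + b))
    return sum(scores) / len(scores)


def looks_like_lsb_stego(pixels: List[int], threshold: float = 0.3) -> bool:
    """Assumed decision rule: flag when the pairs look equalised."""
    return pair_imbalance(pixels) < threshold


def demo(n_pixels: int = 20000) -> Dict[str, float]:
    """Scores for a clean cover, a fully embedded one and a half-filled one."""
    cover = make_cover(n_pixels)
    full = random_payload(n_pixels // 8)          # fills every pixel's LSB
    half = full[: len(full) // 2]                 # only the first half of the pixels
    return {
        "cover": pair_imbalance(cover),
        "stego_full": pair_imbalance(embed_lsb(cover, full)),
        "stego_half": pair_imbalance(embed_lsb(cover, half)),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:10s} imbalance={score:.3f} flagged={score < 0.3}")
```

With the assumed cover, the clean sample scores around 0.8, the fully embedded one well under 0.1, and the half-filled one around 0.4, so the fixed threshold flags only the full embedding. That is the scale problem in one number: a scanner tuned to keep false positives low over millions of innocent uploads will let low-rate embeddings through, which is exactly the volume effect the paragraph above describes.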

Maybe sometimes human interaction can still help, like with this. Of quite another category but deserving massive global support nevertheless. Can ABC’s and Facebk’s image recognition engines be solicited, or are we looking at the hardest pics still eluding the strongest AI-yet ..?

Back to knitting-style help it is … And:

[If you recognise this’ your country, you just got an interesting PM story… (truly congrats)]

Maverisk / Étoiles du Nord