Poor bungler has no Scandinavian example to make his point

Gerald jeered in dinner discussion
August 19, 2016 by Karen Mikkelsbergen

Gerald Waterson badly lost a series of discussions with his friends last Thursday. The 36-year-old county clerk of Decatur, IL, didn’t have a Scandinavian example for any point he wanted to make.

During dinner, Gerald proposed, e.g., that social security could not continue in its current form with the lax immigration policies, that a fully sustainable energy supply was feasible, that only college grads should be allowed to teach at high schools, that longer prison terms don’t increase general security and that tomato is a vegetable.

“Those were interesting proposals,” Dean Farmour (35) remembers. “We were honestly interested to have ourselves convinced. His arguments however were lacking every time again. Gerald only had a huge stack of scientific reports at hand and a slew of scientific theories. But he did not have one single example from Scandinavia. Not one!”

Megan Drimble (36), too, was disappointed by the defective argumentation of Gerald’s vision. “If you’re so sure that longer prison terms don’t work, then you’d better have something more than just fifty years of data from a number of countries. I’d like to have data from just one Finnish province, please!”

Megan herself successfully defended that the hunt for moose would need to be deregulated in Georgia: “Isn’t it crazy that the state legislature doesn’t just allow it? In Sweden, the moose hunt accounts for the prevention of many traffic casualties and of serious damage to forests.”

Gerald now knows what to do. “I always thought that I had studied sufficiently on any subject I thought to know but I was jeered at for that. Next time, I’ll make sure to always have some obscure Scandinavian research at hand. The Danish psychologist Sören Larsen showed, by the way, that to give me a far more convincing posture, too.”


[Original, in Dutch, on the Speld; translated with permission]

Rio per capita

… Is the medal list per capita out already ..?
[Spoiler: next Thursday’s post has some results for the below…]
For surely, just adding up medals per ‘country’ is ridiculous. When some country may send two athletes (four?) to some contest and can pull from, e.g., 10M citizens, how much infrastructure (economically, culturally etc.) can it muster, compared to some country that has a potential pool of, e.g., 300M ..?
[Including that some form of compensation should be available for the very fact that population- and surface-wise smaller countries have a much lower ‘pyramid’ of local contestants challenging each other for better performance, and less physical room for training/contest facilities, uniform marketing hence sponsoring, and societal recognition to be had — if at all, see the following.]

Bragging about some idiotic sort of ‘we’ that has collected 1000 medals over the decades, is double nonsense. How many of the medal winners were allowed to procreate so prolifically that, genetically, the ‘we’ is now justified, gene pool wise? Or rather, how many of the medal winners were neglected by society so that they died in ignominy and often even poverty ..!? That’s quite contrary to the ‘we’, those medals should be discounted from any total …

So, where is it, the Per Capita medals list of, e.g., Rio’16 ..?

[No, the Netherlands wouldn’t climb very much higher; close to median in population as it is, and same qua performance (?).]

Next, what would a handicap system look like ..?

And:
[a.k.a. ‘The Medal Race’ — or is it a commentary on the financial industry in the midst of which it lies beached ..? [spoiler: yes it is]; Zuid-As Amsterdam]

Own rules

When ‘Compliance’ are the Spanish Inquisition, keep them to their own rules. Leviticus, in particular; 19:19, 19:27, 24:10-16 and others (note :4 for the commoners outside the C department), and Deuteronomy, e.g., 22:11. Exodus 21:7, too.

We’re looking at a lot of pink slips, and clawbacks, if we’d be too (sic) lenient.

Oh well:
[Compliance through the looking glass; GlassFever Dordrecht]

Risk Chagrins

It’s just a matter of Karma

As long as ‘risk’ ‘managers’ deal with negativity (admit it; focusing on the negative is even written into quite a number of definitions involved ..!), they’ll become the sourpusses they want to see all around (remember, the “passing back risk management to the ‘first’ line” ..?), and according to which they’ll behave ever more, finding evidence everywhere they’re on the ‘right’ track.
Quod non, but conspiracy theorists as they are, they will not listen

Oh, and this:
[Your ‘risk’ ‘heat map’, accurate picture]

Plusquote: Materiality

Discussions about materiality are not material.

This, after realizing that all too often, the discussions about materiality were/are either by Eager Beavers (not having grown above box checking zealots), or by outsiders qua experience and expertise, e.g., lawyers (q.q.) and ‘governance’ bubbletypes.
Whereas, when ‘materiality’ (or its twin-at-a-right-angle, ‘significance’) its pass-or-fail boundary is discussed, not the precise measure (and hence, rigorous definition) counts, but the very fact that there is a discussion in the first place. That is material, that points at an issue. Wise minds (q.q. probably not directly involved ..!) understand this point and will not want to join the discussion, leaving the latter to the nonderstandables.

Think about it — when the discussion arises for whatever reason, that mere fact already is a signal, which can simply be reported as such, together with all its glorious detail. Must. For it is material significant oh whatever…

Leaving you for the weekend with:
[“It’s only a model” it ain’t ..! in Rotterdam — oh wait, that’s a scaled re-build…]

ChainWASP

… With all the blockchain app(lication)s, in all senses, sizes and seriousnesses if that is a word, growing (expo of course) everywhere,
wouldn’t it be time to think about some form of OWASP-style programming quality upgrading initiative,

now that the ‘chain world is still young, hasn’t yet encountered its full-blown sobering-up trust crash through sloppy implementation. But, with Ethereum’s and others’ efforts to spread the API / Word (no, no, not the linear-text app…) as fast and far and wide as possible, chances of such a sloppy implementation leading to distrust in the whole concept may rise significantly.

Which might, possibly, hypothetically, be mitigated by an early adoption of … central … Oh No! control mechanism of e.g., code reviews by trusted (huh?) third parties (swarms!) where the code might still remain proprietary and copyrighted.
Or at least, the very least, have some enforceable set of coding quality standards. Is that too much asked …??

I know; that’s a Yes. So I’ll leave you with the thought of a better near-future, and:
[Horizontal until compile-time errors made adjustments necessary (pic); beautiful concept — other than Clean Code, actually executed to marvelous effect]

Reverse firing squad (LIBORgate et al.)

When designing cross-organizational processes ‘hence’ including cross-organizational control structures, who will be accountable to look after the controls in question?

Take LIBOR(gate). Someone(s) dreamt up a structure of ‘self-regulation’, which even the most brief moronically-superficial gleaning over history will tell will fail, and then forgot one’s accountability for putting in place such a sure to fail thing.

’cause only accountability will force ‘taking’ responsibility and actually doing both parts of Trust But Verify.
No, the latter part was not taken up by the individual banks involved. Because they had perfect (O)RM in place. That, by perfectly sensible, justified, and objective achievement-perfecting arrangements, focused on the risks to the own organisation only as they were, are, internal departments working for the optimization of the organisation (taking into account local Board’s risk appetites and attitudes, risk estimations, budgets, cost/benefit analysis and what have we); nothing more or they would bordering-on-(?)-the-illegally overstep their remit. Hence, intra-organizational conspiracy was not something any individual bank’s (O)RM department, or manager, had to worry about let alone be actively fleshing out as a potential risk.

The supra-organizational oversight required, the level where the scheming took place (huh I mentioned ‘supra’ not for nothing..!), could technically, operationally, tactically and strategically only have been envisioned at that same supra level, with the regulator(s) at that level, that instated the L-scheme. [Oh I could add a ton here on how any ‘lower’ level cannot in any logical way have ‘seen’ the risk(s)] So, accountability and responsibility, for setting up a scheme that was prone to the risk(s) in the first place and for not applying due control and oversight (from the strategic all the way to the operational/technical levels!), was and still is with those regulator(s).

How then have they escaped being kicked and imprisoned ..? By claiming ‘temporary’ insanity where Reality in the L-process and elsewhere, is only a string of ‘temporary’ moments ..? The lack of competence is appalling. But drowned in the finger-pointing flying all around except in the right directions.

Uch. One could get very depressed, and/or feel belligerent. Or see the mirror of a firing squad. In the latter, a number of soldiers fire, with only one round not being a blank so no-one knows who did it so none can be held accountable individually for the collective shooting of some villain. [If only in some miracle world it wouldn’t be that most victims are the Honorable very much in an Aristotelian Virtue sense.] Now, we have ‘one’ regulator shooting a whole squad, and all of the squad are blamed …!?


[Just a MSc uni in Delft. Because science ..!]

The carrot won’t stick

Almost as an intermission, on my way to a full-length post on behavioral change and InfoSec: A shortie on Compliance.

Having realised that classical compliance is a hygiene thing: Nothing happens, until some factor sinks below the surface / zero; then, all heck breaks loose.
I.e., no carrot, many many sticks. Not your average well-balanced incentive scheme, right?

Classical awareness / behavioral change programs, then. Where only the winner, Employee of the Month, or less, will receive some recognition. Often, recognized among peers and colleagues ‘for being a d.ck’. The rest, that tagged along without doing anything particularly bad, or even only just arriving at the #2 spot: Not much, often Nothing.
A tiny carrot, possibly up some unsunshined place or used as pick, and not much by way of sticks.

Where is the scheme with a lot of carrots (but not for all, especially not as guaranteed sign-on bonus…!!) and a few sticks-in-private (as they should be!) …?

Just asking, maybe for an impossible thing but your considerate responses are very much welcomed… and:
[‘Dagpauwoog’ i.e., back yard beauty]

Said, not enough

Here’s a trope worth repeating: Humans are / aren’t the weakest link in your InfoSec.

Are, because they are fickle, demotivated, unwilling, lazy, careless, (sometimes! but that suffices) inattentive, uninterested in InfoSec but interested in (apparently…) incompatible goals.

Are, because you make them a single point of failure, or the one link still vulnerable, and through their own actual, acute risk management and weighing they decide to evade the behavioral limitations set by you with your myopic, non-business-objectives-aligned view on how the (totalitarian, dehumanized, inhumane) organisation should function.

Aren’t, because the human mind (sometimes) picks up the slightest cues of deviations, is inquisitive and resourceful, flexible.

Aren’t, because there’s so many other equally or worse weak links to take care of first. Taking care of the human factor may be the icing, but the cake would be very good to perfect for making the icing worthwhile…!

Any other aspects ..? Feel free to add.

If you want to control ‘all’ of information security, humans should be taken out of the (your!) loop, and you should steer clear of theirs (for avoiding accusations of interference with business objectives achievement, or actually interfering without you noticing since your viewpoint is so narrow).

That being said, how ’bout we all join hands and reach for the rainbow ..? Or so, relatively speaking. And:
[Where all the people are; old Reims opera (?)]

Maverisk / Étoiles du Nord