Data Science, yeah man!

Some of you may have noticed I like 4-way Venn diagrams.
That’s why (not) I’d like to link you to this.

In particular, see the information flow diagram of Science versus Engineering. Yes, this is what people got their PhDs on – since academics were so often frustrated that the few times they got advisory assignments (on the side, for anything resembling real income for the department), their advice was considered much too late and wasn’t implemented, whereas when the same assignments were done by commercial consultancies, the budgets were way higher and the results very unscientific but implemented. Turned out: academia lost themselves in endless analysis paralysis and beautification (in the immediate sense) of models and modeling; business just delivered a nicely coloured report with actionable advice regardless of its scientific defensibility (who’d care?).

To return to the subject: let’s rather focus on the details of the Venn diagram and make those specialisations happen (by way of recognition by employers, long and short term), not try to maintain the über-image [no reference intended].

That’s all, and:
[In a pic, like in a job, you can’t have everything. It has flowers so it’s OK; Bayeux]

Parental Control – Surveilling your parents … Ew!

There you have it: Parental Control is needed more than ever, in a subtle way (I’d suggest you would do best to re-study The Cyber Effect, as I do), given the ever-increasing (sic) risks online for those smaller than you.

But what about those more grown-up than you; your parents ..? They either are only now, slowly, coming online, or have been there longer and have practised, but are now becoming older and mentally less capable or acute.
Hence, would we need parental control to (also) mean: control over your parents (their online behaviour)? And how would we have to arrange that? The norms for what would be, e.g., appropriate content are, ahem, not so clear. When a child wants to explore a vast portion of the Internet / its traffic, many agree that this should either be forbidden or be a serious learning opportunity qua acceptability. When the one(s) that taught you about the birds and the bees want to visit such sites, well, ew! but on the other hand…
Similarly, qua gambling sites, hooliganism, et al. — not forbidden for any adult, but where do things get out of hand, squared with how the capacity to operate in society may deteriorate with the elderly, and where the thresholds might be.

Yes, in Europe, when you die your data (on socmed etc. too!) belongs to the government and your family has no rights over it. By consequence of some weird interpretations of obscure articles, contra reasonable moral and ethical expectations of relatives (either biologically/family-related or qua social media ‘friends’ ..?).
But for bank accounts et al., there have been practical rules and protocols for a long time already, so that children (come of age) slide stepwise into custodianship. Would we need something similar for parents’ online behaviour? What would the rules of thumb look like, and could they be enforced somehow, to protect the weak against abuse ..?

Let’s discuss. And:
[Bridge too far? Cala aging again; Sevilla this time]

Discharging DPOs by auditors

Now that it by and large seems that the GDPR hype stuff has mostly been pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [ugh, ugly word, I meant inventory] / data minimisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profileable data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panic-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the meantime, someone would have to discharge the DPO. Not internal audit, because they’re part of the problem organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Nudging to intermittance; 5 steps to awa success

As you have by now become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to-be, should-be classic on all things #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter probably requires training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM-style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is an even harder fact than elsewhere!), one wants to have trained everyone on cool, controlled response rather than mere panicky reaction, even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice, where attention is on other things only, not on infosec, as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

1. Train like you BCM

Isn’t it strange that one of the most prominent success factors of Business Continuity Management, actually training for eventualities of all kinds and sizes, is so little done?
Or has the basic tenet Train like you fight, then you fight like you train been forgotten?

Or not even learned in the first place. Shameful.

And, by the way, it’s true. When you train (well, as seriously as if you’d actually be in a ‘fight’ for survival), you get experienced. Surely no trained scenario will play out in the unlikely event of an emergency of any kind that your BCM aimed for, but you will be experienced enough to handle such unknown situations, be flexible, and have the acumen, courage, and wit to come up with a solution, no sweat, right ..? Because you know you can, no sweat, and hence, clear thinking about the right things.

So, … have fun shooting down the bogeys. And:

[Hey, that’s a pic from a scanned slide (physical, Kodak), of the bitches of South, at Twente (no more)…]

Panoptic business

Recently, I heard the gross error of thinking again: “When people use their business IT for private purposes, they have no right to privacy” – rightly countered from the room that standing European law most clearly has the opposite: the employer has zero rights to see anything unless there’s prior evidence of some malfeasance or malfunctioning (e.g., performance problems – of the employee, not of the infra…). So, blanket or categorical surveillance (or blocking, which presupposes monitoring; how the heck else would you detect the to-be-blocked URLs ..!?): No sir.

What about the recent spat where a bank blocked Netflix because employees’ use of it at home, using company laptops that Citrixed back to the bank and from there onward, overloaded the networks of the sad (typo not said, intended to characterise the) bank? Well, a. how dumb can you be to Netflix over Citrix etc., or is one so incredibly cheap (hey, works at a bank; apart from the exceptions you know, go figure) that bandwidth cost is an issue? Then maybe you’re too scroogey to be allowed to work at a bank in the first place; monumental failure, ethics-wise. b. in this case, clearly there are performance issues – when it’s noticeable at the company network level, certainly it goes for a number of individuals, even if only by disturbing the performance (bandwidth availability) of others. c. there are no absolutes in what employers cannot do.

But clearly, in just about every case considered today where categorical blocking by blacklisting would be attempted because managers sideways involved in HR stuff would understand what the URL is about, i.e., not-business-related entertainment however SFW or N-, while skipping the blacklisting of the sites that really should be blacklisted (torrents, malware shops and other rogue tooling),
we have again the panopticon argument of “observation changes behaviour” – and in these times of clueless managers (the less they know that of themselves, the worse cases they are!), you need in particular those ‘users’/employees that go beyond monkey typing away to be creative in their work and find new revenue / cost reduction directions. Which means that when you observe, or only log to be able to observe, you squelch productivity and profitability… Way to go!

Oh, and:

[Not the one mentioned above; HypoVereins München on a heat-hazy day]

Simply laborious

After some post recently, I was triggered to summarise – and expand …
Since there is a bit of history missing. Being the Theory of the Firm. Which is, among other stuff but au fond, about the creation of the manager. As the go-between of ’employees’; as the go-between between the workforce and Capital. As the foreman, the one in charge of coordination – when people come together because they can achieve more in cooperation than the sum of their individual efforts, through specialisation of labour, those specialised contributions need to come together in one way or another, and the provider of capital (the thing that other raw materials are paid with, hence about the only thing to receive deferred payment; don’t get me started on the so absolute quod-non of the ‘inherent right’ to rent above trivial liquidity and risk compensation…) will want to talk to just one. Originally, sometimes capital provider and leader/cooperation-initiator/manager were one, until external capital was required from parties that extorted control. Big sic there.
Well, now don’t go blaming me that it is on the capital provider side that criminally biased rules and regulations have crept in. Flash capital, extortionist locust ‘capital management’ groups, et al., have forced their mob ways into ‘normal’ conduct — almost; the Rheinland model [first, learn to pronounce that correctly, then, get to understand it fully, then, return and prostrate yourself and happily receive your life sentences for your transgressions] still holds sway, and sometimes veers back a bit. A bit.

So yes, to the latter, that is criminal, and the cause of cushions called management layers, ever more wrongly devised and developed. And yes, we would need some totalitarian revision of organisational structures to cure it all. Including, starting with, the redefinition [i.e., throwing away all that function there smoothly now, as they denounce their incapacity to really do what’s really required] of middle management and refilling the positions. Also capping CEO pay to, say, something like 10 times the average pay of the bottom 10% of the workforce. All contribute, and a CEO may need a little compensation for when [not if; should be law..!] something goes wrong, his (sic) head rolls. But not too much. When the CEO is sacrificed, something went so wrong that many will get hit; the CEO being in the best position to survive it, qua the social and economic strata he should be in. Workers, much less so; much less opportunity to have built buffers, capisce?

But maybe not absolutely only Owners and Professionals. That will simply not work. Both sides would, even in an ideal world of perfect information everywhere, be buried under control information to such mountainous levels that they wouldn’t have time left [if you’d need more than 25 hours a day to do your work, just work that little bit longer!] to do their primary jobs…
But a revisit of Galbraith’s four information-processing-capacity-increasing routes, as here, is desperately necessary… Surely, herein lies the way forward to much better organisational design, integrating the latest possibilities qua information processing and internal and external networking, making possible the creation of true networked organisations and individuals…?

Oh, and:
[Completely undoctored, also unsmoked, pic from Toronto]

Surge ethiconomics

There was already quite some debate about surge pricing, in particular re [illegal] taxi services.
What I missed so far are discussions about the economic, or rather ethical, character of abusing surges and their price tag instabilities. Like, how would you depict such developments in price elasticity graphs; shooting up and down on-curve, and curve shifts included. Is orderly society permissive of such hog cycle disruptions ..? [Term pointing at the characterisation of the CEOs that don’t want to see anything in/human in what they do]
The asymmetry (shooting) on the curve is market imperfection; the curve shifts in the long run are better captured by ‘classical’ economics. Again: the ethical ramifications aren’t value-free (tauto), aren’t uninteresting to anyone that values freedom — as that requires markets to function, which is done by regulating them. The latter is proven so many times I don’t even want to discuss it here.

Stock markets, and stocks, are capped qua max change (volatility spikes), the most extreme competitive markets out there;
why wouldn’t other markets have the same ..?

Your contributions in comments, please… Plus:

[Stable, safe, cleared for use; Madrid]

Per vertical lines of defense

What if … Lines of Defense aren’t three (or four or five) ‘horizontally’, but vertical, like actual protection against things getting out of bounds ..?
Wouldn’t that return the whole concept of 3LD, TLD, Three LoD or whatever your favourite abbreviation is, to the already tried and tested process control models of yesteryear? And when (not if) it does, wouldn’t you be found out to be a sort of bumbling eager beaver when you think you’re still doing great and are Really Important and a GRC star and don’t see that your kindergarten Importance is called out to hang high ..?

Because then, you’d need no more big Risk departments with all the procedural justice, compliance on paper (and actual (operating) effectiveness nowhere!), etc., just some nimble support structure. Then, a major part of the conzulting industry would collapse and core management capabilities would have to be returned to formal and practical education and experience-training.

Oh well, one can dream, can’t one?
And:

[A lot of science and engineering there, inside and out, and how beautiful it is (for it); Valencia]

Appetite for destruction ..?

Not even referring to the Masterpiece. On the contrary, we have here: … Well, what?
Interested as we all are in the subject, since it is still defined so sloppily, we all look for progress, so I started. But stopped, when it turned out … risk appetite is defined in hindsight, with a survived disaster being the appetite threshold. Nice. So you’ll know what your appetite is when it has hit you and you were lucky enough to survive. If you didn’t survive, you now know you passed the threshold. Same [?] with projects: only if it fails do you have to write off the investment. The idea of sunk costs may be an enlightenment ..?

Etc.

I believe the CRISC curriculum has other, actually somewhat useful, information on this, and on risk tolerance ..?
Your comments, please.

Plus:
[For 20 points, evaluate the risks, e.g., qua privacy, bird strikes, value development; Barça]

Maverisk / Étoiles du Nord