Get them ..?

The effectiveness of any system of limitation of random liberty for the common weal, like, errm, traffic speed limits, where the enforcement hinges on individuals’

  • Weighing of necessity to break, either by being pressed (to arrive in time, or other coercion by others), or by an innate need to show off one’s [purely hypothetical; the more claimed, the more clearly emptily overshouting in vain] individuality;
  • Probability of detection, where of course society needs to balance total surveillance against freedom of movement — without interference even by blanket self-censorship;
  • Leniency of prosecution, i.e., whether one has boobs and cleavage (works with straight male and other-than-straight female cops, I guesstimate) and the happenstance happiness level of the state trooper (F/M/~), squared of course with how much over the limit you were and
  • Penalty — how much you’re charged for if at all

— with the overall effectiveness being helped most, it turns out, by #2 [Used ul instead of ol on purpose, yes]. Making the societal weighing thing much more serious, (un)fortunately.

But also; how could this help in #ditchcyber space ..? Many more raps on the knuckles …? How? By enforcing time-outs on the use of the (=?) Internet? That would be quite some latter-day equivalent of shutting people out of global society by solitary imprisonment … (way beyond mere forced exile to wastelands (inclusive)or ‘Strailia). Calling to question the humanity of it. Or would it provide a (suggested limit:) day’s worth of re-education on the subject of life out there?

I’d want the latter for the great many … Time for some Multi-million scale entrapment…?

Oh, and:
[Yep that’s the panopticon at work in Penn’s Eastern State Pen — be it Al’s cell all nicely decked (with the wrong radio!); worth a visit ..!]

Explicitation of Risk — scaring yourself into victimhood

As may be clear, Sloterdijk’s explicitation ideas don’t hold on metaphysics levels of abstraction alone.
It works for all the mundane stuff like ‘risk management’ [disclaimer for the contradictio], too.

And, by making explicit what previously was ‘there’ already, but implicitly and hence not in any beholders’ eyes, in this case all one gains is not understanding (per se) but especially, systemic, existential scare.
Because the Unknown is identified, explicitised into existence. The Unknown that is, by (now) definition, the primordial Chaos contra the Order of Zeus and Apollo in his wake. In turn turning your existence into some degree of insecurity. [In a practical sense, not in the Schäume/Über-sphere sense of Peter Big-S]
And then, ‘risk management’ is the continuation through treatment of that Uncertainty with the addition of other means. [Italics mine, to correct towards the Original quote.] Because, you see, ‘managing’ the risks, even if for the moment we purely hypothetically consider that to be the case in any above-absolute-zero factual degree even for the most trivial, operational form, means having to acknowledge the fundamental impossibility of it. The harder ‘modelling’ types throw their weight [ah, yes, a very-big-if assumption, Pinocchio/Calimero’an again] against the uncertainties, the bigger the resistance is; the harder the chaos-theoretical unpredictability of the future bounces back. The further pushed, the more the full weight of the Universe pushes back.

You get that drift.

Well, then. What remains in nearby sight is the loss of naïvety that would give room for human growth. No guts, no glory! Where the guts are taken out of the picture, when they once were the area where gut feelings pro and contra any action or inaction were properly weighed, now only stupidly-crippled-rationality weighted.
But on the other hand; believing in the efficacy of ‘risk management’ in principle, will lull to sleep in a most blue pill sense.

Just don’t force all to take that colour; some actually want to succeed in Life.
And:
[Aim for clarity, deal with reality; Amsterdam (Lights Festival tour)]

Being Creative with Trust in Identities

… seems impossible to get right. Since for sure, Identities that can be Trusted are so stable that all Creativity is impossible ..?

What does society-at-large want? If you think about the bandwidth above: Aristoteles’ true middle..! But would you know where that is, in this? Would it be sufficiently on the Fixed side to be able to be used as trustworthy Identity? Or would it be a matter of good-enough reliability, for the task at hand?
Possibly we should like Activity-Based Access Control to pair to this Task-Sufficient Identification ..?

A lot on this will have to be developed further, I’d say, but this could be the beginning of a beautiful friendship
Plus (skewed ‘horizon’-ID intentional…):
[All the ID theft may not get you here…; Amsterdam]

Nog een / One more on audit culture

U zult weinig genoegen scheppen in zang, dans of vechtsport als u bij de zang de harmonie van de muziek ontleedt in haar verschillende klanken en u bij iedere toon afvraagt: ben ik hier nu echt van onder de indruk? U zou u voor zoiets schamen. Hetzelfde geldt voor de dans, wanneer u elke beweging en houding apart beoordeelt, en voor de vechtsport.
Which translates to, anachronistically:
A pleasant song or dance; the Pancratiast’s exercise, sports that thou art wont to be much taken with, thou shalt easily contemn; if the harmonious voice thou shalt divide into so many particular sounds whereof it doth consist, and of every one in particular shall ask thyself; whether this or that sound is it, that doth so conquer thee. For thou wilt be ashamed of it. And so for shame, if accordingly thou shalt consider it, every particular motion and posture by itself: and so for the wrestler’s exercise too.

Which in turn brings back the discussions on the auditors being of a stratum or subclass that abhors the Cultural stuff, runs away from the Arts. Contrary, statistically, to e.g., lawyers and notaries-public. This was researched some years/decade back here in NL: auditors don’t read books. Don’t go to theaters. Don’t go to concerts. The bores, the bereft of exposure to the Classics, in classical or latest-modern form. They just don’t delve into anything moral, or consider Advanced Excel the ultimate they’ll go to.

As POTUS of the Western world — military and culturally, not just the latter or, much degrading, economically only — Marcus Aurelius saw it right (yes the above is from his Meditationes, book XI / II): Those that focus only on the analytical, tracing the veracity of the True and Fair View to the detail only and not do (moral/ethical-Value) synthesis, are of an ethically overly impoverished, plebeian folk; worth to be (wage) slaves.
Those, on the contrary, that use the nitty-gritty to arrive at some grand, eloquent plea like lawyers do [should do; ed. – yeah that’s me myself ;-] even when not fully in compliance AAARGGGH! Yes I’ll go rinse my mouth with green soap with the Original “ISO” standard for that, will see their Virtue strengthen…

Never thought that I’d prefer lawyers over … anything.

But it does also refer back to my post of a couple of weeks ago in which I explained the difference between dispassionate conformity checking and invariable fault finding, the robotic way, versus compassionate improvement-issue formulation and risk-based prioritisation, the nothing-like-robotic way.
Now imagine which side I prefer to be on …

Plus:
[Ah, Culture and heritage, much over, higher, than mere systems of record; Edinburgh]

Meta / Attrib-ShareAlike- … Commercial

For the following, one would best resort to …
Who are we kidding; are there still believers out there apart from the truly stupid-to-beyond-dysfunctionality-capacity defenders, that metadata is something less bad than just privacy-sensitive data points outright? Well, <spoiler> it’s the other way around — as is exemplified in this here piece. From which I’ve blatantly copied:

  • They know you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
  • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
  • They know you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don’t know what was in the email or what you talked about on the phone.
  • They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion.
  • They know you called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about.

So blatantly I might as well add:

But then the Non element in there warps things. Nevertheless, I’ll use the example in my upcoming pres.

And I’ll leave you for now with:
[Full of info, too, innocuous that ain’t but no invasion on you; Prague]

Is the EU repivoting ..?

Just a question; is the EU repivoting its society / economy ..?

Like, it stays away from the troubles of off-shoring / de-industrialisation versus global oil struggles versus growth hacking for the purpose of masses’ employment. It’s just not into anything, it seems. Also not qua the way society is organised.
So, is it quiet(ly) (sic) re-pivoting to something altogether totally new, or is it just dumb and silent (as the world rages towards improvement for All) …?

One wonders; sage or stupid… and:
[Times almost immemorial, when the EU was into the New things…; you-(should by all means!)-know-where, Rotterdam]

More of less

Digital cameras: The more pixels and quality-enhancing features (filters, autocorrect et al), the bigger the mass of lousy to so-so-at-best pictures taken. Selfies as case in point. The less, percentage-wise, the real art photography — squared with more picture exposure leads to more seeking out the ultimate quality / qualities by the discerning few.

The same, with management. The more of it we had, since WWII (sic), the more awful to mediocre-at-best management we had. Micro-management as case in point; intellectually at the same depth (‘level’ wouldn’t suggest the lowness of it) as selfies.
And, the less actual Leaders we see, perceive, acknowledge and laud. Unicorns notwithstanding — they may be the very build-up of a bubble that will in the end demonstrate the principle outlined here.

On this cheerful note:
[Now there’s quality; near Racine, WI]

From bike design to security design

You recall my posts from a couple of days ago (various), and here, and have studied the underlying Dutch Granny Bike Theory (as here), while not being put off by the lack (?) of design when taking a concrete view here.
You may also recall discussions, forever returning as long as security (control) design existed even when not (yet) as a separate subject, that users’ Desire Paths (exepelainifyed here) would inevitably be catered for or one would find continual resistance until failure — with opposition from the Yes But Users Should Be Made Aware Of Sensitivity Of Their Dealing With Commensurate (Linearly Appropriate) Security Hindrance side; things are hard for a reason and one should make things as simple as possible but not simpler. [Yeah, I know that’s a reformulation of Ockham’s Razor for simpletons outside of science and having dropped the scientific precision of O and of application to science where it’s valid and the second part is often lost by and on the most simpletons of all short of politicians which are in a league of their own.]

I feel there may be a world a.k.a. whole field of science, to be developed (sic) regarding this. Or at least, let’s drop the pretension of simpleness of cost/benefit calculations that are a long way on the very, very wrong side of but not simpler.
Anyone have pointers to some applicable science in this field?

Oh, and:
[Applicable to security design: “You understand it when you get it” © Johan Cruyff; Toronto]

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.
Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighing the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out or more rarely whether the control is found in place when the auditor comes ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated to the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when things go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
[An optimal mix of complexity with clarity; Valencia]

One extra for Two AI tipping point(er)s

To add, to the post below of a month ago.
This here piece, on how AI software is now writing (better) AI software. Still in its infancy, but if you recall the Singularity praise (terroristic future), you see how fast this can get out of hand. Do you?

The old bits:

You may have misread that title.

It’s about tips, being pointers, two to papers that give such a nice overview of the year ahead in AI-and-ethics (mostly) research. Like, this and this. With, of course, subsequent linkage to much other useful stuff that you’d almost miss even if you’d pay attention.

Beware of quite a number of follow-up posts, that will delve into all sorts of issues listed in the papers, and will quiz or puzzle you depending on whether you did pay attention or not. OK, you’ll be puzzled, right?

And:
[Self-learned AI question could be: “Why?” but to be honest and demonstrating some issues, that’s completely beside the point; Toronto]

Maverisk / Étoiles du Nord