Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

The Legend of Knuth the Agile

Once upon a time in a land far, far off-shore to today’s centers of economic, political or civilised-society gravity, before DevOps was a thing even, there was a great algorithm champion warrior named Knuth. Unlike his fellow programmer clansmen, that coded for fun and profit deep innovation and peer recognition [f&p came only decades i.e. ‘centuries’ later; ed.], in a world that was barren of bad code but still inhospitable to what later would become hero geeks and nerds (for whom this was still obvious), Knuth was just that little bit less quickly-footed in his subject matter, earning him the nickname The Agile, just to deride his profound work.

Because, you see, he was a man of honour and clean algorithms, two things that in his days were nearly the same. And he was in favour of solving things with fundamental parts. Not ‘process steps’ or so – how would he laugh at those that propose that, these days. Nor happenstantially bundled ‘sprints’ of fast (hacked, in its profound meaning) coding – though extreme coders live on here and there, not given the honour and credit they deserve.
But real, standardised, tried and tested (even in a semi- or fully mathematical way) logically consistent actual process steps. But then, he understands that the real warrior body (brains) belong only to those that have honed the warrior spirit, have grinded and polished their skills over decades to shine like blank sheet metal of the finest alloys. So, not like ‘hey I had this one-year (??, mostly one-week or so ..!) course in agile programming now I’m a l33t h@x0r’ kind of pre-puerile nonsense.

Well, dear readers, you know how times can fly and how reputations can change overnight. So it happens that his nickname suddenly meant something else. No more poetic escapes of sparse code and clean, logic-based algorithm library linking and calling/returning at the side of the waterfall development method. No more re-use of the tried and tested. No more frozen waterfalls at all, due to scope creep leading to progress-temperature drops to zero and below, leading to icy atmospheres where nothing works anymore. No more basic weapons training of even knowing how to deploy re-usable code and algorithms…
All we have now, in these days with no more heroes (but the baddies are still out there, everywhere), is/was faint attempts at “patterns”, being of course the latter-day devolution of the very algorithms that made Knuth the hero he was. Is.

And then, DevOps came to the scene. If only Knuth were still in his prime, he would know what to do.

Plus:

[Only in such art is extremely precisely applied sloppiness a virtue …! Gemeentemuseum Den Haag]

Explicitation of Risk — scaring yourself into victimhood

As may be clear, Sloterdijk’s explicitation ideas don’t hold on metaphysics levels of abstraction alone.
It works for all the mundane stuff like ‘risk management’ [disclaimer for the contradictio], too.

And, by making explicit what previously was ‘there’ already, but implicitly and hence not in any beholders’ eyes, in this case all one gains is not understanding (per se) but especially, systemic, existential scare.
Because the Unknown is identified, explicitised into existence. The Unknown that is, by (now) definition, the primordial Chaos contra the Order of Zeus and Apollo in his wake. In turn turning your existence into some degree of insecurity. [In a practical sense, not in the Schäume/Über-sphere sense of Peter Big-S]
And then, ‘risk management’ is the continuation through treatment of that Uncertainty with the addition of other means. [Italics mine, to correct towards the Original quote.] Because, you see, ‘managing’ the risks, even if for the moment we purely hypothetically consider that to be the case in any above-absolute-zero factual degree even for the most trivial, operational form, means having to acknowledge the fundamental impossibility of it. The harder ‘modelling’ types throw their weight [ah, yes, a very-big-if assumption, Pinocchio/Calimero’an again] against the uncertainties, the bigger the resistance is; the harder the chaos-theoretical unpredictability of the future bounces back. The further pushed, the more the full weight of the Universe pushes back.

You get that drift.

Well, then. What remains in nearby sight is the loss of naïvety that would give room for human growth. No guts, no glory! Where the guts are taken out of the picture, when they once were the area where gut feelings pro and contra any action or inaction were properly weighed, now only stupidly-crippled-rationality weighted.
But on the other hand; believing in the efficacy of ‘risk management’ in principle, will lull to sleep in a most blue pill sense.

Just don’t force all to take that colour; some actually want to succeed in Life.
And:
[Aim for clarity, deal with reality; Amsterdam (Lights Festival tour)]

Nog een / One more on audit culture

You will take little pleasure in song, dance or the martial arts if, in the song, you dissect the harmony of the music into its separate sounds and ask yourself at every note: am I really impressed by this? You would be ashamed of such a thing. The same holds for dance, when you judge each movement and posture separately, and for the martial arts.
Which translates to, anachronistically:
A pleasant song or dance; the Pancratiast’s exercise, sports that thou art wont to be much taken with, thou shalt easily contemn; if the harmonious voice thou shalt divide into so many particular sounds whereof it doth consist, and of every one in particular shall ask thyself; whether this or that sound is it, that doth so conquer thee. For thou wilt be ashamed of it. And so for shame, if accordingly thou shalt consider it, every particular motion and posture by itself: and so for the wrestler’s exercise too.

Which in turn brings back the discussions on the auditors being of a stratum or subclass that abhors the Cultural stuff, runs away from the Arts. Contrary, statistically, to e.g., lawyers and notaries-public. This was researched some years/decade back here in NL: auditors don’t read books. Don’t go to theaters. Don’t go to concerts. The bores, the bereft of exposure to the Classics, in classical or latest-modern form. They just don’t delve into anything moral, or consider Advanced Excel the ultimate they’ll go to.

As POTUS of the Western world — military and culturally, not just the latter or, much degrading, economically only — Marcus Aurelius saw it right (yes the above is from his Meditationes, book XI / II): Those that focus only on the analytical, tracing the veracity of the True and Fair View to the detail only and do not do (moral/ethical-Value) synthesis, are of an ethically overly impoverished, plebeian folk; worthy only of being (wage) slaves.
Those, on the contrary, that use the nitty-gritty to arrive at some grand, eloquent plea like lawyers do [should do; ed. – yeah that’s me myself ;-] even when not fully in compliance AAARGGGH! Yes I’ll go rinse my mouth with green soap with the Original “ISO” standard for that, will see their Virtue strengthen…

Never thought that I’d prefer lawyers over … anything.

But it does also refer back to my post of a couple of weeks ago in which I explained the difference between dispassionate conformity checking and invariable fault finding, the robotic way, versus compassionate improvement-issue formulation and risk-based prioritisation, the nothing-like-robotic way.
Now imagine which side I prefer to be on …

Plus:
[Ah, Culture and heritage, much over, higher, than mere systems of record; Edinburgh]

"Compliance auditing"

Is two distinct things, or a contradictio if taken as one.

  • The ‘compliance’ thing is just rote checking of the implementation of all petty rules. The Certificate certification type. If I’d even need to say more…
    Some even claim that by repeated checks of implementation, ‘operating effectiveness’ would be established. Fools. The operating effectiveness can only be designed in, so the first 99% of operating effectiveness can be checked in the design; what do you check the design for in the first place? Why would you check the design otherwise? And if you don’t, then what value to the petty paper that the standards are?
    Ah, “…the slavery of fear had made men afraid to think.” (Thomas Paine, Rights of Man, p.159) — that’s what this is about… As in a couple of last days’posts. But this is Not Auditing, since ..:
  • Auditing is the art of application of risk management upfront, and insight and wisdom afterwards. (as also in this.)
    Risk management upfront: Even when taking up some standards first and then seeing how they would apply to the case at hand, a true auditor would select, inter alia based on informal and formal risk assessment (in a mix dependent on the case, and experience) what rules from the standard apply and which ones to check for in what various levels of detail. If ‘all’, you’re doing something Wrong like doing compliance checking.
    Insight and wisdom after: There’s no value whatsoever in noting deficiencies as such, or recommending on their remediation simply by inner-product-like fixes. There is value when taken one, two, more, many more, levels up and digging deep (upwards, usually) to find the true causes, possibly root causes (but do NOT overdo this), and then advising in smart, intelligent, wise ways to remediate those. Don’t think black-white here, but about (fundamentally different!) thesis versus antithesis, towards Synthesis… And, along the way of the audit, support and encourage those under stress/duress of audit requirements, petty standards requirements, and micromanaging bosses all standing in the way of actual performance and use of brain. When then, a final overall conclusion is to be had, this would be based on the ability and application to weigh arguments (as Cicero, utterly correct: “One should not count arguments but weigh them”, De Oratore 307-310 LXXVII) and hand down a verdict which all embrace for its wisdom and authority — your personal authority which isn’t power, not righteousness-by-procedural-justice! Let alone attachment to some organisational body (self-aggrandised company or professional association), or by it of a title to you.

So, either you set your mind to Blank and do compliance checking, or you use your brain for its intended purpose [“irregardless” of its nature/nurture capability levels with you] and audit.
The first, not for nothing to be replaced by AI soon, very soon. The second, the almost-definition of what AI still (your mileage may vary) can’t do, yet… The first, for DAOs; the second, lost through Bureaucracy (see previous posts).

Plus:
[Shifty facades/faces; Zuid-As Amsterdam]

Low standards

The compliance check-box approach is an atrocious thing for and to many things and reasons, but has been induced by the very growth of the industry. Since all margin calls at all controls and controls objectives achievement have been wiped out — and no-one dares to or has the experience for margin calls anymore. How low can your standards of professionalism dive.

Sic transit gloria mundi; the trade once was a veritable gentleman’s (M/F/~) affair, for one put up one’s honour and good name (and standing including life, liberty, welfare and happiness) for the value of the second opinion over the full width of the (opinion about subject matter) playing field.
But one’s good name is no more. Men are no longer honorable, virtue isn’t a thing anymore; pluto reigns, in particular at 1600 Penn Ave — the demise of humanity. In the coming years, the standards will follow; having deteriorated from standards to hold Men to, to straight jackets most easily escaped from by surreptitiously gaming the system, making the system the mockery of men. I repeat myself.

But ideals, values, virtue and all things principle-based will resurface; if only trivially since the now resurgent risk-management approach would not work otherwise. The value is already returning to the dare of the expert to call it not to fold on details.
Hence, new standards will emerge. Pure-principles lists, no nitty-gritty stuff. To be audited on, by knowledgeable advisors that can relate sample controls / -frameworks to the principles and back. The 27k1/2 divide, but strengthened, widened.

About the latter; the renewed gap between principles and samples, will also allow auditors more flex when determining their audit approach as in next week’s post ;-|

By the way, the Dutch may read a bit on the same issue, au fond, and some pointers to solutions, if they’d work (put hypothetically for a reason), in this here piece, released after my draft of the above.

Oh, and:
[A winery, of course; Douro valley]

When it comes to Risk, Appetite is Tolerance

Previously, with many others I believed that Risk Appetite would have to be the starting point of discussion for anything Risk within organisations. The appetite, following from discussions on Strategy being the choices of directions and subsequent steps that would need to be taken to achieve strategic objectives, i.e., where one sees the organisation ending up in the future. Very clearly elucidated here. Backtracking, one will find the risks associated with these possibly multiple directions and steps — in qualitative terms, as NO valid data exists (logically necessarily, since these concern the future and hence are determined by all information in the universe which, logically, cannot be captured in any model since then, the model would have to be part of itself, incurring circularities ad infinitum; and already, the organisational actions will impact the context and vice versa, in as yet (for the same reason) unpredictable ways).
And then … This risk appetite, automatically equated with the risk tolerance by the Board for risks incurred bottom-up by the mundane actions of all the underlings (i.e., including ‘managers’, see yesterday’s post), then suddenly would have to be in quantitative terms… [Yes, bypassing tolerance-as-organisational-resilience-capacity]
As all that goes around in organisations, through the first 99.9% of Operational / Operations Risk, and then some 10% industry-specific risks (e.g., market- and credit- for the financial industry), not measured but guesstimated by hitherto outstandingly some that have least clue and experience [otherwise, they would have been much better employed in the first line of business themselves… The picture changes favorably (!) where we see some organisations shift to first-line do-it-yourself risk management… finally!] with what the chance and impact figures would be. As if those were the only two quantities to be estimated per ‘event’… As if any data from anywhere would be sufficiently reliable benchmarking material — If you believe that nevertheless, you should be locked up in a treatment facility… Yes sometimes it’s taken to be this moronic… No need to flame bigger here, as that was already done here.

But wait where was I. Oh, yeah, with the bypassing of tolerance defined as what the organisation could bear. The bare fact being, that no-one can establish a reliable figure for that. What the Board can and want to bear … Considering that the Board would have to be all-in, i.e., not only all of their bonuses since ever under clawback threat, but also all of their earned income incl salaries and personal wealth — if any of the Board would not want to risk all they ever had and have, bugger off this is what you signed up to. Considering also that strategic decisions are about wagering the existence of the company on choosing right or else, this wagering the well-being and wealth of all employees however unable to bear loss by mere fact of never had the ability to create some reserves, the previous consideration isn’t exaggerated. You wager others’ very existence, you wager your own ‘first’.

Summa summarum:
Risk Appetite is what the Board lets happen as Risk Tolerated Already.

Plus:
[And away goes your grand hallway down the drain; [non-related] Haarzuilens, Utrecht]

World Animal Day: a disruptive Whale

Because today is World Animal Day, let’s think of the Whale.
Because this is the kind of disruption your brain needs. Today, and any day.
Yes the clip is ‘Old’ — but still fresh; how’s that you Under-30-or-younger hunting faux headhunters that still, en masse (over 99,5% at least) hunt for dummies (car crashing kind) to fill dummy slots in Bureaucratia.

That’s all. And do check the vid at least until 2:42 Because Reasons.

What we all want / need …

Just as a simple link. If (sic) you understand, you’ll understand what you, we, all need, crave.

Yes indeed that’s all. Plus:
[More than just the Montanges …]

~vergent predictions, Do or Don’t

This idea, or lack of it, crossed my mind:
When it comes to predictions, following the lead of Tetlock’s Superforecasters may very well work (though note much of it starts with the, sort-of, mental, 50-50 approach of soberly realizing that one may improve, by admitting imprecision and those that claim precision or high scoring rates are wrong) … for issues and questions that converge on one, somewhat exactly determinable, outcome. This, all being within the realm of said book which is very much recommended by the way.
Where some questions, like “What is the best strategy?” may not have such a single outcome; the world changes, and (business-like) having a vision is a grand prediction already. Let alone that the ‘mission’, one’s desired place in that vision of how the world will be in the future, (often / always without a miss) skips the implicit choice issue of what one’s future place could be within that, vaguely defined, future state of affairs. Even if you shoot for the moon [and end up in an infinite and infinitely cold vacuum, among the stars but near-infinitely dwarfed by them] and miss, you may end up in a not-first but still pretty comfortable position; no hard feelings. … This, as an explication of what I’d call diverging predictions: Wide-ranging future states that you might ‘predict’ but most probably in a vocabulary that will not be valid or understood in the future so traceability of your predictions is … quite close to zero hence your advance predictions have no worth ..! This of course is also in the book but still, too often not realised.

Now, let’s combine this with Maister’s Advisor let alone simple consultancy …

Oh well. Plus:
[Predicting quality of resulting still wines … for second fermentation, mariage, and onwards — priceless; Ployez-Jacquemart]