Black List ..?

Erm, if a ‘contract’ is drawn up in such a way that it is intended to mislead, or at any rate to be unreadable for one of the contracting parties (and no negotiation or anything of the sort is possible; merely a Hobson’s Choice), aren’t the clauses in question, or the entire contract, illegal from the outset ..?

As in (thanks @ictrecht):

Book by Quote: Smarter Than You. Think.

Yet another ‘Book By Quote’ then. A full of … wisdom one again, for once.
An attempt to subjectively summarise a book by the quotes I found worthwhile to mark, to remember. Be aware that the quotes as such, aren’t a real unbiased ‘objective’ summary; most often I heartily advise to read the book yourself. This one, for sure – though don’t be uncritical while going through the many bends in not-so-water-tight logic ..!

So, this time: Clive Thompson, Smarter Than You Think, William Collins 2013, ISBN 978000742777-2.

“Human strategic guidance combined with the tactical acuity of a computer,” Kasparov concluded, “was overwhelming.” (p.5)

We’re all playing advanced chess these days. We just haven’t learned to appreciate it. (p.6)

Harold Innis – the lesser-known but arguably more interesting intellectual midwife of Marshall McLuhan – called this the bias of a new tool. Living with new technologies means understanding how they bias everyday life. (p.8)

As electricity became cheap and ubiquitous in the West, its role expanded from things you’d expect – like nighttime lighting – to the unexpected and seemingly trivial: battery-driven toy trains, electric blenders, vibrators. (p.8)

… scanned the brains of new mothers and fathers as they listened to recordings of their babies’ cries. They found brain circuit activity similar to that in people suffering from obsessive-compulsive disorder. (pp.14-15)

Marcel Proust regarded the recollection of your life as a defining task of humanity; meditating on what you’ve done is an act of recovering, … Vladimir Nabokov saw it a bit differently … “I confess I do not believe in time.” (As Faulkner put it, “The past is never dead. It’s not even past.”) (p.23)

We face an intriguing inversion point in human memory. We’re moving from a period in which most of the details of our lives were forgotten to one in which many, perhaps most of them, will be captured. (p.28)

OK, first a pic, then a moar tag; and the rest – a long rest.
[Yup, Fiorentina.]

Quick note: Privacy is about Info, not Data

Just a quick note to drop it, here, already before my holiday. May elaborate on the subject later, in a much extended form. The idea being:

Privacy is about Information, not about Data. Privacy sits on the divide, or jump, from data to information, as in this previous post.

Data doesn’t mean a thing. And yes there’s use in protecting data, but that’s only part of the picture. To discuss ‘directly or indirectly identifying data’ one needs to understand the value, and information, in data combinations. So you’ll have to keep the information value in mind always.

Which also means that if you discuss topics with various categorically-not-understanding-anything-other-than-bonuses stakeholders under the common header of personal data protection, you have lost connection to them, by giving up before you started; they will not ‘get it’. They know ‘data’ only in the abstract, as something to stay away from. If you don’t keep the (distinction AND connection) in mind and explain it extensively ‘externally’, you lose.

Same, if you don’t bridge the gap ‘internally’ in your in-group. Only when an exhaustive search for all meaning of any combination of data has been completed, would one know what data elements could possibly be necessary for identification and hence are privacy-sensitive.
This would probably set the threshold very low indeed. But hey, that’s your problem right there. Offer perfect protection or get sued into oblivion.
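The exhaustive search over data combinations mentioned above can be sketched as follows. This is an added example, not part of the original post; the records and column names are constructed for illustration. It shows that no single column identifies anyone, yet every person is singled out by some combination of two or three columns.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data); column names are assumptions.
RECORDS = [
    {"zip": "2271", "birth_year": 1970, "gender": "F", "dept": "HR"},
    {"zip": "2271", "birth_year": 1970, "gender": "M", "dept": "IT"},
    {"zip": "2271", "birth_year": 1985, "gender": "F", "dept": "IT"},
    {"zip": "2272", "birth_year": 1985, "gender": "M", "dept": "HR"},
    {"zip": "2272", "birth_year": 1970, "gender": "F", "dept": "IT"},
    {"zip": "2272", "birth_year": 1985, "gender": "M", "dept": "IT"},
]
ATTRS = ["zip", "birth_year", "gender", "dept"]


def singled_out(records, combo):
    """Indices of records whose values for `combo` occur exactly once."""
    keys = [tuple(r[a] for a in combo) for r in records]
    counts = Counter(keys)
    return {i for i, k in enumerate(keys) if counts[k] == 1}


def smallest_identifiers(records, attrs):
    """Per record index: the smallest attribute combinations that make it unique."""
    result = {}
    # Exhaustive search, smallest combinations first.
    for size in range(1, len(attrs) + 1):
        for combo in combinations(attrs, size):
            for i in singled_out(records, combo):
                # Keep only combos of the first size at which the record became unique.
                if i not in result or len(result[i][0]) == size:
                    result.setdefault(i, []).append(combo)
    return result


if __name__ == "__main__":
    for idx, combos in sorted(smallest_identifiers(RECORDS, ATTRS).items()):
        print(idx, combos)
```

The search is exponential in the number of columns, which is the practical form of the "threshold set very low" problem: every added column multiplies the combinations that have to be checked.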

I’ll return to this. Thank you:
[Kei-good design.]

Live by the rules. Hopefully, not.

[Western version]

Hm, you wanted to live by the rules …? Hopefully, not in this way…

Next question would be: On what principles would you decide which rules to follow, and which not [so much] ..? Wouldn’t that constitute deeper and/or pre-existing moral/ethical principles? What and where’s the real instruction value ..?

But then, of course:
[Relevant, MD]

Cybersecurity, yeah!

This is how you do it:
[As spotted in Voorburg. No, not ‘shopped a single bit.]

Yes, indeed, this is how your ‘cybersecurity’ (#ditchcyber ! #wegmetcyber !) compares to the real deal. But hey, if you want to believe you’re up there with the Big Boys, go ahead. I won’t stop you from your own make-believe. At kindergarten.

Fraud, try angle it differently

The fraud triangle should be no more. For too long, the simpleton representation of fraud occurrence possibility has dumbed down the discussion about countermeasures too much, leading to an unwanted, unwarranted, inefficient and ineffective approach difference from various sides.

[For those who know where this is: This is unconnected to the story ;-]

Point being: the fraud triangle presents the three factors Motive (or Pressure), Rationalisation, and Opportunity as if they are present at the same time, banding together. Take one of the elements out of the equation and you’re good. But the three factors do not play out at the same time.

Rather, they play out consecutively, leading to a false sense of security when only one is addressed, as even the wiki page on fraud deterrence suggests.
Wrongly! Because e.g., when Opportunity is taken away, as is most often the ‘easy’ solution in organisations, Motive and Rationalisation (the former starts it, the latter coaches it) will find another way, as the pressure of Motive will rise and rise until somewhere other than at the valve installed, some crack or so may burst, or the whole kettle may explode.

[Damn! Here, I had a perfect, really perfect two A4 pages full of text that disappeared in a glitch… The rest you see here, is just a bleak re-do missing the brille of the original… No, the re-write is not better than the original. Thanks, Tumblr! [Insert hard expletives here]]

As Motive is the thing that comes first, it should also be the first thing to address. It starts with not giving too much motive, which is the same as giving all your employees a reasonable compensation for their efforts that starts with the paycheck. In particular in hard economic times, some or many of your employees may heed more to their ethics (!) and provide for their family before sticking to stupid rules of some big anonymous organisation that doesn’t really know who they are and what their plight is. Ethics, yes, that thought discipline that is about having to decide between the conflicting rules of various groups that any human is part of. Family, friends, etc., and the organisation one might feel part of – or not, or not enough to let organisation group belonging outweigh family group belonging when it comes to a showdown, e.g., when they feel they don’t get their due but just the alms you so graciously hand them for your own grandeur only.
And if you’re visible to the public at large (and you will be, however you try to protect your image) as having so much more than your staff has, family etc. may start to actively pressure your employees to get up close to that level. You’re pushing them yourselves! Inequity forces (no, not less than forces) employees into a getting-even motivation..!
Both ‘hard’ and ‘soft’ pressures to get even, play out in the Motive element, but also in the Rationalisation element. Rationalisation is nothing else than the rationalisation of the ethical decision that your unconscious mind already made, for when your consciousness might turn up again later.
Let alone that it may not only be such ethics that force employees into less following the organisation’s stupid little rules. Think of what would happen if a family’s health or life is threatened by rogues; this happens all the time. But you can’t have all your employees and their families being secured all the time; they will leave you all as no-one can live under such circumstances of total siege.

And you do need to care for all employees, as all have access to possibly Opportunity-instrumental information. Do not think that your org chart or top-down approach may work, at all. That would miss (literally) 99% of all the information flow that goes through your organisation, and 99% of the paths that the information takes. You think your ‘processes’ are your organisation? Think again, think the opposite!

Which ties in with the Opportunity part. The Opportunity may be everywhere, at all organisation levels, in all sorts of combinations of petty-little-rule breaking or ‘sticking to the little rules so you can break the big ones’. You simply cannot know all the ways and places, and times, that Opportunity for fraud may exist. If you think that simple things like encryption may help then yes, they may help, but so little, so very, very little. As if IT staff, and masses of others, would not know their way around it. And any dam creates its lake that will overflow and create much more damage; the pressure is not diminished by the dam!

So, you can’t do much about Motive, Rationalisation, or Opportunity. Not much, a little bit.
Which is where we may take a look outside of the totalitarian control bureaucracy world I led you into above, which is typically today thinly veiled under a ‘Risk Management’ layer (just this morning saw an article discussing that we don’t need Risk Management, we need management of risk…!), or under the label ‘risk-driven information security’ etc. All wrong approaches, panicky seeking total control.

All we can do, then, is to sand off the rough edges. Which is what is done already, by (physical) Security as it has been done through the ages. Just take a look at a sample table:

It’s easy to see how this can be filled in to cover many more angles and available tools of information security, and can be expanded to cover much more of your organisation’s business. And it’s also easy to see that e.g., not all information security should be had only from IT measures, and not all process/procedural opportunity should be lessened by procedural refinement only. Cross-discipline measures could keep it all much lighter!

But just look at the last five column headers… Much better to approach fraud prevention through those than just sticking to Motive, Rationalisation, Opportunity, right? These ‘solutions’ may not prevent each and every fraud, but they keep things in check. If that’s the most you can get, then be happy with it!

More, maybe, later, on filling out the table in all sorts of situations.

Control industry

First, a picture for your viewing pleasure; you’ll need it:

[Baltimore inner harbour; rec area]

As a backlogged item, I was to give a little pointer to the design of control in (process-oriented!) industry, from which ‘we’ in the administrative world have taken some clues like sorcerer’s apprentices without due and proper translation and without taking the pitfalls of our botched translation job into account.

To start with, a little overview of the basics of how an industrial process (e.g., mixing paint, or medicine) is done, at the factory floor:

In which we see the main process as a (near- or complete) mathematical function of the input vector (i.e., multiple input categories) continuously (sic) resulting in the output vector which is supposed to come as close to a desired output as possible, continuously, on the parameters that matter. The parameters that matter, and the inputs, are measured by establishing values for parameters that we can actually measure, continuously (sic). With the inputs and outputs of course including secondary and tertiary ‘products’ like waste, heat, etc., and with all elements not being picture perfect but with varying variations off set values (the measuring devices and e.g. process hardware, also will have a fluctuating noise factor).
With the input vector being measured via the feedforward loop (control before anything might deviate) and the output vector being measured through the feedback loop (control by corrective actions, either tuning the process (recipe) or, more commonly, tuning the inputs). And the control function being the (near- or complete) mathematical derivative of the transformation function.
And all measurements being seen as signals; appropriately, as they concern continuous feeds of data.

That’s all, folks. There’s nothing more to it … Unless you consider the humongous number of inputs, outputs and fluctuations possible in all that can be measured – and not. In all elements, disturbances may occur, varying in time. So, you get the typical control room pictures from e.g., oil refineries and nuclear plants.
But there’s a bit more to it. On top of the control loop, secondary (‘tactical’, compared to the ‘operational’ level of which the simple picture speaks) control loop(s) may be stacked that e.g. may ‘decide’ which recipe to use for which desired output (think fuel grades at a refinery), and tertiary (‘strategic’ ..? Or would we reserve that for discrete whole new plants ..?). And there’s the gauges, meters and alarm lights in a dizzying array and display of the complexity of the main transformation function – the transformation function can be very complex! If pictured as a flow chart, it may easily have many tens if not hundreds of all sorts of (direct or time-delayed!) feedforward and feedback loops in itself. Now picture how the internals of that are displayed by measurement instruments…

Let’s put in another picture to freshen up your wiring a little:

[Baltimore, too; part of the business district]

Now then, we seem to have taken over the principles of these control designs into the administrative realm. Which may all be good, as it would be quite appropriate re-use of stuff that has proven to work quite soundly in the industrial process world with all its (physical, quality) risks.
But as latter-day newly trade trained practitioners, we seem to have not considered that there are some fundamental differences between the industrial process world and our bookkeeping world.

One striking difference is that the industrial process world governs continuous processes, with mostly linear (or understandable non-linear) transformation and control functions. Even in the industrial world, non-linearity but also non-continuous (i.e., discrete, in the mathematical sense) signals (sic) cause trouble, runaway processes and process deviations, etc.; these push the limits of the (continuous, duh) control abilities.
Wouldn’t it be wise, then, if we had taken better care when making a weak shadow copy of the industrial control principles into the discrete administrative world …? Discrete, because even when masses of data points are available, they’re infinitely discrete as compared to continuous signals (that they sometimes were envisaged to represent)? Where was the cross-over from administering basic process / production data to administrating the derivative control measurements, and/or the switch from continuous signals captured by sampling maybe (with reconstructability of the original signal being ensured by Shannon’s and others’ theories ..!!), to just discrete sampling without even an attempt at reconstruction (or reconstructability) of the original signals?
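To make the sampling point concrete, here is an added illustration (not from the original post) of a feedback loop that measures only every so many steps. The process, the sinusoidal disturbance and all parameter values are assumptions chosen for the demonstration: when the measurement interval equals the disturbance period, the controller never sees a deviation while the real process swings by almost the full amplitude.

```python
import math


def run_loop(sample_every, steps=360, period=30, amplitude=10.0, gain=1.0):
    """Simulate a feedback loop that measures only every `sample_every` steps.

    Returns (true_peak, seen_peak): the largest deviation from the setpoint
    that actually occurred, and the largest deviation the controller measured.
    All parameters are illustrative assumptions.
    """
    correction = 0.0  # corrective input, held constant between measurements
    true_peak = seen_peak = 0.0
    for t in range(steps):
        # Periodic disturbance on the process (e.g. a recurring cycle).
        disturbance = amplitude * math.sin(2 * math.pi * (t % period) / period)
        deviation = disturbance + correction
        true_peak = max(true_peak, abs(deviation))
        if t % sample_every == 0:
            # Feedback: measure the output, then correct by the measured error.
            seen_peak = max(seen_peak, abs(deviation))
            correction -= gain * deviation
    return true_peak, seen_peak


if __name__ == "__main__":
    for interval in (1, 30):
        true_peak, seen_peak = run_loop(interval)
        print(f"measure every {interval:>2} steps: "
              f"true peak {true_peak:.2f}, seen peak {seen_peak:.2f}")
```

A period-end check that happens to coincide with the cycle of the thing it checks reports a process in perfect control, which is the administrative counterpart of sampling below the rate needed to reconstruct the signal.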

So we’re left with vastly un- or very sloppily controlled administrative ‘processes’, with major parts of ‘our’ processes being out of our scope of control (as is witnessed by the financial industry’s meltdown of 2007– ..!), non-linear, non-continuous, debilitatingly complex, erroneously governed/controlled (in fact, quod non) in haphazard fashion by all sorts of partial controller (groups) all with their own objectives, varying overwhelming lack of actual ‘process’ knowledge, etc.

Just sayin’. If you would have a usable (!) pointer to literature where the industrial control loop principles were carefully (sic) paradigm-transformed for use in administrative processes, I would be very grateful to hear from you.
And otherwise, I’d like to hear from you, too, for I fear it’ll be a silent time…

Maverisk / Étoiles du Nord