Plusquote: Happening

“For a moment, nothing happened. Then, after a second or so, nothing continued to happen”.
Douglas Adams, The Hitchhiker’s Guide to the Galaxy

When scientists of the most esoteric kind finally come to wrap their heads around Einstein’s “Time is that not everything happens at once” in a provable way (errm, would like to have it in a falsifyable way but how would that happen? [no pun intended when typing but now it’s there…]), i.e., to the insight that the most fundamental something that happens in the universe, underpinning and giving rise to space, time, and matter [overOxfordian?], is Information,
this Information thing may wrap up the second quote, and the official quote of the day may be what was before Information — apologies that there is no clue in there how nothing happening suddenly gave rise to Information of why it wanted to / had to do so.
Both of the latter cases to be reflected on Sloterdijk’s understanding of the Ultimate Insurance Provider sphere-wrapping The Universe And Everything.

Plus:
XcqOBO3
[This guy understood; London]

Posted in Books by Quote, ERM, GRC, Information Risk Management, Information Security, Sociological, psychological notes | Tagged , , , , | Leave a comment

From bike design to security design

You recall my posts from a couple of days ago (various), and here, and have studied the underlying Dutch Granny Bike Theory (as here), while not being put off by the lack (?) of design when taking a concrete view here.

You may also recall discussions, forever returning as long as security (control) design existed even when not (yet) as a separate subject, that users’ Desire Paths (exepelainifyed here) would inevitably be catered for or one would find continual resistance until failure — with opposition from the Yes But Users Should Be Made Aware Of Sensitivity Of Their Dealing With Commensurate (Linearly Appropriate) Security Hindrance side; things are hard for a reason and one should make things as simple as possible but not simpler. [Yeah, I know that’s a reformulation of Ockam’s Razor for simpletons outside of science and having dropped the scientific precision of O and of application to science where it’s valid and the second part is often lost by and on the most simpletons of all short of politicians which are in a league of their own.]

I feel there may be a world a.k.a. whole field of science, to be developed (sic) regarding this. Or at least, let’s drop the pretension of simpleness of cost/benefit calculations that are a long way on the very, very wrong side of but not simpler.

Anyone have pointers to some applicable science in this field?

Oh, and:
DSCN3655
[Applicable to security design: “You understand it when you get it” © Johan Cruyff; Toronto]

Posted in Books by Quote, ERM, GRC, Information Risk Management, Information Security, Innovation (technologicallly driven), Sociological, psychological notes | Tagged , , , , , , , , , , , , | Leave a comment

The 46th

When Ford can launch the 2018 model of the Mustang already in January 2017, wouldn’t the People of the US not be able to already launch the improved-at-about-all-points 46th president, please ..!?

Similarly, I’d be happy already when someone(s) could have their infosec product / methodologies for 2018 out indeed per Jan ’17, so one’s protected against current threats rather than have to wait till next year before being able to be protected against the threats of today; always lagging.

Similarly, this:
DSC_0042
[Gloomy and unprotected, ravaged, by not having the 46th yet; NY]

Posted in ERM, GRC, Sociological, psychological notes | Tagged , , | Leave a comment

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.

Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighting the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out or more rarely whether the control is found in place when the auditor come ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated to the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when thing go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
DSCN4069
[An optimal mix of complexity with clarity; Valencia]

Posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologicallly driven) | Tagged , , , , , , , , , , , , , | Leave a comment

One extra for Two AI tipping point(er)s

To add, to the post below of a month ago.
This here piece, on how AI software is now writing (better) AI software. Still in its infancy, but if you recall the Singularity praise (terroristic future), you see how fast this can get out of hand. Do you?

The old bits:

You may have misread that title.

It’s about tips, being pointers, two to papers that give such a nice overview of the year ahead in AI-and-ethics (mostly) research. Like, this and this. With, of course, subsequent linkage to many other useful stuff that you’d almost miss even if you’d pay attention.

Be ware of quite a number of follow-up posts, that will delve into all sorts of issue listed in the papers, and will quiz or puzzle you depending on whether you did pay attention or not. OK, you’ll be puzzled, right?

And:

DSCN1441

[Self-learned AI question could be: “Why?” but to be honest and demonstrating some issues, that’s completely besides the point; Toronto]

Posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologicallly driven), Privacy | Tagged , , , , , , , , , , , , , , , | Leave a comment

You Don’t Call The Shots

I.E., You Are Not In Control !

This, as a consequence of the ‘In Control’ definition. Where the controlling and ‘steering’ (what Steering Committees are about, if properly functioning … 😐 ) are the same.
But as explained previously, such steering doesn’t happen (is impossible) already in a Mediocristan world its complexity, let alone the mix-in (to say the least) with Extremistan that you’ll find everywhere and certainly in your business.

NO you can risk-manage your business to the hilt, or even make it extremely brittle, antiresilient by totalitarian bureaucracy that leaves no human breathing space but switches to full 100% bot-run enterprise, DAO-style ops (hence will fail with complete certainty when interacting with humans like, e.g., your clients),
because complete risk-managed stuff still weighs costs so is imperfect or isn’t…
And of the imperfection of fully-reactive quod non-‘security’, see the above and many of my previous posts…

So either way, things will happen that you didn’t order. Estimates run from 50-50 (where you have zero clue about which 50 you do control) to 90%, 95%, 99% not-your-call shots. The latter category since your brain is not wired [link: huh] to deal with more than 10% ‘free will’ and the rest is, as scientifically determined, reactive to the environment however clever and deep-minded you think yourself to be (the more the latter, the less you are … If you have to say you are wise, you aren’t). Which make the majority of what happens to you and your organisation, accidental and from the outside. Which is by the very definition not you being ‘in control’.

Despite all the ‘GRC’ liars that should be called out for that quality.

[Edited after scheduling, to add: In this here piece, there are very, very useful pointers to break away from the dismal Type I and II In Control (quod non) Statements of all shades. Should be studied, and seen to refer back to the foundations of auditing ..!]

Oh, and:
DSC_1033
[Designed to belittle humans — failing since they’re still there…; DC]

Posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologicallly driven), Sociological, psychological notes | Tagged , , , , , , , , , , , , , , | Leave a comment

On your own, or forever be weak

Just a note that ‘cyber’security vendors (that hate #ditchcyber) will not save you whatever their claims are. Because they live off the perpetuation of the problem, and will make you weaker by lack of upkeep of your strengths at whatever levels they were.

Just a note that this applies to ‘intelligent’ devices of whatever sorts, too. Like, The Shallows squared; Home voice-recognising butlering devices (is there a category name for those already? The Echo’s, Alexia’s, Home’s I mean) or the bots out there on the ‘net, self-driving cars, etc.etc.

So, ed-ju-cay-shun is still to be pursued, in all directions! And:
DSC_0711
[Yes art education as well, to not skew your perspective…; DC sculpture garden]

Posted in Information Risk Management, Information Security, Innovation (technologicallly driven), Privacy, Sociological, psychological notes | Tagged , , , , | Leave a comment