takeaway from Uppsala

What do I mean by security through information? What is the asset, what are we protecting?

Could be other information - think intellectual property.

Often the asset is the life and wellbeing of people, as in the case of combatting terror.

But, you ask, how is this conceptually different from the classic Chief Inspector, piecing together a puzzle from clues, trying to preempt the murderer's next move? There are similarities. What is different is the amount of information, and that algorithms do most of the work.


reflections in Uppsala

If #EISIC2016 isn't about InfoSec, what is it? Is there a common denominator in looking for terror-inciting needles in a social haystack, in analyzing spatio-temporal data from offenders, in monitoring communication between (presumably) anonymous suspected parties?

It's not so much security of information (although that's instrumental as well). We're looking at the prospect of security through information. Collecting data, identifying patterns to gain knowledge, e.g. for preempting acts of terror.


inspiration in Uppsala

What am I doing at EISIC? I will hardly ever go chasing terrorists, DarkWeb execs or pirates in the Gulf of Aden. Intelligence and Security Informatics is not conventional Information Security, is it?

No, it isn't.

But security is such a challenging domain. By approaching it from other angles, we can understand it better. And that is a necessity. InfoSec desperately needs innovation. But without humility and inspiration from other fields, it's just not going to happen. Hence EISIC. Time well spent.


it's all about the assets

Information risk is the potential for damage to sensitive info - the crown jewels (or assets). Think of risk as a combination of asset, threat source and vulnerability.

Technical people tend to downplay assets, probably because they don't know them too well. Business people know, infra folks don't. And yet, too many biz people expect tech colleagues to take the lead in managing Info Risk. The term "IT Security" only adds to the confusion about who should be on top of the matter.

It's all about the assets.


in test we trust

Testing is how you evaluate your continuity plan.

When a developer has found 5 bugs, is he done?

How can you evaluate your test? And why should you?

To trust your plan, you need to trust your test. Did you merely "kick the tyres" or did you go through the plan systematically? Did you involve your stakeholders, did you have a good discussion?

If not, now is the time to take notice. Who did you forget to invite? What did you forget to prepare? Document how your test can be improved the next time around.


meet Riskkollegiet!

The future is uncertain. We all have goals which might not be met. Risk is everywhere. It concerns bankers, beekeepers, and billiards players. Since risk is a part of every field, it can take many forms. Exploring the specifics of risk, and risk as a concept, how risk is perceived and managed, is what the Swedish Society for Risk Sciences (Riskkollegiet) is about. The Society hosts seminars, publishes reports and supports young researchers. I'm proud to join the board of Riskkollegiet as a deputy member.


on rational evilness

Researcher Hans Brun helps us grasp terrorism as a phenomenon.

It's not new; the first "wave" occurred well over a century ago. And it's not irrational. On the contrary - terrorism is a conscious choice made by rational actors, says Hans. It's a strategy serving specific purposes. Terrorists aim to create chaos, provoke an overreaction and portray themselves as a credible and legitimate power.

Deconstructing terrorism won't make it any less ominous, but it helps free societies find defensive strategies.


a lesson in troubled times

I spent an afternoon, hosted by the European Commission, with seminars on migration and climate change. Their way of reaching out and inviting dialogue is commendable and necessary when navigating political turmoil.

What struck me was how these seemingly different topics turn out to be interrelated. Climate change is a growing driver of migration. And neither issue could be addressed by fortifying borders. Nationalism won't solve anything, only strengthened cooperation will. A lesson in troubled times.


step by step towards assurance

In order to obtain assurance, your qualified continuity plan should be tested.

Don't wait for it to be "perfect". Test soon, and use the test to find weaknesses.

The effort you put into testing will depend on risk. Begin with a desktop test, discussing the plan step by step with stakeholders.

Iterate the test and watch your plan improve, as well as your ability to execute it.

Nothing beats reality. A realistic simulation is the next best thing. It won't be cheap or simple, but certain scenarios need to be simulated.


crystal ball out of service

Planning for retirement and pension savings is one of the most difficult long-term decisions most of us will ever face. At a recent seminar, Nordea offered a list of issues to think about, focusing on today's rulebook and how responsibilities are shared between state, employers and individuals. But the system keeps changing. We're all literate, we can read up on current rules. As experts, bring your crystal ball, help us understand trends and scenarios. What might the system look like 30 years from now?