lots of hot air

What's up with the climate? After triumphant reports from COP 21, are we making progress?

It's a painstaking process. Right now it's about ratifying - confirming that we really have agreed.

Lots of hot air, if you will. Meanwhile, we're poised for another record year in global temperature.

Today's politicians will have to "sell" mitigation in solidarity, with no measurable reward until decades later.

Seeing is believing. From talk to policy to practice. But it's our only chance. How will you contribute today?


quality of constructions - or construction of quality

What is architecture?

To some, it's a structured way of elaborating an implementation through a series of abstractions.

To some, it's about classifying, capturing similarities in different implementations.

SIG Security recently launched a study circle "IT-arkitektur" based on a topical book.

I look forward to our sharing thoughts on the "enterprise", "business" and "solution" aspects of architecture. The book is not about security per se but we'll surely be reading with our "security glasses" on.


Strategisk informationssäkerhet

Strategic Infosec is one of four Infosec courses with DF Kompetens where I'm privileged to be teaching.

Participants from both the public and private sectors discussed their way through three days of theory, with a couple of exercises about a fictitious company where there is room for improvement in security. Invited lecturers added their insight on how to navigate the legal landscape, as well as on media and dealing with journalists in a crisis.

The next course will be Operative Infosec, Stockholm in October.


thieves with an attitude

- I don't understand why so many people take this personally!?

A stylish gentleman, who had just inconspicuously entered the subway on my ticket instead of buying his own, tried to soften my irritation by arguing that neither I nor anyone else had paid for his ride. No one pays, he explained. A new economy indeed! So, why should I bother? It took me a while to figure out his logic: why would anyone care about something which does not affect him?

That, my dear well-dressed youngster, is not how we built a society.


on orchestrated falsehood and embarrassing transparency

Information Security is about protecting info.

What about disinformation? What about intentional leaking?

Sometimes, we must protect ourselves against information. These are clearly security issues concerning info. So, are they matters of Information Security? Technically, yes.

The typical impact is a compromise of correctness/integrity or confidentiality. But there is a world of difference between an embezzler and a hostile government. For new Threat Sources with new motives we'll need new defences.


takeaway from Uppsala

What do I mean by security through information? What is the asset, what are we protecting?

Could be other information - think intellectual property.

Often the asset is the life and wellbeing of people, as in the case of combatting terror.

But, you ask, how is this conceptually different from the classic Chief Inspector, piecing together a puzzle from clues, trying to preempt the murderer's next move? There are similarities. What is different is the amount of information, and that algorithms do most of the work.


reflections in Uppsala

If #EISIC2016 isn't about InfoSec, what is it? Is there a common denominator in looking for terror-inciting needles in a social haystack, in analyzing spatio-temporal data from offenders, in monitoring communication between (presumably) anonymous suspected parties?

It's not so much security of information (although that's instrumental as well). We're looking at the prospect of security through information. Collecting data, identifying patterns to gain knowledge e.g. for preempting acts of terror.


inspiration in Uppsala

What am I doing at EISIC? I will hardly ever go chasing terrorists, DarkWeb execs or pirates in the Gulf of Aden. Intelligence and Security Informatics is not conventional Information Security, is it?

No, it isn't.

But security is such a challenging domain. By approaching it from other angles, we can understand it better. And that is a necessity. InfoSec desperately needs innovation. But without humility and inspiration from other fields, it's just not going to happen. Hence EISIC. Time well spent.


it's all about the assets

Information risk is the potential for damage to sensitive info - the crown jewels (or assets). Think of risk as a combination of asset, threat source and vulnerability.

Technical people tend to downplay assets, probably because they don't know them too well. Business people know, infra folks don't. And yet, too many biz people expect tech colleagues to take the lead in managing Info Risk. The term "IT Security" only adds to the confusion about who should be on top of the matter.

It's all about the assets.


in test we trust

Testing is how you evaluate your continuity plan.

When a developer has found 5 bugs, is he done?

How can you evaluate your test? And why should you?

To trust your plan, you need to trust your test. Did you merely "kick the tyres" or did you go through the plan systematically? Did you involve your stakeholders, did you have a good discussion?

If not, now is the time to take notice. Who did you forget to invite? What did you forget to prepare? Document how your test can be improved the next time around.