on standards in Sollentuna

Ever wondered where standards (such as the ISO 27000) come from? Guess what? Somebody has to devise, write, publish and maintain them!

That's what technical committees are for. Standards are a global matter and I'm honoured to be part of Technical Committee TK318 of the Swedish Standards Institute, a non-profit association.

During our Spring meeting in summery Sollentuna, the discussion ranged from incidents and privacy to promoting standards. Good to be joining this team of national Infosec authorities.


on requirements in Umeå

To end five hectic days of teaching, I gave an updated version of my "KRAV-märkt" talk on Security Requirements as a lunch seminar at Umeå University together with Omegapoint colleagues.

The audience made a word cloud about Security Requirements ("necessary" was the #1 word) and ranked the relative importance of tactics against modern threats (prevention was #1).

The salad was fine and there were plenty of good questions, not least about upcoming regulations in the privacy domain.

My thanks to everyone!


on capabilities in Östersund

I was honoured to give a guest lecture in Östersund at the Mid Sweden University Political Science course Policy-Making During Crises in Society.

Giving a practitioner's view on InfoSec and Continuity Risk, I chose to focus on key capabilities for organisations in dealing with a crisis.

We did a team exercise on creating pandemic plans for a fictitious restaurant, which turned out not to be much of a challenge for these security managers of the future.

A pleasure meeting Evangelia Petridou and her students!


on archiving and agility

I was glad to see last week's Technical Infosec course fully booked.

This time I added a session on backup and archiving. Availability from a preservation perspective is becoming increasingly important as archives are being digitised.

We did a "100 points" Mentimeter exercise, ranking the relative importance of Agile Principles. The question was, which principles will have the most impact (positive or negative) on security work? Not surprisingly, principle #2 "Welcome changing requirements..." ended up on top.


using smartphones in the classroom

In this week's course Operational Infosec, we experimented with Mentimeter. I had prepared a set of questions, and participants used their phones to answer.

They voted on how to spend resources among Software Security practices, then on the relative cost efficiency of three crisis capabilities for our fictitious company, and finally on the relative importance of 12 privacy principles.

Mentimeter is intuitive. This was our first try and yet it only took five minutes from question to voting result.


on the limitations of PPT

Building blocks of security are people, processes and technology ("PPT").

These days we rely more on technology than we used to.

Also, the mix of these ingredients will vary between organisations. Think of a highly regulated large entity, such as a bank, heavy in processes. Then think of a smaller company in another industry where no one ever talks about processes.

Why do some organisations seem to be doing well without adhering to this PPT scheme? What additional factor could help explain this?


the human element

Upholding security involves different levels in an organisation. This is reflected in the three courses I'm teaching - Strategic, Operational and Technical Infosec (see "my events" above).

But one factor is clearly missing on this "headline" level: people!

Strategies are devised by humans. Operational processes are designed by and populated with humans. And - without humans, technology won't help.

How can we approach the "human element" of Information Security? Trust and motivation will be key factors.


handling the truth

Security is about protecting someone or something from someone or something.

Information Security does not exist in a vacuum. There is a context.

For intentional threat sources, the context is the motive behind an attack. As an example, consider an orchestrated release of correct information which was obtained without authorization. It is of course a breach of confidentiality. But that's just the means. The real attack involves releasing information as a projectile. Can your organisation handle the truth?


future's bright for Risk Analysis #SRAE16

Last year, Society for Risk Analysis (SRA) launched its Nordic Chapter. This week, 100+ researchers and other risk nerds (like myself) gathered in Gothenburg for its second conference with presentations on just about every facet of risk. My highlights were Björn Nevhage of FOI (and Riskkollegiet) with a meta-evaluation of methods for InfoSec Risk Analysis plus Sven-Ove Hansson of KTH offering a strong argument that the probabilistic risk approach is in fact tone-deaf and needs an ethical dimension.


on negative security awareness

We talk of an individual's security awareness as "high" or "low".

Recently, I waited for a friend at a locked entrance to his place of work. A carpenter (who - unlike me - had legitimate access) arrived, opened the door, and gave me that "aren't you going to follow me"-look when I remained outside, waiting for my friend.

This guy exhibited a polite, friendly attitude. He also displayed cluelessness on how to handle his access card.

Actively inviting risk - is that a case of negative security awareness?