on the limitations of PPT

The building blocks of security are people, processes and technology ("PPT").

These days we rely more on technology than we used to.

Also, the mix of these ingredients will vary between organisations. Think of a highly regulated large entity, such as a bank, which is heavy on processes. Then think of a smaller company in another industry where no one ever talks about processes.

Why do some organisations seem to be doing well without adhering to this PPT scheme? What additional factor could help explain this?


the human element

Upholding security involves different levels in an organisation. This is reflected in the three courses I'm teaching - Strategic, Operational and Technical Infosec (see "my events" above).

But one factor is clearly missing on this "headline" level: people!

Strategies are devised by humans. Operational processes are designed by and populated with humans. And - without humans, technology won't help.

How can we approach the "human element" of Information Security? Trust and motivation will be key factors.


handling the truth

Security is about protecting someone or something from someone or something.

Information Security does not exist in a vacuum. There is a context.

For intentional threat sources, the context is the motive behind an attack. As an example, consider an orchestrated release of correct information which was obtained without authorization. It is of course a breach of confidentiality. But that's just the means. The real attack involves releasing information as a projectile. Can your organisation handle the truth?


future's bright for Risk Analysis #SRAE16

Last year, Society for Risk Analysis (SRA) launched its Nordic Chapter. This week, 100+ researchers and other risk nerds (like myself) gathered in Gothenburg for its second conference with presentations on just about every facet of risk. My highlights were Björn Nevhage of FOI (and Riskkollegiet) with a meta-evaluation of methods for InfoSec Risk Analysis plus Sven-Ove Hansson of KTH offering a strong argument that the probabilistic risk approach is in fact tone-deaf and needs an ethical dimension.


on negative security awareness

We talk of an individual's security awareness as "high" or "low".

Recently, I waited for a friend at a locked entrance to his place of work. A carpenter (who - unlike me - had legitimate access) arrived, opened the door, and gave me that "aren't you going to follow me"-look when I remained outside, waiting for my friend.

This guy exhibited a polite, friendly attitude. He also displayed cluelessness about how to handle his access card.

Actively inviting risk - is that a case of negative security awareness?


from London to Stockholm - sharing is a capability. #SSRsem16

A city is a complex organism. Keeping its wheels turning is a challenge in normal circumstances. What about a crisis? In the face of pandemics, flooding, or even attack - how can a megacity like London become resilient? Samverkan Stockholm of the County Administrative Board hosted a seminar where London Resilience presented their work and the recent Exercise Unified Response. My main takeaway was about a learning culture among actors. Sharing is a capability. Collaboration will not happen without trust.


classification fosters dialogue

I used to think of info classification as a useless over-simplification. Information has unique properties that cannot be captured by assigning it to predefined classes.

Sure enough - having info represented by classes is a simplification. But these days I see merit in the practice.

Classification fosters dialogue about the sensitivity of info. A process owner might not know his security requirements but I can get him started by asking: where is integrity more important - for info type x or type y?


lots of hot air

What's up with the climate? After triumphant reports from COP 21, are we making progress?

It's a painstaking process. Right now it's about ratifying - confirming that we really have agreed.

Lots of hot air, if you will. Meanwhile, we're poised for another record year in global temperature.

Today's politicians will have to "sell" mitigation in solidarity, with no measurable reward until decades later.

Seeing is believing. From talk to policy to practice. But it's our only chance. How will you contribute today?


quality of constructions - or construction of quality

What is architecture?

To some, it's a structured way of elaborating an implementation through a series of abstractions.

To some, it's about classifying, capturing similarities in different implementations.

SIG Security recently launched a study circle "IT-arkitektur" based on a topical book.

I look forward to our sharing thoughts on the "enterprise", "business" and "solution" aspects of architecture. The book is not about security per se but we'll surely be reading with our "security glasses" on.


Strategisk informationssäkerhet

Strategic Infosec is one of four Infosec courses with DF Kompetens where I'm privileged to be teaching.

Participants from both public and private sector discussed their way through three days of theory with a couple of exercises about a fictitious company where there is room for improvement in security. Invited lecturers added their insight on how to navigate in the legal landscape as well as on media and dealing with journalists in a crisis.

The next course will be Operative Infosec, Stockholm in October.