2015-06-12

again, known unknowns and unknown unknowns

This week's #sthlmcrimsymposium was fun and valuable. This being my second time, I had managed my expectations better.

Sure, linking outdoor violence to substance abuse is different from preventing the compromise of valuable information. But there are also similarities. There was a poster session on Situational Prevention in the context of incident response. Infosec has so much to learn from mature fields such as criminology.

Managing known unknowns. Constructing unknown unknowns. We're all in that business.

2015-06-01

on the unsinkable and the unthinkable

It started as a jolt on the lower deck

Swedish songwriter Mikael Wiehe captures bewilderment, affection, anxiety, hope, pride and despair during the final hours of the RMS Titanic. 103 years on, this spectacular disaster still offers lessons for those of us working with risk and security. Using the power of analogies, we can help our stakeholders approach difficult subjects in persuasive ways. While doing the best we can to protect our systems, we must admit that they are by no means unsinkable.

2015-05-13

vertical challenges

Riskkollegiet and Swedish Radiation Safety Authority (SSM) hosted a seminar on Risk Communication.

Informing is not communicating. Still, the prevailing perspective was that of authorities with their experts informing the public, motivating them to change behaviour.

I advocate local ownership of risk. We are the experts on our system, we own and manage its risk. But I must admit that there's a difference between horizontal communication within an enterprise and the challenges for government officials.

2015-05-11

continuity through imagination

What does it mean to plan for the unexpected? If something comes out of the blue that we failed to foresee, how could we have planned around it?

Firstly, the unexpected might not be unheard of. We don't expect all engines of a jet plane to fail at the same time, but we know this has happened.

Secondly, let's differentiate between cause and effect. Our office might suffer a power outage. We can think of possible causes for this effect, but we won't know them all. Still, if we can imagine the effect, we can plan around it.

2015-04-20

old rules for new stuff

Why do we need system-specific security requirements? Can't we just comply with instructions? Yes we can, and we must. But it's not enough.

A new system does new stuff (or familiar stuff in new ways) or we wouldn't bother constructing it. New stuff means new risk components (assets, threat sources, vulnerabilities) and consequently new risk. New risk means we cannot simply rely on old rules. We need to rethink how security is implemented for this very system. System-specific security requirements.

2015-03-30

from policy to real change

When you want something to happen, you can write a policy. Then what? Is it realistic, or does the policy assume components which are not in place? Is it easy to adhere to, or will compliance be an uphill battle? Now that it's easy, have you anchored the policy, ensuring that stakeholders understand it? Also - are people motivated to adhere? Always remember: awareness is not motivation.

Once again:

  • define "right"
  • make it possible to comply
  • make it easy
  • communicate your policy
  • help people understand
  • build motivation

2015-03-09

implementing is not establishing

Implementing something is about solving a problem, finding a workable technical solution, showing that it can be done.

Establishing something is about making it happen in the real world. Communicating the implementation to stakeholders, gaining their acceptance, understanding and commitment to use it. Integrating it into their processes, making it part of their business-as-usual.

From firewalls to access control models - implementing is not establishing. Security folks should ponder the difference.

2015-02-16

security is about timing

Besides the who, the how and the where - security is a lot about the "when".

In the best of worlds, you will be able to deter an adversary from even trying to compromise your system.
If not, can you prevent the attack from succeeding?
If not, can you detect the intrusion in a timely fashion?
Once detected, can you contain the attacker and prevent a wider compromise?
Finally, can you swiftly restore your system to agreed service levels?

Better get the chronology straight. Security is a lot about timing.

2015-02-12

obligatory quality

I'm reflecting on Business Continuity Planning. The ability to withstand the unexpected and carry on, serving customers as best you can.

Two observations.

The field is compliance-driven. Before the advent of regulation, interest was lukewarm at best. Whatever happened to self-preservation? Haven't we learned anything from 9/11?

Terminology is confusing. Guidance refers to several categories of plans. Relating them and putting them in context is left as an exercise for the layman. A challenge for us educators!

2015-02-04

still blogging, a decade down the line

Ten years ago I got an idea. It was rather trendy in those days, having your own blog. One purpose soon emerged, though: I wanted to practise my English. The topics have varied widely, so picking a generic blog title proved useful.

I used to be interested in politics, as became apparent in the first posts:


In recent years I have shifted focus. When I got started within the security realm, I chose to devote the blog to precisely that:


As for the next ten years, who knows? What will be my perspective?