risk vs. compliance

Suppose you're driving along a country road. Imagine it's snowing and visibility is poor. You will be driving carefully to avoid an accident. This is the risk perspective. Managing potential consequences.

The next day is sunny and there's hardly any traffic. Accidents seem unlikely. However, by the roadside is a sign with the local speed limit. You will be adhering to this limit. (Right?) This is the compliance perspective. Doing as we're told.

These perspectives are different but also interrelated.


enter Knowledge Security

Philosophy informs us that knowledge requires belief, truth, and justification. Let x be an assertion, e.g. "Sweden is not Snowden", and suppose I claim to know x. If so, I have to believe x, x must be true, and my belief in x must be justified.

Knowledge appears to be information which is correct and which has been logically internalized. Information exists on its own but knowledge requires an actor. When would it be meaningful to talk about Knowledge Security, rather than Information Security?


motivation happened

Why did I grow to like studying?

It's about perspectives. Relating findings in one discipline to questions in another context, such as my work life. It feels more rewarding to theoretically explore current issues at work, rather than merely memorizing (seemingly) abstract stuff for an upcoming exam.

And it's about giving back. With the benefit of experience, I find myself in situations where I can contribute. Students and lecturers expect me to offer my input.

How could I not feel motivated?


enter The Alumnus

Once upon a time, I was busy taking notes. Sitting at the feet of lecturers, eager to inhale their accumulated wisdom, convinced that they had all the answers.

I got my degree and was fortunate to find challenging work among great colleagues. Years went by. Some scribbled notes never came to use. Certain concepts helped save the day.

The world has changed. So have I. By now, I know a thing or two about what works and what doesn't.

There comes a time for giving back. 'tis the season for an alumnus.


never again

To me, studying was always boring, bordering on burdensome. Never again, I told myself upon getting my degree in Systems Science.

That forecast seemed to hold water. 15+ years later, I hesitantly returned for some Security Informatics. And some more. Plus a dose of Criminology. Followed by Decision-, Risk- and Policy Analysis...

And, guess what? Now, at long last, I enjoy myself. Lectures are interesting, assignments meaningful, interacting with other students often a delight.

So, what happened?


what did you trust?

Risk is connected to trust.

Daily life involves trust in many situations. Trusting your washing machine not to destroy your clothes. Trusting the bus to arrive on time and the driver to find her way. Trusting that the elevator is properly constructed and won’t collapse. Trusting the bank to take care of your savings.

Without trust, everyday life becomes impossible.

But we cannot trust blindly. When driving, you won’t trust a kid to take the wheel. Doing so seems unnecessarily risky.

Trust depends on risk. And unless properly handled, trust creates risk.

In whom - and what - did you trust today?


feeling secure

Which is most important to you – being secure or feeling secure?

Should we spend resources on “real” risk rather than perceived risk?

If you and I don’t feel secure, our behavior will change. We might not open our door when a neighbor knocks. We might choose to skip that new mobile service.

Also, perceived risk influences real risk. Suppose grown-ups stop riding the subway at night due to perceived risk. This might contribute to real risk for those still there.

Being secure is a lot about feeling secure.


the risk perspective

You and I make many decisions every day. Most are trivial; we don’t even think of them as decisions. (Should I wear grey socks?) Once in a while, we face an important decision. (Should I buy this house?) How can I make a smart choice?

In the best of worlds, there would be a guideline for every situation. Someone wiser than me would have foreseen the choices I face and offered his wisdom.

In the real world, in the absence of this monumental handbook, we have to fend for ourselves. One important tool is thinking of risk. What are my alternatives and what consequences will they carry? The risk perspective.


what’s in a word?

Talking about risk is difficult. One reason is that we use the same term differently in different contexts.

Technically, risk can be seen as the quantified potential consequences of uncertainty. Such consequences can be good or bad, with respect to our objectives. After all, doing business is about taking risk. An investor will have a certain appetite for risk.

In everyday life, we talk about the risk for rain and we’re not referring to potential consequences as much as the likelihood that it will, in fact, rain.

Both interpretations are fine, as long as we recognize the difference.

What’s in a word?


risk center

How do we understand or construct risk?

What happens when a museum becomes a site-specific risk assessment facility and performance space? The Swedish Museum of Architecture in Stockholm lets British designer Onkar Kular create an interactive space where the visitor gets a nudge to start thinking about personal safety. The venue is primarily aimed at children and I would love to be a fly on the wall when they make their way through ten different scenarios.

Say, doesn’t that staircase look frightfully steep?


Å.R.E. (3)

A few notes on context analysis and Design thinking from the final day of Åre Risk Event.

An approach for context analysis in managing risk:
Your objectives?
The "local" history?
Your position in place/time?
The views of those around you?

Crisis Management (or Risk Mgmt?) as a Design activity.
In a fluent/ambiguous situation, Design thinking can bridge the gap between predefined templates for action (the rule-book) and an open, emergent approach. Reshaping concepts as we go: Could we judge water quality in terms of 'safe' when 'clean' has become unrealistic?


Å.R.E. (2)

My impressions from day 2 of Åre Risk Event.

Environmental regulations based on hazard classification, as opposed to risk-based ones (considering dose and exposure), are irrational.

Before a crisis, build trust through 'soft' factors. Watch out for excessive trust, e.g. groupthink.

Meet a crisis with flexible, loosely coupled, emergent mgmt structures. Bureaucracy is not the answer!

People have a potential to self-organize.

A common information architecture for gov't agencies will not happen on a voluntary basis.



Day 1 of this year's Åre Risk Event. My personal key take-aways.

Accidents will happen. Social science holds the answer.
Making cities resilient. Disasters are not 'natural'.
Build back better. Guidelines for reconstruction.
Revisit Maslow in the face of existential risk. Courageous individuals with visions.
Bring educators, practitioners and researchers together.

Local readiness, national platforms, UN directives.

Lots of activity in the public sector. How do we define and measure effectiveness?


mind those bookmarks

So, how does one maintain a Delicious bookmarks collection?

I'm pretty sure it will involve more than just creating additional bookmarks and hoping the old links still work...

A few years old and at 144 links it's no longer rudimentary enough to ignore. Apparently, I've managed to use well over a hundred tags, a ridiculously detailed level. This in itself would justify a mild make-over.

And no, free-text web searching would not do the trick. I find my bookmarks useful. Your mileage may vary.


do you accept?

The easiest way to treat a risk is not to.

Risk acceptance is perfectly reasonable in many cases where it would be too expensive or even impossible to mitigate a risk. Exposing a system to the Internet carries substantial risk and yet we do so because that's where potential customers are.

Who has the authority to accept risk? It's down to policy, ownership of systems and ultimately management structures.

Risk acceptance should be a conscious, documented decision and not just lack of action.


on intersubjectivity

We cannot measure information risk. Not in monetary terms, not on any quantitative scale.

We can (and must) assess risk through the lenses available, but to achieve business relevance we need an element of intersubjectivity. A metric shouldn't depend on which individuals happen to be involved.

Therefore, we need methods based on a common understanding of basic concepts. We could take a vote on what constitutes a "threat" but the fact that we need to take a vote is a reflection of low industry maturity.


objective it isn't

With all its deficiencies - biases, incompleteness and errors - a systematic SRA (security risk assessment) is our best hope for tackling security risk.

If we document what perspectives are represented, how risk is constructed from components, how likelihood is quantified - if the SRA is transparent - the reader will know how to use it, what to trust and what to improve.

When I as your assessor do my level best with adequate resources and you as system owner trust me, we can get a lot done. Just don't call it objectivity.