(some of) my events
- 2023-05-11 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2023-01-16---05-28 Sound Engineering I (taking course, Örebro University)
- 2022-11-07---01-13 Measurement Theory and Philosophy of Value (taking course, University of Gävle)
- 2022-12-05 Datavetenskapliga programmet (guest lecturing, University of Gävle)
- 2022-12-01 Riskförmiddag with Riskkollegiet (lecturing at seminar, Uppsala University)
2016-12-26
handling the truth
Security is about protecting someone or something from someone or something.
Information Security does not exist in a vacuum. There is a context.
For intentional threat sources, the context is the motive behind an attack. As an example, consider an orchestrated release of correct information which was obtained without authorization. It is of course a breach of confidentiality. But that's just the means. The real attack involves releasing information as a projectile. Can your organisation handle the truth?
2016-11-15
future's bright for Risk Analysis #SRAE16
Last year, Society for Risk Analysis (SRA) launched its Nordic Chapter. This week, 100+ researchers and other risk nerds (like myself) gathered in Gothenburg for its second conference with presentations on just about every facet of risk. My highlights were Björn Nevhage of FOI (and Riskkollegiet) with a meta-evaluation of methods for InfoSec Risk Analysis plus Sven-Ove Hansson of KTH offering a strong argument that the probabilistic risk approach is in fact tone-deaf and needs an ethical dimension.
15 definitions of #InfoSec Risk! a stunning lack of systematic and transparent evaluations of risk analysis methods. -@Nevhage_Bjorn #SRAE16 pic.twitter.com/IcXimDARH3— per stromsjo (@stromsjo) November 14, 2016
balancing roles risk-exposed, decision-maker, beneficiary through ethical (not just probabilistic) risk analysis. -Sven-Ove Hansson #SRAE16 https://t.co/puIbvamFOm— per stromsjo (@stromsjo) November 15, 2016
2016-10-31
on negative security awareness
We talk of an individual's security awareness as "high" or "low".
Recently, I waited for a friend at a locked entrance to his place of work. A carpenter (who - unlike me - had legitimate access) arrived, opened the door, and gave me that "aren't you going to follow me"-look when I remained outside, waiting for my friend.
This guy exhibited a polite, friendly attitude. He also displayed cluelessness on how to handle his access card.
Actively inviting risk - is that a case of negative security awareness?
2016-10-18
from London to Stockholm - sharing is a capability. #SSRsem16
A city is a complex organism. Keeping its wheels ticking is a challenge in normal circumstances. What about a crisis? In the face of pandemics, flooding, or even attack - how can a megacity like London become resilient? Samverkan Stockholm of the County Administrative Board hosted a seminar where London Resilience presented their work and the recent Exercise Unified Response. My main takeaway was about a learning culture among actors. Sharing is a capability. Collaboration will not happen without trust.
Sweden has enjoyed peace for centuries. how does that affect attitudes and capabilities in situational awareness and Crisis Mgmt? #SSRsem16— per stromsjo (@stromsjo) 18 October 2016
2016-09-26
classification fosters dialogue
I used to think of info classification as a useless over-simplification. Information has unique properties which couldn't be reflected by association to predefined classes.
Sure enough - having info represented by classes is a simplification. But these days I see merit in the practice.
Classification fosters dialogue about the sensitivity of info. A process owner might not know his security requirements but I can get him started by asking: where is integrity more important - for info type x or type y?
2016-09-19
lots of hot air
What's up with the climate? After triumphant reports from COP 21, are we making progress?
It's a painstaking process. Right now it's about ratifying - confirming that we really have agreed.
Lots of hot air, if you will. Meanwhile, we're poised for another record year in global temperature.
Today's politicians will have to "sell" mitigation in solidarity, with no measurable reward until decades later.
Seeing is believing. From talk to policy to practice. But it's our only chance. How will you contribute today?
promise to agree > agree > promise to implement > face the voters > implement > measure effect. simple as that. #COP22 #ClimateDiploWeek— per stromsjo (@stromsjo) September 16, 2016
2016-09-12
quality of constructions - or construction of quality
What is architecture?
To some, it's a structured way of elaborating an implementation through a series of abstractions.
To some, it's about classifying, capturing similarities in different implementations.
SIG Security recently launched a study circle "IT-arkitektur" based on a topical book.
I look forward to our sharing thoughts on the "enterprise", "business" and "solution" aspects of architecture. The book is not about security per se but we'll surely be reading with our "security glasses" on.
@sigsecuritysv promising first evening of the book circle on #arkitektur. many perspectives and levels of abstraction. great start with an intro by @dakenine.— per stromsjo (@stromsjo) September 6, 2016
2016-09-05
Strategisk informationssäkerhet
Strategic Infosec is one of four Infosec courses with DF Kompetens where I'm privileged to be teaching.
Participants from both public and private sector discussed their way through three days of theory with a couple of exercises about a fictitious company where there is room for improvement in security. Invited lecturers added their insight on how to navigate in the legal landscape as well as on media and dealing with journalists in a crisis.
The next course will be Operative Infosec, Stockholm in October.
fine 1st course day on Strategic Infosec with @DFKompetens. discussing challenges, means and methods in very different organizations. #gnite— per stromsjo (@stromsjo) August 31, 2016
2nd day of Strategic Infosec with @DFKompetens. legal matters. data protection #GDPR in the crystal ball. assets, classification and risk.— per stromsjo (@stromsjo) September 1, 2016
3rd Strategic Infosec day with @DFkompetens. handling the truth with journalists. crisis, media logic and rhetoric. motivate investment.— per stromsjo (@stromsjo) September 2, 2016
2016-09-02
thieves with an attitude
- I don't understand why so many people take this personally!?
A stylish gentleman, who had just inconspicuously entered the subway on my ticket instead of buying his own, tried to soften my irritation by arguing that neither I nor anyone else had paid for his ride. No one pays, he explained. A new economy indeed! So, why should I bother? It took me a while to figure out his logic: why would anyone care about something which does not affect him?
That, my dear well-dressed youngster, is not how we built a society.
2016-08-29
on orchestrated falsehood and embarrassing transparency
Information Security is about protecting info.
What about disinformation? What about intentional leaking?
Sometimes, we must protect ourselves against information. These are clearly security issues concerning info. So, are they matters of Information Security? Technically, yes.
The typical impact is a compromise of correctness/integrity or confidentiality. But there is a world of difference between an embezzler and a hostile government. For new Threat Sources with new motives we'll need new defences.
2016-08-20
takeaway from Uppsala
What do I mean by security through information? What is the asset, what are we protecting?
Could be other information - think intellectual property.
Often the asset is the life and wellbeing of people, as in the case of combatting terror.
But, you ask, how is this conceptually different from the classic Chief Inspector, laying a puzzle with clues, trying to preempt the murderer's next move? There are similarities. What is different is the amount of information, and that algorithms do most of the work.
veracity, validity & visibility? Roger Clarke on Quality Assurance for security applications of Big Data. https://t.co/m8eaMFcelg #EISIC2016— per stromsjo (@stromsjo) August 19, 2016
2016-08-19
reflections in Uppsala
If #EISIC2016 isn't about InfoSec, what is it? Is there a common denominator in looking for terror-inciting needles in a social haystack, in analyzing spatio-temporal data from offenders, in monitoring communication between (presumably) anonymous suspected parties?
It's not so much security of information (although that's instrumental as well). We're looking at the prospect of security through information. Collecting data, identifying patterns to gain knowledge e.g. for preempting acts of terror.
hw>sw>systems>services: Kowalski on adding value to the socio-technical global cybersecurity value chain. #EISIC2016 https://t.co/KEl93Ppw7j— per stromsjo (@stromsjo) August 18, 2016
2016-08-18
inspiration in Uppsala
What am I doing at EISIC? I will hardly ever go chasing terrorists, DarkWeb execs or pirates in the Gulf of Aden. Intelligence and Security Informatics is not conventional Information Security, is it?
No, it isn't.
But security is such a challenging domain. By approaching it from other angles, we can understand it better. And that is a necessity. InfoSec desperately needs innovation. But without humility and inspiration from other fields, it's just not going to happen. Hence EISIC. Time well spent.
cashing out is the main interest of cyberfraudsters. downloading & mining Russian hacker-forums brings insight to means &methods. #EISIC2016— per stromsjo (@stromsjo) August 17, 2016
2016-07-26
it's all about the assets
Information risk is the potential for damage to sensitive info - the crown jewels (or assets). Think of risk as a combination of asset, threat source and vulnerability.
Technical people tend to downplay assets, probably because they don't know them too well. Business people know, infra folks don't. And yet, too many biz people expect tech colleagues to take the lead in managing Info Risk. The term "IT Security" only adds to the confusion about who should be on top of the matter.
It's all about the assets.
2016-06-18
in test we trust
Testing is how you evaluate your continuity plan.
When a developer has found 5 bugs, is he done?
How can you evaluate your test? And why should you?
To trust your plan, you need to trust your test. Did you merely "kick the tyres" or did you go through the plan systematically? Did you involve your stakeholders, did you have a good discussion?
If not, now is the time to take notice. Who did you forget to invite? What did you forget to prepare? Document how your test can be improved the next time around.
2016-05-02
meet Riskkollegiet!
The future is uncertain. We all have goals which might not be met. Risk is everywhere. It concerns bankers, beekeepers, and billiards players. Since risk is a part of every field, it can take many forms. Exploring the specifics of risk, and risk as a concept, how risk is perceived and managed, is what Swedish Society for Risk Sciences (Riskkollegiet) is about. The Society hosts seminars, publishes reports and supports young researchers. I'm proud to join the board of Riskkollegiet as a deputy member.
annual meeting of @Riskkollegiet at @FOIresearch, with updates on strategic migration analysis, energy market risk & regulation of chemicals— per stromsjo (@stromsjo) March 18, 2016
2016-04-11
on rational evilness
Researcher Hans Brun helps us grasp terrorism as a phenomenon.
It's not new, the first "wave" occurred well over a century ago. And it's not irrational. On the contrary - terrorism is a conscious choice made by rational actors, says Hans. It's a strategy serving specific purposes. Terrorists aim to create chaos, provoke an overreaction and portray themselves as a credible and legitimate power.
Deconstructing terrorism won't make it any less ominous, but it helps free societies find defensive strategies.
terrorism as a strategy, and as a form of communication. thought-provoking analysis by @stellapolaris10 at Karlberg Palace with @criscomse.— per stromsjo (@stromsjo) March 12, 2016
2016-03-21
a lesson in troubled times
I spent an afternoon, hosted by the European Commission, with seminars on migration and climate change. Their way of reaching out and inviting dialogue is commendable and necessary when navigating political turmoil.
What struck me was how these seemingly different topics turn out to be interrelated. Climate change is a growing driver of migration. And neither issue could be addressed by fortifying borders. Nationalism won't solve anything, only strengthened cooperation will. A lesson in troubled times.
what to do when external borders don't work? @EC_StockholmRep seminars on migration and climate at @Stockholm_Uni. #EUdag— per stromsjo (@stromsjo) March 7, 2016
2016-02-29
step by step towards assurance
In order to obtain assurance, your qualified continuity plan should be tested.
Don't wait for it to be "perfect". Test soon, and use the test to find weaknesses.
The effort you put into testing will depend on risk. Begin with a desktop test, discussing the plan step by step with stakeholders.
Iterate the test and watch your plan improve, as well as your ability to execute it.
Nothing beats reality. A realistic simulation is the next best thing. It won't be cheap or simple, but certain scenarios need to be simulated.
2016-02-18
crystal ball out of service
Retirement planning and pension savings is one of the most difficult, long-term decisions most of us will ever face. At a recent seminar, Nordea offered a list of issues to think of, focusing on today's rulebook, how responsibilities are shared between state, employers and individuals. But the system keeps changing. We're all literate, we can read up on current rules. As experts, bring your crystal ball, help us understand trends and scenarios. What might the system look like 30 years from now?
a static view on the most long-term decision most of us will ever face. @Nordea_SE offered a seminar on today's system for pension savings.— per stromsjo (@stromsjo) February 18, 2016
2016-02-08
it's not the technology, stupid!
I used to think that proactivity in security is all about Risk Management. Then I found myself involved in Crisis Readiness. Still with an eye on risk exposure, preparedness adds a human as well as an organizational capability dimension. How good are we at dealing with difficulties, improvising and being creative from a platform of plans and structures? The crisis perspective makes security more challenging. But it does confirm an old belief - it's not the technology, stupid! Think people and processes.
2016-01-18
a second opinion isn't second best
By planning around certain harmful events you take ownership of your continuity risk. But there are things you won't know when writing your plan. You need to involve stakeholders and specialists. Seek their advice and perspectives, learn about their plans. Tell them about the risk you see and how you intend to treat it. Have your plan qualified through their input and made compatible with their plans.
Business Continuity is not an arena for lone rangers. Getting a second opinion makes for a first-class plan.