per spective

Enterprise Miracle Management

2011-09-28T21:14:00.000+02:00

Can't Enterprise Risk Management guarantee against failure?

It's like asking why there are still fires now that we've hired firefighters. ERM could use a good portion of expectation management. If someone believes that nothing could ever go wrong since we have an ERM function, they need a reality check.

Not all existing risk will be discovered.
Not all discovered risk will be mitigated.
Not all mitigated risk will be eliminated.

Be sure to equip your firefighters but don't go expecting miracles.

Read more about Risk Management Failures at Sonia Jaspal's RiskBoard.

guided by risk

2011-09-14T07:14:00.023+02:00

How is the risk paradigm relevant during a breach?

If the breach relates to risks previously documented, we know risk level, vulnerabilities and assets involved. Incident Management is also informed in another way. We will have to pick strategies for containment and recovery. Each strategy carries risk. How do we choose? By swiftly assessing risk. (The incident doesn't wait.)

So - just like incidents inform future risk management, impromptu risk assessments can guide ongoing incident handling.

a useless paradigm?

2011-09-07T11:10:00.002+02:00

Some argue that risk is a useless paradigm when a breach has occurred. It is happening, probability 100%, why theorize further?

To me, this analysis is surprisingly shallow.

Being under attack is not a binary thing, it is not about an enterprise losing its virginity once and for all. Sure, we must deal urgently with the current incident. But there's a host of potential events awaiting tomorrow which need to be foreseen and prevented.

Today's incident enlightens us in assessing current risk.

creativity is key

2011-08-20T23:55:00.001+02:00

Why all this fuss about creativity? From a systems perspective, creativity is important for two reasons.

Partly because of disruptive change. When change occurs, we need new ways to look upon ourselves. These can't be found in school books.

Partly because of complexity. Even if our environment was perfectly stable, we need to frame existing complexity - making it understandable, controllable.

So, creativity is key. That said, ideas are not enough. Someone will still have to be implementing them!

Read more about Creativity@Risk at Sonia Jaspal's RiskBoard.

motivated we stand

2011-07-20T21:56:00.002+02:00

In order to limit (hopefully avoid) InfoSec risk, we use controls. These can be technical or administrative.

Either way, they will involve humans who need to understand and accept the controls. In general, we may require people to wear seatbelts, pick complex passwords or quit smoking at work. Co-workers will find ways to circumvent controls that they’re not motivated to accept.

Any technocrat can pick the strongest control. A wise leader will consult and motivate his team before implementing it.

Read more about employee disengagement at Sonia Jaspal's RiskBoard.

learning from incidents

2011-07-09T20:27:00.002+02:00

In Infosec, there are risks (what could happen) and incidents (what has happened).

We deal with risks proactively by asking questions. Identify, describe, quantify and so on. We treat the risks, hopefully avoid them.

Incidents call for a reactive posture. How can we recover?

A mature organization prefers to be proactive as opposed to reactive. One way is to interconnect the two approaches. Analyze your incident history so that recurring issues can be addressed. Don't forget that rear mirror.

Read more about distinguishing between risk and issue at The Innovation of Risk.

future in the rear mirror

2011-06-29T21:20:00.001+02:00

Security risk is uncertainty about undesirable future events, a lack of control. To reduce uncertainty, we'd need a way to look into the future. And we can.

Having identified threat sources and vulnerabilities relevant to our assets, we construct risk by formulating realistic events. Neither objective nor scientific, it does provide a crystal ball of sorts.

Also, what has already happened? History is an indicator of what might happen. Spotting the future in the rear mirror could be our best option.

the risk you wouldn't want

2011-06-19T19:41:00.002+02:00

There are different kinds of risk. Some are desirable. Doing business means taking risk to make money. The risk appetite will vary between companies and over time.

Other risks represent things going wrong in a company's everyday activities. We call them operational. You won't have an appetite for them. Instead, we talk of risk tolerance. When do you decide to close a factory, do things differently to avoid the potential cost? Operational risks are risks you don't want. Infosec risks among them.

meet your infosec risk

2011-05-18T21:15:00.000+02:00

Consider your asset, something information-related worthwhile protecting. Mind your threat sources. Who or what could attack the asset, intentionally or not? Think vulnerabilities. Is there a weakness which could be used? Now: is there a combination where a relevant threat source can exploit a known vulnerability to compromise your asset? Just how bad is this potential harmful event? Quantify with respect to likelihood and impact. And there you have it. Meet your information security risk.

no such thing

2011-01-22T05:22:00.004+01:00

If I could only... would that make me safe? Is there a recipe for removing or mitigating all risk? Not in life. Not in software. In practice, everyday software is infinitely complex. Foreseeing and countering everything that could go wrong - however desirable - is not realistic. That's why I prefer not to talk about "secure" software. A desirable goal indeed but not within our reach. That'd be promising something we can't deliver. Software security is not absolute. It's about gray-scales and risk.

delicious remorse

2010-12-18T18:51:00.002+01:00

Those who have known me for a while will probably be giggling by now. For the rest of you, I can let you in on a secret. You know old King Midas? Everything he touched turned into gold. Well, in the world of services I frequently assume the role of some inverted Midas. I've managed to join (or buy) lots of products and services over the years, only to discover that they soon get discontinued. Apparently, this time it took me five weeks to get Delicious swaying. When news broke about Yahoo allegedly sunsetting this bookmarking service I was disappointed but not exactly surprised...

deliciously yours

2010-11-13T19:13:00.001+01:00

Being a student of Risk Management and Security Informatics implies quite a bit of reading. Ergo bookmarking. Once in a while I do come across a text which may or may not be of interest to others. Ergo Social Bookmarking. I try hard not to involve myself in more services and networks than necessary but have decided to make a tactical retreat now and join Delicious after all.

For now, my bookmarks collection can be found here.

a silent movie

2010-09-02T20:05:00.000+02:00

Apparently, I'm now into silent movies. Or slide shows, to be precise. It's an experiment and I'd appreciate feedback. In case you recognize some photos, they have been published on pixels and plenty.

tunnel vision

2010-08-28T21:00:00.000+02:00

Someone suggested that Risk Management takes place at the intersection of three disciplines: psychology, economy and technology. This is an important observation.

Consider.

The recent, long-awaited breakthrough in the Hallandsås Ridge Tunnel highlights the tremendous challenges facing this infrastructure project which was originally launched way back in the 1990's.

Let's recall the issues.
1. Was it a good idea to have this new railroad through the notorious ridge?
2. Was it doable?
3. Was it economically viable?

At the outset, we knew the geology was tough. It turned out worse than expected. We knew we needed extraordinary technology. That still wasn't enough. Time schedules slipped, budgets evaporated and as the nervousness began to set in, the previous project management started cutting corners, introducing substances which would create an environmental scandal. The Rhoca-Gil pollution issue turned out to be grossly exaggerated but in the hearts and minds of the locals and the general public is was a complete PR catastrophe. Viewed through the respective lenses of technology, economy and psychology the halted project was a hopeless failure.

So, where does one go from there? First the technology. Means and methods for tunneling through hopeless "non-rock" had to be reinvented. Then the economy. A credible plan had to be laid out, setting the record straight on what the job would cost and when it would get done. Still, succeeding on those two difficult fronts wouldn't be worth a penny unless trust could be regained. Trust from the locals that the construction work would be pursued safely. Trust from the taxpayers that huge piles of additional money would in fact be well spent. Trust from decision-makers who once again had to go on record, actively supporting this ill-fated tunneling effort. And there you have it. Technology risk, environmental risk, financial risk and political risk - all intertwined.

I wouldn't open the real expensive champagne quite yet but the events of last week, the spectacular breakthrough, was an important psychological milestone.

Let's revisit the main issues.
1. Today hardly anyone would argue against the importance of investing in our railroads. The climate threat changes everything. So yes, it is a good idea to have this new railroad.
2. Having the first tunnel completed is a fact which speaks loudly for itself. Yes - although the geology of Hallandsås Ridge may still hold some surprises for us, this is in fact doable. Our means and methods are working - and in a safe way too. Through openness and engaging in public debate, the new project management has regained the confidence of those living and breathing around the ridge.
3. Which leaves us with the issues of time and money. Skanska-Vinci are now delivering on the new plan. They're on schedule for allowing trains into the tunnel in 2015. The economists will continue arguing on whether the huge cost-overruns have been justifiable. As always, the money you already spent will be lost if you give up and seal the tunnel. What matters is the marginal cost of the work remaining.

Now, this time let's stay on track.

compact living - revisited

2010-08-03T21:56:00.000+02:00

OK, so it's official.

There's absolutely nothing wrong with my SLR camera but photography has become immensely boring. It's too heavy to carry around unless I have some specific shooting in mind. Consequently, the camera stays home six days a week and snapping photos has turned into a Planned Activity on Rare Occasions.

Clinging to a Point&Shoot is not supposed to be healthy for anyone aiming to take photography seriously. Still, I did cling for years and I miss those days. I suppose my photos are in some respect technically "better" these days but they're also rather uninspired. Creative moments are few and far between and I blame my heavy-weight SLR companion. In my world, a camera should be something handy to stick in your bag (or - even better - your pocket!) and forget about until the moment you encounter Something Worthy of Being Snapped.

So, let it be known. I miss my P&S.

thanks for asking

2010-06-07T19:07:00.001+02:00

Monday 2.30AM among high-rise buildings in the eastern, commercial part of Kista. Silence. Next to a quiet, empty six-lane road, a man is squatting. A police car drives up and the officers realize what's going on.

- Hi! Are you getting any good photographs tonight?

As a matter of fact I wasn't. The sky was boring and the mood wasn't right. But thanks for asking. Thanks for being there for us.

one picture at a time

2010-05-01T07:01:00.021+02:00

Half a century of creative imagery by Swedish photographer Gunnar Smoliansky has been summarized in the exhibition One picture at a time ("En bild i taget") which can be seen in Dunkers kulturhus, Helsingborg. Always in monochrome, often minimalistic compositions in soft gray-scales, sometimes grainy, he explores his neighborhood, conceptualizing everyday scenes in Stockholm. The same street intersection gets revisited time and time again, decade after decade.

This is artistic photography at a level I cannot even relate to. How could I? I don't have his talent, I don't have his technical skills, I don't have 50+ years of experience in the field.

Smoliansky has been dubbed a "strolling photographer". In my opinion, that has got to be misleading. Just because we recognize the street where a photo has been taken does not mean it was snapped while passing by, the way we do. Far from it. This man has spent a lifetime patiently awaiting the right moment, exploring what we don't even notice, carefully capturing it - one picture at a time.

- If it's one thing I can't stand it's having others within view while I'm working with a picture, asking what I'm doing - Smoliansky explains.

There, finally, is something even I can relate to! I so recognize spending hours chasing a particular image, wanting to be left alone while pursuing this strange activity. Now, whether you're an amateur (like me) or not, be sure not to miss the work of Gunnar Smoliansky.

know me by my work

2010-04-20T23:39:00.000+02:00

- This is so yummy.

The cook looks at me and smiles. I shouldn't say that - he adds - since I cooked this myself but there's just so much love behind this dish.

He's an artist in his own right, trying to make a living in a competitive climate where not every restaurant will comply with taxation laws. Somehow, his words moved me. Pure, simple pride in a work well done. I wish him a successful year and many delighted lunch guests in the golf restaurant.

Kafka by bus

2010-03-04T21:44:00.001+01:00

Bus 540 heading for Universitetet makes a stop at Råsta by the bus garage. Our driver will go off his shift and someone will replace him. Four (4) drivers wait at the bus stop, cheerfully chatting about this and that. One by one they enter the bus asking each other which one of them is going to drive this bus. Negative. They're all passengers-to-be, going home after a long day at work or just commuting to another place where they will pick up another bus.

Picture this: a bus with some thirty frustrated passengers, four drivers and no one takes the wheel.

Two of the non-drivers moan about missing their train connections in Ulriksdal. So did I.

Enter modern technology. The administrative staff in the garage suddenly receive scores of messages over radio and cell phone, each of them evidently emanating from this same bus. The administrative lady subjected to this burst of information successfully dispatches a fifth driver (the one who should have been here from the beginning) and he makes a run across snow and ice. By the time he arrives one of the four non-drivers has decided that enough is enough and assumed the driver's position. The real driver barely manages to catch the bus (as a passenger) when it finally continues from Råsta.

A minute later the garage calls to check that all is well and the real driver confirms that he has successfully taken the wheel. Which he has not, he is standing among all the other non-drivers at the front of the bus but now we're finally under way. And after a few more dare-devil runs across snow and ice plus the additional benefit of a two-minute delay for the commuter train I believe we all made it.

A surreal moment in the life of a commuter.

home sweet home

2010-01-31T12:17:00.001+01:00

Meanwhile in a small house, life goes on.
Days are still short so the lights go on and off. One of them stays on all night until sunrise.
The house signals warmth and comfort in the coldest of months.
No doubt busy residents are happily pursuing their daily routines.

There's just one thing.

Outside, around the little house and all the way up to the small road nearby lays a thick blanket of untouched snow. Half a meter of accumulated precipitation is proof beyond reasonable doubt that noone has been walking to or from the house for a month. At least.

So, who are you kidding?

five years later

2009-12-26T19:20:00.000+01:00

Swedish Commissioner Margot Wallström is stepping down after five years at the forefront of the European Union. (Ten, actually, but the most recent five years as First Vice President.) Prime Minister Persson appointed her and since the two of them are known to get a long about as good as... well, folks who don't get along terribly well... there was a lot of speculation about his getting rid of her from the domestic scene. Be that as it may, she has been a great Commissioner - effectively helping promote openness and as a side-effect contributing to a more positive view of the Union back in Sweden and throughout Europe.

Her retrospective blog post looking back at these five years got me started thinking about my own humble presence in the world of web logs. I started writing in February 2005, also five years ago. One key driver was an interest in politics from a conservative perspective. Finding your own party in opposition creates energy and a passionate urge to make your point. Then - all of a sudden and when enough people have successfully been making their points - your party is in fact forming a government! Not having PM Persson to kick around anymore plus the disillusion which comes from realizing that your party will in fact not deliver a lot of what you had been hoping for can effectively dampen the political drive and so I find myself now writing about entirely different things - or not at all.

My posts are few and far-between and that doesn't bother me, I have never accepted the idea that one has to keep writing constantly regardless of whether one actually has anything to say or not. Updating infrequently was a nuisance in the old days when the reader used a static bookmark and had to randomly probe and visit to see if anything had been written. These days we subscribe to a feed so anyone can see if there's new content to be read at the moment without having to visit first.

Now we're heading into an election year again and I'll gladly leave that particular scene to others. I may however occasionally have something to say about risk, photography or life itself. Or something else - we do change as we grow older, you know. So feel free to bear with me and stay tuned for another year. Have a happy one!

crime and punishment

2009-11-28T17:15:00.000+01:00

I've had the opportunity to study a bit of criminology during this semester. I'm aiming for a refreshing perspective on my home turf - risk and security. Sort of getting into the minds of malicious individuals out there.

Crime has been around as long as there have been laws but criminology in a modern sense is a surprisingly young topic of research. A 19th century Italian doctor-turned-professor - Lombroso - is generally regarded its pioneer. So criminology is young and maybe not entirely mature yet. Numerous schools still coexist and they each have their preferred model, trying to explain deviant behavior (or conformity for that matter!) in a biological, economic or maybe psychological context. Or even deconstructing crime itself into a haze of postmodern subjectivity: "there's no way of understanding an objective reality so let's stop trying!".

Not every theory is enlightening and some seem hopelessly obsolete. I'm amazed to learn that there are still Marxists around, for instance. But the dynamic mix of contradictory views, many of which appearing to be based on at least a certain amount of solid reasoning, is very interesting. To be continued...

ferdinand & the chainsaw massacre

2009-09-27T19:39:00.034+02:00

I would never make a good gardener, let alone farmer. Deciding on matters of life and death for plants and animals - naw, that would take some getting used to for a semi-sentimental fool like moi.

But since life has bestowed me a small cottage with a few surrounding square meters of what used to be a garden, I'd have to assume some minimalistic attitude of responsibility towards this Land of Mine. And since said cottage has been blessed with more trees than what's good for it (or its neighbours) I have established sort of a yearly tradition of inviting a team of arborists to "scope the problem".

They're real pro's, I'm mighty impressed. And scope they do, indeed. Three visits in as many years have reduced seven fairly proud trees into:
a) one pile of twigs being burnt in November
b) one pile of firewood being donated to neighbours
c) one tree stump

Well, maybe not that proud... This year's trio did in fact turn out to be marked by tree rot.

Still, I can't quite get used to Deciding. A pear tree finds a place to live, grows, delivers fruits and leaves for well over a century... and one sunny morning it gets chopped up in no time in a merry chainsaw massacre. Disintegrated into those three categories of remnants.
- Wham, bam, kindly pay at the counter!

I would never make a good gardener. In the words of good old Ferdinand the Bull:
- I think I'll just sit here and smell the flowers.

on frogs and trust

2009-08-28T23:59:00.006+02:00

It's been said that a frog placed in cold water that is slowly heated will not perceive the danger and will thus be cooked to death. Be that as it may, gradual changes are interesting and important. One such gradual change is the deteriorating social climate in our societies. We don't trust our neighbor anymore and - surprise! - he doesn't trust us either. This change has taken place within a few decades.

Not so long ago people hardly locked their doors. If they did the lock was primitive by today's standards and sometimes the key was put under the door mat. Today we get ourselves security doors and all sorts of locks and alarms. Why the sudden need for all these protective measures?

When I was a kid growing up in a suburb we used to walk to and from school. My Mom accompanied me for a week or two when I began school at age six - that was it. Nowadays a growing number of kids are being driven to and from school and my guess is that they are no more handicapped than we were. As long as the school is nearby, they could easily walk too but their parents don't want them to. Why is this? What are we trying to protect them from?

There's a well-known photo from Geneva in 1955 where a friendly-looking policeman is "guarding" a summit between U.S. President Eisenhower and the Soviet leader Khrushchev. I suppose he had a couple of colleagues back at the station as well. Just how many policemen are needed today to protect any EU summit?

A football game?

I'd say there's a trend emerging here and it's not a pretty one.

Maybe the frog would in fact jump out of the kettle. But what about us? Why don't I hear any debate at all about these changes which have taken place during the course of a couple of generations?

the happier meal

2009-07-30T21:33:00.004+02:00

I'm pretty impressed by McDonald's. Yes, that chain of restaurants. Granted, it's not the best venue for a candle-light dinner date. It's hardly a place for unique gourmet experiences. Their wine list is the shortest available on the market. Then again, they never claimed to be everything to everyone.

But the restaurant is clean, their opening hours are generous, the staff is friendly, the food is not expensive and - in spite of what we've been told and unless you're a vegetarian - they have plenty of dishes for a nutritiously balanced menu.

As far as I'm concerned there are three simple rules:

* avoid the soft drinks - we eat too much sugar anyhow
* stay away from the desserts - same reason
* nothing from the deep fryer

My respect for McDonald's goes way back. I'm old enough to remember those days when it was all but impossible to find a restaurant without guests smoking at their tables. Guess who were the first among Swedish restaurants to ban smoking? Yep. And that's what you would expect from a leader in quality, isn't it?