Sony Pictures and risk management

Sony Pictures' information security team, small as it is, is in the crosshairs of all and sundry after the recent breach of significant proportions. As is typical for information security, once a victim is found the ritual and merciless victim bashing can begin. What most of these pieces forget is…

An attacker only has to get it right once ... and other lies we tell

"Companies have to get security right every time – an attacker only has to get it right once." This is probably one of the biggest lies that information security tells on a frequent basis, partially to get more money for ineffective security technologies and partially to maintain the illusion that perfect…

Recommended books for (budding) risk professionals

Risk related books are a dime a dozen nowadays. Many are rehashing the stuff that was new and hot a couple of decades ago, fewer are keeping up with the industry maturation and even fewer are applying the academic learnings to the industry. Here's a short list of a few…

Dunning-Kruger Effect and I, the impostor

Dunning-Kruger effect is an illusion of competence bias, presenting itself in two ways: one, the severely incompetent do not recognise their own incompetence, nor do they recognise competence in others, and assume they’re far better than they really are; two, the highly competent assume that others are at a…

Security technology cargo cult: buy more boxes (part 2)

In Part 1 we looked at the deterrence quality of security controls. It’s one of the three attributes of security controls that are often ignored; sometimes consciously but more often due to ignorance. Now we will look at another attribute that is too often neglected: awareness. Typically when discussing…

Security technology cargo cult: buy more boxes

Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. To that end the need to “improve security by buying more technology” is the prevalent course of action for most IT shops in large and small organisations. That this…

Wassenaar Arrangement and dual-use computer code

The Wassenaar Arrangement is frequently mentioned in information security (and vulnerability research in particular) since the inclusion of computer code as a dual-use good. The Arrangement does not clearly specify what is and isn't considered a controlled good that should be subject to export controls, making a number of security researchers and…

Information security and the observer effect

The initial empirical study of the observer effect (Hawthorne effect), which said that people change their behaviour for the better when observed, has seen equal measures of criticism and support over the years. Whilst a lot of the critiques were typically academic (i.e. no impact on the end effect…

Microsoft, No-IP and lawfare

In the grand gesture of protecting public welfare, Microsoft exposed just how fragile the internet really is when a large organisation decides to use lawfare. All that's needed is a pliable judge. This isn't Microsoft's first such grand gesture or use of lawfare, i.e. using law as a weapon of…

The value of risk management to the organisation

“Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so.” The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can't seem to make a difference…

Thinking about thinking: risk analysis edition

I’m catching up on my reading and one of the books I’m often going to for quick references is Charles Yoe’s “Principles of Risk Analysis”. There is a great chapter in Morgan D. Jones’s (1998) book The Thinker’s Toolkit. It is called “Thinking about Thinking…

eBay shows what not to do in a customer data breach

TL;DR: eBay's security was breached in late February or early March. Customer personal information was stolen. The breach was discovered two months later. The details of the breach are scarce, but eBay has divulged that the attackers only needed a simple username and password to breach eBay's security. Using just username…

Soft power: the good, the bad, and the ugly

The title may be a bit misleading, because each of these three examples of soft power has a mix of all three. I’ll highlight some of each, but there’s plenty more that could be drawn from them. The first example is the use of recent (relatively) Russian tactics against…

Russia's New Generation Warfare in Ukraine

Recently Edward Lucas tweeted a series on the changes in Russian military doctrine, which signified a shift away from physical combat and towards information domination in a form not seen since the mid-90s. That Russians have always preferred, and are extremely skilled on, the battlefield in the cognitive domain is not new…

ASPI ICPC's Cyber Maturity in Asia-Pacific region 2014 report: a review

The Australian Strategic Policy Institute’s International Cyber Policy Centre (ASPI-ICPC) released its inaugural “Cyber Maturity in the Asia-Pacific Region 2014” report. Like all such endeavours it has its warts, but it should be congratulated for tackling a significant challenge. The report is a mix of quantitative and…

China: c-c-changes

This article on the unintended consequences of China's President Xi Jinping's drive to purge the Chinese Communist Party of corruption is likely to go unnoticed by most. Which is a shame, because it shows most clearly just how divided the CCP is and how many different factions there are. Some key quotes…

Cyber war and Russian view

Keir Giles wrote a good paper, which you really should read, on the Russian view of the legality of information warfare/operations (cyber warfare). This is a fairly neglected aspect of information warfare studies and is completely ignored by cyber warfare experts in the West, who consider the Western view to…

Not everyone is WEIRD

If you are told that you are WEIRD, don't take it as an offence. It likely means that you belong to the roughly 12% of the global population that is Western, Educated, Industrialised, Rich, and Democratic *. Good as it may sound, it also puts you at a disadvantage when dealing with…

Cyber and the art of conversation

Spurred by Justine Aitel’s talk at SOURCE Boston, where she supposedly (not being there, it is a bit hard to confirm that) said that the IT risk and/or security industry needs to use the term “cyber” in order to reach the business audience more effectively. "Who hates the word…

Cyber espionage - the Chinese way

We reviewed the Chinese intelligence community structure, the way they collect data and, as a result of the first two, also tackled the monolith myth of China in order to explain why most things you hear about Chinese cyber activities do not make sense nor survive any closer analysis. Now…

China: The monolith myth

Diversity that is China

China is always seen by the West as a big, monolithic country. That nothing could be further from the truth does not shake that popular wisdom, which is typical of cultural biases and heuristics. After all, our brain is mostly wired to deal with small communities…

Urbicide, cybercide and living memory

Is a revision of history so thorough that it is impossible to prove possible? The short answer, of course, is yes. In the past such revisions would take generations and coercion. In the future, as a bigger and bigger part of our lives relies on digitally stored information, such revisions…

The Chinese way of collecting data

Just as the Russian intelligence services make a great deal of using traditional tradecraft, and Western agencies prefer a clear-cut approach which leaves no doubt in the asset's mind who they are working for, so the Chinese approach has a typical modus operandi... This is Part 2 of the four-part…

Cyber: what does it even mean?

Cyber is hot property nowadays. There’s not a “thought leader”, an organisation, a think tank, an industry body, a government body, and the list goes on and on and on. There’s only one slight problem: no one agrees what ‘cyber’ actually means and what is and isn’t cyber…

Smart CISOs know when not to pay attention to the "wisdom of the crowds"

If Apple had followed the 'wisdom of the crowds' in 2006-2007 they'd never have made an iPhone. If smart CISOs paid too much attention to the Information Risk Leadership Council's latest article they'd be in as much trouble as they purportedly are right now. There is a lot wrong…