This week's musings…

Risk is a factor in absolutely every decision we make. Ultimately, in a business scenario, I feel it's the company ethos, the company culture, that has a bigger impact than a mandate from management when considering IT risk. The majority of companies now absolutely depend on their systems. A large, fractured, struggling company that produces a generic product will struggle to motivate staff to take initiative and preventative action.

Our ‘social engineering’ work last week highlighted to me how big the daily human factor is in vulnerability. From research and a couple of comments from Piet, the phrase ‘low hanging fruit’ has relevance when discussing assets. It seems there are a frightening number of opportunities for ‘black hat’ hackers to make a living. The value of your assets is a huge factor in determining the attention level from malicious hackers, but if your initial protection is strong enough it can be enough of a deterrent.

Quick note on assignment progress. I'm enjoying the creative process of this. Of course there are ideal answers, but it's nice to know we are not searching for one answer – there are multiple avenues to take! But I must admit to suffering with my work / study / parenting responsibilities as I come to the end of a hectic work contract. I really miss having extended periods of time to study and research whilst fresh. I really hope this is the last topic where I feel I'm playing catch-up.

Estimation of value and probability theory can be incredibly difficult. A claim of naivety is quite a slur in my eyes. Thus, despite the inaccuracy, there is huge value in negative visualisation. It really can help prevent bigger problems simply by having a strategy.

A sceptic might not agree with the estimations and guesswork required for this type of analysis, arguing that it's too unscientific and vulnerable to bias. But I would counter and say the greater value lies in making the risk real to people. Quantifying a simple ‘high risk’ event into “you will lose 20,000 customers / 5,000 sales / 200,000kr if this happens” can be a lot more motivating to staff!

One of my favourite books is “The Black Swan” by NN Taleb. Unforeseen, unpredictable or unbelievable events can happen, but if they could be predicted they wouldn't be called black swans! 9/11 is the most cited such event.

Underappreciated risk surrounds us. I don't drive slowly everywhere, but I'm very aware of the statistics every time I drive. I try to avoid the comforts of familiarity that lower one's defences. This is also an attitude that would pervade an office which has the right policy and the right staff motivations. But Taleb reminds us how statistics can lie or be used in different ways. The average accident rate whilst driving can be altered significantly when considering time or length of journey, location, temperature, local events, proximity to clubs/pubs, road surface… it's an incredible number of variables!

I guess in a larger organisation there would be a lot of internal politics involved in trying to alter or create policy surrounding security. Each department would be biased about its own importance and value. There is a momentum to the processes that makes them hard to change. The more we research security hacks and loopholes, the more we see how vulnerable these bigger companies can be. Estimating insurance must be a nightmare!

“Move fast and break things” – it was Facebook's motto and modus operandi for a long time. Clearly a startup's need for speed means it has to tolerate a high level of risk as it chases ever-increasing growth targets. Technical debt, inefficient IT infrastructure, policies and server instabilities are all low-level risks the company probably still fights today. The major risk for them is in the political sphere, internally and externally. How do they manage third-party access? How do they manage data? These decisions are executed in code but decided at board level. Today was quite revealing from a security perspective! See picture ( source:
