Archive

Posts Tagged ‘fear’

Why fear the analyst?

March 9th, 2010 admin 2 comments

Someone turned me on to this article on fearing the auditor, which made me think of other information sources we might fear.  The author of that article claims there are three types of auditors: the good, the bad, and the ugly (ok, so I paraphrased).

Variance in individual quality should be no surprise since we see this in just about every industry.  There are a range of skills in just about every profession including penetration testing, auditing, and yes analysts.  So let me propose that there are three types of analysts:

  1. Polar Bears: These are people who believe that polarizing the conversation is the best way to improve the industry.  They are masters of the catch phrase and speak only in sound bites.  They survey a few people and make bold statements that reflect only one segment of the industry.  What they lack in substance and facts they make up for in clichés.
  2. Gold Mine Speculators: These are people who do not know what the actual answer is but they speculate, typically in 5-10 year projection statements.  They may be correct 25% of the time but that’s good enough.  If they are correct people call them visionaries; if they are not they pick a new industry and re-speculate.
  3. Educators: They understand that there is no one simple answer but that solutions are custom made and long term collaborations.  They are not in the news as much since they are not making polar speculative claims, but they help bring a holistic analysis of the options and present the pros/cons with every statement.

I like analysts but believe that in every profession one should “seek first to understand and then to be understood”.


Becoming Fearless: Deweaponizing Permanence

December 13th, 2009 admin No comments

(Re-post of an item written in June 2007)

The mind offers protectionism against our fears, but this can sometimes lead to stagnation. It’s not a voluntary act, but more a learned experience. The government is an expert at this art. The information security community leverages it to impose their will on the masses. They even have a term for it: FUD – fear, uncertainty, and doubt.

But better than any social experiment, our mind is a master of illusion and perception augmentation. We can see this easily in the movies we watch. Anyone watching a scary movie knows the point at which fear enters the picture. The camera closes in on a character, leaving the viewer unable to see anything but their face. This triggers a reaction in the viewer's mind about the infinite number of things that could befall this character. Our mind is almost trained to enumerate the fearful possibilities and recite them to ourselves.

Left unchecked, this fear can be debilitating. In its best forms we call it complacency and in its worst we call it insanity. So we build structures against such fear. We arm ourselves with weapons such as hope, faith, and the lives of our heroes. Some religious groups will literally say they are “putting on the full armor of God” in order to do battle with the devil, of which fear is a material or mental manifestation.

One of these protective structures is permanence. We believe… we must believe that some things are permanent, even if just in the short term. We believe that we will live past tomorrow, or else people would do erratic things and chaos would ensue. We believe that we will grow old, or else we would never prepare for something we call ‘retirement’. We believe that strangers on the street will not randomly attack us, or else we would quickly become a society of roaming fear mongers. Society works because fear is contained and fed to us in only small and predictable doses. Fear can sometimes even make one feel safe and provide a central theme to unite a group of people.

What would happen if there was ever a loss of our beliefs or a fracture of the permanence that we so carefully rely on? Some might argue that chaos would follow and thus the argument for keeping people feeling safe and secure. But what about those things that cannot be controlled? The smaller things, that based on their very nature, no government or society can contain?

Things like a relationship break up, death in the family, divorce, pain, solitude, shame? The list goes on and on. These are things that cannot be controlled and thus cannot offer permanence. These are the things that Reinhold Niebuhr thought of when he wrote the Serenity Prayer.

accept the things I cannot change,
have courage to change the things I can
and have the wisdom to know the difference

I couple this with the quote from Fight Club that says, “It’s only after we’ve lost everything that we’re free to do anything.” Fear exists within us all and it’s only when you free yourself of it that you can ever accomplish the things you imagine and desire. It’s only after you know, not just acknowledge, that some day things will change. You will no longer like chocolate, you will want children, you will learn that you always wanted to be something you were not, and then you will die.

It’s only after we confront our fears and take action that we can ever move beyond our current state of mind. It’s only after we step out into the abyss with our eyes wide open that we can ever evolve into something more than we currently are.

Oscar Levant is quoted as saying “there is a fine line between genius and insanity.” I do not believe this means that genius is close to insanity, but that insanity can remove the barriers in one's mind and enable one to see beyond one's current static form and imagine the impossible.

My favorite quote is that “nothing is impossible, the impossible just takes longer.” To say this and believe it is one step closer to deweaponizing permanence, and for me one step closer towards happiness.

Becoming Fearless: Make the unknown known

September 15th, 2009 admin No comments

Fearless is an interesting word, for in fact, in being fearless you are not without fear, rather you are withstanding fear. You are moving forward in spite of it. Writing a very short story requires a degree of fearlessness, and I think reading one does also. I have deep respect for the very short story for many reasons, perhaps most profoundly for its fearlessness.
–Meredith Pignon

One of the things about becoming fearless is embracing your fears and adjusting to them.  If your fear is writing then you should do it more and more until you think of it as an extension of your being.  If your new fear is getting published you need to do it more and more (even if just on your blog) so you can get over the feeling of fear associated with doing something new.

Remember buying your first house?  Remember buying your second?  Wasn’t it so much easier after you had been through the unknown once?  Easier because you had mapped out and faced those fears head on.  When it is the unknown that drives your fear, the way to overcome it is to make the unknown known.

Risk Management is a Utopian Kool-aid

May 5th, 2009 admin 5 comments

Update: It should be noted that I am a believer in risk management, especially quantitative risk management, but simply want to highlight some of the effects that bounded rationality has on our ability to manage risk.  I want to push us towards a more optimized view of rationality and risk management.

When we think of how to protect our most sensitive data we have one of two approaches.  Security is a tactical approach and risk management is a strategic approach.  Security implies the implementation of sound risk management practices.  While technical people like to talk about ‘vulns’, it is the risk management people who wax philosophical about long term strategy, data centric vs. system centric approaches, and drink from the fountain of Utopian kool-aid.

I too have paid my dues and talked about risk management in its perfect form.  This approach involves metrics, models, threat vectors, CIA triad, and a multitude of other factors.  Risk management was married long ago to the maiden of Capability and Maturity Models for long term vitality.  Combined, these two go hand in hand to protect data from the foes.  Or so the story goes.

Now, I’m not about to become a risk management heretic, but as Mahan Khalsa says in his infamous sales books, “let’s get real!”  One thing that risk management does not (typically) take into account is that people, humans, are irrational beings.  When it comes to assessing risk, managing hazards, making decisions, managing a crisis, navigating office politics, and altering perceptions we have a roadblock called emotion.  Within emotion are all the factors that influence our decision making capabilities, such as: fear, uncertainty, doubt, misdirection, and oh so many more.

History has shown that humans fear the small possibility of a quick, immediate death much more than the larger possibility of a long term, slow death.  The World Health Organization (WHO) reported that from 2003 – 2009 the total number of global deaths from Avian Flu was 257.  That’s not enough to even be a statistical anomaly, but we saw it on the cover of just about every magazine and newspaper around the world for a few months.  The WHO does not even rank influenza, of any sort, in its top 10 causes of death.  In fact, chronic heart disease killed 7.2 million people in 2004, and road traffic accidents killed 1.27 million people.  We worry more about contracting a rare form of the flu and dying than we do about driving to the grocery store on a Friday night.

Proper MetriCon people might say that numbers don’t lie or have emotions, but the question is, “how good are those numbers?”  I recall one year an analyst group put out a press release saying that it costs companies $200 per lost credit card.  The following year many vendor companies ran with that number and sold their product as costing only $100 per record to protect.  This could result in a 50% savings.  The problem came the following year when the analyst firm revised their numbers to say that it only cost companies $80 per lost credit card.  (Numbers have been rounded and changed to protect their creators.)

I have been sold on the need for more metrics in risk management and security, but the problem is we need to temper our reaction to data the same way we wait for Service Pack 2 before purchasing software.

We need to temper our risk management approach to one that accepts the hesitation of people to make precise and accurate decisions, especially if they are not satisfying an immediate need.  I’ve spoken with many PCI Qualified Security Assessor (QSA) companies and many agree that companies focus on satisfying compliance first and push off risk management for a later date, that sometimes never arrives.  The economics do not even need to matter as long as the immediate need is being satisfied.

People would rather spend more money now to satisfy compliance even if they could spend less over the long term to pave the road for a sound security strategy.  Why?  Well, there are many reasons but some of them include:

  • High turnover
  • Annual management based objectives (MBOs)
  • Immediate need for “compliance”
  • Lack of enterprise visibility
  • Siloed departments/divisions
  • Lack of information/education

It is the lack of awareness, information, and education that causes many companies to ignore the long term death and focus on the short term threat.  This can be like putting a band-aid on a bloody stump and calling it a mere “flesh wound”.

We need to accept that people are going to make irrational decisions and devise new and creative ways to re-educate them about the decisions they are making.  I think that better and better metrics are certainly a way to get there, but we are a long way from the panacea of payment security and risk metrics.
