Schrödinger’s Christmas

In 1935, Austrian physicist Erwin Schrödinger devised the thought experiment known as Schrödinger’s Cat. It’s a gruesome but pretend experiment where we place a cat in a cage (sometimes a box) with a device that could randomly release a poison that is capable of killing the cat. However, it may also never release the poison and the cat would remain alive. There are many variations to this, such as if you open the box it would release the poison rendering the cat dead, etc. One of the implications of this is that the cat could exist in two states at the same time: both alive and dead. We’d never know for sure unless we open the box, but then we’d be complicit in the cat’s death (I suppose this could be done with any pet, but Erwin must have hated cats).

Over the years, there have been many versions and extensions of this thought experiment. One is that when people are aware they are being observed, they behave differently. In what way did their behavior change? We can never know as the observation itself changed the outcome (Heisenberg’s Uncertainty Principle). In security, we rely on this behavioral effect as a preventative control. It’s the reason that home security signs exist: somewhat paradoxically, letting would-be attackers know the level of security that exists in your home serves the purpose of deterring attackers (by revealing our control strength, we make it possible for the attacker to assess their own risk, including evaluating how good their skills are at overcoming our controls). This same concept is in play when we use login banners and periodically remind our users that their activity on company systems is monitored. We let them know that we are watching and in so doing we change the outcome in the hopes that good people remain that way.

Which is exactly what we try to do with our children this time of year. Clearly, the “naughty or nice” list is subject to halo bias; children work harder at being on the nice list in December than in any other month (especially January). However, they are also more aware they are being monitored. We as parents reinforce this verbally, they hear it in carols, and they see it in effect in holiday television programming. Austrian and German cultures took this concept of monitoring children’s behavior to another extreme (although admittedly more stick than carrot) with the Krampus (now a major motion picture!) and Belsnickel characters, who punished naughty children in a horribly violent and terrifying manner. Not to be outdone, Japanese New Year’s ceremonies feature the Namahage character, who wears a demonic mask and punishes lazy or bad children into obeying their parents. All of which is to say that we have a long historical understanding of the value monitoring plays in regulating behavior. Now I need to get back to work because the Elf on the Shelf is staring at me and I don’t want to end up on the naughty list this year…

Security Project Triage is all about Resource Allocation

In my latest @ISACA column, I tackle the problem of project triage. It’s a pernicious problem that many security departments have to manage: we have to check everything currently in place, yet new stuff is being added all the time.

I address this problem from a risk perspective: we need to allocate our scarce security resources on projects the same as we do everywhere else.

Zanshin Risk Management

I really enjoyed Bruce Schneier’s recent post on Code Yellow. It inspired me to write about it in the context of personal self defense (and its parallels to the Japanese term zanshin).

I disagree with Bruce’s opinion that being in Code Yellow generally is a bad thing (at least, that’s the impression I got from his piece). Like much in life, there is a balance between seeing danger in every shadow and being alert and aware in our daily lives. For instance, how many people are not living in the moment due to the smartphones in their pockets and what are they missing out on? What danger are they placing themselves in?

Cybersecurity can have a similar problem: jumping at those shadows can be dangerous, but not acknowledging that there could be danger in that shadow can be just as bad, as many attacks depend upon catching the victim unawares. It does take practice to strike the balance between paranoia and alertness, but it’s one that must be worked at. Organizations with a mature risk management function can successfully negotiate the trade-off between conducting their business and not drowning in losses. Being “In Yellow” really is the job of the risk function of an organization; it’s the equivalent of that voice in your head reminding you of the bad things that could happen so that you can make a well-informed decision.

DeVry Charlotte 2014 Commencement Address

On 27 June 2014, I delivered the Commencement Address to the graduating class at DeVry University Charlotte. I was honored to be asked by Dr. Regina Campbell. I didn’t post the address here previously, but I talk about risk so I thought it might be interesting to my followers here. Enjoy!


Thank you to Dr. Campbell for inviting me here today and thank you to the faculty, administration, and staff of the DeVry University Charlotte Campus for the warm welcome they have extended to me. Congratulations to all of today’s graduates, their parents, families, spouses, partners, significant others and all the other recalcitrant folk you managed to bring to today’s proceedings. But seriously, we should all be enormously proud of our graduates today. They join an ever-growing body of DeVry alumni across this nation, Canada, the Caribbean, and other parts of the world that have benefited from the uniquely DeVry experience and how it enhances their careers. I know a little something about this group as I have been honored to have been made a DeVry alumnus three times in my life–and my wife a DeVry alumna twice. All of which means that I’ve had the opportunity to sit where you are now several times and as a result, I know there is truth in the old joke about there being two kinds of commencement speeches: short and bad. As for me, I plan for this one to be short, however I’m also sure that no one plans to deliver a boring commencement address, which may very well account for my knowledge of both the masculine and feminine forms of the Latin noun “alumnus” so well (thank you Wikipedia).

There are several time-honored traditions in American commencement address giving that I am obliged to follow. The first I’ll call the Pronouncement of the State of the Real World. It will come as no surprise to you that we live in a rapidly changing world where our lives and fortunes rise and fall with the technological innovations we love and love to hate. Navigating a career in this environment is nothing short of a lifetime commitment. A recent publication by the Business Insider reported on the most in-demand college majors. The four that topped the list (in order) were Business, Computer and Information Sciences, Engineering, and Health Professions, the sum total of which comprised 82% of new demand. If you’ve identified those as majors that DeVry focuses on and has so prepared you for, you get to get a diploma today, or sometimes later in the mail, as the case may be.


Using Behavioral Interview Techniques to Assess Supplier Security Posture

Organizations are increasingly furthering their goals through reliance on suppliers conducting critical work. In support of this, information security departments routinely conduct security assessments of those suppliers in order to help minimize risk in their supply chains. These assessments usually consist of some combination of questionnaires, onsite observations, testing, and interviews. Unfortunately, such assessment routines tend to reveal only superficial (or overly obvious) issues with the suppliers. However, what decision makers really need to know is whether the supplier will handle the information entrusted to them with care. Amongst other things, what managers and executives want to know is whether the supplier has had problems doing this in the past, and what the odds are of them making mistakes in the future. This article will provide a technique to help better inform management and to make better information security decisions about vendor and supplier choices.
