Book review: The regulatory craft - Controlling Risks, Solving Problems and Managing Compliance by Malcolm K. Sparrow

Are you working in a policy-setting team and, at the same time, would you really like to see the problems that occur in reality being solved?
How do you normally answer the typical dilemma between theoretical governance and effective policy implementation in reality?

If the answer to the first question is "yes" and the answer to the second question is "hardly", this book by Malcolm K. Sparrow is for you. Also if the answer to the second question was "I am doing fine but I am running out of ideas", then this is your book to read, too.

It has 4 parts, about 330 pages and a myriad of real examples coming from the author's broad experience.

Part 1 sets the scene, describing current regulatory practices and the widely used process improvement approach, a useful way to achieve incremental (but not major) improvements in policy implementation.

Part 2 proposes an innovative way to achieve bigger gains than those obtained with process improvement. The author calls it "problem solving" i.e. the capacity to focus on a specific non-compliant situation and to make it compliant. In other words, the possibility to solve real problems, one after the other.

Once a problem is listed, identified and selected, it needs to be precisely defined and, as important as that, the problem-solving team needs to set up a way to measure impact.

Only when these initial steps have been thoroughly reflected upon and are mature can one start with the design of the measures to be taken, their implementation and their monitoring. It seems like common sense; however, this approach is often not followed.

Together with this problem-solving approach, the author mentions different systems that need to be in place: a problem nomination and selection system, a resource and responsibility assignment system, an oversight and review system and finally, three additional systems: a reporting system, a support system and a learning and reward system.

Clearly, problem-solving is not just an ad-hoc alternative to process improvement. It is a thoroughly thought-through approach to managing compliance while providing value to the community.

With regard to reactive, proactive and preventive techniques, the author states that all three are valid and useful. He adds a valuable ingredient: using risk control as the criterion to decide which technique to use at each moment.

Part 3 of the book is devoted precisely to risk control, the innovative element that would empower compliance agencies in their quest towards excellence. The author makes risk management pivotal to applying problem-solving techniques.

Risk management methodologies (like the ones also mentioned here and there) and strategic thinking would then become working tools to guide our daily work and to make it effective, regardless of the compliance field we are working in.

Worth mentioning are three kinds of risk whose treatment is, according to the author, somewhat challenging: "invisible risks", "risks involving opponents" and "risks for which prevention is paramount".

Certainly, in a risk-centred world, the task of assessing current and new risks, mostly known as intelligence gathering, becomes crucial for success.

The last part of the book, Part 4, provides examples and summarises proposals.

All in all, a reference for those responsible for turning a compliance agency into a success story!

Happy problem solving and risk control!


Security sites to bookmark: and

Belgium: Waffles... and security

The professional activities that we undertake within our company, be it our own shop or our employer, can, and should, benefit from all our other security-related activities. The two security sites I recommend visiting confirm this. Both are written by well-known names in the European information security community: the Belgians Didier Stevens and Xavier Mertens.

Like securityandrisk, Didier Stevens created his blog in 2006. Since then, he has regularly published very practical and technical security articles. Didier pays special attention to network security. The quality of the blog invites you to visit his own business' site, especially dedicated to PDF and "shellcode" analysis. His company site is accessible from

Xavier Mertens, with his unique "Belgian balloon fish" avatar, present both in his Twitter account and his blog, is the author of On the Internet since 2003, he publishes, together with the papers he has presented, very detailed summaries of the security conferences he attends. This is an opportunity to learn what happened and what was said there. As in Didier's case, he also links to, his own security company, specialised in log management and security testing.

Both authors discuss security issues that are useful in our everyday job. From the pages of their blogs, they both link to some security tools (both Didier and Xavier). Didier proposes his own Microsoft Windows process-related utilities, and Xavier introduces evasion tools such as "PingTunnel" and "Dns2tcp".

Information security is still a field in which many breakthroughs, ideas and new developments come from "informal" channels such as blogs and security conferences rather than from formal academic degrees and scientific journals. These two sites confirm this trend.

In short, visiting these two personal sites from well-known Belgian security experts gives us ideas for our professional lives while nicely introducing the security companies they have created.

You can also read this post in Spanish here.

Happy Belgian security reading!


Security site to bookmark:

Controversial but worth-reading

In the past, guilds regulated and controlled the practice of a craft. This site, an initiative from a volunteer crew, aims to protect the information security profession from intruders.

In an almost irreverent way, they publish news charged with irony (for example, a security company that promises 100% security with its products and that, interestingly enough, is successfully attacked and compromised) and references to security snake-oil sellers.

All this controversial content is organized into twelve sections that reveal:

- Companies that sell products containing malware before they even reach customers.

- Legal threats to security researchers who have found a security vulnerability.

- Failures in automated software update processes.

- Charlatans, be it individuals or companies, who introduce themselves as security gurus. The subsection dealing with companies can be controversial.

- Plagiarism: A long list of authors and books that turn out to be copies of previous publications.

- Firms offering security services or products that have been attacked and compromised themselves.

- Security companies that send unsolicited e-mail ("spam") to prospective customers.

- Security incidents involving Internet-related companies, such as the case of Stratfor, a company that suffered loss of confidential information in 2011.

- Invented or manipulated security statistics.

- Examples of how the media confuse their audience with unconfirmed security news. This section stopped being updated a long time ago; the authors could not keep up with the rate at which such news items appeared.

- Vulnerabilities and data leakage items from initiatives like the Open Source Vulnerability Database and a site that I already recommended in this blog.

The site definitely shows the great influence of the mass media and acts as a whistleblower against charlatans. It is an Internet-based antidote for identifying attempted fraud in information security. Therefore, before buying a product or a security book, have a look at their pages.

Happy errata reading!

You can also read this post in Spanish here.


The hedgehog's dilemma - Story of business and IT Security

In summer 2011 a new security-related conference series was started in Madrid. Or, better said, a technology-based risk management and innovation event. I had the privilege of giving the opening talk on the links between security and business to a wide and wise audience. I titled my talk "The hedgehog's dilemma".
This post summarises the main points of the talk. They are still applicable (they are even more applicable now than in 2011!). I would be happy to start a discussion thread on your views on these macro topics. They are not close to the command line, but they certainly steer our professional future working with and at corporations.
Using Wikipedia's description of the dilemma, "hedgehogs all seek to become close to one another to share heat during cold weather but they must remain apart, however, as they cannot avoid hurting one another with their sharp spines".
Security and business suffer from exactly the same dilemma. The objective will be to change the paradigm from hedgehogs to penguins. Penguins can stay together. Actually, they benefit from staying together every winter.
I proposed two dimensions to work with, a methodological one and a human one. Let's describe both of them:

From hedgehogs to penguins: A method
Firstly, we need to use traditional risk management concepts such as vulnerability, threat, risk, impact and probability, and benefit-to-risk ratio, all of them explained in the first chapters of IT Securiteers.
Secondly, I propose the use of 1 + 3 + 1 filters. As a security professional, pay attention to elements that pass these five filters:
1. They are real and detected threats. This is why monitoring is key.
2. They cause a high impact to the organisation and they mean a low risk for the attacker.
3. Their treatment does not require massive resources and does not decrease customer usability. This filter is a tough one to respect. However, it constitutes a mid-term survival guarantee for infosec professionals at work.
4. They bring a positive reputation to the security team. This one is also challenging but worth considering in these times in which we need to market everything.
5. They comply with legal and governance requirements and they satisfy senior management's requests. Please do not forget the last part of this fifth filter.
Certainly this is easier said than done. Three additional tactical tips:
a. Plan no more than 40% of your security resources. They need to remain available to deal with a great deal of unknown (and ad-hoc/unplanned) activities.
b. Follow a "baby-step" planning approach and celebrate (and sell!) every successful delta.
c. A useful way to structure your work is by considering these layers: networks, systems, applications, data and identities. (Thanks to Jess Garcia for this point.)

From hedgehogs to penguins: A passion
Security teams certainly need passionate and technically savvy security professionals. To this statement I would add that we need a multidisciplinary team. Non-IT-savvy and non-security-savvy players also have their place in a security team. These new players can come from fields as distinct as marketing, sociology, statistics, journalism, law and economics.
The number of interactions that some security team members need to have with the rest of the organisation is high. Public relations and marketing are essential for the previously presented five-filter method to succeed.
How many active security teams do you know that already have this innovative composition? Probably not many. Two references to go deeper into this subject of security management: Try IT Security Management and Secure IT up!. I would be happy to present it to you if required.
These multidisciplinary teams will live the motto "share, respect and mobilise":
- Share the information you work with with your colleagues.
- Respect any personal and academic background from any player in the team.
- Mobilise your peers i.e. trigger their curiosity for your field of expertise.
Two models help grow cohesive teams. Both aim to find a balance in every team member:
- Find the sweet, balanced spot among the skills they offer, their passions and market demands.
- Find the sweet, balanced spot among themselves as individuals, themselves in their social dimension and, finally, themselves in their professional lives.

Multiple leadership and continuous learning
Security teams need more than one leader. Preferably three. At least two that get along well and complement each other. The role of the leader will be to look after team members while delivering the mandated value to the organisation.
In a two-dimensional graph, plot where your team members are in terms of valuable security skills and level of motivation. Those scoring high on both axes constitute your team's critical mass. The role of the leader will be to grow that critical mass, i.e. encouraging everyone to sharpen their skills and letting motivation grow inside them. Imagine a KPI on this!

Important ingredient not to overlook
Security team leaders need to be outward-looking and multidisciplinary themselves. They need to act as security ambassadors, especially with their reporting lines and customers. They had better double-check periodically whether they still have their senior management's support.

Security innovation: Five provocations
Some food for thought. Call it crazy ideas, call it security innovation:
- Conduct effective guerrilla marketing out of your CERT team.
- Design accurately (and smartly) the experience that a visitor to your facilities and a customer of your security services would leave with. End to end.
- Identify social connectors in your organisation and make them your security marketing ambassadors, even if they do it unconsciously.
- Make the most of the "power of free" e.g. distribute free encrypted memory devices.
- Be constructive. Remember, life will always find a way!

Happy finding!


Discussion on intuition. Daniel Kahneman's lecture.

Google talks
This post is a recommendation to watch the lecture that Daniel Kahneman gave in the @Google Presents talks. It was a discussion on human intuition, somehow explaining why we magically know things without knowing that we know them. We information security practitioners will find many points to relate to.

Modest disclaimer: This post by no means tries to replace the video of the talk. It just provides a very subjective (and telegraphic) summary of some of the points touched upon.

Some references, such as "Sources of Power: How People Make Decisions" by Gary Klein or "Blink" by Malcolm Gladwell, propose that judgement biases are not so negative and are actually a source of power. Daniel Kahneman is certainly very sceptical about the power of experts. For example, how would intuition play out in medicine? When can you trust intuition?

Intuition and judgement

Kahneman distinguishes between two modes of thinking, i.e. thoughts that come to mind (system 1) and judgements (system 2). Examples of the first are something that happens to us, something truly perceived, impressions and also intuitive thinking. This type of thought is intuitive and automatic. The second type requires effort: it is deliberate and effortful.

An empirical exercise would be the following: we fall into the temptation of eating chocolate more easily if we have to keep a 7-digit number in our head. Our self-control is impaired if we are doing another activity. This clearly means that it takes some effort to control our impulses.

Then, at minute 12, he starts to talk about skills. For example, driving is a skill. With a skill, things begin to happen automatically. That is the reason why we can drive and talk, or why braking is completely automatic. However, some skills are completely non-intuitive, e.g. driving on skids requires different, non-intuitive skills.

An interesting point is that having emotional reactions to a certain perception is automatic in system 1, but system 1 is also where skills are located. Then he mentions that Herbert Simon (Nobel laureate) defined intuition as simply recognition.

When can you trust intuition?
If there are clear rules in the environment, especially if they give you immediate feedback, we will acquire those rules, e.g. we all identify erratic behaviour when driving.

Human beings are also very good at reinforced practice, e.g. anaesthesiologists get very good feedback very quickly; radiologists get the opposite case, slow and not so good feedback, i.e. it is more difficult for them to develop intuitive expertise.

In a sentence, intuitive expertise is not possible in chaotic scenarios, that is, where the world is not predictable. Formulas beat humans when there is some predictability, but they perform poorly in low-predictability environments.

We frequently have intuitions that are false and that are not distinguishable from expert intuitions. How can we tell expert intuition apart?

A book by Joshua Foer titled "Moonwalking with Einstein" states that memory is superb at remembering routes through space but poor at remembering a list. Our mind is set to think about agents (which have traits and behaviours); however, we are not good at remembering sentences with abstract subjects.

Getting influenced by the environment
Posters we can see and read close to us influence our behaviour. When people are exposed to a threatening word, they move back: the symbolic threat somehow has a real effect.

If we see two unrelated words together, like "banana" and "vomit", we will think about vomit when we see a banana. In effect, we saw two words and we made a story, e.g. the banana made us vomit; our associative machinery tries to find a cause.

You make a disgust face, you experience disgust. You make a smiling face, you are more likely to think that things are funny. Place a pencil in your mouth and you will think cartoons are funnier.

By partially activating ideas, e.g. by whispering words, the threshold to feel emotions related to those ideas is lowered, and all this happens without you knowing it consciously. It is a way of preparing ourselves.

Associative memory is a repository of knowledge. We try to suppress ambiguity, making ambiguous stimuli coherent.

It takes us very little time to create a norm. Our reasoning flows along causal lines, and this happens intuitively. The coherence that we experience can be turned into a judgement of probability. However, people have confidence in intuitions that are not essentially true. We use a system that classifies things as normal or abnormal, and does so very quickly. Speed is key for our brain.

Substitution: The dates experiment
Two questions: How happy are you? And how many dates did you have last month?
In that order, the correlation is zero. In the reverse order, the correlation is 0.66. This is an example of substitution: the emotion that reigns when answering the second question drives the answer to the first.

Subjective confidence
There is a real demand for overconfidence, but this is not the secret to getting real and valuable information. Confidence is not a good diagnostic for trusting somebody.
The wise way to do it would be to ask what the environment is like and whether they had the opportunity to learn its regularities.

Daniel Kahneman is not really optimistic about our being able to train system 1. This is why, e.g., the advertising industry addresses system 1 (emotions, not judgements); e.g. the facial characteristics of political leaders (which one looks more confident?) predict 70% of elections. See reference

(minute 56) When people are exposed to the idea of money (e.g. the dollar symbol), they show selfishness and a lack of solidarity.

Nice things
We need to create an environment that will remind people of nice things (and not, e.g., of money).

The connection between self-control and the general activation of system 2 is an important personality characteristic (e.g. the marshmallow test in children predicts whether they will do better when they are 20).

However, most intelligence tests we have are only for system 2.

It's hard work for system 2 to overturn what system 1 tells it. Keep that in mind when preparing security awareness sessions or when holding a lessons-learned exercise on why some security awareness sessions were not effective!

Happy system 1 and system 2 security!
