Posts

Showing posts from May, 2022

Algo-rhythmic infosec

An article by the 50-year-old University of York Department of Computer Science outlines algorithmic approaches in Artificial Intelligence. Here are the highlights: Linear sequence: progresses directly through a series of tasks/statements, one after the other. Conditional: decides between courses of action according to the conditions set (e.g. if X is 10 then do Y, otherwise do Z). Loop: sequential statements are repeated. Brute force: tries approaches systematically, blocking off dead ends to leave only viable routes to get closer to a solution. Recursive: apply the learning from a series of small episodes to larger problems of the same type. Backtracking: incrementally builds a data set of all possible solutions, retracing or undoing/reversing its last step if unsuccessful in order to pursue other pathways until a satisfactory result is reached. Greedy: quickly goes to the most obvious solution (low-hanging fruit) and stops. Dynamic progra...

Iterative scientific infosec

Here's a simple, generic way to manage virtually anything, particularly complex and dynamic things:

1. Think of something to do
2. Try it
3. Watch what happens
4. Discover and learn
5. Identify potential improvements
6. GOTO 1

It's a naive programmer's version of Deming's Plan-Do-Check-Act cycle - an iterative approach to continuous improvement that has proven very successful in various fields over several decades. Notice that it is rational, systematic and repeatable. Here's a similar grossly-simplified outline of the classical experimental method that has proven equally successful over several centuries of scientific endeavour:

Responsible disclosure - another new policy

We have just completed and released another topic-specific information security policy template, covering responsible disclosure (of vulnerabilities, mostly). The policy encourages people to report any vulnerabilities or other information security issues they discover with the organisation's IT systems, networks, processes and people. Management undertakes to investigate and address reports using a risk-based approach, reducing the time and effort required for spurious or trivial issues, while ensuring that more significant matters are prioritised. The policy distinguishes authorised from unauthorised security testing, and touches on ethical aspects such as hacking and premature disclosure. It allows for reports to be made or escalated to Internal Audit, acting as a trustworthy, independent function, competent to undertake investigations dispassionately. This is a relief-valve for potentially sensitive or troublesome reports where the reporter is dubious of receiving fair, prompt t...

Hacking the Microsoft Sculpt keyboard

In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard. This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downs...

What actually drives information security?

The 'obvious' driver for information security is information risk: valuable yet vulnerable information must be secured/protected against anything that might compromise its confidentiality, integrity or availability, right? Given an infinite array of possible risks and finite resources to address them, information risk analysis and management techniques help us scan the risk landscape for things that stand out - the peaks - and so we play whack-a-mole, attempting to level the field through mitigating controls, remaining constantly on the lookout for erupting peaks and those hidden behind the ones we can see or that were otherwise transparent. That's 'obvious' from my perspective as an experienced information risk and security professional, anyway. Your perspective probably differs. You may look at things from a slightly or dramatically different angle - and that's fine. I see these as interesting and stimulating complementary approaches, not alternatives. Complian...

Managing professional services engagements

In relation to professional services, management responsibilities are shared between client and provider, except where their interests and concerns diverge. Identifying and exploiting common interests goes beyond the commercial/financial arrangements, involving different levels and types of management: Strategic management: whereas some professional services may be seen as short-term point solutions to specific issues ("temping"), many have longer-term implications such as the prospect of repeat/future business if things work out so well that the engagement is clearly productive and beneficial to both parties. Establishing semi-permanent insourcing and outsourcing arrangements can involve substantial investments and risks with strategic implications, hence senior management should be involved in considering and deciding between various options, designing and instituting the appropriate governance and management arrangements, clarifying responsibilities and accountabilities...

Professional services infosec policy template

We have just completed and released a brand new information security policy template on professional services. The policy is generic, pragmatic and yet succinct at just over 2 pages. Professional services engagements, and hence the associated information risks, are so diverse that it made no sense to specify particular infosec controls, except a few examples. Instead, the policy requires management to nominate Information Owners for each professional services engagement, and they, in turn, are required to identify, evaluate and treat the information risks. This is another shining example of the value of the 'information ownership' concept. Although they are encouraged to delegate responsibilities to, or at least take advice from, relevant, competent experts (e.g. in Information Risk and Security, Legal/Compliance, HR, IT, Procurement), Information Owners are held personally accountable for the protection and legitimate exploitation of 'their' information. If Informati...

AA privacy breach -- policy update?

According to a Radio New Zealand news report today: "Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018. AA travel and tourism general manager Greg Leighton said the data was taken in August last year and AA Traveller found out in March. He said a lot of the data was not needed anymore, so it should have been deleted, and the breach "could have been prevented"." The disclosure prompted the acting NZ Privacy Commissioner to opine that companies 'need a review policy': "Acting Privacy Commissioner Liz Macpherson told Midday Report that if data was not needed it should be deleted ... Companies needed a review policy in place to determine if the data stored was necessary, or could be deleted, Macpherson said." So I've looked through our SecAware information security policies to see whether we have it covered already, and sure enough we do - well, sor...

How many metrics?

While perusing yet another promotional, commercially-sponsored survey today, something caught my beady eye. According to the report, "On average, organizations track four to five metrics". Four to five [cybersecurity] metrics?!! Really? Oh boy. Given the importance, complexities and breadth of cybersecurity, how on Earth can anyone sensibly manage it with just four to five metrics? It beggars belief, particularly as the report indicates that three quarters of the 1,200 surveyed companies had at least a $billion in revenue, and more than half of them have at least 10,000 employees. With a total cybersecurity expenditure of $125 billion (around 80% of the total global estimate), these were large corporations, not tiddlers. The report indicates the corresponding survey question was "Q30. Which of the following cybersecurity metrics does your organization track, and which metrics are the most important?". Well OK, that's two questions in one, and the report does...

Data masking and redaction policy

Last evening I completed and published another SecAware infosec policy template addressing ISO/IEC 27002:2022 clause 8.11 "Data masking": "Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific, and business requirements, taking applicable legislation into consideration." The techniques for masking or redacting highly sensitive information from electronic and physical documents may appear quite straightforward. However, experience tells us the controls are error-prone and fragile: they generally fail-insecure, meaning that sensitive information is liable to be disclosed inappropriately. That, in turn, often leads to embarrassing and costly incidents with the possibility of prosecution and penalties for the organisation at fault, along with reputational damage and brand devaluation. The policy therefore takes a risk-based approach, outlining a range of masking and redaction controls...

Threat intelligence policy

I finally found the time today to complete and publish an information security policy template on threat intelligence. The policy supports the new control in ISO/IEC 27002:2022 clause 5.7: "Information relating to information security threats should be collected and analysed to produce threat intelligence." The SecAware policy template goes a little further: rather than merely collecting and analysing threat intelligence, the organisation should ideally respond to threats - for example, avoiding or mitigating them. That, in turn, emphasises the value of 'actionable intelligence', in the same way that 'actionable security metrics' are worth more than 'coffee table'/'nice to know' metrics that are of no practical use. The point is that information quality is more important than its volume. This is an information integrity issue, as much as information availability. The policy also mentions 'current and emerging threats'. This is a ve...