Posts

Showing posts from August, 2022

Security is ...

... "freedom from those conditions that can cause loss of assets with unacceptable consequences" [source: NIST SP800-160v1r1] ... "the state in which one or more assets is adequately protected against risks" [source: SecAware glossary] ... "an illusion of protection against perpetual vulnerabilities being actively exploited" [source: Philip Brider] ... related to information, control, governance, compliance, risk, resilience, continuity, privacy, assets, IT, society, technology, politics, systems, networking, incidents, 'cyber', assurance, trust, people ... ... the NO Department - absolutely not, no way, forbidden, don't do that! ... the product of a safe, stable, supportive environment ... ensuring confidentiality, integrity and availability ... the apparent absence of incidents ... best avoided to get the job done ... having no exposed vulnerability ... the lull before the next incident...

Cyber is ...

... "the science of communication and control theory that is concerned especially with the comparative study of automatic control systems" [source: Merriam-Webster] ... "a jargon prefix/buzz-word, much abused by marketers, journalists, politicians and widely misinterpreted" [source: SecAware glossary] ... robotics, artificial intelligence and machine learning ... remaining operational despite serious incidents ... a muddle of paradoxes and contradictions ... protecting critical corporate infrastructure ... protecting critical national infrastructure ... whatever the speaker/writer thinks it is ... information risk, security and control ... only part of the problem space ... more than just technology ... recovering from incidents ... nation-state weaponry ... short for cybersecurity ... the modern battlefield ... only about technology ... a solid-gold buzzword ... unknown unknowns ... conveniently vague ... smoke and mirrors ... computer security ... six-fi...

The all-new SecAware blog

Welcome to the all-new SecAware blog! Well OK, perhaps 'all' is over-stating it. In truth, it's the same old same old with a shiny new URL and look. I have migrated the historical content from blog.NoticeBored.com to here, and will continue adding to it for as long as I remain sentient. I will be as surprised as you to see the next piece. You can still browse this stuff, or filter by keywords and search for anything using the panel on the right. As always, your comments, feedback, suggestions and complaints are very welcome. Alternative realities fascinate me. Criticisms spur me on. Just about anything beats stony silence and that dreadful feeling that I'm shouting plaintively into the void ... - Over -

Control is ...

... "something which prevents or reduces the probability of an information security incident, indicates that an incident may have occurred and/or mitigates the damage, harm, costs or other adverse consequences caused or triggered by or simply following on from an incident" [source: SecAware glossary] ... "the exertion of influence over a subordinate by an authority or assertive figure" [source: SecAware glossary] ... technical, physical, procedural, legal, social, mechanical, economic, political ... ... applied to processes, systems, machines, people, quality ... ... a "measure that maintains and/or modifies risk. Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk. Note 2 to entry: Controls may not always exert the intended or assumed modifying effect." [source: ISO 31000] ... a volume knob that goes all the way to 11 ... automated, s...

The business case for security strategy and architecture

The business benefits of developing an information security strategy and accompanying security architecture/design include:

- Being proactive, taking the lead in this area - more puppeteer than puppet;
- Designing a framework or structure to support the organisation's unique situation and needs;
- Positioning and guiding the management of information risk and security within other aspects of the organisation's architecture/design, e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...;
- Providing a blueprint, mapping-out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operatio...

Risk is ...

... "the predicted or projected frequency and magnitude of future loss if a threat exploits an exposed vulnerability to cause an adverse business and/or personal impact" [source: SecAware glossary] ... "a relative term, implying degrees or levels of risk, or absolute value if the frequency and magnitude are calculated credibly, with some precision" [source: SecAware glossary] ... "a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence" [source: NIST Cybersecurity Framework] ... "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems" [source: ENISA] ... "effect of uncertainty on objectives ..." [source: ISO Guide 73] ... when threat exploits vulnerability causing impact...

Fragility is ...

... the arch-enemy - not the polar opposite - of resilience ... a natural consequence of complexity and dependence ... when threat meets vulnerability exceeding control ... not knowing whether, how and when it will break ... being unable/unwilling/afraid to rely on it ... untrustworthy, inadequate controls ... pushing too far, too fast, too hard ... passing the point of no return ... exceeding the breaking strain ... an engineering challenge ... inevitable at some point ... hanging on by a thread ... often revealed too late ... a propensity to failure ... being on a knife-edge ... going over the brink ... obvious in hindsight ... being a snowflake ... a smashed mirror ... beyond the pale ... a broken vase ... a cracked egg ... a step too far ... uncertainty ... snap! ...

Webserver problem problem

This cold Winter's Monday morning, we woke to problems accessing our server and websites. The usual turnitoffandonagain approach let us down ... and this time so has downforeveryoneorjustme dotcom: It's ironic that a web service purely designed to tell us if a website is working is, itself, at least partially unresponsive - a broken control. It doesn't even say what or where the problem might be, remaining stubbornly stuck at "Checking server. Please wait ..." Ping and tracert indicate the server is still sitting pretty on its Internet perch, so my guess is something bizarre going on with the webserver, possibly an attack in progress but more likely a simple config problem somewhere along the long, long chain of links and systems between us and the server, maybe even the DNS. This is embarrassing given my professional interests, a bad start to the week, but our incident management team is on the case, tooling-up as I speak. So what can I say? Normal service will b...