Define what we do by what we don’t – Design Monday

“The essence of strategy is choosing what not to do.” — Michael Porter

Enzo Mari often repeated “form is everything.” The Italian designer produced thousands of works, staying active until his death in 2020 from Covid-19. Mari’s work has a clarity and cohesiveness which cyber security often lacks.

“Enzo Mari is a total work of art,” said Hans Ulrich Obrist. “Everything went together with him.” Hans Ulrich Obrist, director of the Serpentine Gallery in London, was developing a retrospective on Enzo Mari before the pandemic hit. Mari was a master of individual form and a master of collective form, unifying them into a cohesive whole. One could spend a lifetime as CISO and still not build a security program as unified as Mari’s 16 animali puzzle.

“There is only one right form, not several,” Enzo Mari insisted. To get to the essence of the form, the designer must strip away everything. Everything. The designer must explicitly decide what the design is not, in order to make the design what it is. Take the Timor calendar. Compare it to your calendar. There’s no writing in the margins. There are no tabs or colors, no holidays or birthdays, no reminders, and certainly no notifications. There is no excess. Timor is a calendar. Nothing else.

It is bold to say no. It takes courage to say what we will not do.

Suppose we are designing a software security program. For the purposes of this example, suppose we are lining it up to OWASP’s Software Assurance Maturity Model. SAMM has fifteen practices and forty-five objectives. Most security professionals would focus on getting a handful right. Most would speak loudly about what’s being done, and mumble about the objectives that are being ignored. Instead, we should channel Enzo Mari. Banging a fist on the table, we should declare which practices we will not do. By saying no, we create space and commitment. Only then can we build the committed practices, working towards something that fits like one of Mari’s puzzles.

Good security is clear about what it doesn’t do.

Obrist’s exhibition is currently on display at the Triennale Milano (Enzo Mari curated by Hans Ulrich Obrist with Francesca Giacomelli). It may be the last public showing. If Enzo Mari’s work can be defined by his declaration of what his work isn’t, then Mari’s last act is a defining one. Mari bequeathed his collection to the city under the condition that none of it be displayed for 40 years.

Simplicity in form, Timor Desktop Calendar, designed by Enzo Mari

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Tell a story with the project name – Design Monday

The city is a book of poetry writ large across buildings. Santiago, Chile.

During the mid-1990s, Santiago went through a building boom. The game was simple. A development investment project would be conceived and pitched. If enough investors were interested, the project was funded, and the building was built. An apartment building here, an office building there. And key to the success of getting funding? The name.

Rodrigo Rojas, a poet and professor, played a key role in naming these buildings. “Rodrigo was a kind of interpreter of dreams — he tapped into the psyche of what the people of Santiago wanted to become, and tried to give that a name.”

Every project needs a name. Unfunded real estate projects and security projects, doubly so. Here are a few things I’ve learned from naming projects.

Be playful and fun. In my consulting days, to protect confidentiality, we wrote a name generator. We dedicated a portion of the project kick-off to laughing over possibilities. With names like Iron Taco and Gubbins Dance, you can’t go wrong. Security needs a spirit of play.

Share the vision. “One system, one team” was what I called my DevOps and IT modernization project. The clarity of the name simplified sharing the vision and making downstream decisions.

Address concerns. When I received feedback that my approach to managing several consulting practices was too complex, I came up with a three year roadmap in three words. Simplify, optimize, expand. One word per year. We executed on this from 2017-2019, with quarterly goals reinforcing the overall journey.

We need to find the spirit of a poet when naming security projects and initiatives. Tell a story with the name. Make it fun, while communicating the vision and addressing any concerns. We can use the name to drive action.

Photography courtesy of Horst Engelmann, Pixabay

Find your own way without brainstorming or crowdsourcing – Design Monday

Imagine you are getting onto a train. Drive. Park. Traverse the crowds. Find the train. Sounds simple and, in many places, it is simple. But Millbrae Station is a difficult space to navigate. In fact, locals would tell you to find somebody to guide you. At least, for the first couple times, because it is easy to get lost. Bring a friend. Recently, San Francisco’s Bay Area Rapid Transit (BART) brought in studio1500 to design a better way.

The challenge was bigger than the space. There is an information system which guides people through the BART public transportation system. Broadly, this is known as wayfinding. Specifically, in San Francisco, this was a set of design choices made by different firms at different times. BART’s internal team would be implementing the wayfinding system at Millbrae Station. The colors, typeface, paint choices, all these and more had to come together in a design that coordinated and communicated with multiple parties. One final consideration was how the design would be kept up. Public transportation departments routinely touch up and refresh signage over the lifetime of a project.

Wayfinding is an analogy for thinking about how people navigate the various screens, sites, security systems, prompts, and challenges. Our workforce navigates wayfinding systems done by others (say, WorkDay and SalesForce) at the same time they’re working through what we control (say, VPN and SSO). A wayfinding design that spans multiple environments and has a strong need for maintainability is fertile ground for cyber security lessons.

Returning to Millbrae Station, you might expect the story to begin with a brainstorming session with the studio1500 partners Julio Martinez and Erik Schmitt. You’d be wrong. It’s cool. I was wrong, too. In fact, Martinez himself wrote: “I assumed life in a design team would be full of brainstorming sessions — mythical, lively, fast-paced meetings with brilliant ideas bouncing off multiple heads until they were captured in someone’s notebook as shiny kernels of greatness. There would be roars of celebration and laughter, hugs and high-fives, uproarious chants.”

Several years ago, I took an improv course. During my time spent learning how to Zip-Zap-Zop, I realized I wasn’t fast at coming up with ideas. Someone would shout a premise, I would freeze, and others would jump in. This wasn’t surprising. After all, I took the course because I felt slow. I decided to take each improv class twice. Double down. Work through it. And here is where I ran into a surprise. Across different classes, with entirely different teammates, with different compositions of ages and backgrounds, the exercises were remarkably the same. I froze. Others jumped in. But no matter who it was, in both classes, people made essentially the same joke.

Free association isn’t all that free. It’s bound by shared experiences and cultural expectations. 

David Palermo and James Jenkins studied free association with words in the 1960s. Simon De Deyne is studying this today. (Check out https://smallworldofwords.org to participate.) If you give someone a word, you can be reasonably certain what word they’ll think of next. Likewise, if you give someone a premise, you can be reasonably certain what they’ll improvise. Our first instincts feel creative but actually repeat what most anyone else would do. 

Brainstorming tries and fails to avoid the work of preparation and contemplation.

Mihaly Csikszentmihalyi, the psychologist who popularized the concept of flow, once said there are five stages in the creative process. This was after interviewing a hundred designers and artists, including Don Norman, so we can assume Csikszentmihalyi was on solid ground. The five steps are: preparation, incubation, insight, evaluation, and elaboration. Incubation can take days, weeks, or months. Scheduling a brainstorming session for a Tuesday at 4 o’clock, showing up, and jumping to insights feels tantalizingly innovative. But it ignores decades of research into how creative work gets done unconsciously.

Okay, but what does improv have to do with wayfinding, you ask?

“This dance between the conscious and the unconscious is important,” Martinez explained. Instead of brainstorming, they read the brief. They walked the site. Martinez made time for his observations and intuitions to gel. When studio1500 presented to BART, they came with a number of thoughtful options for the Millbrae Station. They came with ideas to discuss and build upon.

“Our approach is antithetical to the classical Paul Rand model of design. You have one idea. You show up. It is a God-given idea and it is done. Take it or leave it.” Martinez said, contrasting studio1500‘s approach. “We like to play. We like to think as we’re designing. It’s collaboration. It’s iteration. It’s actually how you figure the ideas out.”

The Millbrae Station wayfinding would go through a few iterations. The design firms working within and without gradually got onto the same page. Martinez worked to make sure the vision was translated and executed properly. This meant simplifying the design a bit, choosing colors that were more maintainable. It also meant some rework to get the typeface correct. Each change required thought, but none required a storm of ideas and flurry of sticky notes.  

Brainstorming is theater. As security theater makes us feel secure without actually increasing security, brainstorming makes us feel insightful without producing insights. 

Don’t feel pressured to crowdsource or brainstorm ideas. Prepare by setting a vision, thinking through how to protect the organization, and defining the security capability. Give it time to seep into your subconscious. You’ll be ready when the day comes for creatively defining architecture and controls.

When designing cyber security capabilities, find your own way.

Afterwards

In past articles in this series, I’ve covered four of my preferred ways for exploring problems and discovering new possible solutions. These are:

Julio Martinez recommends James L. Adams’ book, Conceptual Blockbusting: A Guide to Better Ideas. The book is now on my end table.

Bay Area Rapid Transit (BART) Map, Courtesy Wikipedia

Let’s not Become Password Huggers: Passwordless Guest Post on SC

SC Magazine has a guest blog from me on passwordless authentication, and the importance of addressing usability, manageability, and defensibility.

Change happens at an uneven pace. Take the latest smartphone. The camera still has a lovely shutter click, though digital cameras have long since surpassed shutter cameras. The QWERTY keyboard was designed to solve the problem of jamming in 19th century typewriters. And yes, to open apps and websites alike, we’re still using an idea conceived of 60 years ago for mainframes: the password.

We cling to the password. It’s security’s first, and sometimes disastrously, last line of defense. As surely as we know the camera doesn’t have to click, we know the password can be replaced by stronger factors. In fact, with adaptive and contextual controls, replacing the password means greater security and user experience benefits.

What’s holding us back from moving forward with passwordless?

Read the full article here: Three ways we can move the industry to passwordless authentication

Cyber Security Design Studies, Papers, Books, and Resources

The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.

This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Paths They Take

Number of steps; Familiarity of each step; Friction at each step.

Introduction to Customer Journey Mapping (ebook)

Flow Design Processes – Focusing on the Users’ Needs

Scientific Articles

Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y

G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976

Julia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w

Basu, R., Gebauer, R., Herfurth, T. et al. The orbitofrontal cortex maps future navigational goals. Nature, 2021 // How do goal maps guide the brain toward a destination? 

Bongiorno, C., Zhou, Y., Kryven, M. et al. Vector-based pedestrian navigation in cities. Nat Comput Sci, 2021 DOI: 10.1038/s43588-021-00130-y. // People don’t follow the shortest path. They follow the easiest path to recall and follow. That is, the pointiest path.

Li Zheng, Zhiyao Gao, Andrew S. McAvan, Eve A. Isham, Arne D. Ekstrom. Partially overlapping spatial environments trigger reinstatement in hippocampus and schema representations in prefrontal cortex. Nature Communications, 2021 // Navigating an environment that’s sort of similar but not, is harder than navigating an entirely new environment.

Choices They Make

Number of choices; Predictability of the choice; Cognitive load of each choice.

Nudge to Health: Harnessing Decision Research to Promote Health Behavior

Sludge: “activities that are essentially nudging for evil”

Intentional and Unintentional Sludge

Books

Choosing Not to Choose, by Cass Sunstein

How to Decide: Simple Tools for Making Better Choices, by Annie Duke

Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz

Think Again: The Power of Knowing What You Don’t Know, by Adam Grant

Scientific Articles

Sunstein, C. (2020). Sludge Audits. Behavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32

Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019

Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant information. Exp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.

Thomas L. Saltsman, Mark D. Seery, Deborah E. Ward, Veronica M. Lamarche, Cheryl L. Kondrak. Is satisficing really satisfying? Satisficers exhibit greater threat than maximizers during choice overload. Psychophysiology (2020). // To get past frustration, satisficers make a speedy choice instead of thinking too deeply about the choices being presented.

Stuart Mills. Personalized Nudging. Cambridge University Press (2020). // Choice architects can personalize both the choices being nudged towards (choice personalization) and the method of nudging itself (delivery personalization).

Stephanie Mertens, Mario Herberz, Ulf J. J. Hahnel, Tobias Brosch. The effectiveness of nudging: A meta-analysis of choice architecture interventions across behavioral domains. Proceedings of the National Academy of Sciences, 2022. // Over 450 strategies analyzed, with nudges across three groups: “information,” “structure” and “assistance.” Strong proof of nudging over mandates for leading to behavior change.

Gabrielle S. Adams, Benjamin A. Converse, Andrew H. Hales, Leidy E. Klotz. People systematically overlook subtractive changes. Nature, 2021. // People approaching a problem rarely think removing something as a solution. People almost always add something whether it helps or not.

Cary Frydman, Ian Krajbich. Using Response Times to Infer Others’ Private Information: An Application to Information Cascades. Management Science, 2021. // If people in a group pause when making a decision, other people are twice as likely to break from the group to make their own choice.

Narayan Ramasubbu and Indranil R. Bardhan. Reconfiguring for Agility: Examining the Performance Implications for Project Team Autonomy Through an Organizational Policy Experiment. MIS Quarterly, 2021. // More freedom means greater productivity and better customer satisfaction. By contrast, more top-down governance results in lower productivity and customer satisfaction.

Blair R. K. Shevlin, Stephanie M. Smith, Jan Hausfeld, Ian Krajbich. High-value decisions are fast and accurate, inconsistent with diminishing value sensitivity. Proceedings of the National Academy of Sciences, 2022.

Nancy Padilla-Coreano, Kanha Batra, Makenzie Patarino, Zexin Chen, et al. Cortical ensembles orchestrate social competition through hypothalamic outputs. Nature, 2022. // Study on mice to determine how the brain encodes social rank and “winning mindset”.

Behavior

The behavior we want people to perform.

Scientific Articles

Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).

Robison, M. K., Unsworth, N., & Brewer, G. A. Examining the effects of goal-setting, feedback, and incentives on sustained attention. (August 7, 2021). // Providing feedback on performance is a strong motivator and sustains attention over a longer-term than goal-setting alone.

Kevin P. Grubiak, Andrea Isoni, Robert Sugden, Mengjie Wang, Jiwei Zheng. Taking the New Year’s Resolution Test seriously: eliciting individuals’ judgements about self-control and spontaneity. Behavioural Public Policy, 2022. // “Individuals often make resolutions in January to maintain healthy lifestyle regimes — for example to eat better or exercise more often — then fail to keep them. Behavioural scientists frequently interpret such behaviour as evidence of a conflict between two ‘selves’ of a person — a Planner (in charge of self-control) and a Doer (who responds spontaneously to the temptations of the moment). Public policies designed to ‘nudge’ people towards healthy lifestyles are often justified on the grounds that people think of their Planners as their true selves and disown the actions of their Doers. However, the authors argue this justification overlooks the possibility that people value spontaneity as well as self-control, and approve of their own flexible attitudes to resolutions.”

Qi Su, Alex McAvoy and Joshua B. Plotkin. Evolution of cooperation with contextualized behavior. Science Advances, 2022.

Gareth J. Hollands, Juliet A. Usher-Smith, Rana Hasan, Florence Alexander, Natasha Clarke, Simon J. Griffin. Visualising health risks with medical imaging for changing recipients’ health behaviours and risk factors: Systematic review with meta-analysis. PLOS Medicine, 2022. // Improved visualization leads to risk-reducing behaviors. 

Barriers

Barriers preventing people from completing the behavior.

Scientific Articles

Helen Demetriou, Bill Nicholl. Empathy is the mother of invention: Emotion and cognition for creativity in the classroom. Improving Schools (2021).

Rachel C. Forbes and Jennifer E. Stellar. When the Ones We Love Misbehave: Exploring Moral Processes Within Intimate Bonds. Journal of Personality and Social Psychology, 2021 // This applies to security champion and security advocate programs. Tighter relationships mean more forgiveness, which in turn provides more room for the security team to maneuver. 

Benefits

Benefits of completing the behavior.

Scientific Articles

Nicole Abi-Esber, Jennifer Abel, Francesca Gino, Juliana Schroeder. Just Letting You Know: Underestimating Others’ Desire for Constructive Feedback. Journal of Personality and Social Psychology, 2022. // A series of five experiments involving 1,984 participants to measure how much people underestimate others’ desire for constructive feedback. People want feedback.

Flow (Concentration) 

Benefits of completing the behavior.

Scientific Articles

Gloria Mark, Mary Czerwinski, and Shamsi T. Iqbal. Effects of Individual Differences in Blocking Workplace Distractions. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018. // Security needs to be extremely careful not to overload people’s already overloaded attention. Check this for strategies people use to manage (ignore?) notifications.

Richard Huskey, Justin Robert Keene, Shelby Wilcox, Xuanjun (Jason) Gong, Robyn Adams, Christina J Najera. Flexible and Modular Brain Network Dynamics Characterize Flow Experiences During Media Use: A Functional Magnetic Resonance Imaging Study. Journal of Communication, 2021. // The sweet spot is when “activities are engaging enough to fully involve someone to the point of barely being distracted, but not so difficult that the activity becomes frustrating.”

Training (Ignorance)

Scientific Articles

Nesra Yannier, Scott E. Hudson, Kenneth R. Koedinger, Kathy Hirsh-Pasek, Roberta Michnick Golinkoff, Yuko Munakata, Sabine Doebel, Daniel L. Schwartz, Louis Deslauriers, Logan McCarty, Kristina Callaghan, Elli J. Theobald, Scott Freeman, Katelyn M. Cooper, Sara E. Brownell. Active learning: “Hands-on” meets “minds-on”. Science, 2020 // It’s no surprise that hands-on training exceeds lecture. But who does that in security? These researchers evaluate and share ways to make learning active. 

Irrationality

40 Clever and Creative Bus Stop Advertisements

Scientific Articles

Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.

Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.

Beisswingert, B. M., Zhang, K., Goetz, T., Fang, P., & Fischbacher, U. (2015). The effects of subjective loss of control on risk-taking behavior: the mediating role of anger. Frontiers in psychology, 6, 774.

Yana Fandakova, Elliott G Johnson, Simona Ghetti. Distinct neural mechanisms underlie subjective and objective recollection and guide memory-based decision making. eLife, 2021. // Memory involves both recall of specific details (who, where, when) and feelings of remembering and reliving past events. New research shows that these objective and subjective memories function independently, involve different parts of the brain, and that we make decisions based on subjective memory.

Elizabeth A. Minton, T. Bettina Cornwell, Hong Yuan. I know what you are thinking: How theory of mind is employed in product evaluations. Journal of Business Research, 2021

Adrian R. Walker, Danielle J. Navarro, Ben R. Newell, Tom Beesley. Protection from uncertainty in the exploration/exploitation trade-off. Journal of Experimental Psychology: Learning, Memory, and Cognition, 2021.

Investments

More people, better technology.

Scientific Articles

Incentives

Books

Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink

Scientific Articles

Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061

Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.

University of Pennsylvania. (2021, January 19). Money matters to happiness–perhaps more than previously thought

Johnny Långstedt. How will our Values Fit Future Work? An Empirical Exploration of Basic Values and Susceptibility to Automation. Labour & Industry: a journal of the social and economic relations of work, 2021. // A look at the intrinsic value people feel from doing the work.

Georgia Clay, Christopher Mlynski, Franziska M. Korb, Thomas Goschke, and Veronika Job. Rewarding cognitive effort increases the intrinsic value of mental labor. PNAS, 2022. // If people are rewarded for their effort, it motivates them to seek further challenging tasks that are not rewarded.

Metrics

Books

How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard, Richard Seiersen

Scientific Articles

Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS ’16). USENIX Association, USA, 253–270.

Behavior Economics

From “Economic Man” to Behavioral Economics

Related Books

  • The design of everyday things, by Don Norman
  • Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
  • Design research: Methods and perspectives, by Brenda Laurel
  • User experience revolution, by Paul Boag

Presentations

Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.

How does design apply to securing application development and DevOps? Securing without Slowing.

How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.

How does design apply to blue teaming? Design Thinking for Blue Teams.

Design Thinking for Blue Teams at Converge Detroit

Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future?

Recorded for Converge Detroit 2020

Watch more videos on my YouTube channel.

Minimum Viable Security – Design Monday

My focus on IT security began in 1997 with a malware outbreak. To get a sense of how much has changed, I checked out the (ISC)² website as it existed back then. Whoa. It’s ugly. The website and the views on cyber security have drastically improved since the nineties.

These days I regularly get asked, “where do we begin?” Privileged Access Management is supposed to look like this. Zero Trust Architecture is supposed to look like that. We only have these two things, a paperclip, some duct tape, an overworked staff, and an intern. Where do we even start?

Borrowing from the product design world, take a Minimum Viable Product (MVP) strategy. Take a limited number of security controls. Take a limited scope of people and systems. Design a security capability, implement it, and get feedback on what works and where improvements are needed. Then, rinse and repeat with refined controls and in a new area of the organization.

A concern is that this process may lead to a patchwork of controls assembled from a tangle of point solutions. Valid concern. We’ve all seen such environments. A few of us have been lucky enough to build such mistakes, and learn from them. The way to avoid this is to use a consistent set of architecture patterns and project templates. Each sprint begins with these patterns and plans. Each one ends with updating the architecture and PMO libraries. It’ll be ugly, but with a controlled process, it’ll improve rapidly.

Criminals don’t care that we got the capability perfect. Adversaries aren’t impressed with the beauty of our control framework. So toss out the textbook.

Start where you are. Dare to be ugly. Iterate and improve.

The (ISC)² CISSP webpage from 1997, courtesy of The Internet Archive.

Change Creates Adventure – Design Monday

It has been said San Francisco is forty-nine square miles surrounded by reality. Fleeing Michigan snows for a week in San Francisco leads to feeling the otherworldliness. One flight and everything changes.

In San Francisco, underneath a series of hills reminiscent of Hobbit holes, is the California Academy of Sciences. The hills reflect the structures below, such as the planetarium. The overall field forms a living roof which keeps “interior temperatures about 10 degrees cooler than a standard roof and reducing low frequency noise by 40 decibels. It also decreases the urban heat island effect, staying about 40 degrees cooler than a standard roof.” This according to the California Academy of Sciences press release from 2007.

Renzo Piano designed the building. His starting point was a question that’s delightful in its lateral thinking: “what if we were to lift up a piece of the park and put a building underneath?” In the California Academy of Sciences building and throughout Piano’s work, he returns again and again to themes of culture and change.

“The world keeps changing,” Renzo Piano said on the TED stage. “Changes are difficult to swallow by people. And architecture is a mirror of those changes. Architecture is the built expression of those changes. Those changes create adventure. They create adventure, and architecture is adventure.”

There’s a tension when designing a security architecture. The architecture must meet and mirror the culture of the organization. The design can’t run contrary to how the organization works. But at the same time, the new controls must facilitate a cultural change towards a more secure way of being. The architecture mirrors while it modifies.

There’s another tension when designing a security architecture. Ongoing change will impact how people perceive and experience security. But at the same time, the security principles and posture must remain unchanged in the face of far ranging organizational change. “Architects give a shape to the change,” Piano once said. The architecture is flexible but stable.

My last trip in the US, before the pandemic, was to San Francisco. Within a month, everything had changed. We are experiencing the greatest migration in human history. A migration from the office to the home, certainly. More significantly, a migration from the physical to the digital. We now live in 1440 square pixels surrounded by reality.  

Security architects must meet the wave of this change while holding steadfast to our security principles.

California Academy of Sciences living roof. Photography Columbia Daily Tribune.

The IDEA Behind Simple Robots and Simple Security – Design Monday

It was the early nineties when I first saw the photograph of a small robot wandering the desert. I would go on to buy the Robo sapiens book, which featured photographs from the same shoot along with more from Peter Menzel. Iconic. Simple. Inspiring and, most of all, achievable.

Robotics in the 1980s and 1990s was incredibly complex and costly. Significant computing power and sensor tech were needed to move a limb. The idea of walking robots was a dream; to some, a fantasy. Rodney Brooks had made some advances with Genghis and Attila. But these still cost tens of thousands of dollars. Such robots were available to grad students and researchers, but tantalizingly out of reach for the rest of us.

Enter Mark Tilden. The robot in Menzel’s photograph, and the rest of Tilden’s menagerie in the 1990s, had a price tag of a few hundred dollars. Many were built from scrap parts and recycled electronics. This allowed for rapid prototyping, which in turn facilitated rapid innovation. End result? Simple robots that worked. Inexpensive robots that walked.

The real lesson I took from Tilden, which I applied both when I built his style of robots and when I designed IT systems, was how to copy an idea. It works like this:

  • Identify the features that are providing the value
  • Deconstruct those into underlying principles and tasks
  • Emulate those tasks using the people and technology you have on hand
  • Act on those tasks to reproduce the effect, prototype and iterate, to develop your own way of providing the value

Tilden called his process biomimicry because the stated goal was to mimic biological systems. More broadly, applying Tilden’s process to my framework, you can envision the steps as follows:

  • Identify = Insects walk with legs controlled by a core set of neurons oscillating in a loop
  • Deconstruct = an oscillator with feedback
  • Emulate = two, four, or six inverter oscillators, or in BEAM nomenclature, Bicore, Quadcore, or Hexcore
  • Act = Unibug 1.0, seen in the photograph below

I wager this is the same process Tilden used to build unthinkable robots for a fraction of the cost using parts he had lying around. Meanwhile, in security, we’re challenged to build security capabilities with little budget using what we have on hand. This is where my IDEA method shines.

Implementing any capability reference model or framework is beyond the capacity of most organizations. So? Don’t.

In October 2019, I was in Haifa visiting the Technion. There I saw robots which mimicked the snakes that populate the deserts of Israel. The same motions that carry a snake through the desert are useful for navigating the rubble of fallen buildings and industrial accidents in order to find survivors. My mind was instantly transported back to Mark Tilden and his spare-part creatures. It struck me that Alon Wolf’s bio-inspired snakes are the technological children of Tilden’s early experiments.

By following a process that closely mirrors my IDEA model, the engineers at the Technion had created a simple, efficient, and focused device which literally saves lives. They identified an unlikely source of inspiration and deconstructed that down to its most iconic element: the serpentine wiggle. They iterated until they were able to emulate this wiggle. Then they put their invention into action: rescuing folks who would otherwise perish.

We can do the same thing in our cyber security work.

Select your reference model. (Say, for an Identity and Access Management or IAM platform.) Use the process above to see where the value is coming from. (Let’s say, on-boarding and off-boarding.) Deconstruct these down to a few core objectives. Then, see what’s available in your organization in terms of tools and techniques. Run inexpensive and quick pilots to try out the ideas and form a plan.
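As an added example (not from this post, and not a tool from any product or framework it mentions), here is what the Emulate step can look like for the two objectives named above, on-boarding and off-boarding, using only two exports most organizations already have: an HR roster and a directory account list. The record layout, the sample people and accounts, and the two-day grace period are all constructed assumptions for the pilot; a real pilot would swap in the organization’s own exports.

```python
"""
Quick IAM pilot: reconcile an HR roster against a directory account export.

Deconstructed objectives (assumed for this example):
  on-boarding  -> every active employee has an enabled account
  off-boarding -> no enabled account belongs to someone who has left,
                  and no enabled account is unowned by anyone on the roster
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: accounts may stay enabled this many days after the leave date,
# so that hand-over and data retrieval can finish before access is removed.
GRACE_DAYS = 2


@dataclass(frozen=True)
class Person:
    employee_id: str
    start: date
    end: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str  # owner recorded in the directory (constructed field)
    enabled: bool


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return the on-boarding gaps, off-boarding gaps and orphaned accounts as of `today`."""
    active_staff = {
        p.employee_id for p in roster
        if p.start <= today and (p.end is None or p.end >= today)
    }
    departed = {p.employee_id: p.end for p in roster if p.end is not None and p.end < today}

    by_employee: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)

    # On-boarding: active staff with no enabled account at all.
    onboarding_gaps = sorted(
        eid for eid in active_staff
        if not any(a.enabled for a in by_employee.get(eid, []))
    )

    # Off-boarding: enabled accounts whose owner left more than GRACE_DAYS ago,
    # plus enabled accounts whose owner is not on the roster at all.
    offboarding_gaps: List[str] = []
    orphaned: List[str] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employee_id in departed:
            if departed[acct.employee_id] + timedelta(days=GRACE_DAYS) < today:
                offboarding_gaps.append(acct.username)
        elif acct.employee_id not in active_staff:
            orphaned.append(acct.username)

    return {
        "onboarding_gaps": onboarding_gaps,
        "offboarding_gaps": sorted(offboarding_gaps),
        "orphaned_accounts": sorted(orphaned),
    }


# Constructed sample exports for the pilot run.
SAMPLE_TODAY = date(2021, 1, 15)
SAMPLE_ROSTER = [
    Person("E100", date(2020, 1, 6), None),               # current employee
    Person("E101", date(2020, 3, 2), date(2021, 1, 5)),   # left ten days ago
    Person("E102", date(2021, 1, 11), None),              # started this week
    Person("E103", date(2020, 6, 1), date(2021, 1, 14)),  # left yesterday, inside grace
    Person("E104", date(2021, 1, 18), None),              # starts next week
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True),
    Account("alice-old", "E100", False),   # disabled duplicate, ignored
    Account("bob", "E101", True),          # should have been disabled by now
    Account("dave", "E103", True),         # still within the grace period
    Account("svc-backup", "E999", True),   # no owner on the roster
]


if __name__ == "__main__":
    report = reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, SAMPLE_TODAY)
    for objective, findings in report.items():
        print(f"{objective}: {findings or 'none'}")
```

The whole pilot is two exports and one function; it tells you within an afternoon whether the core objectives are being met before any platform is bought. Note the two edge cases it deliberately handles: a future start date is not yet an on-boarding gap, and a departure inside the grace period is not yet an off-boarding gap, so the report only lists what actually needs action.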

Don’t act on all the things. Act on the right things.

Mark Tilden’s Unibug, photography by Peter Menzel.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Follow Signs of Friction to Find Security Champions – Design Monday

On a winter evening in 2014, Nikki Sylianteng got a parking ticket. It wasn’t a surprise. This was in LA where the city collects around $140 million from tickets annually. Sylianteng’s $95 parking ticket wasn’t significant and it wasn’t a surprise. But what happened next was.

When designing security capabilities, we have two aspects to consider:

• The paths people take to complete work – number of steps, familiarity, and friction of each step
• The choices people make during work – number of choices, predictability, and cognitive load

I argue that security can improve people’s work. Make it easier. Make it faster. I often get pushback on this argument, and for good reason. A very real problem is that security teams don’t have good visibility into the path and the choices. Even more worrisome, we don’t get good feedback when things are difficult or when security controls are making them worse.

Millions live in LA. Hundreds of thousands get tickets in LA. One person gave feedback with a solution.

Why? It is the same reason the workforce tolerates bad security controls: habituation. People get used to it. They become blind to the annoyances along the path they have to take to complete their workflow. Listen for these tell-tale phrases:

• That’s just the way the world works
• We’ve always done it this way
• Things could be worse

That’s an indication of a workflow that security may be able to improve while also increasing security. There lies habituation. There lie unnecessary steps or choices. There lies an opportunity to improve the path. But we need a partner on the inside, someone who can see beyond the habituation, someone who has what’s called beginner’s mind.

This is what drew me to the story of Sylianteng and her parking ticket. (Listen to Nikki Sylianteng tell her story herself here.) She didn’t accept the ticket. She couldn’t accept the way the parking signs were. She launched To Park or Not to Park and radically redesigned the parking signs. She has since created tools that anyone can use to create their own simplified parking signs.

Imagine our security goal is parking enforcement. Our control, the parking sign. Four million people in LA see the signs. Some follow them. Others don’t. Only one person actually says this is a problem, and takes it on herself to correct the problem. Do we embrace this person? Well. We should. According to Nikki Sylianteng, her new approach “has shown a 60% improvement in compliance and has pilots in 9 cities worldwide.”

Find those with a unique combination of beginner’s mind and desire to make a change. Embrace them. They are your security champions, and by working together, leaps in adoption and compliance are possible.

Before and after Nikki Sylianteng’s parking sign redesign.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.