Practical Measures

---------- Warning - Long Post -------------- Our CSE, Kat Lind, has been working with a high-level group from our Global Security Watch for many years. The last 12 months have been especially challenging for our personnel, due to the high number of requests for risk, disease spread, business continuity planning, and other risk projections and mitigation strategies. 

As of today, we have run over 320M models to try to help government agencies and ministries, businesses, and other organizations try to clarify the challenges that we face today. Most of that data and the findings from the analyses are confidential. However, there are some cases that allow us to pass the information on to others. 

What follows is a document that our CSE composed that we can share, although there was some pushback initially against just handing the info out. None of us at SIL are medical specialists. We work with data. To us, the data speaks for itself. We do complex modeling, millions of analyses every year, and have for decades. This information is what we are working with for ourselves and our families. We hope that it will provide some of you with another source of thoughtful input.

-----------------------------------------

I was asked by the high-level Security Council to which I belong to put together a set of policies and procedures for individual households dealing with the growing pandemic. Taking input from the rest of the members of my global security group, I created a set of policies and procedures that would be put into place for my own household. Some of them may not work for you, but the reasons behind each one come from people who are experts in the field of infectious diseases and different types of vulnerabilities.

Although I was maneuvered into producing the document because of the many things I write during the year, several other reasons were used to convince me to tackle something that is going to be an effort that will bring arguments and criticisms rather than thanks.

The write up I was asked to do was for those in our population that not only wanted to be given something that would help but told plainly what was the reason behind the suggestion.

I want to clearly state here that I am not a medical professional. I am a security person, someone who models complex situations, such as security incursion patterns, impacts on businesses of natural disasters and new products, or contagion models that examine marketing trends and the spread of diseases. Generally, I get a lot of data and put it together, before analyzing it for vulnerability and probabilities.

Translated into ordinary, everyday language, that means that I am used to talking to real people, rather than just to those with science degrees. Much of what I have done for decades is to translate the highly technical into something that makes sense to the people making decisions.

My security group told me that my ability to translate from that complexity into something that would allow people to make decisions is precisely what they needed. When they requested that I do this write-up, they told me they were going to use it within their organizations and governmental bodies. When I told them that I was just going to put it out on my own social networks, they were surprised and, in some cases, distressed.

Their immediate feedback was that it would be irresponsible for me to take a document that I was supposed to create for everyday people and pass it out to those same ordinary people. I told them that it would be the cost of my doing this write-up. The fact that none of them argued with me after that point told me something important.

None of them wanted to be in the center of the target, where people will either yell about being overcautious or argue with the writer’s qualifications. It never occurred to me to avoid writing about my thoughts or findings. How can we help each other if we are not willing to take a stand?

For those of you that either want to yell at me or argue, please do not bother. These are my thoughts, and you do not have to agree with them or obey them. But understand this, the six countries represented by my Security Council group will be using this write-up as input to some of their policies.

Many of these things that I mentioned in this document are either covered or partially mentioned in the guidelines put out by the World Health Organization and the Centers for Disease Control and Prevention. However, wading through that documentation is almost impossible for non-technical people.

Added into that information is the highly technical input of experts on infectious diseases, logistics, and military matters. Their language is all highly-couched in the linguistic form of their specialties and is not easily comprehensible for those without that background.

Doing my best to reduce the hundreds of hours that we have spent discussing this topic, beginning in late 2019 and occurring each day until now, I distilled out some physical and psychological practices. These are the ones that our collective group believes will provide some mitigation to the possible overwhelming wave of disease and loss that threatens us.

I am going to address the physical perspective first since that is the one to which most attention is being devoted.

The foremost item that had a unanimous agreement within our group is that if anyone returns from out-of-town travel, they must immediately wash all of their clothing when they get home. This includes wiping off shoes, luggage, etc. 

The reason for this is pretty straightforward. When you go into an area that is not contained within your own community, even if it is only ten miles away, you have entered an area that is under different controls and mitigation strategies than the area with which you are most familiar.

Epidemics jump from spot to spot carried by travelers. Whether it be someone who needed to go pick up a desperately-needed supply in a different city or someone who is driving a truck to deliver things to a different suburb, the danger still increases. That also means that the more places that you visit on that trip, the broader area from which you draw possible contagion.

If you look at activity closer to home, the next thing that needs to be discussed and laid down in your household was one that did not make sense to my husband. Simply stated, anyone who comes inside after traveling off your property needs to take their shoes off at the door.

Although many people have stated that the coronavirus is not transmitted by aerosol, none of my group agrees. Too many of the experts that I work with around the world say otherwise, beginning with knowledgeable concerns over two months ago

Anything that is spread in aerosol form can hang in the air for variable periods, depending on humidity and wind conditions. After that, it can fall to the ground like rain to be picked up by foot traffic. 

Your shoes are going to track through it. If you bring it into your home, you will not even recognize what you are doing or when. Taking off your shoes, there is a strong chance that sometime later, you will touch your face or, even worse, contact a child’s face

As I write this, I can look over to my entry hall and see the outside shoes set by the door. My husband has inside slippers that he puts on when he comes in. Others choose to go barefoot, thinking that it is far easier to wash feet then scrub every crevice of shoes that have trailed through who knows what.

After coming into the house and removing shoes, hands must be washed immediately. One of my colleagues who works with a similar analysis group has put a pan of water and dishwashing soap by the door. When she comes in, before she does more than take her shoes off, she uses the water to wash her hands. This has been shown to be a significant help when you are trailing some form of contagion. 

I do find it amusing that her husband does not want to follow this procedure because, and I quote, “The water is too cold!”

Enough said on that.

The next item that was simple to distill out of the mass of discussions and data is that we needed a checklist that included things like updating your will, collecting all-important relevant numbers and emails, and having something similar to a fire escape plan.

If you do not have a plan for when disaster hits, it is highly likely you will do something to make it worse. So my husband and I sat down and worked out what we would do if one of us became ill. Luckily, we have the option of isolating ourselves in a separate bathroom and bedroom area if one of us becomes sick. We can get a separation within the house and even have different air filtering systems for those regions.

We went through a checklist of things that needed to be done to minimize cross contagion, and that included chores like changing the air filters in our furnace and air conditioning units every month instead of every six months. It also included the stocking of bottled water in the house so that if one person were ill, they could receive water without needing to hand off things directly from the healthy to the unhealthy person.

Phone numbers for doctors and emergency calls are now placed in several locations. This includes placement by all of our landline phones and also exists as an online document in case we do not have routine access. Several of our close friends have also been allowed access to those documents so that if both my husband and I become ill, we have others we can rely on.

The activities in the house need to also be restricted in the case of one of us becoming ill. The worst one is there will be no hugging and kissing for a while. That does not prevent being blown kisses from across the room, but I know that it will be challenging to be separated from my husband just at the time that we most need physical and mental comfort.

Based on many of the other data and findings of my security group, I also saw that it would become necessary to plan for what would happen with our animals if one or both of us became ill. In the case that one of us is sick and the other is not, the dogs should be safe. It is still best to figure out who will care for your animals if both of you are ill.

One surprising possible concern raised by both of our infectious disease specialists was that it might not be a good idea to have an oily-coated dog run from a sick person to a healthy one. Although there has been no study done on how long the virus can exist on the coat of an animal, oils will preserve it for a more extended period than other media. 

I cannot go through a breed by breed discussion of which dogs have oily coats. That would require far more science than either I have the time to spend or frankly that I totally understand.

However, those of you with dogs know if your dog has an oily coat. None of us are worried that the animals are going to catch the coronavirus from us at this point, but we do know how stressed animals get when their owners are ill. You know they will be there cuddling up to you, and that any viral components that you cough or breathe out will likely fall on their coats.

When I was severely ill a year ago, anytime I came out of my fevered sleep, there was at least one animal tucked against me doing their best to comfort me. Those people with pets in their households are going to find that comfort important, whether they become ill or not. The companionship of our animals keeps us social and feeling loved. Both of those are very important for maintaining health and speeding recovery.

Just keep your animals clean as well as yourself. If you can, wipe your dog’s back with a wet rag and dog shampoo occasionally. It should break up the oils and address this concern whether or not it is a significant risk. 

The benefits to our comfort and calmness are more substantial with the presence of pets than without them. Even the infectious disease guys worry that they are getting too paranoid. I am more concerned with getting the information out. You decide what you want to do. Just do not let your beloved animals suffer also.

Another thing that had to change from the way it was before concerned the effects of social distancing. With the physical separation that is driven by the concept of social distancing, some of the activities that we usually would do outside of the house have ceased. It is my belief that those interactions will never again be as free as they were before this pandemic hit. However, it is essential to understand that the dearth of customary social interaction harms our mental health.

Other items on the distilled checklist included making sure that you had appropriate medicines in-house for an extended period. We researched and found out that our pharmacy had a delivery service, and many are now offering that service around the world.

The reference numbers or websites for the health resources and providers were put on our massive reference list so that even stressed or being cared for by someone else, the crucial drugs that we need can be easily obtained.

We also went through some of the less pleasant aspects of talking about possible disease and even death. That included updating our wills and documenting decisions on resuscitation paperwork. 

Although we know how to stay in contact with our children and grandchildren, we needed to leave information for others to do in our stead if necessary.

This re-examination of the pattern of our lives was beneficial in that we did it before we had to experience it. If some of those topics and procedures were not put into place before we became ill, the impact would be devastating.

The second area that needed to be discussed and agreed on concern the maintenance of mental health. Humans are social creatures, and any attempt to remove all social interaction ensures the loss of connection to reality and loss of the ability to create or motivate your own actions. 

With limitations on physical interaction, the need for activities that deal with others, whether that be online or across the width of your yard, becomes a crucial requirement to fill.

A friend of mine used to go to her girlfriend’s house once a week for coffee. Since both of them have extensive and active families, the chance of cross-contamination is high. Today, they visit each other by chairs and tables placed on their respective sides of their joint fence. Instead of traveling to each other’s homes, they take their coffee out, sit down, and talk over the twenty feet between them. 

This friend tells me that it felt very awkward at first, but now she looks forward to that day so much that she will start her day twice a week with that ritual. What I found very interesting was the change in her behavior from before they started this type of discussion and now. I had been tracking her moods and was quite concerned about her. When she began to be a little more cheerful, I asked her what had changed. When she told me about her long arms-length coffee klatsch, I thought that it was brilliant.

By changing her meeting with her friend to something that was at a very extended distance away but still visible, both of them could see body reactions and language that all of us crave as part of our connection to others. At the same time, the two of them remain at a safe distance.

My friend continues to improve and, while she is working under a massive load of tension and worry concerning her family, her overall mental tone has grown stronger. I rejoice in the fact that her smiles appear much more frequently.

Some type of scheduled activity in a person’s environment is essential to maintaining mental health. It is not necessary to have days that have every minute planned, but some structure is a foundation that many people need. 

Having days that have no reference points of attendance required or availability leaves most people floating in formless chaos that starts to erode their equilibrium. Without over scheduling, joining a group that exercises together over videoconference or signing up for story hour once a week can significantly improve not only your own stability but will affect your family’s mental balance.

It is also possible, especially with two small households, to form something I am going to call a cohort. Other terms for this type of sociological group are pod or compeer group. For instance, we have two friends that are following the same general procedures as we do to avoid becoming infected. They have been pretty much hunkered down for multiple weeks, and are not showing any signs of illness. 

They are in reasonable health, although my female friend has long-term lung challenges and would be very vulnerable to the pandemic. Between common procedures and extended self-isolation periods, we now are comfortable with visiting each other once a week to play cards.

Before you agree to form a cohort of your own, make sure that some clear rules and policies govern what you all will do or not do. That keeps your perimeters as secure as you can get them and still gives you a limited social interaction that can provide a significant benefit.

In the situation that I am talking about, my girlfriend likes to play cards but also loves to cook. Her outlet for that has become very limited since she no longer has weekly dinners or game nights where people come from all over the Chicago area.

With the formation of the cohort, she and her husband can come play cards, and she can happily create dishes for us to sample and discuss. It fills a hole in her heart while it provides comfort to all of us to be together.

Find something to do that will help someone without putting yourself in danger. Become part of the solution, rather than standing there helpless, feeling like a tidal wave of death and destruction is going to crash over you. Take some of your own power back, without endangering others or yourself.

Build a plan now before you need it. Make it one that expresses your choices and lifestyle. 

Maintain the unique things that define you, but still implement the procedures to keep you safe.

Betting Your Business - Part 3 - Other Crucial Criteria

In the first two parts of this case study, the identification of a significant business opportunity coupled with technical assets that were essential to the operation meant that choosing a platform was a necessary part of the enterprise’s viability. Solitaire Interglobal Ltd. (SIL) a knowledge that security was the primary criterion, but once the data on that essential metric was gathered, there were other requirements that had to be met.

Although it was difficult to see past the urgent need for security, including data protection and privacy, there were other high priority requirements for the new venture to become a reality. That area of platform feasibility included the capability of the selected platform to scale since the demand for capacity would have significant peaks.

Additionally, the entire area of quality of service would need to be considered since the end customer response would be driven by consistent delivery and meeting expectations of speed.

Existing streaming services have significant issues with erratic delivery, broken links, and spotty coverage. Although the proposed new venture does not share many of the characteristics of current video streaming, its reception would be adversely affected by any of those problems.

With a significant growth potential and a worldwide launch planned, the nature of an active cyber market indicated a need to balance the risk of exploding demand against an infrastructure that could quickly and easily scale to address any level of capacity demand.

Realizing that the criteria in this area addressed the raw ability to scale, financial considerations were not addressed at this point. Instead, the ability of the platforms under consideration to handle peak workload without infrastructure modification and the load thresholds that could be maintained on an ongoing basis were examined.

Additional factors that played into the evaluation in this area included any delay in supplemental capacity availability and the degree of automation that was possible to remove the human element from the execution timeline.

FINANCIAL COSTS Of course, there was a financial component to the evaluation. After all, just because it’s possible to provide a service doesn’t mean that there is a commercial justification for doing so.

There were several areas of financial metrics that were identified as critical to the decision. They can be summarized as:

• Cost to deploy the initial application in terms of weighted time expense • Cost of security, both initial and ongoing • Cost of scalability, both core and associated with growth

As with most things, the analysis showed that it is not the initial cost that is the most substantial, but the upkeep and ongoing operations financial impact. Therefore, the total cost of ownership (TCO) was the primary metric used.

RISK The perspective that SIL takes when viewing risk is that it is an accumulation of not only the possibility of shortfalls in protection, deployment, and operations, but the metric must include the scope of the impact of that failure. Given that, the risk evaluation was structured to build an accumulated risk metric that would provide the decision-making team with a consistent and useful criterion.

Since SIL risk analysis is built on an actuarial basis, the extensive data reported by SIL customers and participants in GSW was used to create that complex probability matrix. With an excess of 164 million discrete data points, each of the possible platform solutions received intense scrutiny.

RISK-BASED SOLUTION FILTERING SIL works with millions of model requests every year. One of its strengths is the massive database the covers the aspects of risk and behavior. Any time that a SIL model is requested, that ocean of data is mined for possibilities. Over 50% of these predictive models start out with more than 500 options.

Depending on the parameters set by SIL customers, the field is narrowed down to a more comprehensible number of scenarios before being further culled. This is a process that is executed hundreds of times per day in the SIL analytic labs.

This standard SIL process produced an initial field of 712 possible scenarios for internal SIL consideration. After the first round reduction, 137 were left. These included on-premise infrastructures, public cloud solutions, MSP offerings, and hybrid cloud infrastructures. All of these options were modeled to build comparison points. The consolidated risk rating was used to do the first level cut.

Any scenario with a risk rating of over 15 was deemed unacceptable, and anything rated more than 10 discarded as significantly high risk. The general risk metric for the solutions can be seen in the chart below.

All of the solutions that exceeded the threshold for high risk were eliminated, and only those that were medium to low risk were considered.

This group of shortlisted platform solutions included only five scenarios. Each of these was reviewed in more detail.

None of the solutions presented a low-risk profile. This was not unexpected since the venture being considered was a significant paradigm shift in both the streaming and entertainment environment. In any new creative endeavor, there is a considerable element of risk, and that was not ignored when building the evaluation profile.

However, the platform contribution obviously needed to be minimized, so that the overall feasibility of the project was not additionally burdened.

The evaluation committee found it extremely interesting that all of the shortlisted scenarios shared key components that addressed security and scalability. To differentiate among the options in this group, the secondary criteria would have to be factored in, but first, verification of operational abilities was required for the first two areas.

Coming up next, Results

Depression is like a bruise that never goes away. A bruise in your mind. You just got to be careful not to touch it where it hurts. It’s always there, though.

Jeffrey Eugenides (via quotemadness)

A beautiful and evocative way of saying something that millions of people deal with every day.

Search for a Safe and Scalable Platform

Thousands of companies make decisions every day on where and how to deploy new features of their operations and sometimes are lucky enough to explore totally new ventures. Usually, Solitaire Interglobal Ltd. (SIL) is involved in this type of decision-making only in modeling the opportunity, risk, and cost of proposed solutions.

In early 2018, however, SIL found itself in a different position. Intellectual capital that had been developed over the last several decades coalesced with market opportunity, and SIL’s internal analysts identified a possible new, disruptive technology that SIL was uniquely positioned to deploy. The decision was made to investigate this using SIL’s normal processes. In the first step, opportunity and risk projects are always analyzed against a tremendously large, multi-petabyte database. This allows weaknesses and strengths to be quantified and supported.

Additionally, since SIL has been running Global Security Watch for more than 23 years, exhaustive business risk information was available to mine for crucial nuggets of information. The resulting data on security, financial impact, longevity, and broad risk allowed SIL to evaluate the opportunity.

With extensive supporting detail, SIL’s strategic committee came to a quick decision to proceed and attacked the next step of critical thinking.

This next step was the establishment of the criteria. The individual metrics clustered in four primary areas.

Security

Platform Feasibility

Financial Costs

Risk

It is not surprising that this list looks like a summary of many articles that are written today about doing business over the Internet. The number one area is security for most digital marketplace organizations. This goal encompasses the safeguard of uninterrupted business operations and exclusive control of proprietary digital assets.

Only after that primary requirement is assured our metrics for feasibility, finances, and general risk pertinent.

In the process of choosing a safe and scalable environment, SIL experienced firsthand what thousands of their clients have been living each day. It was an exercise in empathy for many of SIL’s analysts, with remote analysis colliding with practical business considerations.

The resulting guidelines and best practices that were derived from both the extensive analytics and SIL’s business experience have been used to construct a multipart case study that hopefully will provide some guidance and other organizations search for a secure, efficient, and effective platform for deployment.

CyberBusiness – Impacts of Encryption

Up to now, the implementation of substantial encryption as a form of asset protection has been limited by several things. The first of these is the sheer amount of resources that are required to encrypt the data in the current technological environment.

In general, cryptographic engines tend to be somewhat slow. The decision trees within the algorithms that drive the encryption are by necessity complex and mutable. Therefore, organizations have made the decision to minimize the amount of encryption that is being done on their data in order to meet service level agreements and other performance metrics.

The other bar to widespread encryption has been the cost. When calculated as part of TCO or by cost allocation based on system activity, encryption has been an extremely costly feature to implement and maintain. It is not just the expense of the hardware and software necessary to drive the encryption, but the fairly significant amount of personal time that is required to determine what is to be encrypted and the basis for that encryption.

With cryptographic engines that are tied to human input for decisions, the flow of encrypted data has been an exception pathway that interrupts any application’s straightforward activity. That extra component within the processing stream causes a significant delay and requires a fair amount of care and tending on an ongoing basis from knowledgeable personnel.

There are exceptions to this state. The large majority of mobile devices, such as phones, use fairly widespread encryption to protect their data. This process is built into the ongoing operations of the device and does not require any significant hands-on maintenance, nor does it appreciably degrade performance. This enviable position is in part due to the smaller volume of data that is being handled on the devices. Where data strings are fairly short, the necessary bandwidth within the device to perform the encryption is proportionally smaller, resulting in lesser performance drag.

The other major contribution to the ability of the mobile devices to maintain encryption protection is that the cryptographic process is built into the operating system. This means that there are no independent decisions that are made whether to encrypt or not, the data is simply all processed. This is not to say that there is no at-risk data on a mobile device. Especially on those devices that have been unlocked, or have an open operating system, there is a fair amount of hacking activity. However, the more closed operating systems, such as iOS, maintain a high level of encryption and do so in a cost-efficient and timely manner.

The result is that there is more encrypted data carried on cell phones then there is in data centers around the world. One could argue that more attention is paid to protecting the privacy of the individual than is applied to the protection of corporate and organizational assets. The contravening argument is that business runs on cost-benefit analysis. When risk and benefit are balanced against exposure, most frequently the cost side wins out.

The rise in concentrated hacking has changed that consideration. Where the probability of damage, theft, or subversion is low, the prudent business may very well not consider encryption a significant factor. However, with the rise in incursions and associated damage, the business case has shifted.

The average overhead for security perimeter defense capacity consumption has gone from less than 2% 10 years ago to as high as 68% in the global market today. Reevaluation of the cost and risk analysis is needed. Normal planning parameters are breaking as organizations’ ability to appropriately tabulate and evaluate risk is crippled by lack of data.

Executive management cannot adequately set strategy, control finances, and deliver services without protection for its assets, or valid data feeding its decisions. That horrific exposure can be seen easily by looking at the 2017 market. News and articles call out organizations that have been caught short in this position almost every day. Choices that would have been reasonable five years ago, in a less combative environment, are naïve in the cyber business world we are living in.

The changing paradigm that is being demanded is one that alters the way organizations evaluate risk. With the combination of passive and active risk, a better understanding of vulnerabilities and exposures can provide important input to critical thinking. Additionally, shifting from a focus on perimeter defenses to one that incorporates both perimeter and internal defenses has become cost justified, even with the current state of encryption.

The challenge is for the technology that supports cyber business to expand its offerings in a changed universe. To develop the technology and the mechanisms that will allow data at rest to be protected.

Eventually, all perimeter defenses can be breached. That may be from an overpowering attack of rapidly changing threat directions, deception vectors, or even personnel subversion.

When the castle walls are broken, and the cyber barbarians storm through the breach, will they find your organizational assets lying there ripe for the plucking? Or will there be another layer of defense that is carried out automatically, irrespective of application, irrespective of other budgetary considerations? Will your data be encrypted and of limited use, or will be there for theft and damage?

Cyber business is at war, and your assets are at risk. How are you going to protect them?

CyberBusiness - Altering the Face of Risk

Splitting the risk profiles between operational and security is necessitated by the significantly different factors that build the risk profile. Operational risk still has the same metrics and input that are present in a non-cyber business for the most part, but security risk has a far different shape. As discussed before, this is the difference between passive risk calculation and the type of risk one calculates in an ongoing war. In all cases, the risk is calculated against experiential data, and that is crucial when it comes to cyber business. Analyzing security risk for cyber business means that characteristics or aspects of the security set up, techniques, processes, and personnel all need to be considered in the analysis.

While some of these trackable characteristics are commonplace and similar to other forms of organizational analysis, there are some that require more discussion to fully understand. One of these is security complexity. This term loosely relates to the number of differentiated pieces, or “moving parts,” that are present in a security practice, and that must work together smoothly to achieve an optimal protection.

Aspects of security complexity that have been tracked by SIL for decades include the topologies of protection and process within organizational security practices. Simply stated, this is the ongoing monitoring and evaluation of an organization’s ability to protect itself, as delivered in infrastructure and baseline forms, coupled with add-on layers that form the remainder of the strategy of asset protection and operational continuation assurance. In this perspective, what an organization has to start with and what it has available to build with are important distinctions to effectiveness, as well as the costs and vulnerability profile that results.

As the face of computing and business has changed over the years, so have the available options and strategies for deployment in the security arena. Advances in threat detection, threat containment, and damage remediation have been an increasing focus of a large segment of the digital community for many years.

Only in the last 4-5 years has this concern been percolating up to the executives that set organizational strategy. A large number of well-publicized incursions and the significant cost of the remediation has translated technical threats and risk into the financial profile that most executives expect as input to the decision-making process. That translation has raised the profile of security to the C-suite.

The number of incursions is skyrocketing, and the acknowledged damage to organizational operations and revenue is growing even faster. Comparing the monthly count and cost of these incursions with those reported 10 years ago against today from the worldwide Global Security Watch (GSW), organizations are experiencing roughly 1750 times the number of attacks and are coping with over 760 times the financial impact.

Despite rocketing staff needs for security personnel and exploding security budgets to pay for new types of protection, the warfare that is being conducted on the pathways of cyberspace shows no sign of resolving or going away. Adding more layers of protection does not appear to be the answer. The very presence of the layers increases the number of vulnerability points to the organizational armor. Anyplace that multiple applications need to interact presents a possible entry for an informed cyber criminal. Granted, the new layers have previously unknown entry points and therefore can be a significant delaying tactic when fighting in this type of war. However, eventually, each of those vulnerabilities is found and exploited.

Adding to the confusion, the complexity of all the security layers create a complex management challenge for personnel. Additional layers = complexity, complexity = chance of error, chance of error = increased breaches. As the complexity goes up, efficiency and productivity go down. There are more human errors and increased difficulty in integrating packages and applications later on. This is a design architecture that is ultimately doomed to fail.

There are brilliant minds that have been struggling with this problem. Their efforts have resulted in increased efficiency of the bolt-on security and innovations in management visualization. Service organizations have sprung up all over the world to assist in threat detection and patterning. Unfortunately, this is not altering the face of the cyber warfare that is being conducted against every business on the Internet.

In fact, the good guys, the businesses trying to maintain operational integrity, are losing ground.

Recently, at a symposium for security strategist and innovators, this very topic came up. There is no dispute on the tracking numbers because everyone there knew that the pattern was real and that the problem is not only immediate but becoming more critical. Most of the discussion circled around a rather plaintive question, “So what do we do?”

Obviously, doing more of the same is not working and will not work in the future. In fact, the more heavily an organization invests in layers of protection, the more difficult it will be to actually operate as a business on the Internet.

When situations like this have come up in the past within the digital world, the same pattern of escalation and stress has occurred. Smaller versions of this type of pent up problem analysis and breakthroughs have been seen and associated with similar fields in the storage arena and in the advent of multithreaded computing topology in recent years. In each case, what has been required to get to the next level has been a fundamental change. Not a change to the adaptive technologies that are applied in layers. Not a change to a specific tool. Instead, it required something that shook the foundation of the field.

What would be a fundamental change to the field of security? What would radically change the balance between the attackers and the attacked?

It would seem that the seeds of this type of change may have already been planted. In a test field in an incidental position, perhaps this change is being played out right now before our eyes and ears. Perhaps we just haven’t learned yet how to apply it and how to incorporate it.

Encryption. Today, at this moment, the encryption of data and transactions is occurring every second of every day, all around the world. Not so much in the data centers and information handling locations, but in some of the mobile devices.

In fact, a much larger percentage of the data handled by our cell phones and tablets is encrypted than is present in transit to or at rest in our data centers or laptops. The default level of encryption on that variety of places is surprisingly and substantially different. When a broad base of cell phones, tablets, data centers, and laptops was examined for encryption and security, the comparative results were surprising. The 6.8 million platforms compared showed that even with the presence of the unlocked and more vulnerable Android devices added in, data and transactions are up to 25 times more likely to be encrypted and protected on the cell phone sitting in your pocket than your business financials sitting in the cloud.

Similar findings showed that encryption of processes, transactions, metadata, and data storage are all likely to have a foundational protection on your mobile device. The word here that is important is “foundational” because it means that without any additional layers of protection, without any extraneous effort, that information is harder to subvert, steal, or damage.

The drive to support consumers, most of whom are not highly technical, at least when it comes to security, has created a different approach to cyberwarfare, mobile style. The creation of a foundational protection with the use of encryption is not a new idea. It is one that has been known for a long time to be very successful. Some portions of encryption within an operating system have been employed as part of mainframe architecture since the 70s. Even though the reason for that encryption was not driven by a need for protection, its genesis as part of the foundational control of an operating system serves two purposes: operational mechanisms and intrinsic protection.

Other architectures do not employ that type of mechanism in the normal business world. Since the concept of foundational encryption is neither unknown nor impossible, up to now, the detrimental factors have been the expensive and the adverse impacts on performance and speed.

At a point in time when performance degradation from security layers is approaching 38% in many organizations, and where the cost of security has increased by two orders of magnitude in the last seven years, perhaps it’s time to reevaluate the approach to security. To look at fundamental changes, foundational changes, that will change the battlefield.

Change the game. A shift from a barely encrypted, multilayered environment to one which has a foundational encryption mechanism is a branch point for the security path that the industry’s feet have been on for many years.

If the creative investment from the innovators in the security field and the experts in operational encryption can be directed toward creating an all-encompassing encryption, a more pervasive one, the simplification of security processes and vulnerabilities would provide relief to organizations desperate for assistance. It would fundamentally change the risk of doing business in cyberspace.

Risk and benefit. These are things that are examined every day by every business to evaluate which way to go, what decision to make. If the paradigm shift is being considered, the cost and the risk need to both be addressed.

Given foundational and pervasive encryption, how would the risk profile change? Where would the cost come from and how large would it be? This becomes the bottom line business justification.

<<< >>>

This post will continue with CyberBusiness – Impacts of Encryption next week.

CyberBusiness - Components of Risk

To understand risk on both a strategic and tactical basis, it is crucial that the right elements of risk be considered. After all, basing decisions on scant information does not provide the solid foundation that an organization needs to exercise good judgment.

The factors that go into a risk evaluation basically fall into two camps: the benefits or opportunities on one side versus the possibility of failure, and the cost of that failure, on the other. Ultimately, risk evaluation is the balancing of pros and cons, where both sides are adjusted by the level of acceptance of probabilities within an organization.

Another dimension is provided by the depth of data that is used to build an understanding of those pros and cons. In many cases in which SIL has been involved, multimillion dollar decisions have been based on a risk profile that was built with anecdotal or personal information. In some cases, that experiential base has been less than five projects. This simply does not provide a strong enough statistical base on which to do an analysis. The variance between projects tends to be large when considering just a few situations. Only when a large number of data points are used as the basis for decisions can the random vagrancies of individual project situations be filtered out.

The possible scenarios need to be viewed with both costs and risk associated, since many times the lowest cost may imply higher risk exposure. Risk occurs in different facets of cyber business since so much of its source stems from cyber attacks. To account for the different profiles, SIL examines operational and security risk separately. Those profiles have different contributions and dimensions that help clarify the business decisions that must be made.

SIL defines risk in three main venues for operational risk:

•         Percentage chance of component failure - This identifies the number of times that a similar scenario has been recorded with a specified component failing (without modification) within the entire SIL experiential base.

•         Percentage chance of budget or timeframe overrun - This identifies the number of times that a similar scenario has been recorded to exceed the planned budget or implementation schedule within the entire SIL experiential base.

•         Potential exposure, expressed as a percentage amount of overall budget or timeframe overrun - In the cases where a budget or timeframe overrun has occurred, this value identifies the average percentage of that overrun, as calculated against the full cost (in the case of a budget overrun) or the number of personnel hours (in the case of schedule overrun) within the entire SIL experiential base.

This type of risk centers on the ability of the organization to run its business in its normal operational mode, endangered by demands on capacity, equipment failure, etc. It does not account for an active adverse attack, such as is presented by hackers, criminals, and others interested in the destruction of data, theft of intellectual property, or other incursions.

Operational Risk Evaluation

Security risk analysis incorporates and considers the active warfare aspects of risk. The factors and components of this exposure can be grouped into three main aspects, but differ significantly from operational risk. The security component classes are:

•         Percentage chance of protection failure - This identifies the number of times that a similar scenario has been recorded with a specified component failing (without modification) within the entire SIL experiential base.

•         The potential scope of overall revenue impact – This identifies the average impact of incursions to organizational revenue within the SIL experiential base.

•         The potential scope of customer remediation – This identifies the average cost to offset customer damage due to security incursions as a percentage of organizational revenue within the SIL experiential base.

The risk analysis incorporates those contributions that are associated with each option, including the current strategy at a specific client. The comparison to baseline is crucial since many organizations forget that their existing path also contains uncertainty. Therefore, risk evaluation needs to compare the new possibilities with the current reality.

SIL normally sweeps in information from a large experiential pool that spans at least the last 24 calendar months for each option. This focused, moving window of comparison provides the optimal view on a rapidly changing market and technology base.

The security risk profiles have significantly different footprints. The ratings in this area are complex assessments of the proven vendor response in the security arena and are comprised of best practices, underlying architectures, and many other factors.

Security Risk Evaluation

A consolidated risk profile shows the accumulated picture of the risk that balances off any possible expense reduction. Since it is an increasingly common tactic to set aside funds to cushion possible incursion costs, the risk profile should be seen as an indicator of the size of such an offset.

Composite Risk Summary

There are no organizations that operate without risk. Risk is an ever-present specter that haunts executive’s dreams and brings indigestion to security personnel worldwide. Determining how large that risk is, how wide the exposure, is changing quickly as more organizations move a significant portion of their business to cyberspace.

The drive to compete is overwhelming, the need for a change in risk evaluation desperate. Organizations need to understand risk at a business level. Not bits and bytes, no speeds and feeds. Strategic management is focused on how to drive the business, as well as what will help to mitigate any risk identified.

By supporting strategic decisions with substantive data, better choices can be made. These will not be perfect but they will be far better than guesswork and conjecture. The passageway will be smoother and the success rate higher.

Are there significant changes that will radically alter the shape of the risk base? The whole cyberbusiness ecology has been pummeled with incremental advances. Smaller improvements to the market overall, even if some are significant in specific areas of technology, services, and approach. This type of chaotic pattern has been shown again and again to presage a larger, more pervasive paradigm shift.

What will that change be? How far-reaching will it become?

<<< >>>

This post will continue with CyberBusiness – Altering the Face of Risk next week.

Social motivation for cyber attacks is on the rise. Ignore the social protesters at your peril. Believing that hacktivists are less able or less dangerous is a sure recipe for disaster. http://www.sil-usa.com

Unbiased and data-driven SIL's modeling is unique in the combination of extensive AI tech coupled with holistic data from over 19K different ongoing sources. See what questions SIL can help you answer! http://www.sil-usa.com

One of the most significant problems in the movement to CyberBusiness is the education of and communication with the executive management of an organization. SIL addresses this every day in its reports and analyses. Many of those reports address similar information shortfalls. As a result, the Chief Systems Engineer at SIL, Kat Lind, has authored a series of Executive Briefing books to provide our customers, and others in similar situations, with succinct and unbiased information on key aspects of crucial CyberBusiness topics. The first of the series, CyberBusiness and Security: Justified Paranoia is available now from Amazon.

SIL is pleased to announce the launch of a website focused on the needs of the SMB business world. Whether you are thinking of starting a new business or expanding into a new market, the targeted services that are offered thru SBS will assist you in many ways. Services that address needs for business case development, targeted analytics, and semantic analysis have been gathered together for easy selection. Based on SIL's core AI and predictive performance modeling, these services deliver the same rapid and accurate information that thousands of SIL's customers have seen over the years.  - See more at: http://sil-usa.com/index.php

Great application of the extensive database and applied intelligence that is used for larger strategic marketing efforts! Love that it can be used for specific people in addition to large companies.

Semantics for Creatives

The SCARE Social Media Beta program will start in 7 days! Tracking the effects of AI #semantics for indie authors, filmmakers, composers and other artists! Match your art to your audience! #CreativeSense http://sil-creativesense.com/index.php?route=journal2/blog/post&journal_blog_post_id=29

The shift from IT-originated security risk assessment to requests from the business side has been definitive over the last several years. It clearly shows the increased scrutiny that executive management is performing on security. In the first six months of 2016, we have run over 2.4M models on security, compared to a total of 704K all of 2015.

The split between the traditional IT requests and those that are coming from business is changing considerably also. In 2014, the split was IT 90.84%, business 9.16%, 2015 adjusted to 84.33% versus business at 15.67%. This year, we see IT at 53.67%, narrowly beating out the total from business sources at 46.26%.

That is further changing since, for the first time in the 20+ years that SIL has been tracking security incursion and data, June 2016 had more business requests for security risk assessment than those coming from IT.

Changing View of Security - Mid-Year 2016

We have just passed the midway of 2016, a time of evaluation, planning adjustment, and contemplation. At least it is for SIL. One of the most significant things that we examine at this point is the volume of models and the composition of the model types and sources that have occurred during the first portion of the year. The driving reasons for this are twofold. The first is that this allows us to modify and tune our AI processing to better fit the current demand. Since as humans we are constantly evolving, so does our business environment. SIL continually upgrades and enhances its AI processing to match that changing ecology. The second reason is that we want to make sure the trends that are starting to emerge during this portion of the year are understood. This enables us to provide that information to those that are asking for models, reflecting a better and more complete picture of the complicated world in which they operate.

 After the explosive growth in overall models that occurred in 2015, our expectation was that there would be significant demand increase in 2016. The projection was that this would be as much as twice as many models requested in the first half of 2016 as compared to the first half of 2015. The actual volume is very far from that mark.

 Our overall model count has already been exceeded by a factor of three compared to the entirety of last year. The largest single source of that growth is security. An increasing number of requests have been originated from the business side of the organization, where traditionally IT has been the source of such engagements. The information profile is slightly different, which is understandable based on the differing perspectives that business management has from the technical aspects of asset protection.

 Executive management is being held responsible for more security aspects, both on a personal and professional level. This is reflected in increased volatility of executive employment based on adverse security events. In the first half of this year, a 73.2% rise in executive termination demonstrates the very real implications of this evolution. So security has become a very real and personal topic for a new group within an organization, one where the risk is measurable and high.

 If the IT department within a business is considered to be the first line of security, the secondary ring can be viewed as the executive management. The shift from technical security to security ramifications is just the beginning of a more far-reaching change. Some of the ripple effects that are echoed throughout worldwide business can be seen in the growth of model requests from organizations that could be considered to be the third tier of security. The most notable are the assurance companies that provide cyber-crime insurance.

 Requests to SIL for security risk and exposure models by insurance companies has grown by 742% in 2016. The implication of this shift in a highly conservative business segment is a key indicator of larger changes to come. With the very substantial costs of incursion remediation and the massive effects on intellectual capital and operational consistency that have occurred, assurance and insurance organizations will be forced to evaluate more accurately and audit security posture, governance, and execution as time goes on.

 It is very understandable that more organizations have heightened focus on security aspects. Even with many types of incursions going undiscovered and unremarked, the number of reported incursions into the SIL Global Security Watch has seen an exponential growth. Based on the midyear point, that pattern of increase will continue.

As we move into the second half of 2016, our SIL market behavior models predict a continuing shift in how security responsibility is distributed within an organization. Based on the pattern of growth that we have been tracking for over 20 years, we expect 2016 to exceed 7 million models for security alone. Think about that for a moment. This means that the roughly 4,900 ongoing SIL customers and the active Global Security Watch members are requesting security models more than twice a week, every week. That is a lot of attention on a single aspect of business operations.

 The increased vigilance that is necessary for an organization to operate in today's world is a burden on all aspects of business. With SIL continuing to gather data and to analyze the trends and patterns of criminal activity against organizations via cyber warfare, we expect to see higher volatility, increasingly damaging incursion effects and the result of an adversarial business environment within the Internet.

Cyber business today has gone from a practice of evaluating “acceptable loss” to one of “unacceptable exposure.” When executives are held personally responsible for adverse security events and insurance companies begin to require oversight into security practices and implementation, asset protection has shifted to an organization-wide concern and management focus.

Semantics

Connecting market behavior with the characteristics of successful and unsuccessful market offerings can be an impossible task for many organizations. The lack of knowledge in this area means that an organization does not understand what contributes to a successful sale. While it is easier to capture quantitative metrics, such as cost, frequency, etc., many qualitative metrics require a different method of extraction and measurement.

This area of knowledge can be referred to as semantics. The extraction of cognitive and emotional characteristics is the first stage of semantic analysis, sometimes labeled as sentiment mining. In the next step, characteristic identification processes build a multilayered definition for the extracted component. Using this set, it is then possible to construct a sophisticated model to discover the correlations among the nature of the offering, the market behavior, and desirable results.

Some of the dimensions that have to be accommodated include market saturation, social inertia, collaborative referential ties and contagion times. These technical aspects produce some very useful information for an organization, ranging from increased profitability and sales to better strategic planning.

The applications that benefit from the semantic analysis are extremely widespread. The ability to target creative work for specific audiences is one of these. By extracting the characteristics of the original work, it is possible to better select the audience. Conversely, if the components of the work are not in line with the planned audience, either the audience focus can be altered, or the work can be modified to better resonate with the desired audience. Imagine being able to know ahead of time if a particular author’s book will appeal to a significantly large audience. Or even if a poorly selling book can be effectively modified to sell better.

Many of the 120,000 semantic analyses that have been performed by SIL over the last 35+ years has been focused on technical applications of semantic analysis. Strategic marketing has only been one area, while the effectiveness of communications, ease-of-use, merger and acquisition risk mitigation, code performance, and many other business challenges have benefited greatly.

One of the biggest challenges with applied semantic analysis in the current business environment is that very few people understand either its value or the complexity of the work that has to go into such an analysis. The key to all semantic work is data. Without large masses of data to extract accurate characterization, the results of the semantic analysis can be misleading. However, with a significant amount of data and highly capable intellectual capital, semantic analysis can connect the knowledge of yesterday with foreknowledge for tomorrow’s success.

CyberBusiness Demands Change from Executives

Conducting business in cyberspace is not getting easier. The situation is exacerbated by a significant change in how new and evolving technologies are incorporated into the organization. In general, the cycles of adoption for new technologies follow recognizable patterns. You have the early adopters, the progressive group, the reluctant acceptors and the reactionaries who only go if they are forced into change by pressing business need. The waves of adoption are difficult enough when there is a single technology that has to echo through the marketplace. Unfortunately, cyber business isn’t a matter of a single adoption cycle. The high rate of evolution in this new type of marketplace means that an iteration adoption form is required, rather than an isolated cognitive adjustment.

Security personnel are accustomed to this iteration form while businesspeople normally are not. This mismatch in expectations and necessary workload structure and decision-making is partially to blame when communication between security experts and business executives becomes contentious. When the executive management is expecting decision-support information to be clearly delineated for cost and benefit, that form is the expected input to organizational, critical thinking. That paradigm is endangered when the data is mutable and fluid, rather than consistent and structured. Hitting a moving target is not an acceptable method of operations for most organizational executives, and is in fact highly discouraged in most acknowledged management philosophies. But that very fluidity is the basis for asset protection in cyberspace.

The changing paradigm of business conducted in cyberspace, or cyber business, is a larger challenge than many organizations fully appreciate. Business analysis for cloud adoption, deploying additional customer-facing applications, and integrating collaboration among employees, vendors, and end-users, fails to include the change from an environment that expects “once and done” to one that is in constant flux. The struggle with this changing paradigm is apparent in that many organizations still penalize executives for not having a complete information framework before decision making. The idea that those decisions have to be not only made initially but updated, again and again, is tough to grasp for those transitioning to cyber business. A correlated challenge is finding management personnel that understand when to reevaluate and make new decisions without impeding business operations. The net effect on security in cyberspace is immense.

Successful cyber business means that organizations are not only operating in cyberspace but have adopted an agile operations environment and have employed a fully functional cyber warfare department, otherwise known as security. The most efficient, profitable and dependable businesses in cyberspace are those that have successfully changed their operational paradigm to incorporate all of those aspects.

The foundation on which cyber business is built starts with architectural layers. This includes the physical platform that hosts operational and data assets, the operating system and virtualization technologies that create the interface between the base machine and executing applications, and the application components that provide the services promised within the business structure. Application components have many aspects. Those include database management systems, file structures, security protocols, etc. Each layer backs the overall protection of, or risk to, organizational assets. The contribution of each layer can have a significant effect on the ability of the organization to successfully protect its assets in cyberspace.

The base foundation layer combines the physical platform, operating system, and virtualization technology. The synergy and integration of those components have been shown to have a significant impact on the base protection capability, irrespective of additional application contributions. The different technological architectures provide initial security that varies widely in comprehensive coverage. Although it is an accepted methodology, security augmentation, or adding security tools to fulfill specific protection functions, still provides additional vulnerabilities for each augmentation component. The risk profile for amplified security schemas rises in response to the number of augmentation elements. Since some of the architectural topologies require more initial installation supplementation than others, this introduction of risk points within the security baseline is a continuing vulnerability for that organization. The tightly integrated foundation environments, such as the mainframe, provide a significantly more secure ecosystem.

The foundational security environment addresses the fundamental nature of asset protection within an organization for its cyber business. When that foundation is secure, additional asset protection is simpler, cheaper, faster and less risky. The costs, risks, exposure and other considerations are difficult to articulate in business terms, especially as agile business operations are adopted. With the changing nature of cyber business, the challenges to both security teams and executive management are substantial.

When it Comes to Security, Platform Matters!

Cyberspace is getting scary! The number of incursions that has been reported to the Global Security Watch for 2015 represents a massive increase from the previous years. The complexity of the attacks, the scope of resulting damages, and the longevity of the window of injury, are all growing. A recently completed SIL study on the general security environment showed a concerning level in the combination of ignorance, willful blindness, and overwhelmed security personnel. This study, based on multiple millions of reporting organizations, highlighted some absorbing factors. Some of these are only apparent when viewed from a massive scope since individual comparisons of security situations failed to build an overall image of overt behavior and trends. One of the most interesting findings from this study is that the platform foundation matters. While there are many ways of augmenting security based on organizational strategy and budget, the physical platform and its operating system, provide the underlying foundation on which everything else is built.

The platform with the clearest advantage for secure operations and asset protection was their traditional mainframe. Irrespective of individual opinions on cost-effectiveness, etc., the notable lack of incursions on that platform type from anything save password misuse in the last calendar year provides extensive experiential data on the real-world experience of millions of organizations worldwide. The impact on many aspects of cyber business is enormous. While organizations may be spending a couple of hundred thousand dollars more a year on their base platform to run a mainframe, the savings in remediation, customer confidence recapture and market loss quickly erase any shortsighted cost-cutting.

Of course, specific organization practices, postures, and tactics affect the general security risk profile. However, the study has found clear delineation of the impact on staffing, risk, exposure, and other aspects of operating in cyberspace, based on the foundational infrastructure for an organization's IT.