Tuesday, June 11, 2013

Book Review: The Millionaire Next Door

The Millionaire Next Door: The Surprising Secrets of America's Wealthy


by Thomas Stanley, William Danko
Narrated by: Cotter Smith
Publisher: Sound Ideas
Total Length: 8 Hours, 50 Minutes
Date Published: June 24, 2008

Publisher: Taylor Trade Publishing
ISBN: 978-1589795471
Number of Pages: 258
Date Published: November 16, 2010




Each time I interview someone for an opening that I am trying to fill, I almost always throw out the question, "What book have you read most recently (other than a technical manual), and what did you learn from it?"  It helps gauge a person's analytical skills on something other than a purely technical problem (it gives them the opportunity to identify an issue or area of interest and prove that they put some thought into it).  It was during one of these interviews that a candidate mentioned The Millionaire Next Door (TMND).  I ended up sending that candidate a job offer, and I am grateful for the addition to my reading list.

Surprised?
  • What kind of car do you drive?
  • What neighborhood do you live in?
  • What is the most you ever paid for a pair of shoes?
  • How much did you spend on a college education?
  • Are you an entrepreneur?
  • Do you believe that hard work pays off?
Danko and Stanley surveyed millionaires with these types of questions and many, many more.  This book is a distillation of the metrics that they found correspond to the success of millionaires.  "In the course of our investigations, we discovered seven common denominators among those who successfully build wealth."
  1. They live well below their means
  2. They allocate their time, energy, and money efficiently, in ways conducive to building wealth.
  3. They believe that financial independence is more important than displaying high social status.
  4. Their parents did not provide economic outpatient care.
  5. Their adult children are economically self-sufficient.
  6. They are proficient in targeting market opportunities.
  7. They chose the right occupation.
Wealth Accumulation

Income does not equal wealth.  Stanley and Danko make it a point to distinguish between current income, total net worth and expected net worth.  They provide an interesting calculation to see where you stack up.


"Multiply your age times your realized pretax annual household income from all sources except inheritances. Divide by 10. This, less any inherited wealth, is what your net worth should be."

Based on this formula, if you are close to the expected value, then you are considered an Average Accumulator of Wealth (AAW).  Those who have at least twice the expected net worth (Age * Income / 10 * 2) are considered Prodigious Accumulators of Wealth (PAW).  At the bottom end of the calculation, you are an Under Accumulator of Wealth (UAW) if you have less than half of your expected net worth (Age * Income / 10 / 2).

"Big Hat, No Cattle"

The primary reason that so many people do not achieve the levels of wealth accumulation that they should is that they are too busy trying to appear well off, sacrificing true financial security for the façade of keeping up with the Joneses.  The truly affluent are more worried about how many cattle they have, not how big their cowboy hat is.

Education

The wealth accumulation formula is interesting because it takes into account how many years a person has had to build their wealth.  One of the major factors that affects the time spent building wealth is whether that person pursues post-secondary education.  Michael Bloomberg gave a graduation speech last month that mentions this fact (which some criticized him for), but Stanley and Danko's research supports it.  The time spent in college is time lost in terms of accumulating wealth, plus the money spent on college tuition and expenses (see denominator #7 above).

Budgeting Is Like Exercise 

There probably aren't many people that really "enjoy" sitting down and going over all of their expenses, categorizing them and analyzing income and spending trends, but that is what the majority of these PAWs do on a regular basis.  Do you know how much you spent on gasoline last month?  How about eating out?  How about household utilities?  TMND relates this routine practice to that of exercise.  Who is more likely to have a regular exercise routine, those who are in shape or the less than healthy types?  

You might think, why would someone who is rich need to worry about keeping track of all these details?  But that is precisely the point.  They don't keep track of them because they are wealthy; they are wealthy because they took the time to keep track of their budget.

Economic Outpatient Care

Economic Outpatient Care is defined in the book as relying on income from your parents when you should be at a point of providing for yourself (see denominators #4 and #5 above).  Some of the best lessons I got from TMND were the sections dealing with how to help your children be successful.  What it really comes down to is that teaching children how to be self-sufficient and provide for themselves is much more beneficial than continually investing in their bad spending habits.

Reflections

I listened to the audiobook first, but then ended up getting a copy of the paperback to be able to review all of the tables and charts in the book.  I have since loaned out my copy of this book to several friends and they have all been appreciative of the recommendation as well.  Take the time to read this book.  It is definitely an eye opener.

Thursday, June 6, 2013

Book Review: Breakpoint

Breakpoint by: Richard A. Clarke
Narrated by: Robertson Dean
Publisher: Penguin Audio
Total Length: 8 Hours, 19 Minutes
Date Released: September 20, 2007



It has been a while since I've enjoyed a recreational novel, or so I thought.  (I don't count The Phoenix Project since that more or less is a textbook on DevOps, ToC, Lean, and VisibleOps disguised as a novel).  But then I saw this quote from the author, 

"Fiction can often tell the truth better than nonfiction. And there is a lot of truth that needs to be told."

The Internet links between North America and the rest of the world severed.  Research facilities blown up by hackers gaining access to SCADA devices.  The heads of DARPA, the National Science Foundation, and the National Institutes of Health killed by a suicide bomber.  The evolution of a new human species...  This cloak and dagger story is filled with twists and turns.  The FBI, CIA, DHS, NSA and every other government agency are trying to figure out who is behind these attacks, but it is up to a NYPD detective and an analyst with the 'Special Projects Office, Intelligence Analysis Center' to really crack the case.  As far-fetched or implausible as the plot line seems, Clarke lays out some very clear reasoning for combining these particular elements and others into Breakpoint.

Questions to Ponder

Given the news articles throughout the past year or so, I wasn't surprised by all the references to China hacking into university research centers or SCADA systems.  But had I read this book when it came out back in 2007, I probably would have been fairly surprised by and skeptical of all these vulnerabilities, gaping holes in the safety of the everyday life that I take for granted as an American.

Throughout the book, Clarke presents several conflicts of ethical debate, the biggest of which is the question of what it means to be "human".  Would genetically engineering someone to have several extra chromosomes change whether they were still human?

Clarke makes an interesting reference to Plato's Republic, by bringing up the class system of gold men vs. bronze men.  Are the changes and advances in technology widening the gap between the haves and the have-nots?

For all the advances that we claim technology has made for us, are we really any better off in terms of happiness or quality of life?

Tuesday, June 4, 2013

Book Review: Three Questions

What Men Live By and Other Tales: Three Questions


by Leo Tolstoy 
Translated by L. and A. Maude
Originally Published: 1885
Project Gutenberg: June 13, 2009

I love this short story, a great lesson in Time Management and Social Responsibility... 

 - How can I learn to do the right thing at the right time? 
 - Who are the people I most need, and to whom should I, therefore, pay more attention than to the rest?  
 - And, what affairs are the most important, and need my first attention? 

Three Questions

It once occurred to a certain king, that if he always knew the right time to begin everything; if he knew who were the right people to listen to, and whom to avoid; and, above all, if he always knew what was the most important thing to do, he would never fail in anything he might undertake.

And this thought having occurred to him, he had it proclaimed throughout his kingdom that he would give a great reward to any one who would teach him what was the right time for every action, and who were the most necessary people, and how he might know what was the most important thing to do.

And learned men came to the King, but they all answered his questions differently.

In reply to the first question, some said that to know the right time for every action, one must draw up in advance, a table of days, months and years, and must live strictly according to it. Only thus, said they, could everything be done at its proper time. Others declared that it was impossible to decide beforehand the right time for every action; but that, not letting oneself be absorbed in idle pastimes, one should always attend to all that was going on, and then do what was most needful. Others, again, said that however attentive the King might be to what was going on, it was impossible for one man to decide correctly the right time for every action, but that he should have a Council of wise men, who would help him to fix the proper time for everything.

But then again others said there were some things which could not wait to be laid before a Council, but about which one had at once to decide whether to undertake them or not. But in order to decide that, one must know beforehand what was going to happen. It is only magicians who know that; and, therefore, in order to know the right time for every action, one must consult magicians.

Equally various were the answers to the second question. Some said, the people the King most needed were his councillors; others, the priests; others, the doctors; while some said the warriors were the most necessary.

To the third question, as to what was the most important occupation: some replied that the most important thing in the world was science. Others said it was skill in warfare; and others, again, that it was religious worship.

All the answers being different, the King agreed with none of them, and gave the reward to none. But still wishing to find the right answers to his questions, he decided to consult a hermit, widely renowned for his wisdom.

The hermit lived in a wood which he never quitted, and he received none but common folk. So the King put on simple clothes, and before reaching the hermit's cell dismounted from his horse, and, leaving his body-guard behind, went on alone.

When the King approached, the hermit was digging the ground in front of his hut. Seeing the King, he greeted him and went on digging. The hermit was frail and weak, and each time he stuck his spade into the ground and turned a little earth, he breathed heavily.

The King went up to him and said: "I have come to you, wise hermit, to ask you to answer three questions: How can I learn to do the right thing at the right time? Who are the people I most need, and to whom should I, therefore, pay more attention than to the rest? And, what affairs are the most important, and need my first attention?"


The hermit listened to the King, but answered nothing. He just spat on his hand and recommenced digging.

"You are tired," said the King, "let me take the spade and work awhile for you."

"Thanks!" said the hermit, and, giving the spade to the King, he sat down on the ground.

When he had dug two beds, the King stopped and repeated his questions. The hermit again gave no answer, but rose, stretched out his hand for the spade, and said:

"Now rest awhile-and let me work a bit."

But the King did not give him the spade, and continued to dig. One hour passed, and another. The sun began to sink behind the trees, and the King at last stuck the spade into the ground, and said:

"I came to you, wise man, for an answer to my questions. If you can give me none, tell me so, and I will return home."

"Here comes some one running," said the hermit, "let us see who it is."

The King turned round, and saw a bearded man come running out of the wood. The man held his hands pressed against his stomach, and blood was flowing from under them. When he reached the King, he fell fainting on the ground moaning feebly. The King and the hermit unfastened the man's clothing. There was a large wound in his stomach. The King washed it as best he could, and bandaged it with his handkerchief and with a towel the hermit had. But the blood would not stop flowing, and the King again and again removed the bandage soaked with warm blood, and washed and rebandaged the wound. When at last the blood ceased flowing, the man revived and asked for something to drink. The King brought fresh water and gave it to him. Meanwhile the sun had set, and it had become cool. So the King, with the hermit's help, carried the wounded man into the hut and laid him on the bed. Lying on the bed the man closed his eyes and was quiet; but the King was so tired with his walk and with the work he had done, that he crouched down on the threshold, and also fell asleep--so soundly that he slept all through the short summer night. When he awoke in the morning, it was long before he could remember where he was, or who was the strange bearded man lying on the bed and gazing intently at him with shining eyes.

"Forgive me!" said the bearded man in a weak voice, when he saw that the King was awake and was looking at him.

"I do not know you, and have nothing to forgive you for," said the King.

"You do not know me, but I know you. I am that enemy of yours who swore to revenge himself on you, because you executed his brother and seized his property. I knew you had gone alone to see the hermit, and I resolved to kill you on your way back. But the day passed and you did not return. So I came out from my ambush to find you, and I came upon your bodyguard, and they recognized me, and wounded me. I escaped from them, but should have bled to death had you not dressed my wound. I wished to kill you, and you have saved my life. Now, if I live, and if you wish it, I will serve you as your most faithful slave, and will bid my sons do the same. Forgive me!"

The King was very glad to have made peace with his enemy so easily, and to have gained him for a friend, and he not only forgave him, but said he would send his servants and his own physician to attend him, and promised to restore his property.

Having taken leave of the wounded man, the King went out into the porch and looked around for the hermit. Before going away he wished once more to beg an answer to the questions he had put. The hermit was outside, on his knees, sowing seeds in the beds that had been dug the day before.

The King approached him, and said:

"For the last time, I pray you to answer my questions, wise man."

"You have already been answered!" said the hermit, still crouching on his thin legs, and looking up at the King, who stood before him.

"How answered? What do you mean?" asked the King.

"Do you not see," replied the hermit. "If you had not pitied my weakness yesterday, and had not dug those beds for me, but had gone your way, that man would have attacked you, and you would have repented of not having stayed with me. So the most important time was when you were digging the beds; and I was the most important man; and to do me good was your most important business. Afterwards when that man ran to us, the most important time was when you were attending to him, for if you had not bound up his wounds he would have died without having made peace with you. So he was the most important man, and what you did for him was your most important business. Remember then: there is only one time that is important; now! It is the most important time because it is the only time when we have any power. The most necessary man is he with whom you are, for no man knows whether he will ever have dealings with any one else: and the most important affair is, to do him good, because for that purpose alone was man sent into this life."

Friday, May 31, 2013

Book Review: Assessing Vendors

Assessing Vendors: A Hands-On Guide to Assessing InfoSec and IT Vendors


by Josh More
Publisher: Syngress
ISBN: 978-0124096073
Number of Pages: 95
Date Published: May 10, 2013 


As I've noted in several previous blog posts, I believe the concept of Vendor Management is one of the weaker links in the security chain at many organizations.  While this book doesn't necessarily show you everything you need to know to fix this problem, it does provide solid advice on proper due diligence for selecting vendors and products that you want to build a relationship with.

Josh More lays out a very practical framework for finding vendors that provide technology (products and/or services) that address the needs of your situation.  More's Vendor Assessment process contains nine phases to help those responsible for evaluating and recommending solutions in Information Technology and InfoSec.  The process is designed to help these individuals in fairly and quickly evaluating vendors, understanding how the vendor/sales atmosphere operates, and getting more value out of vendor contracts.


One of the biggest lessons I got out of the book was in properly defining the criteria used to assess and compare various solutions.  By selecting specific criteria to measure each vendor against, you ensure a fair and systematic evaluation, so that the final decision can be based on a true apples-to-apples comparison and backed up with data.  On page 17, More provides some great advice for deciding how many different criteria should be used in this process:

The limit is going to be the number of dimensions that you can hold in your head at any given time.  This way, as you assess systems, you don't have to bounce between modes of thinking too much.  This process, called "context shift," is a very common source of time loss when doing analyses.  If you are running down a large list for each candidate, you have to constantly change your mode of thinking and every time you do, it will cost you a little bit of time.  If your list is too short, you will be losing time thinking of real-world scenarios that could be concerning but cannot be captured in your limited system. 

More provides several examples to address this issue, ranging from the C-I-A triad to the CISSP 10 Domains.  But I really liked the reference to the Parkerian Hexad on page 18, which is a short enough list to easily remember, but comprehensive enough to cover the majority of vendor/product assessments you will run into:
  1. Availability
  2. Possession/Control
  3. Confidentiality
  4. Utility
  5. Integrity
  6. Authenticity
I have to admit, this isn't the most exciting IT book out there, but I'm glad I read through it.  All in all, this one is a quick read, weighing in at just under 100 pages, but it sheds some light on what can sometimes be a very ad hoc selection and purchasing process.

Thursday, May 30, 2013

Coursera: A Beginner's Guide to Irrational Behavior

I recently participated in a Behavioral Economics MOOC on Coursera.org taught by Dan Ariely.  I used to love listening to Dan's conversations with Kai Ryssdal on NPR/Marketplace on my drive home several years ago. And I had already been through each of his books, Predictably Irrational, The Upside of Irrationality, and The Truth About Dishonesty.  So, I thought the class would be a lot of fun.



A Beginner's Guide to Irrational Behavior

Most of the topics, research and experiments that were covered in the class were ones straight out of the books, but there were also interesting references to research papers to see more details about how the experiments were carried out and the exact findings of the research.  It is evident that Dan and his team put a lot of effort into building and presenting a very high quality MOOC.

Impressions of Coursera

I have to say I'm a fan of Coursera.  I think it is very cool that they have worked out a deal with so many top colleges and universities to offer outstanding content to the masses for free!  The Coursera website is easy to navigate.  Access to course materials, video lectures, and discussions is fantastic.  The quizzes associated with the lectures and reading assignments were straightforward and engaging.

The one area that I find to be rather disheartening is the peer grading process.  I understand that there is no way for a professor and a couple of graduate students to grade tens of thousands of essays and writing assignments, but there seems to be a rather large flaw in the grading criteria for these non-multiple-choice assignments.  The problem is the subjectivity of the grader on the written assignment.



Peer Grading

After submitting the written assignment, each student was asked to grade three other assignments based on the following criteria:
  1. Did the student identify and describe a behavioral problem?
  2. Did the student correctly identify and describe research that is relevant to the problem?
  3. Did the student propose a research-based solution?

I find it odd that someone as fluent in measuring the results of research and experiments as Professor Ariely (results which are often dependent upon how questions are phrased, the order in which the questions appear and the types of choices presented) would purposefully introduce subjectivity into this grading process by allowing the grader a three-point scale for each of these criteria.  Unless I'm mistaken, these appear to be simple "Yes/No" questions, yet the grader was given a range of choices from 1 (didn't meet the criterion) to 3 (met the criterion), thereby adding unnecessary subjectivity.

For the first criterion, either the student described a behavioral problem or they didn't.  Answering this question should not be based upon the grader's bias as to whether they perceive the issue to truly be a problem or not.  If the student articulated a topic in the context of human behavior, how can anyone honestly give them less than full credit for this criterion?


The second criterion could possibly have been worded more precisely so as to convey the intent of the question, such as, "Did the student utilize material from the course reading assignments that supports the claim of the behavioral problem?"

The third criterion, again, is not asking for the grader's biased opinion as to whether or not they agree with the proposed solution.  It is simply asking if the student proposed a solution within the context of the research covered by the course reading assignments.  It is not the grader's responsibility to assess the viability of the proposed solution, nor should it be the grader's prerogative to judge its effectiveness.  I find it hard to believe that anyone would submit their written assignment if it were totally void of a proposed solution.

Proposed Solution for Peer Grading
Dear Coursera and Prof. Ariely, to improve the quality of this course for the students, I believe an effort should be made to remove as much subjectivity from the peer grading process as possible.  If you are going to ask "Yes/No" questions, then grade accordingly with "Yes/No" answers.  If you want the written assignment to be based on a total of 9 points, then ask 9 "Yes/No" questions that are specific to the quality of the written assignment, such as:
  1. Did the student use the correct name for the problem (if the problem has a name we discussed in this course)? 
  2. Did the student give a clear indication of why the behavior is problematic?
  3. Did the student tell us what the scale of the problem was?
  4. Did the student summarize the experiments and findings about this behavior? This should include only relevant experiments and findings. 
  5. Did the student refer to experiments from the assigned readings and/or lectures? 
  6. Did the student cite his or her sources? 
  7. Did the student propose a solution?
  8. Did the student show the solution was based on existing behavioral research? 
  9. Was the solution original? That is, did the student come up with a plan that was not exactly like another we have studied?
By the way, these questions were provided as guidance for answering the original three criteria, but it was left up to the subjectivity of the grader to incorporate them within the faulty three-point scale.

I also realize that grading any written assignment will inherently include some subjectivity of the grader, but the need to limit this subjectivity is only magnified by the fact that the graders in this case have no credibility on which to base their opinions (i.e. the students of a free online introduction class are most likely not "experts" on the subject of behavioral economics).

Sunday, May 19, 2013

Detecting Evil: Network Security Monitoring

Trying to clear out the backlog of posts in my Drafts folder, and this one is long overdue...

News Headlines

These are just a couple of the news stories that caught my eye [in the hopefully not too distant past].

BofA Confirms Third-Party Breach

"Bank of America systems were not compromised. Our customer data is secure." Mark Pipitone, BofA Spokesman

Evernote Security Notice

"Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service."


LA Times Serving Up Malware

"To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information."

So What's Going On?

Whenever I read headlines like this, they almost always come with some disclaimer that "There is no evidence that the intruders gained access to..." and rightly so.  A lot of companies don't have the ability to detect the breach in the first place, and then when they are notified about it by some third party (customers, law enforcement or the attackers themselves) they most certainly don't have any way to tell what information was stolen, so they claim that customers need not worry because there isn't any evidence of their information being stolen.

"Is it just me or am I the only one who thinks how can these attackers be so good as to break into the networks of companies yet those companies always seem to stop the attack just before the attackers gain access to sensitive information?" Brian Honan, SANS NewsBites Vol 15 Issue 18.

Assessing the Damage

Because of all of the cover-up attempts by companies to minimize the negative publicity fallout from disclosing a data breach, it can be difficult to find relevant data to use to educate the decision makers in your organization about the importance of good Network Security Monitoring.  Here are some resources that I have found useful in describing the impact of a security breach to executives and senior management:
And some other interesting statistics in regards to the accuracy of claims that companies caught the bad guys "just in the nick of time":
  • The Trustwave 2012 GSR states that attackers were within the victim's environment for 173.5 days before detection occurred. 
  • In the Trustwave 2013 GSR the breach-to-detection window widened to 210 days. 
  • The Mandiant 2012 Annual Threat Report on Advanced Targeted Attacks cites a much larger window: "The median number of days from the first evidence of compromise to when the attack was identified was 416 days." 
  • The more recent Mandiant APT1 Report states "[attackers] were inside victim systems for avg of 356 days; longest observed: 1764 days"
  • The Verizon DBIR 2012 states, "It saddens us to report that, yet again, breach victims could have circumnavigated the globe in a pirogue (not from the bayou? Look it up.) before discovering they were owned. In over half of the incidents investigated, it took months—sometimes even years—for this realization to dawn. That's a long time for customer data, IP, and other sensitive information to be at the disposal of criminals without the owners being aware of it."
  • The Verizon DBIR 2013 concludes that it still takes on average 221 days from breach to discovery.
These numbers seem to echo a common sentiment that there are two kinds of companies out there: those who know they've been breached and those who have been breached and just don't know it yet.

Saturday, May 18, 2013

Book Review: Lean Security 101

Lean Security 101: The Comic Book


by Josh More
Publisher: RJS Smart Security
Number of Pages: 24


Josh More over at RJS Smart Security obviously had some fun putting this together. Lean Security 101 is a neat little info-graphic that looks an awful lot like a comic book.  

Percy the Protection Pangolin

I'll admit it; I had to look up what a Pangolin actually was (+1 for originality).  The Pangolin is Josh's sidekick throughout the story.

The 80x5 Rule

The biggest insight I got out of this comic was the 80x5 Rule.  So you've probably heard of the "Pareto Principle", commonly referred to as the 80/20 rule.  Well the 80x5 rule builds on this idea using concepts from Lean.


The 80/20 rule is often quoted by business managers and executives as a rallying cry to take some action or get started with some new project by trying to justify quick returns with minimal effort.  But hidden within this management standard is an implicit acknowledgment that getting a project to 100% perfection (meeting all of the requirements on time and within budget) becomes increasingly difficult.  The law of diminishing returns takes over and additional effort is needed just to make incremental progress towards the goal.

When applied to Information Security, this concept is just as true.  There is no silver bullet for protecting your digital assets, so no single project or technology or defense mechanism is ever going to be 100% effective at keeping your data safe.

The 80x5 rule is designed to help you get the most value from the least amount of effort while maximizing your defensive posture.




The 80x5 rule says that instead of spending all of your effort trying to implement a single defensive measure (that will never reach 100% effectiveness), it would be much more productive to add complementary layers of security.  After you have spent the first 20% of your effort on that defensive measure (and reached 80% of the results), any further effort on that task could be considered waste (based on Lean).  In terms of opportunity cost, if you took the remaining unspent effort (you still have 80% left at this point) and divided it into four more blocks, you could potentially get 80% results from each of another four projects.  This is obviously a much better ROI than spending that remaining 80% and obtaining at most 20% benefit from your current task.

Assuming each layer is 80% effective (based on the Pareto Principle), eight layers could give you up to 99.999% effective security.  Yes, there can and will be various exceptions to this line of reasoning.  But why spend all your effort on fixing things that should be considered "good enough" when there are other more productive security measures you could be working on (like building up your incident response team and testing your IR plan)?  I see this as an important tool for helping to prioritize competing projects and assessing those final inches toward the goal line.
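To make the opportunity-cost argument and the "eight layers" figure concrete, here is a small calculation I added; it is my own code, not anything from Lean Security 101 or RJS Smart Security. It assumes a piecewise-linear reading of the 80/20 curve (the first 20% of effort buys 80% of the result, the remaining 80% of effort buys at most the last 20%), and that each layer stops a given attack independently of the others. The `common_mode_effectiveness` function is my own addition to show what happens to the headline number when that independence assumption breaks, which is the "exceptions" caveat above.

```python
# Added example for the 80x5 rule. The Pareto-curve shape and the common-mode
# failure model are my simplifications, not figures from the comic.

KNEE_EFFORT = 0.2   # the "20%" of the 80/20 rule (fraction of one project's budget)
KNEE_RESULT = 0.8   # the "80%" of the 80/20 rule (fraction of one project's result)


def pareto_result(effort: float) -> float:
    """Result (0..1) obtained from ONE project after spending `effort` (0..1) on it.

    Piecewise-linear reading of the 80/20 rule: the first 20% of effort buys
    80% of the result; the remaining 80% of effort buys at most the last 20%.
    """
    if not 0.0 <= effort <= 1.0:
        raise ValueError("effort must be a fraction between 0 and 1")
    if effort <= KNEE_EFFORT:
        return KNEE_RESULT * effort / KNEE_EFFORT
    return KNEE_RESULT + (1.0 - KNEE_RESULT) * (effort - KNEE_EFFORT) / (1.0 - KNEE_EFFORT)


def benefit_per_effort(from_effort: float, to_effort: float) -> float:
    """Marginal result gained per unit of effort when a project moves from
    `from_effort` to `to_effort`. This is the opportunity-cost figure the rule
    is really about: finishing one project vs. starting another."""
    if to_effort <= from_effort:
        raise ValueError("to_effort must exceed from_effort")
    return (pareto_result(to_effort) - pareto_result(from_effort)) / (to_effort - from_effort)


def layered_effectiveness(per_layer: float, layers: int) -> float:
    """Probability that at least one of `layers` INDEPENDENT controls, each
    stopping a given attack with probability `per_layer`, stops it.
    An attack gets through only if it slips past every layer: (1-p)^n."""
    if not 0.0 <= per_layer <= 1.0:
        raise ValueError("per_layer must be a probability")
    if layers < 0:
        raise ValueError("layers must be non-negative")
    return 1.0 - (1.0 - per_layer) ** layers


def layers_needed(per_layer: float, target: float, max_layers: int = 1000) -> int:
    """Smallest number of independent layers whose combined effectiveness
    reaches `target`; raises if `max_layers` is not enough."""
    if not 0.0 < per_layer <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("per_layer must be in (0, 1] and target in [0, 1)")
    n = 0
    while layered_effectiveness(per_layer, n) < target:
        n += 1
        if n > max_layers:
            raise ValueError("target not reachable within max_layers")
    return n


def common_mode_effectiveness(per_layer: float, layers: int, common_mode: float) -> float:
    """Same stack, but with probability `common_mode` one shared weakness (a
    credential reused across controls, one misconfiguration pushed to all of
    them) defeats every layer at once. My model for the rule's exceptions:
    the layers only multiply if their failures are actually independent."""
    if not 0.0 <= common_mode <= 1.0:
        raise ValueError("common_mode must be a probability")
    bypass_all = common_mode + (1.0 - common_mode) * (1.0 - per_layer) ** layers
    return 1.0 - bypass_all


def summarize_80x5() -> dict:
    """Numbers behind the 80x5 argument, using the assumptions stated above."""
    return {
        # finishing the current project: last 20% of result for 80% of effort
        "finish_one_benefit_per_effort": benefit_per_effort(KNEE_EFFORT, 1.0),
        # starting a fresh project: 80% of result for 20% of effort
        "new_project_benefit_per_effort": benefit_per_effort(0.0, KNEE_EFFORT),
        "five_layers_combined": layered_effectiveness(KNEE_RESULT, 5),
        "layers_for_five_nines": layers_needed(KNEE_RESULT, 0.99999),
        # eight 80% layers with a 1% chance of a shared, all-layers failure
        "eight_layers_with_1pct_common_mode": common_mode_effectiveness(KNEE_RESULT, 8, 0.01),
    }


if __name__ == "__main__":
    for name, value in summarize_80x5().items():
        print(f"{name:40s} {value:.6f}" if isinstance(value, float) else f"{name:40s} {value}")
```

Running it shows the two sides of the rule: finishing the current project returns 0.25 result per unit of effort, while starting a new one returns 4.0, and eight independent 80% layers do reach the five nines the comic cites. The last line is the one to keep in mind when presenting those numbers to management: a 1% chance that a single shared weakness defeats every layer drags the stack from 99.999% back to roughly 99%, so the layers are only worth their multiplication if they fail for different reasons.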

The book goes into more detail, but hopefully you get the idea.  Go download a free copy for yourself, http://www.rjssmartsecurity.com/Lean-Security-101-Comic/, and give them a call about a free Lean Security Assessment.

Wednesday, May 8, 2013

Book Review: Predictably Irrational

Predictably Irrational: The Hidden Forces That Shape Our Decisions


by Dan Ariely
Narrated by: Simon Jones
Publisher: Harper Audio
Total Length: 7 Hours, 24 Minutes
Date Published: April 2, 2009



I first heard about Predictably Irrational on NPR while listening to the show Marketplace by American Public Media.  Dan Ariely had a segment each week where he would discuss something from one of his experiments and how the results defy the general assumptions held by most people.  I found Dan to be very entertaining to listen to, especially amid the context of the Great Recession.  So, I decided to download Predictably Irrational to see if I was missing out on any other great insights in the world of Behavioral Economics.

The Decoy Effect

Relativity is all about how we compare things.  The example of the subscription to the Economist shows how most people don't really know what anything is worth, but when comparing two similar items it is easier to see the relative value of each.  I love how it points out that, "Thinking is difficult and sometimes unpleasant."  This is a vulnerability just waiting to be exploited.

The takeaway here is that when you want to persuade someone towards a particular choice, one effective way to do so is by adding a similar, but less attractive option.  When given this situation, Option A, Option B, and Option -B, most people will choose Option B.


"Free" 

Here's a less than obvious calculation (well it wasn't obvious to me anyway).  When given the choice between two products, I should compare the perceived value of each to the stated price and if the benefit of the higher priced product is worth the higher price to me, then I should choose that product.  The difference in the price should be the difference in value (to me) of the two products.  But, when one of the products is "free", the difference in value becomes much harder to justify.  Ariely provides several examples of experiments where they offer a premium chocolate for $0.25 and an average chocolate for $0.01.  If I value the premium chocolate by $0.24 more, then I should still be willing to pay the $0.24 for the premium chocolate even if the average chocolate is priced at "free".

Social Norms vs Market Norms

I found the topic of comparing social norms and market norms very interesting.  It seems to me that there are many untapped solutions to everyday problems that are obfuscated by the fact that we are looking at the problem through only one of the possible lenses (social or market norms).  Based on the research presented in Predictably Irrational, it can often be difficult to make the shift from one point of view to the other, or difficult to return to a particular point of view once that shift has been made.

Price of Placebo

"Before recent times, almost all medicines were placebos.  Eye of the toad, wing of the bat, dried fox lungs, mercury, mineral water, cocaine, an electric current: these were all touted as suitable cures for various ailments.  When Lincoln lay dying across the street from Ford's Theater, it is said that his physician applied a bit of 'mummy paint' to the wounds.  Egyptian mummy, ground to powder, was believed to be a remedy for epilepsy, abscesses, rashes, fractures, paralysis, migraine, ulcers, and many other things.  As late as 1908, 'genuine Egyptian mummy' could be ordered through the E. Merck catalog... We may think we're different now.  But we're not.  Placebos still work their magic on us."

Chapter 10 was one of my favorite chapters.  The Placebo Effect has long been a fascination of mine, and Ariely's research puts some hard data to this question.  The results show that when people pay more, they claim to receive greater benefits.  This bias is extremely unfortunate, given that alternative solutions may actually be more effective and more holistic, but are excluded because they don't fall within popular opinion.

Reflections

Overall, I really enjoyed this audio book.  It is chock-full of great examples and data from experiments on behavioral economics (many, many more than the ones I mentioned here).  I have gone back and listened to several of the chapters over again in the past couple of years, as it provides some interesting alternate viewpoints and topics of debate to insert into other research projects I've been working on.  My only disappointment: I might have preferred the audio book more if it had been read by the author.

Saturday, April 20, 2013

Book Review: The VisibleOps Handbook

The VisibleOps Handbook: Implementing ITIL in 4 Practical and Auditable Steps


by Gene Kim, Kevin Behr, and George Spafford
Publisher: Information Technology Process Institute
ISBN: 0975568612
Number of Pages: 100
Date Published: June 15, 2005



VisibleOps is one of my favorite computer geek books of all time.  This book is a no-nonsense, straightforward guide to running a highly successful IT department.  But, VisibleOps is not just some flavor of the week self-help management book.  The lessons and goals presented in VisibleOps are the culmination of years of observation and research by the authors, who happened to notice that successful organizations had IT departments that operated in very similar ways.  This book is a distillation of those observations into a methodology that is easy for anyone in IT to grok.  Loosely based on the ITIL framework, VisibleOps cuts straight to the chase with four basic steps.

The Four Steps of Visible Ops

Phase 1. Stabilize the Patient
Phase 2. Catch & Release and Find Fragile Artifacts
Phase 3. Establish Repeatable Build Library
Phase 4. Enable Continuous Improvement

Stabilize the Patient

In the first phase of VisibleOps, the goal is triage.  Can you reduce the number and impact of outages?  Some of the key ways to accomplish this goal are to implement and strengthen Change Management processes, only allow scheduled changes, and have a defined maintenance window.

Another huge benefit to the Change Management process that often gets overlooked is its ability to act as a communication tool and a way to publish a schedule of changes.  With these processes in place, you will have better visibility for outage responders:

  1. What changed? 
  2. How to back out that change

Fragile Artifacts

The second phase is all about using a risk based approach to identifying and cataloging critical systems.  Some of the key indicators include:
  • Systems with the highest Mean Time To Recovery (MTTR)
  • Systems with low change success rates
  • Systems with the highest downtime costs
But being able to understand and identify the cost of downtime requires understanding the business processes that each system supports.  That is why this phase is based on the Configuration Management process and includes implementing a Configuration Management Database (CMDB).  Once these processes are in place, you should see a reduction in variance, increased conformity in your systems, and it will be easier to detect anomalies within the environment.

Repeatable Build Library

In order to overcome the limitations imposed by the Fragile Artifacts, you must create a way to commoditize these systems.  Phase three is all about implementing proper Build and Release Management processes to further reduce variance and increase your understanding of what your systems are actually doing.  The thing that makes systems fragile in the first place is your lack of understanding about how that system operates.  

Once you are able to obtain that level of understanding, it is much easier to swap out interchangeable components than it is to ad-hoc a resolution out of random troubleshooting steps when you can't really explain WHY those steps "fixed" the issue.

Continuous Improvement

You would think that phase four would be self explanatory.  It is anything but that.  In terms of implementation, I have found that this can be the absolute most difficult because it requires a major shift in the culture of most organizations.  The VisibleOps Handbook provides some key indicators and metrics that can help track your progress on this journey.  It does not, however, provide much advice on how to steer your Titanic to avoid icebergs along the way.

Reflection

The thing I love the most about the Visible Ops approach to ITIL and managing IT in general, is how corporeal it is.  The word "visible" in the title obviously wasn't an accident; it is visible because the steps for implementation, the explanation of the methodology, really everything about it is so clearly evident that [almost] anybody should be able to thumb through this booklet and pick up some ideas that they can put to use right away and see results almost as fast.

Tuesday, April 16, 2013

#ChecklistIsDead

I keep seeing tweets and blog posts and hearing talks at various cons that keep repeating statements such as: 

"[insert unpopular framework/checklist here] has done nothing to improve cyber security, and in fact it has probably made security worse"

And I don't believe it!

I recently wrote about how the InfoSec echo chamber keeps dogging on "outdated best practices", and today I started wondering if these echo repeaters all work for Gartner?  So I'm proposing that all framework/checklist bashing should use the hashtag #ChecklistIsDead from now on.

My point is that one of the biggest reasons InfoSec is failing is not because we are using a bad checklist.  We are failing because we aren't actually following through with implementing *any* checklist consistently, whether it is the PCI DSS, FFIEC, FISMA, NIST, or the SANS Critical Security Controls.  I don't really care which checklist you are being graded on (most of them can be cross-referenced with each other anyway, just different wording for the same basic goals), but if you can't make a list of your key business processes, a list of your critical information assets, and updated diagrams for your network and data flow... then what makes you think that you are going to do any better with the newest #RiskManagement flavor of the week?

For example, I hear a lot of people complaining about the PCI DSS in one breath and then calling for the need to replace checklists with a risk based approach to security.  That's all fine and good, but if companies can't comply with the intent of PCI DSS v2.0 Requirement 12.1.2 to perform a risk assessment [only] once per year, then how well are they going on their own without such a requirement?

Establish, publish, maintain, and disseminate a security policy that "12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)"

I have read some articles lately (here and here) that talk about how security policies and frameworks are too siloed and need to span across functional boundaries.  I'm sorry, but show me what framework or checklist specifically calls for its implementation to be contained within silos?  These failed implementations are the direct result of bad decisions made at the highest levels of most companies who don't understand the threats and vulnerabilities facing their organizations.  Yet these same decision makers are supposed to magically understand the risk derived from these same threats and vulnerabilities in order to invent a better #RiskManagement program that fixes their security failures?

All the while, taking time to actually implement the items on the existing checklists keeps slipping through the cracks or falling down the priority list (and just getting a QSA to submit your RoC to the cardbrands doesn't mean your company has actually implemented all of the requirements on the checklist).

There were several interesting items listed in a recent paper by James Lewis of the Center for Strategic & International Studies, Raising the Bar for Cybersecurity.

"In the last few years, in 2009 and 2010, Australia’s Defense Signals Directorate (DSD) and the U.S. National Security Agency (NSA) independently surveyed the techniques hackers used to successfully penetrate networks. NSA (in partnership with private experts) and DSD each came up with a list of measures that stop almost all attacks.

"DSD found that four risk reduction measures block most attacks. Agencies and companies implementing these measures saw risk fall by 85 percent and, in some cases, to zero."


<sarcasm>Too bad checklists are dead.</sarcasm>

Friday, April 12, 2013

Best Practices

Great comment in this week's SANS NewsBites (Vol. 15 Num. 029) from Alan Paller, director of research at the SANS Institute.

[Editor's Note (Paller): As organizations discover there is economic liability for lax cybersecurity, and lawyers smell blood in the water, the recognition will dawn on policymakers that their reliance on high level "guidance" was a really bad idea and made government cybersecurity a terrible model for protecting the critical infrastructure and businesses.  This week the Australian Attorney General established a legal requirement that all agencies implement a small number of critical security controls. No company can pretend they don't know the basic controls they must implement. The U.S. government will do that, too, but, as Winston Churchill said so long ago, "Americans will always do the right thing - after exhausting all the alternatives." You can get a head start on doing the right thing if you can get to London on May 1-2 (http://www.sans.org/event/critical-security-controls-international-summit) or listen in on the briefing on April 18.  (http://www.sans.org/info/128297]


I found this comment somewhat ironic, given the recent twitter conversation with @joshcorman:

Maybe "Best Practices" really aren't the absolute "Best" that we can do in every individual situation.  And can they really be called "Practices" if they aren't actually practiced (i.e. repeated performance or systematic exercise for the purpose of acquiring skill or proficiency)?  Having cursory familiarity with an established checklist of known good security measures, such as the SANS Critical Security Controls, does not qualify as practicing or best.  ;)



Also, check out Cindy's article about being Consumers of Security Intelligence here.

Thursday, April 11, 2013

Book Review: Made to Stick

Made to Stick: Why Some Ideas Survive and Others Die


by Chip Heath and Dan Heath 
Narrated by: Charles Kahlenberg
Publisher: Random House Audio
Total Length: 8 Hours, 37 Minutes
Date Published: September 17, 2007



Any book that starts off with a variant of the kidney thieves heist automatically gets a +1 rating in my evaluation process.  Another +1 for having duct tape on the front cover and you know this is going to be a great book.  

Made to Stick was incredibly fun to listen to.  The authors decided to explore a topic mentioned by Malcolm Gladwell in The Tipping Point to see whether you could measure or influence how "sticky" an idea is.  The book is full of great examples of how to craft and alter the message you wish to convey so that it has a better chance of being remembered by others.  The book is laid out in chapters explaining each of the six criteria for the S.U.C.C.E.Ss of a sticky message:
  • Simple 
  • Unexpected 
  • Concrete 
  • Credible 
  • Emotional 
  • Stories
  • s - and another 's' on the end for good measure.
As I started putting together some notes on each chapter for this blog post, I had a difficult time condensing the material covered by this book.  Each chapter is full of great information and superb examples for supporting their point of view.  Here are a few of the overarching concepts that I got the most out of.  Each of these is a massive body of knowledge unto itself, but perhaps it will provoke you to do some additional research on these subjects, and read this book!

The Curse of Knowledge

As described in the Harvard Business Review article The Curse of Knowledge, most people make the mistake of assuming that other people are going to understand the message they are trying to convey.  The example of Tappers and Listeners makes it clear how easy it is for the meaning of a message to get lost in transmission.

Gap Theory

What makes a subject or situation "interesting"?  How do you get someone to pay attention to your message?  The answer, in short, is curiosity.  In George Loewenstein's 1994 article, The Psychology of Curiosity: A Review and Reinterpretation (PDF), Loewenstein "interprets curiosity as a form of cognitively induced deprivation that arises from the perception of a gap in knowledge or understanding."

Priming

In the chapter on Emotion, Mental Priming is discussed as a way of not only getting people to pay attention to your message, but for them to care about your message in a way that causes them to take action.  These concepts about mental priming stood out to me as I read through Blink: The Power of Thinking Without Thinking by Malcolm Gladwell and Predictably Irrational and The Upside of Irrationality by Dan Ariely as well.  Based on the studies and examples cited in these books, it is obvious that Mental Priming is an extremely powerful tool.

Mental Simulation

The results of the Mental Simulation experiments and studies mentioned in Chapter 6 are astounding.  The studies show that "mental practice alone (sitting quietly, without moving, and picturing yourself performing a task successfully from start to finish) improves performance significantly. [...] Overall, mental practice alone produced about two thirds the benefits of actual physical practice."  With these types of results it is hard to ignore the value of being mentally prepared and engaged for a task.  "The more that training simulates the actions we must take in the world, the more effective it will be."
 

Deep Dive (Chapter Reviews Coming Sometime)

Chapter 1 - Simple
Chapter 2 - Unexpected
Chapter 3 - Concrete
Chapter 4 - Credible
Chapter 5 - Emotional
Chapter 6 - Stories


Monday, April 8, 2013

Security Interconnected

In a recent blog post, Is Your Security Harming Someone Else’s Business?, Tripwire CTO, Dwayne Melancon, talks about mapping out the relationships your business has with other outside entities to "connect security to the businesses we depend on and those who depend on us."

This is a novel concept considering that many organizations have such a hard time mapping out their own internal processes, let alone ones that stretch outside their environment.  One of the main points that Dr. Eric Cole discussed this year during his SANS 2013 keynote in Orlando was that when he has been called into organizations to do an investigation or analysis, the first thing he asks for is a network diagram and a list of locations of critical data.  He then conducts a discovery of critical data on the client's network and maps out the true location of critical data to find that it rarely matches the client's list.

One of the questions that Melancon asks in his blog is, do you know what impact changes in your organization might have on contractual commitments with outside parties?  Many times the people engaged in writing, reviewing and signing contracts within an organization do not have the level of technical understanding to know what good security practices are, let alone whether they are properly included in the contract.  In the financial sector, there are regulatory requirements for this sort of thing (see Interagency Guidelines Establishing Information Security Standards).

Under the Security Guidelines, each financial institution must:
  • Develop and maintain an effective information security program tailored to the complexity of its operations, and 
  • Require, by contract, service providers that have access to its customer information to take appropriate steps to protect the security and confidentiality of this information.

You Get What You Pay For (and Prepare For) 

If the people writing and signing these contracts do not understand InfoSec, then this whole process seems a bit like going off a cliff and not knowing what's up ahead.   

I was reviewing some BCP/DR documents for a small financial institution not long ago and found a contract with a technology service provider (TSP) that was storing off-site backups for them.  The TSP provided the proof of breach insurance that was requested and it showed that the coverage limit was $1 MM per incident.  That sure doesn't sound like much given the amount of money lost by small and medium sized banks recently due to phishing and account takeover attacks which led to ACH/Wire Fraud.  But then after taking a closer look at the contract, I found this statement in the section titled "Limitation of Liability":

"If VENDOR becomes liable to the CUSTOMER under this Agreement for any other reason, whether arising by negligence, willful misconduct or otherwise, (a) the damages recoverable against VENDOR for all events, acts, delays, or omissions will not exceed in aggregate the compensation payable to VENDOR […] for the lesser of the months that have elapsed since the Operational Date […]"


Say what? [Unnecessary Risk]

Somebody obviously didn't take the time to read this garbage before whipping out their John Hancock.  Let's just say the amount paid to this vendor each year is much less than the value of the data the customer was backing up with this vendor.  

Managing the security of interconnected systems is not just an IT issue.  It is a business issue which means taking the time to read and understand the contracts that your business is agreeing to abide by.  Does your company have a process for reviewing contracts?  Is your IT/InfoSec team involved in that process?  Are contractual requirements communicated to your IT/InfoSec teams?  If you are missing these steps, then it will be impossible to do any sort of impact analysis across interconnected outside entities... just say'n.