Friday, October 31, 2014

Presentation: Topological View on Radical Innovation

I'm presenting today at the 6th Annual Complexity in Business Conference, sponsored by the University of Maryland Center for Complexity in Business.  Here are my slides.  (FYI: no information security content here, unless you are interested in institutional innovation.)

If you are really, really interested in this topic and want all the details and references, here is a paper I just completed for a Directed Reading class (89 pages, PDF).  It's a little rough around the edges due to time constraints.

Thursday, October 9, 2014

SIRAcon presentation

I'm presenting at SIRAcon today: "How to aggregate ground-truth metrics & indicators into a performance index".  It will be recorded and will be available to SIRA members on the SIRA web site.  Here are the slides.  Here is the blog post with background and tutorial.

Wednesday, June 25, 2014

My inputs to DHS on cyber economics & incentives

I'm at the 3rd day of Workshop on Economics of Information Security (WEIS) at Penn State.  The focus of this day is to provide input and ideas to the Science & Technology (S&T) Directorate in US Department of Homeland Security regarding R&D on cyber economics and incentives.

Here is the 2007 working paper I co-authored: "Incentive-based Cyber Trust -- A Call to Action".  I think many of the arguments and ideas are still relevant.  (It's long -- 27 pages -- but I think readers will be rewarded.)

Here are my slides.

Thursday, May 1, 2014

Splitting this blog and moving to Octopress

I've decided to split this blog to separate my academic posts from my industry posts.  I'm going to be blogging more about my dissertation and related works in progress, and I suspect that most of my industry readers won't be interested and I don't want to dilute my posts on industry topics -- information security, risk, performance metrics, etc.

Google's Blogger has worked well for me, but I've decided to move to Octopress.  I'll spare you all the details of the decision process but here's a post that describes the process and benefits.  I'm also following in the footsteps of others in my community (e.g. Securitymetrics.org, Data Driven Security, and Adam Elkus).

The industry blog with be renamed "Meritology Blog" and will have a meritology.com URL.  The academic blog will be "Exploring Possibility Space" and will have an exploringpossibilityspace.com URL.  I aim to move all the Blogger posts to these so that the archives are available under both.

I'll let you know when this goes live, and hopefully there will be redirection once the move is complete.

Thursday, April 17, 2014

"Creative Destruction": 500 word entry for Schneier's Movie Plot Contest

Since I won last year, I wasn't going to enter this year. But my imagination started turning and this came out.  Hope you enjoy it.

Bruce Schneier's 7th Annual Movie Plot Contest

Theme: NSA wins!  But how? (full description and all entries are here)

My entry:
Creative Destruction
June 2014 – March 2015: Stock market booms.

June 2014: Snowden revelations trigger international political scandals.

July: Feinstein-Rogers Intelligence Reform Bill passes, breaks up NSA. “Largest garage sale in history”.

Headline: “NSA Nuked”

August: 10,000 NSA workers are laid off.

September – December: Open Source projects, Working Groups see influx of volunteers.

September – November: “NSA garage sale” draws small contractors and public-private partnerships spread over 50 states. Private equity firms are buyers – Flatiron Partners, Narsil Capital, and Tech Disruptions.

September – November 2014: Flurry of privacy and security scandals hit big firms. Lawsuits, investigations, and criminal indictments follow.

November: “Alt Apps Group” formed: “Secure, private, and ad-free”. Most members are majority owned by Flatiron, Narsil Capital, or Tech Disruptions.

July – December: Symantec goes on buying spree: Webroot, Cloudflare, StackExchange, Disqus, Rapid7, and MaaS360 – all funded by Flatiron, Narsil Capital, or Tech Disruptions.

December: Puerto Rico Bridge Initiative announces completion of 50GB fiber optic cable.

January 2015: Private equity firms, led by Flatiron, make offer for Symantec.

February: Loren Reynolds, rookie Equity Analyst at JPMorgan Chase working on Symantec project, is accidentally copied on email from Flatiron:
“Confirming that Launch has been accelerated to March. Don’t use email anymore.”
Loren is puzzled by the distribution list:
  • Puerto Rico Bridge Initiative (PRBI) 
  • Economic Development Corporation Utah (EDCU)
  • Fatherly (formerly GoDaddy)
  • DuckDuckGo 
  • Safebook (startup)
March: Traffic and membership surges at Alt Apps Group members. Fatherly achieves 70% share in Certificate Authority market.

March: Loren receives email from friend Zoltin, networking expert:
“PRBI isn’t 50GB. It’s 75TB – the highest capacity in the world!!! WTF! There’s more. Same capacity cables to Bermuda and to Azores. Looks like they are bypassing US-Europe cables. Big news: Big data center on PR now complete.”
April: Google earnings due 4/15; then Facebook, Apple, Twitter, Microsoft, and Verizon on 4/22.

April: Over beers, Loren hears rumors of large short positions in technology stocks from a few “weird” hedge funds.

April 4: Loren receives email from Sarah:
“EDCU is gatekeeper on NSA Utah Data Center.”
April 15: Google disappoints. Earnings down 40% on flat revenue. Stock falls 30%, overall market falls 10%. 
April 20: Loren discovers link between former NSA executives and Flatiron, Narsil Capital, and Tech Disruptions. Finds NSA people behind tech firm scandals in the previous Fall 2014. Tip of the iceberg, she suspects.

April 21: Loren sends IM to her husband, an Assistant DA in the Southern District of NY:

“Must see you ASAP. NSA & GCHQ live on. They’ve gone legit – running private businesses and funds. THEY ARE KILLING THE INTERNET AD BUSINESS.”
After clicking “send”, her computer freezes. She reaches for her smart phone to call her husband, but the directory is empty. She dials the number manually, but gets an “out of service” signal, followed by “low battery”. The phone dies.

Running down seven flights of stairs, Loren races to her car. She jumps in, starts the engine, and backs out with a screech. One turn from the exit the car engine suddenly cuts out and brakes lock. The car crashes into a cement pillar. The airbag fails to deploy. Loren is out cold.
[This has a few lines added, so it's beyond 500 word limit.  But the entry on Bruce's site is below the limit.]

Tuesday, March 25, 2014

RAND Report on Innovation in the Cybercrime Ecosystem

This is an excellent report -- well-researched and well-written -- on the growth and development of the cybercrime ecosystem:
Though it's sponsored by Juniper Networks, I don't see any evidence that the analysis or report were slanted.  This report should be useful for people in industry, government, and academia (a rare feat!).

While they do a broad survey of the cybercrime ecosystem, they examine botnets and zero-day exploit markets in detail.  What's important about this report is that it provides a thorough analysis of the innovation capabilities and trajectories in the cybercrime ecosystem.  This is vital to understand to guide investment decisions, architecture decisions, and R&D decisions beyond a 1 year time horizon.

Here's a timeline that documents the growing sophistication and innovation capability:

Black Market timeline (part 1) -- click to enlarge
Black Market timeline (part 2) -- click to enlarge




Monday, March 24, 2014

Review of Whitsitt's "B-side Cyber Security Framework" (Mapped to the Ten Dimensions)

My colleague Jack Whitsitt (@sintixerr) has proposed a B-side version of the NIST Cyber Security Framework (NIST CSF) in this blog post.  In this post I will give my comments on Jack's framework, and do so by mapping it to the Ten Dimensions.

The NIST CSF is a catalog of information security practices, organized into categories and maturity tiers. I've criticized the NIST-CSF here, here, and here, and proposed an alternative -- the Ten Dimensions.  Jack has posted commentary and critiques here, here and  here.  Jack has the advantage of participating in all five workshops, plus several side meetings with various players.

Here's a diagram of Jack's framework:

Short Summary

I like Jack's B-sides framework. I see a lot of overlap between it and my Ten Dimensions.  They aren't identical but the same themes come through in both. His has the advantage of simpler interpretation (top-down layer cake, half as many dimensions).  It has short-comings as well.  In it's current form, it lacks performance measurement and, in my opinion, as inadequate attention to "Effective Response, Recovery, & Resilience", "Effective External Engagement", "Optimize Cost of Risk", and organization learning loops.