Wednesday, November 27, 2013

Did chariots & cavalry drive social complexity for 3,000 yrs.? (letter to PNAS)

Battle scene decoration on the chariot of Thutmose III
(It's holiday time, so it's probably a good time for non-risk, non-InfoSec posts.  Time for war chariots!)

tl;dr:  I wrote a letter to PNAS disputing the claims made by a famous author in a recent article.  My beef was with their modeling methods. We'll see if it gets published and if the author(s) respond.

Friday, November 22, 2013

"Prediction" vs "Forecast"

The "Bonds Shift" was based on a forecast. In contrast, the decision to intentionally walk him so often (120 times in 2004) was based on a prediction that the shift wouldn't work well enough.
We sometimes hear arguments against quantitative risk analysis that include a claim that "you can't predict what intelligent adversaries will do".  In reply, advocates often say "we don't aim to predict, but instead to forecast", but that rarely settles the argument because people don't agree on what those terms mean and if they are even different.

Most recently, this topic was debated by the hosts of the Risk Science Podcast Ep. 9, (31:10 to 55:00).

Summarizing the debate: two hosts say there’s no meaningful difference between “prediction” and “forecast” because they are both probabilistic statements about the future -- plus real people don’t care. In contrast, two hosts disagree, saying there is a meaningful difference and real-world people do care.

I side with the people who say there is a meaningful difference, but I’m not sure the essence of the difference came out in the podcast conversation. I do think that Jay’s statement at 31:10 is the best jumping off point.

The main difference between "prediction" and "forecast", in my opinion, has to do with what actions you take based on the information and what uncertainty is communicated.

Thursday, November 14, 2013

Several pieces of good news

Sorry I haven't posted in a while.  I've been pretty busy with research work -- writing papers for conferences, mostly.  But I've got some good news to report.

Cash will be flowing as nature intended.
First, I'm starting a full-time job at a Financial Institution* with the title Security Data Analyst/Scientist, which I choose to shorten to Security Data Scientist.  This is a big deal on many levels.  One of the best things is that their capabilities are comparatively mature and the leadership is both visionary and pragmatic.  This means that I hope to do some fairly compelling analysis drawing on some rich data sources and previous analysis rather than having to start from scratch.

(* My Twitter followers will know.)

I'm continuing my PhD program part-time, focusing on my dissertation.  I hope to complete that in 2014.

Also, I'll continue blogging here on all the same topics.

Second, I'm very happy to say that I've had a talk accepted at the RSA Conference in February 2014, co-presenting with David Severski:
10 Dimensions of Security Performance for Agility & Rapid Learning
2/26/2014, 10:40 AM - 11:00 AM
Abstract: Information security is an innovation arms race. We need agility and rapid learning to stay ahead of adversaries. In this presentation, you'll learn about a Balanced Scorecard method called the Ten Dimensions of Cyber Security Performance. Case studies will show how this approach can dramatically improve organizational learning and agility, and also help get buy-in from managers and executives.
This is a 20 minute time slot, and there's no way that I can compress my 60 minute or 45 minute versions of "Ten Dimensions" into such a short time.  Therefore, David and I are going to cook up an extended "trailer" that conveys the basic idea of double loop learning in practice (David is doing some neat stuff that we'll try to "fly through").  In parallel, I hope to have some videos, webinar, or other media that people can go to in order to get a proper introduction and survey.

Also, I've proposed a peer-to-peer session at RSA on a related theme: "Building a Quantitative Evidence-based Security & Risk Management Program".  I should hear later in November whether it's been accepted.  It will be an hour long session and I will only be facilitating, but it should be a good time for Q&A, sharing insights, etc.

Finally, I'll be presenting a SIRA webinar "Big 'R' Risk Management - from concept to pilot implementation".  This is basically the same talk I gave at SIRAcon, but some people couldn't attend that session (we had parallel tracks) and many people couldn't attend SIRAcon at all.  I think it'll be in December, but there isn't a date set yet.

I've got some good blog posts in the works, including Game Theory Meets Risk Analysis, several more Shades of Black Swans, a review of RIPE, some philosophy, and others.   Thanks for reading and thanks for your comments, both here and in other media.


One more bit of good news from a completely different domain: the book Chasing Chariots is coming soon!  It includes most of the papers presented at the First International Chariot Conference held in Cairo in December 2012.  The evolution of technology in the Late Bronze Age became a strong interest (a.k.a. compulsion) of mine a couple of years ago, with particular focus on the so-called "first revolution in military affairs" -- the war chariot.  Beyond just curiosity, I'd like to do some serious research in this area, but short of getting a second PhD, the only way it's going to happen is if I can find some collaborators (after I graduate!).

Periodically, I'll post some war chariot stuff here.  Bruce S. has his squids;  I have my war chariots.