Friday, June 14, 2019

RESET: "Data-driven Security Smashup" will launch in Fall 2019

Big change of plans for the "Data-driven Security Smashup":
We are canceling the live event in Las Vegas, August 3 - 5. 
Instead, we aim to launch one or more Virtual Smashup projects in the Fall of 2019, followed by one or more live events early in 2020, perhaps one in the US and one in UK.

Why?

Basically, we ran out of time as we were trying to organize the event: sponsorship, organizer recruiting and on-boarding, Call for Participation, legal structure, venue.  No fault to anyone.  We started relatively late, and our standards are high.  We didn't want to just throw it together and risk having things fall apart during the event.

Benefits

This new schedule gives us time to do it right, starting with the basics.  For example, we will secure a "fiscal sponsorship" relationship so we have the legal, financial, and operational infrastructure to take donations, manage risk, and to spend money responsibly.

Another "basic" that needs attention is contact and relationship management for all the people who have expressed interest, asked questions, or need responses.  This includes a dedicated website instead of this blog.

The new schedule gives us the lead time to recruit organizers and collaborators in academia, professional associations, industry, independent consultants, and government, both in US and internationally (mostly UK, Europe, Switzerland).

Personally, I'm not disappointed. The core idea is solid.  Lots of interest.  This change also makes room for some of my other priorities (dissertation!).

Stay tuned!

Monday, April 15, 2019

Announcing: Data-driven Security Smashup

Data-driven Security Smashup

A Hackathon + Supercollider of Talent, Ideas, & Resources

Fall 2019 (originally: Las Vegas, NV; Saturday - Monday, August 3-5, 2019)

[updated June 14, 2019, see "RESET..." for more info]
  • Venue: working on it; aiming for UNLV (originally: rented house*, well off the Strip)
  • Timing: just before B-Sides LV/Black Hat/Defcon
  • Organizers: me, Jon Hawkes, plus 2-6 others to be named (interested? Contact me)
  • On-site capacity: 30 - 60 (originally: ~30)
  • Remote/virtual participation? Yes, plus several satellite locations (originally: details TBD)
  • Call for Participation: mid May (originally: coming soon)
  • Call for Sponsorship: mid May (originally: coming soon)
  • Other locations: if this first Smashup goes well, we'd like to 'step-and-repeat' it soon in the EU, UK, Switzerland, elsewhere in the US, and maybe more
  • Updates and news: follow @dds_smashup on Twitter

Summary

The Data-driven Security Smashup (DDS Smashup) is a combination of hackathon and ‘supercollider’ of talent, ideas, and resources, aiming for breakthrough innovations in data-driven cyber security, especially solutions to problems that span domains of people, process, technology, institutions, and culture.  

Sunday, April 14, 2019

Why Is Breakthrough Innovation in Cyber Security So Hard?

Short answer: Innovation activities tend to focus on just a few pieces at a time, treating the problem as a simple one. That doesn't create breakthroughs because the system* is too complicated.
* "system" = technology, information, people, processes, organizations, institutions, economics,...
In The Sciences of the Artificial, Herbert Simon argued that most evolved systems (natural and artificial) are "nearly decomposable" (if not fully decomposable) into units or subsystems that can be studied and understood in isolation. While cyber security is decomposable enough for many purposes, it is my conjecture that it is much less decomposable than we believe or desire.

What this means is that breakthrough innovations will depend on many simultaneous inventions, including ones that cross system levels.

Sunday, March 31, 2019

A 12 Year Quest -- My Story

On a quest, through the desert.
(credit: Assassin's Creed – Origins; Thick Skin Side Quest – Crocodile, Hyena, Vulture Locations)
Last week I started a new job as Principal Modeler for Cyber Risk at Risk Management Solutions (RMS).  This is HUGE, coming after a 12 year quest that was far from easy or certain.

I don't normally post personal stories on this blog (or elsewhere) but today feels like the right time for this particular personal story.  I'm writing this as a way of connecting to my community, many of whom have shared the ups and downs of this journey.  I don't have any big lessons or advice. Even so, some readers may find this story instructive or inspirational, even indirectly.  I hope so.

Caveats: In this post, I don't individually acknowledge and thank all the people who have helped me along the way.  There are so many, so I will do that separately, both in one-on-one communications and in later blog posts.  I'm also going to discipline myself not to write about all the details, all the events, all the feelings along the way.  That would be too long.  My aim is to have a post that is readable and still specific enough to be meaningful.

Even so, it's a long blog post. If this suits you, the story continues below.

Sunday, March 24, 2019

Personal Mission Statement

Dorothy & Co. on a quest to find the Wizard of Oz
(Originally written in 2004, posted in 2006, prior to my entry into Information Security metrics/risk, and prior to my 2010 entry into the PhD program for Computational Social Science.  Then as now, I view InfoSec metrics + risk as the practical domain where this mission will unfold.)

My personal mission is to make value visible in complex organization systems – private sector, public sector, and social sector.

I am on a quest for breakthroughs in our theoretical and practical knowledge regarding the qualitative dynamics of meaning, structure, and value.

I feel this is my duty, responsibility, and calling.

I value individuals and want to enhance their creative thinking abilities.  I value human society, and want to help organizations and society manage the ever-increasing complexity we are creating and living.  I value the world, and want to help us live more gently in our world.  I expect to both increase our knowledge and increase our humility.

I will be an explorer of this uncharted world; a courageously creative thinker; a mid-wife for the ideas and creations that are waiting to be born; a caretaker for the fragile ideas before they are made substantial; an evangelist for a cause; a laborer getting done what needs to get done; a community builder to support the people working in this area and drawing support from them; and a witness – part of the universe looking back on itself.

To fulfill this personal mission statement, I will focus on the journey and the process, and share the fruits with the world along the way.  The material benefits will be used to support my family and me, and to support my personal mission.

I believe this mission will draw on all of my talents, challenge all my capabilities and energies, and require steadfast persistence.  I face uncertainty and risk, and potential failure, disappointment, and delusion.  Knowing all this, I commit myself completely.

Tuesday, December 18, 2018

Does Modern Portfolio Theory (MPT) apply to cyber security risks?

Many months ago, my colleague David Severski asked on Twitter how Modern Portfolio Theory (MPT) does or does not apply to quantified cyber security risk:

I replied that I would blog on this "...soon".  Ha!  Almost four months later.  Well, better late than never.

Short answer: No, MPT doesn't apply.  Read on for explanations.

NOTE: "Cyber security risk" in this article means quantified risk -- probabilistic costs of loss events, or probabilistic total costs of cyber security.  I'm not talking about color-coded risk, categorical risk, or ordinal scores for risk.  I don't ever talk about those, if I can help it.