Cyber Protection of People

The Cyber Protection of People

Cyber protection is about people, not computers
Protection of People is the only purpose of cybersecurity

ARM-LP’s three cyber security competencies are Security of Data, Security of Information, and Security of Systems. One way or another, each of these competencies enhances the venue security of online venues. ARM-LP uses a six-layer model to depict cyber security as it ascends in humanity from the machine (Layer 5) to the user (Layer 0).

This Layer Is…

5 (Machine): The least human aspect of cyber protection, a machine is a fundamentally stupid appliance, entirely reliant on human ingenuity and creativity, that cannot easily (or at all) distinguish between benevolent and malevolent intent.

4 (Inside): The lived experience of an organisation that influences decision-making, esp. with respect to expected conducts and behaviours or important stakeholders. It is the 1st of the two most human aspects of cyber protection.

3 (Impersonal): How does the lived experience of an organisation motivate “inside legislation,” e.g., the policies and procedures used to govern what computer use is acceptable, tolerable, or intolerable?

2 (Social): How does the lived experience of an organisation motivate (or not) the use of online social media?

1 (Systems): How do people use “inbound technology,” e.g., phones, faxes, email, texting, websites, Twitter…

0 (Outside): The 2nd of the two most human aspects of cyber protection, and arguably the most important: the Outside Layer describes or interprets events outside the organisation that influence decision-making, risk identification, and also the identification of opportunities.

Targeted attacks

In this article, venue security means protecting groups of people targeted for attack.

A distinct use of venue security, Domain Intelligence protects online venues rather than physical ones.

Venue security in any context — people on property or cyber security — is subject to sophisticated and commonplace targeted attacks that affect the physical protection of people. In this article, however, targeted attack describes the actions of criminal actors who actively pursue and attack one or more specific groups (“targets”) that affect the data and information people willingly give to the organisations and communities they subscribe to or join.

The cyber protection of people assumes targeted attacks require both some expertise and sufficient resources to target, acquire, and anonymously compromise small business networks. Script kiddies must not escape our consideration.


Information Cyber Security and Risk

Information is data made useful. There is a great deal of information to consider in respect of the risk management cyber security requires. Access to assurance services is important. In this article…

Cyber security means technology, processes, measures and countermeasures used to mitigate the many known risks that come with digital technology use. Cyber security must be, and is, a multidisciplinary body of knowledge.

What is an assurance service?

Useful information is not the same as reliable information. Many people will know many things — the executive directors, the financial managers, the program directors, the facilities managers, the trustees, the volunteers: all have useful information.

What happens if (when!) they don’t share what they know?

Malicious intent isn’t necessary to consider this question. It’s much more likely that none of them really knows what information someone else needs to make an informed decision.

CPA Canada, the national association of Canadian chartered professional accountants, defines assurance service as a service used to enhance…

…the reliability of information through activities such as internal control, internal and comprehensive auditing as well as through external third-party assurance services such as auditing.

Put more simply? The chartered professional accountant who provides assurance services performs these three services:

I. Investigation: Investigates who has what information in an organisation

II. Consulting: Helps determine who can best use the information

III. Verification: Periodically checks back to ensure the information flows correctly

Cyber Risk

In this article, cyber risk describes financial loss, organisational chaos, or reputational damage that results from any information technology failure.

Our risk management considerations must include IT vendors or staff, not rely upon them. Your community is served also by approachable risk management professionals, such as insurance underwriters, independent insurance agents and brokers, and CPAs. As to IT vendors? This is tricky:

Your principal concern is almost certainly a small office computing network. The supply chains common to many, many IT vendors are often much more concerned about enterprise computing than you are. It’s very hard to generalise. Techopedia puts the matter this way:

Enterprise computing is usually seen as a collection of big business software solutions to common problems such as resource management and streamlining processes.

Are there small office computing vendors with access to enterprise computing expertise? I think it likely. Where to find them? I’ve no idea.

There are certainly more professions one might consider but not, I think, in respect of small-to-medium size social enterprises. Is your organisation likely to require routine penetration testing and cyberthreat vector analysis? No. Your risks are more fundamental.


Domain Intelligence

Domain intelligence is an ARM-LP risk intelligence term of art. An attempt to describe the place loss prevention and reputation management intersect, domain intelligence considers three discrete components:

  • Security of Data
  • Security of Information, and
  • Security of Systems

These three segments define how ARM-LP understands cyber security, which does not protect computer systems and networks. Information security does that.

Before we encounter these competencies, though, I want to reiterate precisely what each competency intends to accomplish.

Unplugged Security

Epitaph on a community centre’s tombstone:
I don’t know what to say
I don’t know what to speak
My MBA is from Good Ole Ivy
They never taught me Geek

Domain intelligence is based on Security of Venue, an ARM-LP philosophy of use with respect to vandalism. Security of Venue is a type of physical security: it protects buildings, monuments, and other meaningful places. Domain intelligence is a type of digital security. It protects digital venues: websites, intranets and social media.

It’s simply not true that cyber security is about computers.

ARM-LP does not usually consider “cyber crime.” We are here concerned about the criminal use of a computer. If I use a hammer to commit assault, is it a “hammer crime”?

One particular phrase, or variations of it, is very important in ARM-LP: the communities we serve. Organisations and the markets they compete in are communities. Communities are people. People use computers. Criminals are people.

Criminals are people.

We all know what trolls are, but I prefer to use English: these people are delinquents, and though we commonly consider delinquents to be juveniles who tend to petty criminal behaviours, it’s not really so, at least with respect to the criminal use of computers. A report by the United Kingdom’s National Crime Agency states that juveniles definitely commit these crimes, and that they are trained by adults. This question occurs to me:

How do we differentiate the juvenile delinquents from the adult delinquents?

According to a news report from the BBC, “… hackers and cyber-criminals hitting the headlines aren’t doing anything magical.” The average age of those arrested for malicious hacking? Seventeen.

This answer occurs to me:

We can’t differentiate the juvenile delinquents from the adult delinquents. The best we can do is differentiate the intent, and I don’t think that’s good enough.

Moral Obligations

This paper concerns moral obligations with respect to exporting Canadian digital technology used by “oppressive” regimes with poor human rights records. 

Two Types of Immaturity

An Obligation To Control Markets

Does Netsweeper have an obligation to control or eliminate the distribution of its technology in some circumstances? Yes, replies Ron Deibert, the director of Citizen Lab at University of Toronto’s Munk School.

The Right To Expand Markets

“Bullshit” is Perry Roach’s reply to the Canadian Broadcasting Corporation, when it asked him about Citizen Lab’s criticism. Roach’s response is immature.

So is Citizen Lab’s perspective.

“Immature,” however, does not mean incorrect. Both immature responses have my sympathy, one more than the other.

 Absurdities: What Is Legal vs What Is Moral

It’s absurd for Netsweeper to assert its legality. To ask legal counsel to assert that the company “cannot prevent an end-user from manually overriding its software” is ridiculous: we all know this. Software can be re-imagined because it can be reverse engineered. We used to call this “hacking” when I was in school.

It’s absurd for Citizen Lab to assert that human rights are a universal imperative. Human rights are a western first world standard not welcome, to different degrees, by other nations. Ron Deibert, Citizen Lab’s director, is a trained critical thinker. So am I, and I’m amused:

A left-libertarian technorat, who normally vilifies cultural appropriation, wants the post-colonial world to endorse western standards on human rights.

Does he understand the irony of his position? I wonder.

Yet Citizen Lab has begun an important conversation, I applaud them, and Netsweeper’s replies to date lack sobriety (in the Canadian sense of “sober, second thought”).

Marketing & Morality

I commend Netsweeper to rethink its replies to command my respect. I do not need to agree with Netsweeper to respect them.

I certainly respect Citizen Lab. I certainly disagree with them.

I’ve had an interesting life. I’ve done many things, I’ve accomplished a few, my spiritual life is rich, and among the many things I’ve done two stand out: marketing and morality. This May I celebrate my 41st year as a marketer and also my 18th year as a religious educator. I suppose that makes me both a marketer and a moralist.

Marketers and moralists view boundaries differently. Marketers hate boundaries when these impose economic barriers to entry. Moralists appreciate boundaries — but honest moralists understand that boundaries must sometimes be either stretched or re-shaped. An honest moralist? Social conservatives and social progressives can agree on this, if nothing else: the modern idea of society tends to leave the traditional idea of morality behind.

Netsweeper is not immoral. Profit is not immoral. The use of technology to deny “human rights” is not immoral — only a philosopher thinks human rights is a moral issue; it isn’t:

Human rights is the noble lie of the secular nation-state and its social system. Human rights is the greatest noble lie western society tells.

The noble lie of traditional society is based on human obligations, not human rights. Interpersonal relationships breed mutual aid, what Stephen Covey, I think, calls interdependence in The 7 Habits of Highly Effective People.

The noble lie of human obligations is more truthful.