Tag Archives: smb

Does trust scale?

In an age where scale is king, where government-sanctioned pension defaults occur, where executive compensation and line-worker pay disparities continue to grow, and where people will shed trust for a few moments of attention, what does trust mean to us? Is there a limit to how large a business can grow and still be trusted, both internally (employee to business) and externally (business to customer)?

Many, if not most, of our information systems rely on trust. Prime examples are banking systems, healthcare systems, and Industrial Control Systems (ICS). We expect banking and healthcare systems to have technical protections in place to keep our information from ‘getting out’. We expect that the people who operate these systems won’t reveal our data or the secrets and mechanisms that protect them.

Similarly, critical infrastructure ICS, such as power generation and distribution systems, must deliver essential services to the public, government, and businesses. To prevent misuse, whether from ignorance or malicious intent, they must do so without revealing to all how it is done. Again, we expect there to be sufficient protective technologies in place and trusted people who, in turn, protect these systems.

The problem is that I’m not sure that trust scales at the same rate as other aspects of the business.

British anthropologist Robin Dunbar’s research suggests that the maximum number of stable relationships a person can maintain is in the ballpark of 150. Beyond that number, the ability to recognize faces, trust others in the organization, and other attributes of a stable group begin to roll off.

Exacerbating this numerical analysis are the recent phenomena mentioned above of pension defaults, unprecedented compensation disparities, and selling trust for attention. We don’t trust our employers like we used to. That idealized 1950’s corporate loyalty image is simply not there.

No data centers for trust

So as critical information systems such as healthcare, banking, and ICS scale up to improve efficiency and profit margins, and those systems require trust that does not scale with them, what does that mean?

It means there is a gap. There are no data centers for trust amongst people. The popular business model implies that trust scales as the business scales, but trust doesn’t scale that way, and then we’re surprised when things go awry.

I think it’s reasonable to assert that in an environment of diminishing trust in business and corporations (society today), the likelihood goes up of one or more constituents violating that trust and possibly disclosing data or the secrets of the mechanisms that protect that data.

Can we fix it?

I don’t think so. It’s a pleasant thought and it’s tidy math, but it’s just that — pleasant and tidy and not real. However, the next best thing is to recognize and acknowledge this. Recognize and plan for the fact that the average trust level across 100 large businesses is probably measurably less than the average trust level across 100 small businesses.

With globalization and mingling of nationalities in a single business entity, there is talk of misplaced loyalties as a source of “insider threat” or other trust leakage or violation. That may be, but I don’t know that it’s worse than the changes in perception of loyalty in any one country stemming from changes in trust perception over the past couple of decades.

So what do we do — Resilience

It gets back to resilience. If we scale beyond a certain point, we’re going to incur more risk — so plan for it. Set aside resources to respond to data breach costs, reputation damage, and other unpleasantness. Or plan to stop scaling fairly early on. Businesses that choose this route are probably fairly atypical, but not unheard of.

We can’t control what happens to us, but we can plan for a little more arbitrariness and a few more surprises. This doesn’t mean the check is in the mail, but it increases the likelihood that our business can make it to another day.

Good cybersecurity advice to SMB’s from California AG


Kamala Harris, Attorney General, California Department of Justice

Kamala Harris, Attorney General of California, has posted some pretty good cybersecurity advice for small and medium sized businesses (SMB’s) in that state.

California has 3.5 million small businesses, which represent 99% of all employers in the state. The report states that 98% of California SMB’s use wireless technology of some sort, 85% use smartphones, 67% use websites, 41% are on Facebook, and 36% use LinkedIn. I would speculate that other states, while not as large, probably have similar percentages of technology use.

The document covers social engineering scams, network attacks, physical attacks, and mobile attacks as threats to SMB’s in that state, and provides overviews of data protection and encryption, access control, incident response, and authentication mechanisms.


The core tenets espoused by the document are:

  1. Assume you’re a target
  2. Lead by example
  3. Map your data
  4. Encrypt your data
  5. Bank securely
  6. Defend yourself
  7. Educate employees
  8. Be password wise
  9. Operate securely
  10. Plan for the worst

This document does a great job of providing an overview of cybersecurity issues and initial effort prioritization for SMB’s. It would be great to see other states follow California’s lead.

Chuck Benson’s Information Risk Management Video Lectures

My lectures on Information Risk Management are on deck again this week in the University of Washington & Coursera course Building an Information Risk Management Toolkit.

(Use the link above, click on Video Lectures on the left, and then go to Week 9. The video “Bounded Rationality” is a good place to start. You just need an e-mail address and password to create a Coursera account if you don’t have one.)


Slide from lectures — Building an Information Risk Management Toolkit


Corporations better than government for your data ? (!!??!!)


Hudson concurs with Ripley’s proposal

Do you remember, in the movie Aliens, Hudson’s (played by Bill Paxton) enthusiastic concurrence with Ripley’s (Sigourney Weaver) proposal, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure”? I have similar enthusiasm for the point of this Guardian article: why in the world are we thinking that leaving our private data with megacorporations instead of with the government is better? I’m not advocating giving it to the government, but I don’t understand all of the excitement about why leaving it with arguably less transparent corporations is better.


We need to be careful to not throw the baby out with the bath water.


Automation — another long tail


Descending frequency of different tasks moving left to right — and the who and what performs these tasks

Jason Kingdon illustrates what types of tasks are done by different parts of an organization and argues that more use can be made of “Software Robots” to handle the many different types of tasks that occur with low frequency, i.e. in the long tail stretching out to the right. (Each particular type of task in this region occurs with low frequency, but there are many such task types.)

The chart shows how often particular tasks are carried out, ranked in descending order left to right, and who (or what) does the task — an organization’s core IT group, its support IT group, or end users.

  • Core IT has taken on tasks such as payroll, accounting, finance, and HR
  • Support IT has taken on roles such as CRM systems, business analytics, web support, and process management
  • People still staff call centers to work with customers, and people are still used to correct errors, handle invoices, and monitor regulation/compliance implementation.

Kingdon says that Software Robots mimic humans and work via the same interfaces that humans do, which he argues makes them forever compatible: they don’t work at some deeper abstracted systems logic, but rather via the same interface as people. Software Robots are trained, not programmed, and they work in teams to solve problems.

I think there is something to this and look forward to hearing more.

Password usage seems to follow Zipf distribution

Like word frequencies and company sizes, the frequency of use of particular passwords seems to follow a Zipf (power law) distribution. That is, a lot of people pick from a small common pool of passwords, and the number of people using any particular password drops off quickly once you step away from that common pool.

Mark Burnett’s research shows that, of a list of 10,000 ranked passwords:

  • 91% of users have a password from the top 1,000 passwords
  • 79% of users have a password from the top 500 passwords
  • 40% of users have a password from the top 100 passwords

BTW, almost 5% of all users have the password, ‘password’.

List of top passwords here.  Heads up — there’s some colorful language in play here for popular passwords.
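To make the head-heavy shape concrete, here is an added example (not Burnett’s data or code) that builds a constructed rank-frequency table following a Zipf law, checks that the top-k coverage really does saturate quickly, recovers the exponent from a log-log fit, and answers the question an attacker actually cares about: how many guesses per account are needed to compromise a given share of users. The exponent, rank count and population are assumed values chosen for illustration.

```python
"""Zipf-shaped password frequencies: top-k coverage and online-guessing budget.

Added example; the rank-frequency table is constructed from an assumed Zipf
law, not taken from any real password corpus.
"""
import math
from typing import List


def zipf_frequencies(n_ranks: int, exponent: float, population: int) -> List[float]:
    """Expected number of users per password rank under f(r) ∝ 1 / r**exponent.

    Returns floats (expected counts) rather than rounded integers so the
    distribution is exact; the values sum to `population`.
    """
    weights = [1.0 / (r ** exponent) for r in range(1, n_ranks + 1)]
    total = sum(weights)
    return [population * w / total for w in weights]


def coverage(freqs: List[float], k: int) -> float:
    """Fraction of users whose password lies in the top-k ranks."""
    return sum(freqs[:k]) / sum(freqs)


def fit_exponent(freqs: List[float]) -> float:
    """Estimate the Zipf exponent s as minus the least-squares slope of
    log(frequency) against log(rank). For a true Zipf law this is exact."""
    xs, ys = [], []
    for rank, f in enumerate(freqs, start=1):
        if f > 0:  # log is undefined for empty ranks
            xs.append(math.log(rank))
            ys.append(math.log(f))
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return -sxy / sxx


def guesses_for_coverage(freqs: List[float], target: float) -> int:
    """Smallest number of top-ranked guesses per account that an online
    attacker needs to compromise at least `target` fraction of accounts
    (assuming every account gets the same ordered guess list)."""
    total = sum(freqs)
    running = 0.0
    for k, f in enumerate(freqs, start=1):
        running += f
        if running / total >= target:
            return k
    return len(freqs)


if __name__ == "__main__":
    # Assumed parameters: 10,000 distinct passwords, exponent 1.0, 100,000 users.
    table = zipf_frequencies(n_ranks=10_000, exponent=1.0, population=100_000)
    for k in (100, 500, 1_000):
        print(f"top {k:>5} passwords cover {coverage(table, k):.1%} of users")
    print(f"fitted exponent: {fit_exponent(table):.3f}")
    # Five failed attempts before lockout is a common policy; how far does it get?
    print(f"5 guesses/account cover {coverage(table, 5):.1%} of users")
    print(f"guesses/account for 50% coverage: {guesses_for_coverage(table, 0.5)}")
```

With exponent 1.0 the constructed table is less head-heavy than Burnett’s list (about 53% of users in the top 100 rather than 40%, about 76% in the top 1,000 rather than 91%), but the practical point is the same: a handful of guesses per account against a whole user base already captures a meaningful fraction of users, which is why lockout thresholds and blocklists of the common pool matter more than password-complexity rules.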

Most SMB’s don’t consider cyberattack a substantial risk to their business

Ponemon Institute has released its Risk of an Uncertain Security Strategy study. It surveyed over 2,000 IT professionals overseeing the security role in their respective organizations. The study identified seven risks that follow from uncertainty in security strategy:

1. Cyber attacks go undetected
2. Data breach root causes are not determined
3. Intelligence to stop exploits is not actionable
4. Cybersecurity is not a priority
5. Weak business case for investing in cyber security
6. Mobility and BYOD security ambiguity
7. Financial impact of cyber crime is unknown

Most respondents believe that compliance efforts did not enhance security posture (the survey asked whether they agree that “compliance standards do not lead to a stronger security posture”).

Types of attacks that respondents reported are summarized in the study’s chart.
Notably, 31% of respondents said that no one person or role was in charge of establishing security priorities. 58% said that management does not see cybersecurity as a significant risk. Finally, the study also indicated that the further up the organization’s hierarchy a respondent sat, the more distant they were from understanding the organization’s cyber risk and related strategy. While not surprising, this is discouraging.

I keep getting back to the idea of force protection that the military had to develop 30 years ago. In response to world events, including attacks on bases and personnel, the military realized that it needed to explicitly move resources, funds, and capacity away from the operational (pointy) end and use them to protect and resource the rear if it was to be survivable and sustainable. Over time, I think the market will bear this out for most SMB’s too. That is, I believe that the businesses that have been successful over several years will tend to be the ones that made some investment in cybersecurity and resilience, and that the businesses that disappear after a short time will correlate strongly with those that did not invest in resilience.

Even though these conclusions might be fairly obvious, it’s not going to be pretty to watch.