Page 1

Mind the Gap

Stewart Kowalski ([email protected]) Department of Information Security and Communication Technology

«Mind the gap between them and the “Norwegian” digital platforms»

Page 2

Overview

• A socio-technical security perspective of the “cyber” security situations for individuals, organizations, nations and societies.

• Some of the ongoing work at NTNU-Gjøvik to frame the discussion to help create adequate and fit-for-purpose cyber security for Norway, the Nordic countries and beyond.

Page 3

Centre for Cyber and Information Security (CCIS)

• Information Security and Privacy Management

• Cyber Defence

• Critical Infrastructure Security and Resilience

• e-Health and Welfare Security

• NTNU Digital Forensics Group

• Norwegian Biometrics Laboratory

Page 4

Department of Information Security and Communication Technology (IIK)

● 80 employees in Gjøvik and Trondheim

● Research laboratories in dependability and performance, biometrics, cyber defence, forensics, intelligent transport systems, Internet of Things, information security management, critical infrastructure, cryptography, malware, e-health and welfare

● 1 bachelor's (60), 2 master's (60+20), 1 siv.ing. (45) (45) and 2 PhD programmes

● Research projects: EU H2020 (5), EU FP7 (4), EU Cost (1), EDA (1), NFR FME (1), NFR IKT+ (4), NFR ENERGIX (1), NFR BIA (2), NFR Forskerskole (1), NFR NæringsPhD (1), RFF (4)

Volume approx. 40 MNOK (45% of the budget)

● Host department for NTNU's Center for Cyber and Information Security

● Academic conferences, the Cyber Symposium, SikkertNOK, Sikkerhetstoppmøtet

Page 5

Cyberforsvaret, Telenor, Eidsiva, Eidsiva Bredbånd, IKOMM, Combitech AS, Høgskolen i Innlandet, Evry Buypass, Helsenødnettsdriftsorganisasjon, NorSIS, NTNU, Sivilforsvaret Starum, Nammo, Norsk Tipping, Innlandet Politidistrikt, Geno, Oppland Fylkeskommune

Page 7

Cyber Security Skill Shortage

“A 2015 report from Cisco puts the global figure at one million cybersecurity job openings. Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million, says Michael Brown, CEO at Symantec, the world’s largest security software vendor.”

https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#764a33b27ea2

https://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf

[Figure: Demand and education output over time, 2000 to 2019, with the gap between demand and output]

Page 8

https://www.cio.com/article/3060813/it-skills-training/top-u-s-universities-failing-at-cybersecurity-education.html

Page 10

The Problem (Technological Determinism vs Socio-Constructivism)

https://www.youtube.com/watch?v=uOrG6jfBzEU

The School of Athens

Page 11

The Problem: Learning how to think about secure computers and technology and learning how to work with computers and technology

https://oldplay.dsv.su.se/hypercaster/3762/width=640/height=360/link.js

Teach them coding and encryption first.

Teach them to think about secure systems first.

Page 12

All the world (including Norway!) is made of faith, trust and pixie dust by either well educated or poorly educated socio-technical systems designers

Page 13

[Figure: Demand and education output, with the gap between demand and output in 2019 marked “?”]

Page 14

PROBLEM 1

“IKT” research funding, development, adoption and implementation is driven to a large extent by “hype”, and security issues and other constraints are neither thought about nor taught correctly!

Page 15

EXAMPLE: GARTNER'S SECURITY HYPE CURVES 2003

Page 16

PROBLEM 1

Research and development, adoption and implementation is driven to a large extent by “hype”, and security issues and other constraints are neither thought about nor taught correctly!

Do you want to buy a parachute?

What??? We need to make this thing as light as possible!

Page 17

PROBLEM 1

ICT research and development, adoption and implementation is driven to a large extent by “hype”, and security issues and other constraints are neither thought about nor taught correctly!

http://ca.news.yahoo.com/blogs/good-news/airplane-recovery-parachute-saves-three-lives-connecticut-crash-171749029.html

Page 18

PROBLEM 1

Computer and Media Technology research and development, adoption and implementation is driven to a large extent by “hype”, and security issues and other constraints are neither thought about nor taught correctly!

Page 19

Knowledge for a better world

Information system components:

● Data and information

● Software, applications, services

● Hardware, network, infrastructure

● Humans, users, management

● Organisation, society

Federal Research and Development Strategic Plan

Page 21

!The Problem!

There is always a security GAP (social-technical and socio-technical) with new technology!

Page 22

Why Do We Model

Some like to understand what they believe in.

Others like to believe in what they understand.

(Stanisław Jerzy Lec)

Which one are you?

Naive Mental Models

“engineering vs science”

Page 23

“You continually need to learn to manage yourself and your organization or society efficiently and effectively with incentives and disincentives or you will end up being managed by your enemies or near friends.”

The Information Security Management Group researches and teaches critical thinking in theoretical, empirical, applied and clinical methods and techniques to model, measure and manage (i.e. govern) information security management systems' strengths (security, privacy) and weaknesses (risk) at the individual, organization and nation levels.

Information Security Management and Privacy Group (ISMG)

! Manage or be Managed !

Page 24

The Socio Technical Systems Approach

(PAST)

• Eric Trist and Ken Bamforth etc.

– 1950

– Coal mine

– Three levels

• primary work system

• the whole organization

• macro-social phenomena

Interesting link, but bad sound: https://www.youtube.com/watch?v=OUqtmo8vmz0

Interesting link, 25 minutes: https://www.youtube.com/watch?v=OUqtmo8vmz0

Page 26

Risk Normal from a Socio-Technical (View)

Page 27

Socio-Technical Analysis

1989 USA

Page 28

IMIT 4115

IT Rhetoric for Security and Risk Management

Stewart Kowalski Ph.D

Professor Information Security

[email protected]

Page 29

SikkertNOK at NTNU Campus Gjøvik, October 2016.

Pizza and Panic: 16:00-18:30

The Annual Information Security Management and Privacy Group Cyber Security Ghost Story and Question Competition.

Page 30

Challenge: To Be or Not to Be Secure Enough in Cyber Space

Viking name of the city of York (Jórvík)

http://languagehat.com/atlas-of-true-names/

http://study.com/academy/lesson/alas-poor-yorick-quotes-meaning-lesson-quiz.html

Fake news alert: not verified, but fun!

Page 31

The Challenge

Your task is to tell your fellow cyber-citizens a story about an information or cyber security incident that will get them to stop, be scared, think socio-technical system security and change your fellow cyber citizen to act, feel, and know how to be a good citizen in cyber space! Ref 2

Page 32

5th Place Jórvík beats Oxford and West Point

https://www.youtube.com/watch?v=O-Q-dRw7ngU&feature=youtu.be

Bridge the Gap

Page 33

SikkertNOK at NTNU Campus Gjøvik, XX October 2018.

Pizza and Panic: 16:00-18:30

The Annual Information Security Management and Privacy Group Delta 2 Debate and Question Competition.

Page 34

ο από μηχανής Θεός ή διάβολος (the god from the machine, or the devil)

A Rhetoric's Game: Cyber security by Debate

A Delta2 Debate on “Digital Drivers Licenses” for Norway

Moderator: Mariusz Nowostawski (NTNU)

SikkertNOK 2017

ὁ δὲ ἀνεξέταστος βίος οὐ βιωτὸς ἀνθρώπῳ (“The unexamined life is not worth living”)

Page 35

Why are we here ?

Add value to your education

An Apology ?

ὁ δὲ ἀνεξέταστος βίος οὐ βιωτὸς ἀνθρώπῳ

“The unexamined life is not worth living”

and it might not be worth securing in cyber space.

Page 36

• In the Cyberworld, cyber security, like “fake news”, is a consumable good.

• Definition of: consumable good [1]

A material that is used up and needs continuous replenishment, such as paper and toner. “The low-tech end of the high-tech field!” [1]

[1] http://www.pcmag.com/encyclopedia_term/0,2542,t=consumable&i=40253,00.asp

Apple or Banana Debate

Page 37

Goals of a Delta 2 Debate

• Cyber security, like any other consumable good, has to be marketed, maintained and managed.

• The goal of these debates is to explore how we can collectively market, maintain, and manage the socio-technical systems we call cyber space to be secure “enough”.

• Move from using FUD = Fear, Uncertainty and Doubt

• To RUD = Reason, Uncertainty and Doubt

Page 38

Delta 2 Debate Format

• Flip a coin to decide who will be For/Against the motion (Simon/Stewart)

• Audience votes (For, Against, Undecided, Not a Relevant Motion)

• For 3 minutes

• Against 3 minutes

• 2.33 minutes reflection – Music of the inner spheres

• For cross examination 5 minutes

• Against cross examination 5 minutes; Against 1 minute summary

• 2.00 minutes reflection – Music of the inner spheres

• Against 1 minute closing

• For 1 minute closing

• Audience votes (For, Against, Undecided, Not a Relevant Motion)

Page 39

Motion

Norway should enact a cyber space regulation that requires citizens to pass a digital driver's licence test which indicates both that they have the necessary security competence to operate in the Norwegian .no domain and their digital identity.

Page 40

Is Cyber Security in Norway still a public good?

Public Phone Gone

Possible 2018 Delta 2 Debate

Page 41

!Problem!

Page 42

! Do we have a cyber-academic-industrial complex in Norway? !

In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military industrial complex. The potential for the disastrous rise of misplaced power exists and will persist.

1:37 https://www.youtube.com/watch?v=8y06NSBBRtY

Page 43

Overview

• A socio-technical security perspective of the “cyber” security situations for individuals, organizations, nations and societies.

• Some of the ongoing work at NTNU-Gjøvik to frame the discussion to help create adequate and fit-for-purpose cyber security for Norway, the Nordics and beyond.

Page 44

S. Kowalski, The SBC Model as a Conceptual Framework for Reporting IT Crimes, Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society (1993)

● Cyber security goes far beyond technology and communications

● Understand the consequences of possible incidents for an individual, an organization and a nation

● 100% security is not achievable; we must be able to accept a level of risk

Need knowledge, skills and competence in technology, organization and management.

Page 45

[Figure: “Learn to do” versus “Learn to think” over time, 1976 to 2009, with THE Gap between them]

THE GAP needs to be filled with Socio-Technical Debate

Questions