Mind the Gap
Stewart Kowalski ([email protected]) Department of Information Security and Communication Technology
«Mind the gap between them and the "Norwegian" digital platforms»
Overview
• A socio-technical security perspective on the "cyber" security situations of individuals, organizations, nations and societies.
• Some of the ongoing work at NTNU-Gjøvik to frame the discussion and help create adequate and fit-for-purpose cyber security for Norway, the Nordic countries and beyond.
Centre for Cyber and Information Security (CCIS), groups shown on the slide:
• Information Security and Privacy Management
• Cyber Defence
• Critical Infrastructure Security and Resilience
• e-Health and Welfare Security
• NTNU Digital Forensics Group
• Norwegian Biometrics Laboratory
Department of Information Security and Communication Technology (IIK)
● 80 employees in Gjøvik and Trondheim
● Research laboratories in dependability and performance, biometrics, cyber defence, forensics, intelligent transport systems, Internet of Things, information security management, critical infrastructure, cryptography, malware, e-health and welfare
● 1 bachelor (60), 2 master (60+20), 1 siv.ing. (45) and 2 PhD programmes
● Research projects: EU H2020 (5), EU FP7 (4), EU COST (1), EDA (1), NFR FME (1), NFR IKT+ (4), NFR ENERGIX (1), NFR BIA (2), NFR Forskerskole (1), NFR NæringsPhD (1), RFF (4). Volume approx. 40 MNOK (45% of the budget)
● Host department for NTNU's Center for Cyber and Information Security
● Academic conferences, the Cyber symposium, SikkertNOK, Sikkerhetstoppmøtet
Organizations shown on the slide: Cyberforsvaret, Telenor, Eidsiva, Eidsiva Bredbånd, IKOMM, Combitech AS, Høgskolen i Innlandet, Evry, Buypass, Helsenødnett driftsorganisasjon, NorSIS, NTNU, Sivilforsvaret Starum, Nammo, Norsk Tipping, Innlandet Politidistrikt, Geno, Oppland Fylkeskommune
Cyber Security Skill Shortage
"A 2015 report from Cisco puts the global figure at one million cybersecurity job openings. Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million, says Michael Brown, CEO at Symantec, the world's largest security software vendor."
https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#764a33b27ea2
https://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf
[Chart: demand vs. education output, 2000 to 2019; the difference is the gap]
https://www.cio.com/article/3060813/it-skills-training/top-u-s-universities-failing-at-cybersecurity-education.html
The Problem (Technological Determinism vs Socio-Constructivism)
https://www.youtube.com/watch?v=uOrG6jfBzEU
The School of Athens
The Problem: Learning how to think about secure computers and technology, and learning how to work with computers and technology
https://oldplay.dsv.su.se/hypercaster/3762/width=640/height=360/link.js
"Teach them coding and encryption first." vs. "Teach them to think about secure systems first."
All the world (including Norway!) is made of faith, trust and pixie dust by either well educated or poorly educated socio-technical systems designers.
[Chart: demand vs. education output, gap in 2019: ?]
PROBLEM 1
"IKT" research funding, development, adoption and implementation is driven to a large extent by "hype", and security issues and other constraints are neither thought about nor taught correctly!
EXAMPLE: GARTNER'S SECURITY HYPE CURVES 2003
"Do you want to buy a parachute?" "What??????? We need to make this thing as light as possible!"
PROBLEM 1
ICT research and development, adoption and implementation is driven to a large extent by "hype", and security issues and other constraints are neither thought about nor taught correctly!
http://ca.news.yahoo.com/blogs/good-news/airplane-recovery-parachute-saves-three-lives-connecticut-crash-171749029.html
PROBLEM 1
Computer and Media Technology research and development, adoption and implementation is driven to a large extent by "hype", and security issues and other constraints are neither thought about nor taught correctly!
Knowledge for a better world
Information system components:
● Data and information
● Software, applications, services
● Hardware, network, infrastructure
● Humans, users, management
● Organisation, society
Federal Research and Development Strategic Plan
!The Problem!
There is always a Security GAP (social-technical and socio-technical) with new technology!
Why Do We Model
Some like to understand what they believe in.
Others like to believe in what they understand.
(Stanisław Jerzy Lec)
Which one are you?
Naive Mental Models
"engineering vs science"
"You continually need to learn to manage yourself and your organization or society efficiently and effectively with incentives and disincentives, or you will end up being managed by your enemies or near friends."
The Information Security Management Group researches and teaches critical thinking in theoretical, empirical, applied and clinical methods and techniques to model, measure and manage (i.e. govern) an information security management system's strengths (security, privacy) and weaknesses (risk) at the individual, organization and nation levels.
Information Security Management and Privacy Group (ISMG)
! Manage or be Managed !
The Socio Technical Systems Approach
(PAST) • Eric Trist and Ken Bamforth et al.
– 1950
– Coal mine
– Three levels
• primary work system
• the whole organization
• macro-social phenomena
Interesting link (but bad sound): https://www.youtube.com/watch?v=OUqtmo8vmz0
Interesting link (25 minutes): https://www.youtube.com/watch?v=OUqtmo8vmz0
Risk Normal Form, a Socio-Technical (View)
Socio-Technical Analysis
1989 USA
IMIT 4115
IT Rhetoric for Security and Risk Management
Stewart Kowalski, Ph.D.
Professor, Information Security
SikkertNOK at NTNU Campus Gjøvik, October 2016.
Pizza and Panic: 16:00-18:30
The Annual Information Security Management and Privacy Group Cyber Security Ghost Story and Question Competition.
Challenge: To Be or Not to Be Secure Enough in Cyber Space
Viking name of the city of York (Jórvík)
http://languagehat.com/atlas-of-true-names/
http://study.com/academy/lesson/alas-poor-yorick-quotes-meaning-lesson-quiz.html
Fake news alert: not verified, but fun!
The Challenge
Your task is to tell your fellow cyber-citizens a story about an information or cyber security incident that will get them to stop, be scared, and think about socio-technical system security, and that will change your fellow cyber-citizens to act, feel and know how to be good citizens in cyber space! (Ref 2)
5th Place: Jórvík beats Oxford and West Point
https://www.youtube.com/watch?v=O-Q-dRw7ngU&feature=youtu.be
Bridge the Gap
SikkertNOK at NTNU Campus Gjøvik, XX October 2018.
Pizza and Panic: 16:00-18:30
The Annual Information Security Management and Privacy Group Delta 2 Debate and Question Competition.
The god from the machine, or the devil (ο από μηχανής Θεός ή διάβολος)
A Rhetoric's Game: Cyber Security by Debate
A Delta 2 Debate on "Digital Drivers' Licences for Norway"
Moderator: Mariusz Nowostawski (NTNU)
SikkertNOK 2017
ὁ δὲ ἀνεξέταστος βίος οὐ βιωτὸς ἀνθρώπῳ
Why are we here?
Add value to your education
An Apology?
"The unexamined life is not worth living" (ὁ δὲ ἀνεξέταστος βίος οὐ βιωτὸς ἀνθρώπῳ), and it might not be worth securing in cyber space.
• In the cyber world, cyber security, like "fake news", is a consumable good.
• Definition of consumable good [1]: "A material that is used up and needs continuous replenishment, such as paper and toner. The low-tech end of the high-tech field!"
[1] http://www.pcmag.com/encyclopedia_term/0,2542,t=consumable&i=40253,00.asp
Apple or Banana Debate
Goals of a Delta 2 Debate
• Cyber security, like any other consumable good, has to be marketed, maintained and managed.
• The goal of these debates is to explore how we can collectively market, maintain and manage the socio-technical systems we call cyber space so that they are secure "enough".
• Move from using FUD (Fear, Uncertainty and Doubt)
• to RUD (Reason, Uncertainty and Doubt)
Delta 2 Debate Format
• Flip a coin to decide who will be For/Against the motion (Simon/Stewart)
• Audience votes (For, Against, Undecided, Not a relevant motion)
• For: 3 minutes
• Against: 3 minutes
• 2.33 minutes reflection: "Music of the inner spheres"
• For: cross-examination, 5 minutes
• Against: cross-examination, 5 minutes
• Against: 1 minute summary
• 2.00 minutes reflection: "Music of the inner spheres"
• Against: 1 minute closing
• For: 1 minute closing
• Audience votes (For, Against, Undecided, Not a relevant motion)
Motion
Norway should enact a cyber space regulation that requires citizens to pass a digital driver's licence test which indicates both that they have the necessary security competence to operate in the Norwegian .no domain and their digital identity.
Is Cyber Security in Norway still a public good?
Public Phone Gone
2018 Delta 2 Debate
!Problem!
!Do we have a cyber-academic-industrial complex in Norway?!
"In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military industrial complex. The potential for the disastrous rise of misplaced power exists and will persist."
1:37 https://www.youtube.com/watch?v=8y06NSBBRtY
Overview
• A socio-technical security perspective on the "cyber" security situations of individuals, organizations, nations and societies.
• Some of the ongoing work at NTNU-Gjøvik to frame the discussion and help create adequate and fit-for-purpose cyber security for Norway, the Nordics and beyond.
S. Kowalski, "The SBC Model as a Conceptual Framework for Reporting IT Crimes", Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society (1993)
● Cyber security goes far beyond technology and communications
● Understand the consequences of possible incidents for an individual, an enterprise and a nation
● 100% security is not achievable; we must be able to accept a level of risk
We need knowledge, skills and competence in technology, organisation and management.
[Chart: "Learn to do" vs. "Learn to think" over time, 1976 to 2009: THE Gap]
THE GAP needs to be filled with Socio-Technical Debate
Socio-Technical Debate
Questions