
August 07, 2007


Russell C. Thomas

Thanks for pointing me to John Boyd's work and OODA. I actually came across that model years ago but lost the pointer. Similar models have been developed in other fields, such as cognitive science and quality management ("Plan-do-check-act"). What's great about Boyd is that he has put this in both a strategic and tactical framework in the context of conflict or competition. Not enough security managers and executives think this way.

As a rather glaring example, consider the congressional testimony of the DHS CIO Scott Charbo (press coverage: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025420&pageNumber=1; testimony web cast: http://boss.streamos.com/wmedia/homeland/chs/cyberjune.wvx). From the CW article: "Other committee members grilled Charbo on his awareness of previous computer intrusions at other federal agencies by Chinese hackers, and asked him why he had failed to solicit detailed information on the attacks from US-CERT and intelligence agencies." It was clear that DHS did not have systematic organization learning activities or metrics. If I recall the web cast correctly, Charbo admitted "We don't know what we don't know".

Sadly, they are not alone. The same could probably be said for most organizations, and it provides a prima facie case for organization learning in information security management.

Russell C. Thomas

The "puzzles vs. mysteries" idea came from this article: http://www.smithsonianmagazine.com/issues/2007/june/presence-puzzle.php

My presentation "Security Meta Metrics" will be posted here: http://meritology.com/resources/index.htm

John S. Quarterman

Personally, I think the Chinese should be embarrassed at going after such a soft target as the U.S. government:


Social engineering worked for Kevin Mitnick, and it still works for anybody who wants to attack the U.S. government; no actual technical skills required.

Meanwhile, DHS mandated a single operating system, so who would expect such a department to be concerned about security?


