Archive for May, 2006
Got Game (Theory)?
According to Fast Company, No one actually uses Game Theory in business.
Adopting our usual rigorous methodology, we set the following parameters. To count, an example must:
1. be an actual business situation where somebody used the insights of game theory;
2. have occurred within the past five years; and
3. involve real, live, actual companies — not governments, nonprofit organizations, or Russell Crowe.

First, we scoured the literature. We selected a relevant portfolio of 40 publications and submitted our queries. We tried again. And again. And we found . . . nothing. There were plenty of mentions of government spectrum auctions, and A Beautiful Mind came up hundreds of times. Not quite what we had in mind.
Personally, I use the concepts of Game Theory all the time in my day-to-day work, although maybe not in the ways that the Fast Company team are looking for.
I use the concepts, I just don’t (usually) brag about them. They are tools that I use to solve the problem of managing risk, not an end unto themselves.
I don’t wake up in the morning, look around me, and think, Today, I’m going to use Game Theory any more than I wake up and think, Today, I’m going to use Excel. If I need to build a cost model, I use Excel. If I need to predict expected outcomes, I’ll probably apply the lessons of Game Theory.
Also, I don’t necessarily use them in the big-picture sort of way that the Fast Company writers defined to make their idea into a story. But, to quote my Game Theory professor, “He who makes the rules, wins the game.”
Concepts like the Prisoner’s Dilemma and Nash Equilibria figure into my work life with some frequency as I attempt to balance competing and contradictory interests to everyone’s satisfaction, then convince them that’s really the case.
And, reaching a bit, I’ve even been known to use Finite Automata when I develop processes and workflow.
How about the rest of you? How many of you are using the concepts you learned in game theory and had forgotten that’s what they were called?
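Since the Prisoner’s Dilemma and Nash equilibria come up above, here is a small worked example of what “predicting expected outcomes” with those tools looks like in code. It is added here and is not from the original post: a pure-strategy Nash equilibrium finder for any two-player bimatrix game, run against the textbook Prisoner’s Dilemma and a Stag Hunt. The payoff numbers are the standard textbook ones, and the strategy names are the usual labels, not anything from the post.

```python
from itertools import product

# Constructed textbook games (not from the original post). Each cell holds
# (row player's payoff, column player's payoff); higher is better.
# Strategy index 0 / 1 maps onto the names in "strategies".
PRISONERS_DILEMMA = {
    "strategies": ("Cooperate", "Defect"),
    "payoffs": [
        [(3, 3), (0, 5)],   # row cooperates
        [(5, 0), (1, 1)],   # row defects
    ],
}

STAG_HUNT = {
    "strategies": ("Stag", "Hare"),
    "payoffs": [
        [(4, 4), (0, 3)],   # row hunts stag
        [(3, 0), (2, 2)],   # row hunts hare
    ],
}


def best_responses(payoffs, player):
    """Cells where `player` (0 = row, 1 = column) cannot gain by switching
    strategy unilaterally while the other player stays put."""
    n_rows, n_cols = len(payoffs), len(payoffs[0])
    cells = set()
    for r, c in product(range(n_rows), range(n_cols)):
        own = payoffs[r][c][player]
        if player == 0:
            alternatives = [payoffs[r2][c][0] for r2 in range(n_rows)]
        else:
            alternatives = [payoffs[r][c2][1] for c2 in range(n_cols)]
        if own >= max(alternatives):
            cells.add((r, c))
    return cells


def pure_nash_equilibria(payoffs):
    """A pure-strategy Nash equilibrium is a cell that is a best response
    for both players at once."""
    return sorted(best_responses(payoffs, 0) & best_responses(payoffs, 1))


def pareto_dominated(payoffs, cell):
    """True if some other cell leaves both players at least as well off and
    at least one strictly better. This is what makes the PD a dilemma."""
    r, c = cell
    a, b = payoffs[r][c]
    for r2, c2 in product(range(len(payoffs)), range(len(payoffs[0]))):
        a2, b2 = payoffs[r2][c2]
        if (a2, b2) != (a, b) and a2 >= a and b2 >= b:
            return True
    return False


def analyze(game):
    """Name each equilibrium and flag whether the players are collectively
    stuck somewhere worse than an available alternative."""
    names = game["strategies"]
    payoffs = game["payoffs"]
    return [
        {
            "profile": (names[r], names[c]),
            "payoff": payoffs[r][c],
            "pareto_dominated": pareto_dominated(payoffs, (r, c)),
        }
        for r, c in pure_nash_equilibria(payoffs)
    ]


if __name__ == "__main__":
    for game in (PRISONERS_DILEMMA, STAG_HUNT):
        for result in analyze(game):
            print(result)
```

The Prisoner’s Dilemma yields a single equilibrium, (Defect, Defect), that both players would happily trade for (Cooperate, Cooperate) if either could trust the other; the Stag Hunt yields two, which is the “he who makes the rules, wins the game” case: whoever sets expectations decides which equilibrium everyone lands on.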
Posted in Security and Risk Management | 3 Comments »
Risk in one little package
Wired News has an article, Tales from Packaging Hell, which raises several interesting points.
From Psyclone electronics cables encased in impenetrable layers of thick plastic to DigiPower camera batteries coated with packaging several times the size of the item itself, the hardest part of buying electronics these days is opening the products when you get them home. In many cases, it makes solving Halo 2 seem like a kindergarten project.
The bottom line is the bottom line. Retailers demand the hard-to-open packaging to avoid “shrinkage,” or shoplifting, a problem that cost U.S. stores more than $10 billion a year or $25 million a day, according to statistics from the National Association for Shoplifting Prevention. They also want the item to be visible to customers and capable of withstanding the rigors of long-distance shipping from manufacturing plants in Asia.
“In a nutshell, it is pretty much all about retail theft,” says Mary Ann Falkman, editor-in-chief of Packaging Digest, a trade publication.
It’s a trade-off. Retailers choose availability (difficulty to steal) and integrity (ability to resist damage in shipment) since those are the threats from which they must absorb the economic impact, and tough packaging effectively mitigates those threats.
I once bought a Belkin KVM whose packaging I’m pretty sure is classified as an anti-personnel munition. When I sliced my finger open trying to get it out of that packaging (I still have the scar), it was an externality to everyone on the supplier side of the transaction. I had to accept that cost.
Actually, I transferred the cost onto my employer, because they bore the cost of lost productivity due to my slow typing for a few days. But either way, it was an externality to both Belkin and CompUSA since they didn’t have to pay for so much as a band-aid.
And I got off lucky.
Anecdotally, though, emergency room doctors say they’re slammed the week after Christmas with such injuries and see them regularly all year. Dr. Christian Arbelaez, a Boston-area ER physician, sees about a case a week, some as serious as tendon and nerve damage that require orthopedic surgeons to repair.
“I would definitely like to tell (manufacturers) that serious hand injuries are occurring because of this packaging,” said Arbelaez, a member of the Trauma Care and Injury Control National Committee of American College of Emergency Physicians.
There’s got to be more to it than the story presents, however, because at the end it talks about how retailers are trying to move away from this packaging.
Many manufacturers are beginning to tune into the problem. MP3 player maker iriver recently switched to paper boxes for its top-end offerings. Energizer started packaging its batteries with slits in the back of the clamshell to give customers a point of entry. Monster Cable is already a leader in easy-to-open packages — for years it has encased its cables in plastic containers bolted together with rivets at the corners that are simple to pull apart. The company says its upcoming next generation of packages will be even easier.
So consider the parties involved, their individual (and often conflicting) risk priorities, and let’s try to find the imbalance.
1) Retailers want low theft rates and undamaged merchandise. Insanely-difficult-to-open packaging largely mitigates both their risks.
2) Manufacturers want low production costs and undamaged merchandise, since they may eat those costs through RMAs, depending on the agreement. Packaging probably mitigates this risk very effectively.
3) Thieves need easy-to-open packages so they can get their hot little hands on some hot little goods without paying for them.
4) Consumers want low purchase costs and easier-to-open packages. The packaging aligns with the cost goal (assuming it reduces shrinkage), but does so in direct opposition to the goal of being able to start playing with our new toy within seconds of getting it home. I can’t speak for the vast mass of consumers, but I don’t know that the packaging has ever actually changed my purchase decision. Price, on the other hand, impacts my decisions (especially on the sort of goodies that come in blister packs) almost every time.
So why the change?
1) Thieves have adapted to blister packs effectively enough that they no longer mitigate the risk of theft. This mostly would consist of bringing an X-Acto knife, razor blade, or small scissors to the store. (highly likely–criminals are both determined and resourceful)
2) Consumers have begun forcing retailers to internalize the cost of packaging injuries, probably through lawsuits. Even if this is the case, I can’t see this driving a change in packaging, both because of the economic leverage ($25 million/day would need a LOT of lawsuits to offset that cost) and because I don’t think many retailers are well-coordinated enough internally to bring all the necessary data and decision makers together to cause a deliberate change. (conspiracy-theory-low likelihood)
3) I’m not a “normal” consumer, and people are not buying things because of the packaging. Given that there is generally *not* a less-protectively-packaged competing good (or, if there is, they’ve all been stolen), I put this at low likelihood as well.
I’m going with option #1–blister packs are a universally-despised, sometimes-dangerous countermeasure which no longer effectively mitigates the risk of theft.
Posted in Security and Risk Management, Risk Management | No Comments »
Arming ourselves into collapse
I’m surprised John Robb hasn’t posted this over on Global Guerillas yet, since it provides a great comparison of the US military’s top-down transformation to the Open Source warfare model practiced by the Iraqi insurgency.
From the Popular Science article, “Winning–and Losing–the First Wired War.”
Compare the United States:
Even in the supposedly wired 4ID, it can take years for frontline soldiers to benefit from the technologies that high-ranking officers quickly take for granted. The finicky, incompatible equipment that’s given to the infantrymen and tank drivers in Charlie Company—the guys who are spending this cold, wet February night on the front—is primitive in comparison with the gear at the sprawling military base outside of Balad, where battalion-level commanders oversee the 300 troops in Charlie and three other companies. There, things are beginning to work like the network-centric theorists predicted, with drone video feeds and sensor data and situation reports flying in constantly. But to the guys in Charlie Company, this technological wizardry and the Pentagon’s futuristic hypotheses seem awfully far away.
There is a simple, but significant, reason why: Bringing frontline infantrymen into the network isn’t as easy as wiring up a headquarters. Battlefield gear has to be wireless, durable, secure, and completely effortless to use in the chaos of combat. The network is slowly expanding to meet the grunts. But the Department of Defense’s lumbering process for buying new equipment still virtually ensures that ground-level soldiers won’t be linked-in until early next decade. “The fog, friction and uncertainty of war are still there, same as always,” says retired Marine Col. T.X. Hammes, considered one of the leading authorities on counterinsurgency. “This net-centricity helps some, but it only goes as far as the battalion [the command echelon above the companies that do the actual fighting]. After that, these guys are on their own.”
to the insurgents:
It’s at this point, just beyond the edge of the American network, where the guerrillas are best connected. Using disposable cellphones, anonymous e-mail addresses at public Internet cafés, and “lessons learned” Web sites that rival Cavnet, disparate guerrilla groups coordinate attacks, share tactics, hire bomb makers, and draw in fresh recruits. It’s an ad hoc, constantly changing web of connections, so it’s hard for U.S. spooks to know where to listen in next. It also lets the insurgents keep a loose command structure, without much hierarchy—just like the network-centric theorists call for. Even if their communications are compromised, only a small cell is exposed, not the entire insurgency. “They’re more effectively networked than we are,” says Hammes, the guerrilla-war expert. “They have a worldwide, secure communications network. And all it cost them was two dinars.”
There’s a certain irony to the fact that even a project intended to let the military operate in “Internet time” ultimately can only move at the speed of the military’s own procurement and program management offices.
Fortunately, the troops themselves are a little more enterprising:
To compensate, some American soldiers are buying their own gear: $50 Motorola walkie-talkies, so they can talk to their squad mates; $160 Garmin GPS receivers to make up for FBCB2’s gaps. It’s quicker than waiting for the wheels of the Pentagon bureaucracy to turn.
What it comes down to is that Command & Control structures which were once too expensive for anyone but national governments can now be built ad-hoc and on-the-cheap. This has significant implications for any state actor which assumes they can exert control based on some monopoly of information.
This is similar to the imbalance in productivity and force effectiveness that eventually caused the Soviet Union to arm itself into collapse trying to defend against NATO. They were spending so much of their GDP building fighters, submarines, and tanks that there was no capacity left for civilian consumption. Unfortunately, I fear that this time around the United States is going to be the one which arms itself into collapse, leaving insurgents with nothing but two dinars and a will to win in our wake.
Image: U.S. Tanks caught in combat in Baghdad, courtesy of Google Maps, originally found on Shii’s Rocky Middle Path.
Posted in Terrorism | No Comments »
Security Silliness and The Da Vinci Code
At my wife’s insistence, I saw the Da Vinci Code over the weekend, and have to say that it was better than the reviews, although not by much.
Imagine a mix of the X-Files-ish Conspiracy Theories, Catholic Mythology, a monk assassin, and a scavenger hunt led by a very stoned/befuddled-looking Tom Hanks and you pretty much have the ingredients that make up this film. At least it was better than National Treasure, which I watched on a trans-Atlantic flight and still wanted my two hours back.
As for the whole “religious controversy,” I think it was created from whole cloth by the film’s marketing team. Saying this film could cause a crisis of The Church makes about as much sense to me as claiming that Enemy of the State could cause a Constitutional Crisis. (Unfortunately, we now know that people doing Enemy of the State stuff for real doesn’t seem to be enough to cause a Constitutional Crisis, but that’s a whole different issue).
Alternatively, I think of the person (whom I would cite if I could remember where I read it) who said something like, “If this film makes you question your faith, then you need to re-examine your faith, not this film.”
As a risk & security type, I enjoyed watching all of the Best, Worst and Silly Practices which had somehow never failed in hundreds of years…until Tom Hanks shows up.
Inside, spoiler-ish bits about a few of my favorite security-ish moments from the film.
Posted in Observations, Security and Risk Management | No Comments »
Site News
In order to tackle the recent flood of attempted comment spam I’ve been suffering under (hundreds of spam per day), I upgraded Wordpress from 1.5 to 2.0.2 this morning.
Other changes include a new theme, since the old one didn’t seem to work after the upgrade, and a little PHP hacking to add “Recent Comments” to the sidebar.
All seems to be well at this time, but please feel free to note any issues, bugs, thoughts, comments, etc. that anyone has as comments on this post.
Posted in General | 4 Comments »
Americans still love their perimeter
Maybe it’s because we’ve been hiding behind oceans for the past few hundred years, or maybe it’s because we’ve never gotten to experience fixed fortifications failing in practice, but I would say that America is generally lagging Europe in thinking about deperimeterization.
Yesterday was another Jericho Forum meeting, this one in Chicago. Nowhere near as much attendance, although part of that was almost certainly the fact that it was not in close physical and temporal proximity to a major security trade show.
Jericho is going to have a major presence at Black Hat, including a half-day session as part of the training courses. I don’t have any more information than that, but I’m interested to see what the interest level and turn-out look like there.
Also, in late September, Boeing will be hosting a Jericho meeting and work session in Seattle, Washington and at least the first day of it will be open to all interested parties, meaning you have plenty of time to convince your boss to approve travel.
No great quotes this time around, but I’m starting to feel like I have a pretty firm grasp of what enterprises reasonably can and can’t expect to accomplish at both the business and technical levels around deperimeterization at this time.
I’m also noting a couple of trends that I’m seeing play out, both in my own efforts as well as at other companies. These are based on some work sessions held before the main meeting as well as lunch/drinks/dinner conversations over the past few days.
Things we can do:
- Protect an application’s infrastructure by applying the principle of Least Privilege at the network layer.
This is done at the perimeter today with the granularity pretty much being “in the building or possessing a VPN account” and “everyone else in the world.” This is a level of granularity historically chosen because anything more complex was unmanageable (see “Things we can’t do”).
Diana Kelly of the Burton group referred to this as “Deep Perimeterization” last year, referring to the fact that in its crudest form, it’s just sticking a firewall between the application and the internal network. I agree that’s a part of it, but only a small part.
Twelve years ago, firewalls were a stop gap until secure protocols were developed, and they still are today.
- Protect applications, even insecure and poorly-written applications. This is where application layer gateways and protocol-aware inspection comes to play.
- Utilize secure (confidential, authenticated, integrity-maintained) protocols (e.g., SSH instead of telnet) or wrap less secure protocols to achieve an acceptable level of security (e.g., tunneling things inside SSL), even without ubiquitous authentication or robust applications.
Things we can’t do:
- Pretty much any of these things cheaply or without exotic (start-up) technology
- Manage access effectively. This problem will only be solved once we’re able to provision access based on structures that are meaningful to The Business. This will be a painful process, but it’s do-able.
For example, all provisioning of user privilege within my corporate financial systems is performed by “Functional,” not IT, people. It works because Oracle defines roles (“responsibilities,” in Oracle-speak) which are meaningful to those functional people. The responsibility is something like “Accounts Payable Approver,” not GRANT EXECUTE ON PROC ORA_FIN_P.AP_APPROV TO howellc. That’s the magic of provisioning (along with approval workflow, unified views of access, and lots of other neat bits, but what people care about is that good provisioning systems mean they don’t have to know what they need to get what they want).

Identity Management is expected to be the silver bullet to solve these problems, but it still doesn’t change the fact that someone will still have to determine what “Provision New User->Finance->AP Approver” translates into as a set of network ACLs (open access to Oracle Financials), host security controls (SMS push of full-disk encryption software and a PGP plug-in for Outlook), and accounts and responsibilities within the Oracle App itself.
- Protect information from abuse by end-users.
Technologically, this is the realm of DRM and I just posted my thoughts on that separately
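To make the “someone still has to translate the business role into grants” point concrete, and to show what least privilege at the network layer looks like when it is keyed on identity rather than on “in the building,” here is an added example that is not the author’s provisioning system or any vendor’s product. It compiles a business role (an Oracle-style “responsibility” the Finance team understands) into the per-layer grants IT actually has to provision, routes the request to the functional approver, and reconciles what the systems report against what the roles justify. All hostnames, ports, group names, responsibility names and the rendered grant syntax are made up for illustration.

```python
from dataclasses import dataclass

# Added illustration, not the author's provisioning system. Hostnames, ports,
# group names and responsibility names below are invented.


@dataclass(frozen=True)
class NetworkRule:
    """An allow rule keyed on who the user is (a group), not where they sit."""
    src_group: str
    dst_host: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Role:
    """A business role, as its functional owner sees it, with the technical
    grants at each layer that it implies."""
    name: str
    approver: str               # functional owner who approves requests, not IT
    app_responsibilities: tuple  # application-level roles ("responsibilities")
    network: tuple               # NetworkRule instances the role needs
    host_controls: tuple         # software that must be pushed to the endpoint


ROLES = {
    "Finance/AP Approver": Role(
        name="Finance/AP Approver",
        approver="ap-manager",
        app_responsibilities=("AP_APPROVER", "AP_INQUIRY"),
        network=(
            NetworkRule("grp-finance", "orafin.corp.example", 1521),  # DB listener
            NetworkRule("grp-finance", "orafin.corp.example", 8000),  # web tier
        ),
        host_controls=("full-disk-encryption", "pgp-outlook-plugin"),
    ),
    "Finance/AP Clerk": Role(
        name="Finance/AP Clerk",
        approver="ap-manager",
        app_responsibilities=("AP_ENTRY", "AP_INQUIRY"),
        network=(NetworkRule("grp-finance", "orafin.corp.example", 8000),),
        host_controls=("full-disk-encryption",),
    ),
}


def compile_entitlements(role_names, roles=ROLES):
    """Flatten business roles into the concrete (layer, grant) pairs that each
    layer (application, network, host) has to provision. An unknown role name
    raises KeyError, which is the correct failure: never guess at access."""
    entitlements = set()
    for name in role_names:
        role = roles[name]
        entitlements.update(("app", r) for r in role.app_responsibilities)
        entitlements.update(("network", n) for n in role.network)
        entitlements.update(("host", h) for h in role.host_controls)
    return entitlements


def approvers_for(role_names, roles=ROLES):
    """Route the access request to the functional owners of the roles."""
    return sorted({roles[n].approver for n in role_names})


def reconcile(expected, observed):
    """Compare compiled entitlements with what the systems actually report.
    'excess' is what least privilege says to revoke; 'missing' is what to add."""
    return {"excess": observed - expected, "missing": expected - observed}


def render(user, entitlements):
    """Turn the compiled set into the per-layer change list IT would execute.
    The statement syntax is illustrative, not any real product's."""
    lines = []
    for layer, grant in sorted(entitlements, key=str):
        if layer == "app":
            lines.append(f"ASSIGN RESPONSIBILITY {grant} TO {user}")
        elif layer == "network":
            lines.append(
                f"ALLOW {grant.proto} {grant.src_group} -> "
                f"{grant.dst_host}:{grant.dst_port}"
            )
        else:
            lines.append(f"PUSH {grant} TO endpoint-of({user})")
    return lines


if __name__ == "__main__":
    wanted = compile_entitlements(["Finance/AP Approver"])
    print("approvers:", approvers_for(["Finance/AP Approver"]))
    print("\n".join(render("howellc", wanted)))
```

The useful property is that the network rule is derived from the role and the group, so the firewall granularity becomes “members of grp-finance to the Oracle listener” rather than “anyone inside the building,” and the reconcile step is what turns a one-time provisioning decision into an ongoing least-privilege check.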
There are a lot of smart people doing a lot of good work to tackle all of these problems, most of them in the Real World rather than on paper. The next Jericho meeting will be next month in the England and I’ll have my next update then.
Can corporate DRM succeed?
I spent a lot of time yesterday thinking about Digital Rights Management. Call it anything you like, but DRM is proprietary, limited, painful-to-use, and fundamentally ineffective. Liquid Machines (“Enterprise Rights Management” — did no one tell their marketing team that “ERM” has been taken as an acronym since before they were founded?), Adobe (Adobe Policy Server), and Microsoft (Windows Rights Management Services (RMS)) are all trying to be solutions for an impossible problem, which is that people make poor decisions about what is appropriate to do with information.
Further irritating me is the fact that it depends on closed-source, binary-only software to ensure that the use policies (read-only, no printing, no save-as, etc.) are followed once the information is decrypted. I’m sure that Microsoft is counting on RMS to keep people from defecting to Open Office or, even worse, some server-based Ajax office suite (*cough*Googleoffice*cough*).
DRM may stop a few people from leaking data in some formats, but it’s not a solution to the fundamental problem of human nature. People want to share information, the more valuable, the better–access to sensitive data equates to prestige, but only if you can prove it. Sure, DRM can make that harder, but the greater the value of the information, the more likely that someone will bypass the DRM protections at either the technical or social levels. Consider how Hollywood, Apple, and the RIAA have been immortalizing themselves as Bad Examples of the limitations of DRM for years now.
Once deployed, I expect that DRM will fail in one of two ways. I call the first one the Command Economy failure. Fixed policies will be set and managed centrally, then assigned to documents as they are created. In the same way that Soviet central planners tried (and failed miserably) to predict the number of pairs of shoes or rolls of toilet paper the country would need, so we will fail miserably to predict the appropriate DRM boundaries for information, usually erring on the side of caution and acting as a drag on the business when people can’t get the information they need to do their jobs.
The other failure I think of as the Doorstop Failure, named for the traditional security example of the (usually data center) door that gets propped open because it’s too inconvenient to authenticate to it every time someone needs to go in. If people are granted the ability to set their own access policies, they will very soon begin setting extremely broad policies to ensure that anyone who might need access to the information has it.
What it comes down to is that if someone is going to share information inappropriately, all you’re doing is making it a little more inconvenient. If someone can see it, they can share it. Even if they can’t share it, they can summarize its value and share that.
DRM increases the technical barriers to inappropriate disclosure, but I strongly suspect the cost of increased friction it introduces to conducting business (even ignoring the cost of implementation) will outweigh the benefits.
That’s not to say that I won’t give DRM a chance–I’ve actually got a DRM pilot running right now, and what we’re finding is that the product’s user interface and stability are the biggest limitations. It’s so cumbersome and inflexible that it takes minutes to set policy for a document. Then the recipient needs a plug-in, which requires a re-boot if they don’t have it. Even then, it only works with MS Office. And when the plug-in fails, it takes down every Office app. All-in-all, not something that I’m going to roll out and poison the well for any future efforts.
So at this point, I think it’s too early to say if corporate DRM is going to work or not. If I didn’t feel like it was mainly a tool for ensuring vendor lock-in, I’d be a lot more interested in finding a balancing point between effectiveness and friction in the business, but for the time being, I am definitely skeptical.
Posted in Security and Risk Management | No Comments »
Enough with the castles
As Saso pointed out in one of his always-appreciated comments on deperimeterization,

What I find quite remarkable is our inability to learn from other people’s experiences. Take castles as prime examples of how layered security should work. Those that were built by masters of their art are still around (if they weren’t used later on as a source of building stones for houses around the area, that is), to show how a good defense in depth works. There’s the perimeter layer, a hard-to-pass (unnoticed) area; then there’s the first perimeter, with strong defences; then there’s the second perimeter, in case the first gets breached; … and all that is usually overseen by corner towers that can only be reached via a staircase that winds clockwise, to hamper the attacker’s sword wielding.
Alas, many took the “we have a firewall, we’re secure” approach and then shot holes right through their perimeter walls. :-)
Personally, I dislike the whole castle analogy. As soon as you expand it beyond the idea of an outer curtain and inner keep, the whole analogy breaks down.
What’s the analog to the towers? IPS? That would only be the case if archers were blind and half of them were firing indiscriminately into the courtyard.
But as it is, I agree that the best analog we have is that we’ve already used the stones from the outer curtain to build our businesses and punched windows through the walls of the keep so we can see out and let light and fresh air in.
If I actually had some good analogs to boiling oil or a cavalry counterattack, I might be on-board with the whole castle analogy. But as it is, I’m just reminded that for all their effectiveness in preventing an attack, a defensively-sound castle is a dark, smelly, cramped and generally miserable place to live. If you’ve ever lived behind an “effective” firewall, your IT experience was probably quite similar.
Image of Middleham Castle courtesy of flickr.
Security versus Risk Management
Alex Hutton just asked me an interesting question in comments:
Do you specifically separate Information Security and IRM? Why and how?
I know plenty of people who will argue that Security is more than what I’m outlining, but I’ve found that in practice, this generally seems to be the boundary around the thought processes of those practitioners I know who self-identify as “Information Security” as compared to Risk Managers (of which there are numerous flavors).
Short Form: Information Security locks up information to keep it safe, whether or not that’s the best thing to do with it. Information Risk Managers figure out the best way to preserve the value of the information, which may or may not include locking it up.
To me, though, Security is a subset of IRM. There are many things you can do to preserve information’s value that have nothing to do with securing it, such as Transferring or Accepting the risk.
Long Form:
Information Security is the practice of designing and implementing countermeasures and other preventative (usually technical) controls on information. Security experts tend to understand the nuances of their tools, but all-too-often fall prey to the adage that, “When your only tool is a hammer, every problem begins to look a lot like a nail.”
Information Risk Management (IRM) is the practice of determining which Information Assets need protection and what level of protection is required, then determining appropriate methods of achieving that level of protection by understanding the applicable vulnerabilities, threats and countermeasures.
To practice IRM successfully means understanding not just the technologies that enable communication but also the business that the communication enables, the applicable regulatory environment, how information is utilized, the circumstances under which it might have value to an attacker, and how to balance those variables based on the risk appetite and cost-consciousness of the business.
Note: Before anyone breaks out their asbestos keyboards, please recall that these are my definitions. If you don’t like them, feel free to try something non-’Net-like, which is to say constructive ;-), and add a comment with your own definitions.
Finally, now that I’ve written my definitions, here are Wikipedia’s Information Security
Information Security deals with several different “trust” aspects of information. Another common term is information assurance. Information security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form.
The U.S. National Information Systems Security Glossary defines Information systems security (INFOSEC) as:
the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Most definitions of information security tend to focus, sometimes exclusively, on specific usages and, or, particular media; e.g., “protect electronic data from unauthorized use”. In fact it is a common misconception, or misunderstanding, that information security is synonymous with computer security—in any of its guises: computer and network security, information technology (IT) security, information systems security, information and communications technology (ICT) security. Each of these has a different emphasis, but the common concern is the security of information in some form (electronic in these cases): hence, all are subsets of information security. Conversely, information security covers not just information but all infrastructures that facilitate its use—processes, systems, services, technology, etc., including computers, voice and data networks, etc.
and Risk Management pages
Generally, Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Traditional risk management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death, and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. Intangible risk management focuses on the risks associated with human capital, such as knowledge risk, relationship risk, and engagement-process risk. Regardless of the type of risk management, all large corporations have risk management teams and small groups and corporations practice informal, if not formal, risk management.
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss vs. a risk with high loss but lower probability of occurrence can often be mishandled.
for comparison.
You say “Risk” like it’s a bad thing
When we talk about Risk, we generally are talking about the likelihood of Something Bad Happening. If I look it up in a dictionary, risk is “The possibility of suffering harm or loss; danger.”
This is especially true when talking about Risk within IT. I get asked questions like, “What’s the risk of Vulnerability X?” or “What’s the risk of allowing this protocol through a firewall?” (The answer is, “It depends.”) Even project status slides present events in separate sections labeled “Risks” and “Opportunities,” as if the two are somehow independent.
But we should always consider that Risk (likelihood of Something Bad happening) is just one side of Volatility (likelihood of Something Happening, good or bad). Never forget that without risk we cannot have reward.
Our job is not to eliminate risk. It is to identify the risks we should mitigate or avoid because they don’t provide adequate potential for reward and determine how best to transfer or accept the ones that do.
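An added example, not from the original post, of that last paragraph (and of the prioritization the Wikipedia Risk Management excerpt describes a few posts up) expressed as a decision procedure: each risk carries both a downside (probability times loss, the usual annualized loss expectancy) and the reward of the activity that exposes us to it. Risks whose reward does not cover their expected loss get mitigated if a control is cheaper than the loss it prevents, and avoided otherwise; risks whose reward does cover it are transferred if a single loss would exceed what the business can absorb, and accepted otherwise. The risk register, the figures and the tolerance threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not part of the original post. All figures are constructed.


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float      # annual likelihood of the bad outcome
    loss: float             # impact if it happens
    reward: float           # expected annual value of the activity carrying the risk
    mitigation_cost: float  # annual cost of the control that would address it


def expected_loss(risk):
    """Annualized loss expectancy: the 'Something Bad' side of volatility."""
    return risk.probability * risk.loss


def prioritize(risks):
    """Greatest expected loss first; ties broken by raw loss so a rare but
    catastrophic event is not buried under frequent nuisances."""
    return sorted(risks, key=lambda r: (expected_loss(r), r.loss), reverse=True)


def treatment(risk, tolerance):
    """Choose mitigate / avoid / transfer / accept.

    tolerance is the largest single loss the business is willing to carry
    itself; anything bigger gets transferred (insurance, contract terms)."""
    downside = expected_loss(risk)
    if risk.reward <= downside:
        # Not enough upside to carry the downside as-is.
        return "mitigate" if risk.mitigation_cost < downside else "avoid"
    # Worth doing; the only question is who absorbs a loss if it happens.
    return "transfer" if risk.loss > tolerance else "accept"


def register(risks, tolerance):
    """Prioritized register with the recommended treatment for each entry."""
    return [
        {"name": r.name,
         "expected_loss": expected_loss(r),
         "treatment": treatment(r, tolerance)}
        for r in prioritize(risks)
    ]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Open SMB from partner network", 0.4, 50_000, 15_000, 5_000),
    Risk("Unpatched legacy app", 0.2, 30_000, 4_000, 25_000),
    Risk("Datacenter fire", 0.01, 5_000_000, 1_000_000, 100_000),
    Risk("Laptop theft", 0.3, 10_000, 200_000, 3_000),
]

if __name__ == "__main__":
    for row in register(SAMPLE_RISKS, tolerance=1_000_000):
        print(f"{row['name']:32} EL={row['expected_loss']:>10,.0f}  {row['treatment']}")
```

Note what the ordering does to the conversation: the fire sits at the top of the register on expected loss alone, yet the right answer for it is transfer, not a technical control, while the lower-ranked partner-network exposure is the one that actually gets a control spent on it. The register answers “what should we do about it,” not just “how scary is it.”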
Posted in Security and Risk Management, Risk Management | No Comments »