icm2:re (I Changed My Mind Reviewing Everything) is an ongoing web column by Brunella Longo

This column deals with some aspects of change management processes experienced in almost any industry impacted by the digital revolution: how to select, create, gather, manage, interpret, share data and information either because of internal and usually incremental scope - such as learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields that have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the Latin divertere, which means to turn in separate ways.


No, cyber security training does not solve the problem

What is really missing in the fight against cyber crime?

How to cite this article?
Longo, Brunella (2013). No, cyber security training does not solve the problem. What is really missing in the fight against cyber crime? icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 2.2 (May).

How to cite this article?
Longo, Brunella (2013). No, cyber security training does not solve the problem. What is really missing in the fight against cyber crime? icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Online)], 2.2 (May).

1 May 2013 - How do we encourage 'good' behaviours and prevent bad ones in IT security and data management? Since there is no definitive reassurance from the technical level and even the most reliable standards can be easily compromised, for about two decades I have been among those who consider the training and the people skills argument as a priority. Training facilitates change and continuous improvement and as such reduces information security risks.

And yet, once we have turned every stone with courses, certification routes and computer licences for all, still in 2013 research shows that business owners, employees and even the experts themselves do not care as much as we would expect about information and computer security. We all trust our own processes and procedures as if they were immune from the risks that affect others - or we may need the job done anyway.

Has the rise of the cyber crime issue in economics, in politics, in management, and within the legislative agenda (even in its often trivialised media representation) caused any improvement or advancement? It has not so far. Conversely, it has shown once more how scarce the effectiveness of the conventional answers to the problem is - i.e., train the people, install and keep antivirus software up to date, manage the maintenance, outsource all the risks.

Behind all the major IT disasters we read about in the papers every day there are hundreds or thousands of diligent technicians, service managers and software developers who have done their jobs properly, and nobody can really be made accountable for pretty much any wrongdoing.

The question of cyber security is on the agenda of several academic disciplines, professional committees and, last but not least, the UK government. The last has recently launched a consultation to reach a common view of what constitutes good cyber security in an organisation (Cyber Security Organisational Standards. A call for views and evidence, March 2013).

That is, we do not have a common, standard view on what we should consider unacceptable in terms of cyber security, and that is in spite of the engineering professionals having long promoted a systemic, holistic and fact finding approach to the matter that weighs technical, human and organisational factors all together.

What fact finding approach is possible in the liars’ houses?

My views on cyber security have been shaped by personal experiences and by the many problems I learned how to solve on the job in the last twenty years of quite pioneering internet businesses.

In 1995 the most read Italian newspaper, Il Corriere della Sera, reported I had been assaulted in public by a client who was unhappy with my advice in respect of his latest endeavour, the startup of the first consumer internet service provider, Video On Line. We had an argument - the details of which were left to the reader to imagine - and the entrepreneur and publisher from Sardinia, Nicola Grauso, a close business partner of several of Berlusconi’s international advertising businesses, lost his temper and assaulted me because I had expressed such a diverse opinion.

In a regional newspaper and through word of mouth with several colleagues and employees I had myself recruited on his behalf, Grauso then started a libel campaign against me, filling people’s imagination with ambiguous words and with allegations we had had a marital affair: he said he loved me very much, but he could not satisfy my expectations.

For more than 15 years I ignored the gossip and rumours around the ordeal fabricated against my reputation. I still cannot reckon how it happened that so many people found Grauso’s version of a marital affair plausible. Nevertheless, from a media narrative point of view it is exactly the absence of realism in depicting an event or a situation that distracts people’s attention from the truth and the factual evidence, as happens in many advertising campaigns as well as in cyber frauds, scams and media stories. Successful lies always target and embroil our emotions, wishes, aspirations or frustrations, leveraging our ignorance as well as our limited attention to the facts and lack of emotional intelligence.

After a couple of months the Video On Line startup - which formally did not even exist as a company, as it consisted of just an advertising operation - was said to be acquired by Telecom Italia after it turned out it had been managed by Grauso and his traditional ally Gianni Pilo (who had been at the heart of Berlusconi’s marketing campaign to launch his new political party in 1993) on the assumption that Video On Line could profit from discounted Telecom Italia costs, legally guaranteed to Grauso’s newspaper, on one side, while counting on funding from Berlusconi’s new political party (Forza Italia) on the other. There was no actual ready business model to rely on. The one I was foreseeing, based on advertising revenues, was too far ahead of its time. So within a few months of starting the national advertising campaign to launch Video On Line, Grauso realised he would be let down by both Telecom Italia and Fininvest. His friend Pilo helped him to repay some debts and, thanks to the help obtained by the new orthodox Catholic connections that Berlusconi’s party was developing with political and entrepreneurial circles deeply rooted in the Lega Nord, mainly in Lombardia and Veneto, an agreement was reached for Telecom Italia to write off all his debts in exchange for the acquisition of the startup, which would ease Telecom Italia’s developments in the new internet sectors, while all the people I had recruited for Video On Line would keep their jobs in Rome and Cagliari. I myself had a new consultancy contract with Telecom Italia in Venice for another “impossible mission”, the merging of all the corporate R&D functions and departments into possibly only one national documentation and research centre - but this is another story and should be told on another occasion.

What was the truth in my “Grauso affair”? Had I been physically assaulted in a public place by a man who acted as a psychopath, under the influence of drugs and alcohol or because of a mental disorder? He used a 'marital' argument as a cover up in order to avoid criminal prosecution. He had on his side the fact that everybody seemed prone to believe we really had an affair and nobody wanted to investigate the matter any further. Whatever I said, chances were it could be used against me and I would not be believed in any Court of Law. The same old story, as many victims of domestic violence, psychological and physical abuse and pedophiles know.

And yet, there is an overarching reason why we have a demarcation in place between civil and criminal law and a consistent, persistent demand to keep it in place.

A human-based fact finding approach does not seem to be realistically suitable, convenient or practicable in many cases of violence against women, hate crime and antisocial behaviours where the victims’ truths are overwhelmingly mingled with lies, libels and falsehood. But that does not diminish the call for justice.

Beyond training and professionalism: towards an age of new insight from artificial intelligence?

During the last ten years I have slowly but inevitably changed my mind about the relevance of training for IT security purposes, and not just because of my skepticism about the traditional impact that the rule of law has in preventing and punishing media and computer misuse and in general technical negligence.

Training is not always the answer to reduce the risks of cyber crime because such risks go beyond individuals’ behaviours and public understanding of science. Cyber crime tends to be engineered, intertwined and nested in sophisticated contexts of use and technical frameworks, where exploiting human behaviours and communications is always double sided.

We can, of course, analyse, deconstruct and reconstruct environmental factors and cause-effect circumstances that are typical of any dual usage of concern in STEM projects, in research and development, where there is enough budget, time, skills and commitment to undertake the challenge of data collection, data assessment and analytics. But we cannot really count on artificial intelligence for insight at present.

Many IT security routines and software frameworks based on Bayesian inference are weak and even counterproductive for the development of digital forensics as a science or for the improvement of the legal process. So all in all I do not believe that more software development or better software design could radically change the terms of the problem either, per se.

Probability theory is not useful in a court of law even when it is obviously useful to make decisions in other fields. Statistics does not answer any real fundamental question about the truth. Limited by its own factual, human, contextualised and falsifiable nature, the truth question is still what really matters in the law, as well as in any scientific and technical debate.

A fact finding (and fact understanding) approach is what is still missing in the fight against cyber crime. More training would not help. But technology can perhaps enhance human choices and judgments about what facts deserve to be looked into, accounted for and considered all in all credible.