Business case for trustworthy software

Posted on May 16, 2013 by trustcontroller

Seriously, is there one? I struggle to find it. However, it is not a frivolous matter: if there is no business case for trustworthy software then there will be no commercial trustworthy software. So, if you know of one, please let me know.

This question of a business case essentially boils down to the nature of the software industry. Is it an industry similar to bridge building, with detailed expectations, stringent norms and personal responsibility, with designers and builders sitting below the bridge during the stress test? Or is it like an insurance industry: selling non-specific promises only to weasel themselves out of any responsibility when you actually need them?

I know that we know the answer: it is like an insurance industry. We all know it. The exception: software companies do not even pretend to promise anything. They do not even pretend to accept any responsibility. It is all clear, black on white, in a 6 point Times, on the bottom of the 13th page of your licence agreement. Did not read it? Your fault.

Software industry is an anomaly among industries, and it will remain such if we do not complain. No software house will ever regret having one user less, but there are many that will regret not having thousands or millions. Money speaks.

Note that my harsh words apply only to the general-computing, game-office-and-network fare of software. There is a large industry of automotive software and dedicated financial software that actually accepts certain responsibility for their products. It is probably because auto-makers and banks actually read licence agreements and actually complain.

What is it that you can do? First: use free open source. Seriously. It is free, it has plenty of functionality and it is not concerned with its business case, because it is free. Actually the majority of the Internet runs on open source. Try for yourself.

Second: reward trustworthiness. I mean: pay for it. If you see a trustworthy paid-for chunk of software do not complain that it is expensive. Do not try to steal (i.e. appropriate) it. If you do so, you destroy trustworthiness.

Third: do not lock yourself in. Do not let others lock you in. If only you can, reject proprietary standards. Which means that if you get disappointed with any bit of software you can move on. Which means that those who want to be trustworthy must keep trying.

Posted in trust governance, trustworthiness | Leave a comment

One big damning multiplier

Posted on May 13, 2013 by trustcontroller

I do not think I could have written it better, so I decided to quote Bloomberg Businessweek (May 6, 2013) verbatim. I hope I will be forgiven.

Peter Drucker, the celebrated management theorist, certainly thought that the CEO-to-rank-and-file multiplier mattered. Starting with a 1977 article and until his death in 2005, Drucker considered 25-to-1 or even 20-to-1 the appropriate limit. Beyond that, he indicated, it’s bad for business. In his view, excessively high multiples undermine teamwork and promote a winner-takes-all, “did-it-because-I-could” culture that’s poison to a company’s long-term health”

What it is all about? Bloomberg calculated the ‘multiplier’, the ratio of the CEO pay to the average non-managerial worker for the S&P 500 companies. It is only the approximation of the real thing, but it is telling nonetheless. The average is slightly above 200, and the maximum score is about 1800. Good-bye Drucker. Hello, greed.

A fish rots from the head down. That’s apparent and no amount of teamwork exercises and positive self-learning books will change it. If we cannot do something with the apparent greed of our so-called corporate leaders, then it is only our pipe dream to have trustworthy business.

I wonder whether this ratio will be the best index ever to measure trustworthiness of the company. The simple Trust-O-Meter indicator that lets us anticipate years in advance how the company will progress. Or decline. Which is more likely, considering the multiplier.

Posted in companies, news, Trust-O-Meter, trustworthiness | Leave a comment

The inversion of reachability

Posted on May 9, 2013 by trustcontroller

‘The inversion of..’ is a popular phrase, specifically among software developers. If you are not the one slavishly bound to your workstations, you probably never heard of the ‘inversion of control’, the new fashion in software. I hope that the ‘inversion of reachability’ will make a similar career among information security professionals.

What is reachability? It is an increasingly popular risk assessment trick. In computer network security it means that if one computer becomes compromised, the attacker has access to all the computers that are reachable from the compromised one. So, it is not enough to consider the front-line protection, but it also worth considering what will happen once the front-line breaks.

The basic security rule is simple. The more reachability is there, the easier it is to compromise the network. The more partitioned the network is, the less reachability is there and the network seems to be more secure, even if the front-line has vulnerabilities. And harder to navigate. And slower.

Enough about reachability. TERM is using what can be called the inversion of reachability. We do not consider the frontal, top-down attack that has to go through several computers to reach the target. We consider the possibility that the back end, the foundation, the leaf of the dependency tree is untrustworthy. Thus the weakness we consider always comes from the bottom. From the soft underbelly of the system.

Actually, in this respect TERM nicely complements normal risk analysis. Risk flows from the front all the way to foundations of the system. Trustworthiness flows from foundations to the front. They complement each other. Reachability and its inversion meet. Which is exactly what we need.

Posted in model, risk management, TERM | Leave a comment

CESG new classification policy

Posted on May 2, 2013 by trustcontroller

I went to the InfoSecurity Europe , a yearly gathering of noisy information security vendors, restless wannabe security managers and youngsters collecting shiny gadgets. There was a usual clatter of companies that promise to improve trust, to eliminate the need for trust and to deliver if only you trust them. Normal, I would say.

Anyway, I stopped by the CESG booth. For those not living here, CESG stands for “Communications Electronics Security Group” and is responsible for securing governmental information systems. Quite a task, quite a responsibility, quite a level of trust they command and usually warrant.

While at the stand, I picked the “New Government Classification Policy (April 2013)”. An interesting reading: instead of three levels of protective markings there will be .. surprise .. three levels. They will be called: (1) Official, (2) Secret and (3) Top Secret. Disclosure: the document itself does not have any protective markings, so we do not go to jail.

The only problem is that in the next section of the same document those levels are called (1) Official, (2) Official-sensitive and (3) Secret. So: Secret or Official-sensitive? Secret or Top secret? If I incidentally bump on the document marked as Secret does it mean level 2 or level 3? How would I know if CESG does not seem to know?

Why is it important? Normally we do not deal with governmental documents (barring tax returns and voting papers), so the error does not seem that important. However, the protective marking of documents defines the levels of trustworthiness that is required to access those documents. If the marking goes ballistic, assessment of trustworthiness may follow. And this may be a disaster. So it is not just a typo, this is a problem.

By the way, it is always worth knowing who is the untrusted party. It is clear from the same policy document: governmental information must be protected from “threats such as hactivism, journalists and criminals”. For years I got used to the fact that apparently ‘hacker’ and ‘criminal’ means the same to governmental officials. But now I learned that ‘journalist’ and ‘criminal’ are equally untrustworthy and dangerous. Ouch. Murdoch, beware.

Posted in conference, government, trust | Leave a comment

The soft underbelly of finances

Posted on April 25, 2013 by trustcontroller

I went out of my comfort zone and had “Brussels for Breakfast”. It tasted good. It was, of course, a meting in the City (with sandwiches and pastry, to be honest), organised by CSFI and devoted to intricacies of financial policies and politics. Fascinating, in a way.

During the breakfast I had most interesting discussion with a friend of mine about different shades of trust in financial services. Different shads of trust in money, so to say. Not that we trust financial services in general, but how would we classify such trust if we had to have it.

We believe that there are three fundamentally different types of services. These are: utility banking that is responsible for letting others do things with money; investment banking that use money as a way to make money and credit banking that optimise allocation of money. The deserve different trust, with the majority of trust needed for the utility banking that acts as a service ‘plumbing’ for all other types of banking (and other economic activities).

However, for the majority of financial institutions, utility banking is given. It is a necessary plumbing, but the one nobody wants to talk about. It is boring and smells unpleasantly, the way plumbing does. Nothing to gloat about. Until, of course, it breaks. As with every plumbing, the breakage means major disaster.

I started looking at the structure of financial transactions using TERM, and it holds nicely. The story is much more clear than with the plain risk management. We were able to identify dependencies and then dive down to identify even more dependencies. Maybe it was not the most tasty outcome of a breakfast, but it was worth our while.

Posted in finances, TERM, trust, workshop | Leave a comment