• Amuses

    The art of misunderstanding

    I have been talking in this blog about my journey back into academia. But I have said little about why. There is a reason for this reticence. Well, several. First, I am not at all sure I will complete this quest, so the less said, the better. Second, I might change my mind. Seriously, after just 3 weeks I am already so filled up with new thoughts that anything might happen. And finally, well, you might laugh. But never mind all that. I will explain.

    In my day job I am a security architect. That is someone who thinks out a web of strategic and actual safety measures which will protect a company from bad people or natural disaster. There is a lot of IT involved.

    One might ask how a philosophy & psychology graduate ever ended up as a security architect. Well, I am not sure. It happened. And it involves being in a world of very serious, conscientious people who argue about …. words. It is almost impossible to get any work done because of these arguments.

    It is not about ordinary words.  It is about words in regulations and contracts, even laws. Anyway, you can read it all in the paper below. It is the one I wrote for “my” professor during the university acceptance process. I have also included the mind map I created before writing the actual paper. I was nervous, I had written nothing academic in 30+ years. Mind mapping is always a good idea. This one is colourful.


    Meeting expectations: the language of governance and compliance

    Introduction

    Organisations are expected to take care of their assets.  This is especially true when damage or misuse has negative consequences for the public or the state. In this digital age, information is widely regarded as a major asset. It needs protection against many threats. Threats may range from common theft to a disgruntled employee bent on revenge; from industrial espionage to natural disaster; from human error to terrorist attack. In general terms, protecting information means ensuring its availability, integrity and confidentiality up to a pre-agreed level.

    On the subject of information security, in the past 20 years a multitude of (inter)national regulations and standards have emerged, and more appear every day. These regulations and standards guide, direct or impel companies to institute good information security governance and to report on the level of compliance achieved.  Failing to comply may be punished in various ways: a formal warning, a fine, a revoked licence, or public shaming; and may result in the loss of a job, bankruptcy or even a prison sentence.

    Because of the value of information assets, the many threats to them, and the consequences of failing to institute proper protection, governmental and business organisations actually want to comply with regulations and standards.

    However, there is a problem. These texts are hard to understand, and their meaning is often open to different interpretations. This negatively influences the quality of information security that can be achieved.

    Regulations and standards on information security

    Let us first identify common characteristics of relevant regulations and standards. As we will see later, some of these characteristics may be tied to interpretation problems within the texts themselves.  

    Regulations and standards on information security always are:

    • in written form only, typically containing a mix of persuasive, informative, descriptive and instructive texts.
    • intended for a specific purpose (a topic within the field of information security)
    • intended to regulate behaviour (should, could, must)
    • issued by a high-level body, such as a government or the board of directors of an (inter)national organisation
    • produced as a group effort, usually involving stakeholders, experts and policy makers. Typically, there is no mention of the author(s) in the regulation or standard.
    • created and maintained through a formal process
    • available to a large audience, usually the public, but may require payment
    • authoritative, either as an official directive or regarded as a de facto standard

    Examples of such regulations and standards, are:

    Organisations tend to treat regulations and standards as a single point of truth, taking texts as literally as possible. This is because of the need to demonstrate compliance. For the same reason, implementation is usually achieved through a top-down chain of command.

    Texts and meanings

    The texts of these regulations and standards are riddled with meaning problems. Why should that fact be a problem? General wisdom dictates that if you don’t understand something, you should go and ask. Why does that not work here?

    • One reason is that there is no one to ask. There is no author to ask for clarification, nor is there an easily accessible expert group. An additional problem is that reaching out to the publisher of the regulation or standard in question must be done through proper channels, i.e. it is not something just any employee can do. Usually, the best that may be achieved is to send in a formal request for clarification – which may or may not be processed during a future maintenance window.
    • Another reason is that readers tend not to be aware of the different meanings of a particular bit of text, because they assume that there is only one meaning, namely the meaning they have assigned themselves. Only when one happens to be confronted with a different interpretation by someone else will there be cause to wonder.
    • Yet another reason is that, in the field of regulations and standards, no one likes to admit to a lack of understanding or knowledge. It is associated with losing face, particularly when the regulation or standard in question is implemented from the top down. Power and knowledge of important matters are supposed to live at the top, rather than in the workplace.

    The nett result is that texts get interpreted in different ways by different people who all believe they are right even when they are working at cross purposes. This generally results in a confused implementation of the regulation or standard, and ultimately, in compliance failure.

    The art of misunderstanding

    There are many causes which contribute to interpretation problems in these texts. However, let us begin with what, contrary to popular opinion, is not a cause. It is not the case that the authors of these texts are unable or unwilling to use plain language. Rather, they arrive at the final wording through a group effort[1]. Achieving consensus, the outcome of a negotiation process, is much more important than clarity. Meaning problems which arise from this cause take the form of obfuscation and generally over-complicated text containing (too) many qualifiers.

    The same effect may be produced deliberately. Organisations that issue regulations and standards are usually funded by public money and derive their status at least in part from their authority of being accepted by all parties involved.  To keep that status and funding, they try to avoid any big confrontation with the intended audience. For that reason, expectations on compliance tend to be worded softly, so they won’t chafe too much, allowing for an escape. One way to do this is by introducing intentional vagueness into the text, for instance, by not being specific on whether something must, should or could be done.

    Context is another issue. The same words will mean different things in different contexts, or to different people, and these meanings may even be contradictory. Some examples:

    • the term special data (“bijzondere gegevens”) might be taken to mean data that need special care, or data that are for some reason special. Yet the term also refers to data which it is the special duty of the government to secure[2]. Within the context of the GDPR[3] it means something completely different again, namely data describing very particular human characteristics such as DNA, creed, race or political inclination.
    • the use of the word value (“belang”). In Dutch governmental regulations the term refers to anything which, when compromised, will negatively affect the Dutch state or its partners[4].  To security professionals, the term signifies the value of a company asset[5], expressed in either quantitative (money) or qualitative terms. In a business context the term usually refers to the interest of an important stakeholder[6]. In everyday speech, the term just means that the issue is deemed to be of some importance.

    Last but not least, there are knowledge problems. These take various forms.  

    • There may be a lack of knowledge at the level of the intended audience. The committee or group composing the regulation or standard may also have knowledge gaps. A knowledge gap may have an underlying cause, such as a belief about the extent to which it is possible or desirable to regulate behaviour, or an opinion about whether information security threats are real or may be countered.
    • Another area is the definition of knowledge itself. Within the field of information processing various modelling languages have been developed, ranging from formal, mathematical models to more descriptive languages such as UML, BPMN and ArchiMate, which have the added advantage of being designed to produce strong visualisations which can be shared with a less specialised audience. The problem with these ‘descriptive’ languages, though popular, is that the concepts they are built on have been arrived at through trial-and-error and common sense. Inevitably concepts overlap, leave gaps, are overloaded or simply are not sufficiently clear for the purpose of capturing knowledge[7].
    • Within the field of computing, much interest has centred on the possibility of capturing information within an ontology in a formal language (such as OWL or WSDL) that can be processed by a standardised computer program or interface (semantic web service)[8]. In principle, this idea works for all kinds of information, including security, and may be used to construct theories, harmonise concepts or create computer-based applications.  Some real progress has been made in highly specialised sub-topics such as automatic threat detection in cyberspace. Yet that progress seems to have been possible only because there exists a straightforward cause-and-effect relation between a cyberthreat and the way to respond to it. Overall, security ontologies for sub-topics are developed independently from each other. In a recent survey[9] eight different families of security ontologies were identified. Despite considerable work, these efforts do not converge. There exists general agreement on the lack of a common body of knowledge, but this conclusion tends to be presented both as a cause and as a solution.

    Next steps

    The above presents a general overview of problems encountered when interpreting regulations and standards on information security and points to some possible causes. These causes may exist simultaneously and may interact. Much more work needs to be done on this to achieve a true identification of relevant causes and underlying factors. It might be possible to construct a diagnostic framework which may be used to identify specific semantic problems in regulations and standards on information security, such that agreement may emerge on how to avoid current interpretation problems. At the very least, a deeper insight into the art of misunderstanding may be achieved.

    Bibliography

    Europees Parlement, Algemene Verordening Gegevensbescherming (AVG). (2016, 04 27). https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-nieuwe-europese-privacywetgeving. Retrieved from Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/verordening_2016_-_679_definitief.pdf

    Figay, N. (2017, 8 8). Linked Enterprises: from ArchiMate language to ArchiMate Web Ontology? Retrieved from https://www.linkedin.com/pulse/from-archimate-language-web-ontology-dr-nicolas-figay/

    Gomes, H., Zúquete, A., & Dias, G. P. (2009). An overview of security ontologies. 9ª Conferência da Associação Portuguesa de Sistemas de Informação. Viseu, Portugal. Retrieved from https://www.researchgate.net/publication/228692638_An_Overview_of_Security_Ontologies/references

    Mast, N. v. (2006). De zin van ambtelijk taalgebruik. In Rijksvoorlichtingsdienst, De taal van de overheid (Vol. 5). Den Haag, Netherlands: SDU uitgeverij. Retrieved from https://www.communicatierijk.nl/documenten/publicaties/2006/04/01/platform-5

    Minister van Algemene Zaken, BVR-2013. (2013, 06 01). Beveiligingsvoorschrift Rijksdienst 2013. Rijksoverheid. Retrieved from http://wetten.overheid.nl/BWBR0033512/2013-06-01

    NEN, NEN-EN-ISO/IEC 27001:2017. (2017, 03 1). NEN. Retrieved from https://www.nen.nl/NEN-Shop/Norm/NENENISOIEC-270012017-en.htm

    Soug, A., Salinesi, C., & Comyn-Wattiau, I. (2012). Ontologies for Security Requirements: A Literature Survey and Classification. In E. Bayro-Corrochano, & E. Hancock (Eds.), Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications (Vol. 8827, pp. 61-69). Cham: Springer International Publishing. doi:10.1007/978-3-642-31069-0_5

    The Open Group. (2012). TOGAF 9.1. Zaltbommel, Netherlands: Van Haren Publishing. ISBN 978-90-8753-679-4


    [1] (Mast, 2006)

    [2] (Minister van Algemene Zaken, BVR-2013, 2013)

    [3] (Europees Parlement, Algemene Verordening Gegevensbescherming (AVG), 2016)

    [4] (Minister van Algemene Zaken, BVR-2013, 2013)

    [5] (NEN, NEN-EN-ISO/IEC 27001:2017, 2017)

    [6] (The Open Group, 2012)

    [7] (Figay, 2017)

    [8] (Gomes, Zúquete, & Dias, 2009)

    [9] (Soug, Salinesi, & Comyn-Wattiau, 2012)


  • Amuses

    And so it begins

    It was a long wait, from the end of November until February when I finally could start on my research master (“ReMa”, as it is affectionately called at “uni”). I might tell you I used all that time really well, preparing for my courses and lectures, catching up on everything that had been happening in Philosophy during the past 30+ years. But that would be nowhere near the truth.

    For a start, even though I had been formally admitted, there were lots of administrative details to be completed which made me feel as if I had entered a different universe. For instance, a form which had to be signed by all sorts of high-up people agreeing that I could start in the middle of the academic year, and which was already overdue. Which is a bit strange considering the official starting dates of my particular course are September and February. I got through all the red tape, eventually. Bit of my own fault really: by starting the admission process backwards, I must have confused people.

    Secondly, I was suddenly afflicted with a personal loss which I won’t elaborate on in these pages, but which very nearly toppled me. I self-medicated on Belgian beer and the things that politicians don’t inhale and I put in chocolates (rather than medication), and after some weeks, slowly picked myself up again. Thank you, my husband, for watching over me.

    Third, my beloved employer on whose behalf I daily save the country, decided to reorganise all 30.000 of us yet again. This time they managed to eradicate the security organisation almost completely, so finding a new boss proved difficult for a while. Not that my workload has gone down, I still do the work of 2 or 3 people, and that is not including the work for my new boss. Must not complain though, because my employer pays half of my fees and I even get study leave (a day every two weeks), so that is grand. Just as a precaution, I decided on a social media strategy at work (we run an internal platform) so as to become more efficient at sharing information (and save myself many meetings in which I would constantly have to repeat myself). Let’s hope I can keep it up and not get side-tracked.

    In January I was finally administratively enrolled, and able to get access to the university digital environment. Which took me a while to get to know. I did not know where to start, so I did what I always do: I dived into the library. Ah, all those books, journals, publishers suddenly at my fingertips. Not that I had nothing before: I get full JSTOR access as an Oxford alumni, and I am a member of the Dutch Royal Library which has an extensive ebook section. Not to mention my international friends who graciously share their library access with me. But real university access is so much better. So I wallowed around in this newly found luxury for some days, reading all kinds of stuff just for the fun.

    After that came the setting up of email and other accounts and my student pass. Aha, the student pass, with the student number. It entitles me to discount, and as I am Dutch, I cannot resist a bargain. So I have been buying useful software at knock-down prices. Husband graciously donated the use of his laptop (cannot take the company laptop into campus), and updated his own equipment at a discount. I renewed my local library card (50% discount), splurged on a great grammar checker (no discount) and experimented with speech-to-text software (which I decided not to buy because my typing speed is so high that there is not much profit, time-wise, to be gained).

    Then came module enrolment, a real pain in the neck. For a start, the schedules are not released until very late, and general descriptions are not, how shall I put this, information-dense. My professor had told me to look also at modules at other universities, which I did. The whole thing took several days of break-neck speed googling and consolidating; then validating the result with the professor.  The net result was that I should take 3 modules in the next 6 months which is the equivalent of a full-time study. Yes, I know, it is crazy. But husband and I had just watched Lord of the Rings yet again.

    Having arranged everything well in advance, I now sat back and waited. Nothing was happening on the courses I signed up for. I even sent a worry-mail to my professor, asking if I had somehow missed the posting of the reading list, as I wanted to buy the books, order them from the library? Aha, welcome to 2019! Reading materials are simply posted within the digital space every module has on the university system. I felt stupid. I nearly missed the reading materials when they were finally posted, because I had not set some parameter somewhere that meant I did not get informed, etc etc. Anyway, it took some late hours, but I read everything, for all 3 modules in time. Wow. My poor brain suddenly got stretched out again. Did it hurt, I hear you think? I am not sure. It is a mighty strange feeling. But addictive. I suddenly realised that most of my work comprises educating and guiding people, not getting new ideas myself. Well, of course I knew that, otherwise I would not have started on this whole escapade, but you get my drift.

    So I went to university, the first week of February.  I can get there by public transport, but husband insists on taking me by car, which is lovely and much quicker. 

    How did it go? I will tell you, in another post. I also need to tell you about what it is that I set out to do, in taking up this research master. Also another post. For now, I can just say this: No one laughed. No one even looked at me twice. The whole place was friendly, well organised, warm, bright, shiny and clean. I immediately felt at home. 

     

     

     

     

  • Amuses

    Back to the beginning

    Today, I received confirmation that I am to be enrolled on my coveted graduate course on Language and Logic. Great stuff. Now I am back in the world where the professor is God. I already went through an initiation procedure. Granted, the professor in question was very nice. He was just a bit worried about me wanting to do something practical – “this is not what we normally do ” 🙂

    The situation below depicts life until I have completed my own research. Which will take until my retirement – only 10 years away ….

  • Amuses

    Great news, negative results!

    My husband spends a lot of time reading, particularly when he has to wait for me to complete my weekly schedule at the gym. He is so much more efficient 🙂 When I finally come down, I usually find him engrossed in an article. He will look up and say: I have been waiting for hours! and smile. Then he will tell me about anything of interest that he came across. Today it was this, an article in the Volkskrant.

    Wonderful story about how difficult it can be for a specialist to express himself without causing confusion or misunderstanding.

  • Amuses

    Own thy name

    Today I received a mail via Geneanet containing this phrase: “I just happened to look into my family tree, which by the way I started many Years ago, and discovered change of ownership. What I like to know is; what gives you the right to claim ownership over a family tree to which you’re not related?”

    Where does one even start to put an end to this confusion?  I could not help making a quip about the genes on his side of the family not being very friendly. Then I referred the man to the Geneanet help-desk, hopefully they can sort him out.

    However, this incident has left me with a question. What does “ownership” mean in this particular case? A particular stake on Geneanet? Obviously I did not take over any family tree, he must have come across my name because the same names are in my tree. Or a claim to exclusiveness on information about my great-grandmother who bears the same name as this irritable guy? I collected all this information by myself from Dutch archives, but then he might have done the same. Or the right to exercise administrative power as pater or mater familias to the family tree? Is my name mine or someone else’s? As it happens, my official name is not the name that I was born with, and I do not feel I own either name; I am, in fact, nameless. There is a beautiful Dutch poem about not being named. I will post it below. It has meant different things to me at different times of my life.

    It is strange how I felt compelled to defend myself against this alleged theft of ownership, without knowing what the word actually means in this particular context.

    The Dutch poem I referred to just now:

    Mijn moeder is mijn naam vergeten.
    Mijn kind weet nog niet hoe ik heet.
    Hoe moet ik mij geborgen weten?

    Noem mij, bevestig mijn bestaan,
    Laat mijn naam zijn als een keten.
    Noem mij, noem mij, spreek mij aan,
    o, noem mij bij mijn diepste naam.

    Voor wie ik liefheb, wil ik heten.

    Author:  Neeltje Maria Min, 1966 

    In translation: My mother has unremembered me / my child is not yet aware / now who am I? Name me, confirm my existence / let my name be like a chain / name me, name me, address me / o, call me by my deepest name. For you my loved ones, I will have my name

    Postscript!

    This story has an unexpected ending. You remember me somewhat acidly suggesting to the guy who wrote me the email, about his gene pool not being very friendly? As it turns out, he is a very friendly guy AND family. He knew my maternal great-grandparents; he was their nephew. He emigrated to Canada many years ago. We are in regular touch now.

  • Amuses

    Blauwbilgorgel

    Ik ben de blauwbilgorgel.
    Ik ben de blauwbilgorgel,
    Mijn vader was een porgel,
    Mijn moeder was een porulan,
    Daar komen vreemde kind’ren van.
    Raban! Raban! Raban!

    Ik ben een blauwbilgorgel
    Ik lust alleen maar korgel,
    Behalve als de nachtuil krijst,
    Dan eet ik riep en rimmelrijst.
    Rabijst! Rabijst! Rabijst!

    Ik ben een blauwbilgorgel,
    Als ik niet wok of worgel,
    Dan lig ik languit in de zon
    En knoester met mijn knezidon.
    Rabon! Rabon! Rabon!

    Ik ben een blauwbilgorgel
    Eens sterf ik aan de schorgel,
    En schrompel als een kriks ineen
    En word een blauwe kiezelsteen.
    Ga heen! Ga heen! Ga heen!

    Cees Buddingh' (Dordrecht, 7 Aug. 1918 – Dordrecht, 24 Nov. 1985), Dutch poet and prose writer, made his debut with the collection Het geïrriteerde lied (1941), but made his name above all with his Gorgelrijmen (1953), a collection of nonsense poetry. His literary career ran through a variety of journals, such as the anecdotal Criterium, the experimental Podium and the new-realist Barbarber. His poetry was influenced by, among other things, surrealism and jazz. …

    My husband has suggested that I translate this poem into English. Now there is a challenge…

    The Blauwbilgorgel poem is a bit like Lewis’ Jabberwocky, but unlike that poem, the Blauwbilgorgel does have meaning through its apparent nonsense, well, a bit more. Maybe. Which is interesting in itself, shades of meaning of nonsense. Judge for yourself.

    Jabberwocky

    ’Twas brillig, and the slithy toves
    Did gyre and gimble in the wabe;
    All mimsy were the borogoves,
    And the mome raths outgrabe.

    “Beware the Jabberwock, my son!
    The jaws that bite, the claws that catch!
    Beware the Jubjub bird, and shun
    The frumious Bandersnatch!”

    He took his vorpal sword in hand:
    Long time the manxome foe he sought—
    So rested he by the Tumtum tree,
    And stood awhile in thought.

    And as in uffish thought he stood,
    The Jabberwock, with eyes of flame,
    Came whiffling through the tulgey wood,
    And burbled as it came!

    One, two! One, two! And through and through
    The vorpal blade went snicker-snack!
    He left it dead, and with its head
    He went galumphing back.

    “And hast thou slain the Jabberwock?
    Come to my arms, my beamish boy!
    O frabjous day! Callooh! Callay!”
    He chortled in his joy.

    ’Twas brillig, and the slithy toves
    Did gyre and gimble in the wabe;
    All mimsy were the borogoves,
    And the mome raths outgrabe.

    from Through the Looking-Glass, and
    What Alice Found There
     (1871)

     

     

  • Amuses

    A beginning

    The Wheel of Time turns, and ages come and pass, leaving memories that become legend. Legends fade to myth, and even myth is long forgotten when the Age that gave it birth comes again. In one Age, called the third age by some, an Age yet to come, an age long past, a wind rose in the Mountains of Mist. The wind was not the beginning. There are neither beginnings nor endings to the turning of the Wheel of Time. But it was a beginning.

    From: The Wheel of Time by Robert Jordan