• PhD

    There and Back again

    Suddenly, I find myself at the end of the first month of a new year, jolting awake. What happened? Well, I was off work for a blessed six weeks from the end of November, so I might spend that time writing on my dissertation. Like all grand quests, things never go entirely as planned, but I did make some very interesting discoveries that I would like to share. And yes, you Tolkien fans, you have correctly identified the title of this blog. We watched the movie yet again at Christmas. Wonderful.

    First, I discovered that Austin’s speech act theory is not a theory in the traditional sense, which kind of shocked me. Rather, it is more of a field guide for studying language in a natural setting. This led me to question the validity of subsequent speech act theories. Now you might wonder, “Why is this important?” Well, Austin is supposed to be the grand inventor of the Speech Act theory. Except that he was not, and that what he invented was not speech act theory.

    These are bold statements. In the philosophy of language, they are akin to saying that one plus one does not equal two. So I need to explain myself. First off, you might recall that I read at Oxford and hence have a feel for the place. I sort of know how they think because I know how it feels. Of course, I was there at the beginning of the 1980s, whereas Austin made his mark just after World War II. But that only means I caught the effects of what he started. And what did he start? Well, this is actually documented, but I did not know about it until I read Metaphysical Animals, which is about four women philosophers: Elizabeth Anscombe, Iris Murdoch, Philippa Foot and Mary Midgley. During WWII, they were undergraduates while “the men” were away, the men being the newfangled breed of “analytical philosophers.” When they came back, there was a kind of power struggle, which the men won but only at great cost to the philosophical debate. Austin, who wasn’t always a language philosopher, decided to become a language field researcher, which is similar to a biology field worker, as an analytic-style response to philosophical ideas that he thought were too vague and wordy. He even phrased it as a conscious choice between publishing and teaching. So he established a novel kind of research-and-teaching tradition, modelled on his intelligence unit during the war and barring all women because apparently he did not like them much. He became a kind of Wittgenstein counterforce (those two did not appreciate each other at all), although he was never considered on a par. Wittgenstein, of course, was at Cambridge at the time, and rarely came up to Oxford, or if he did, only at the personal invitation of Anscombe.

    Source: existential comics

    There is a lot of archived material on Austin, some of which I can’t access online but which piqued my interest. I quite lost myself in the newspapers from that time about how these great philosophers behaved, especially toward one another. It is like reading a tabloid—very gossipy. Mostly, they were not very nice people, these analytic philosophers, not at all. Anyway, I have promised myself to go up to Oxford this summer and visit the Balliol College archives, which hold Austin’s personal papers. It seems that he was enamoured of a particular scholar, also at Balliol, and I suspect he got his “speech act” ideas from there, via German scholars such as Adolf Reinach who first discovered them but called them “social facts.”

    I think the research tradition that Austin established has much to commend it, not least because he helped sever the connection between language and truth. However, it does not amount to a theory, let alone a speech act theory; and he did not think so himself. So in that light, it is a bit strange to have studied other speech act theories, like Searle’s or Bach’s, which base themselves on Austin’s “theory.”

    Reading about Austin and his time also gave me insights into why philosophy was conducted at the time and how philosophy of language was conducted. It seems very much a case of haphazard social connections and who-knows-who-to-influence-someone-else. I discovered (yes, Husband, thanks to you, if only I had listened earlier 🙂) a set of interviews by Bryan Magee in the 1980s. Wonderful. These give a feel for the kind of people these philosophers were. Observe the difference between Searle and Bernard Williams in these interviews—they are worlds apart. Searle is insecure (he lashes out at Williams in future interviews, complaining about Williams’ good connections with the British Royal Family, which, as an American, he can only dream of). Williams observes from an enormous distance and is ever the gentleman. Both speak of the same thing: what to make of language and the new ideas that were coming out of Oxford. In the end, I think that Searle’s “solution,” to bring “intention” into speech act theory, is a mistake, and one I intend to correct if I can.

    Second, I realised that there is currently no model for language interaction. Without a model to work with, I decided to develop my own. This model draws on the work of Bicchieri, who studied norms, the ISO norm for dialogue annotation (Bunt), the ViolEx 2.0 psychological model for expectation update, and the theories I examined for my master’s thesis. With my new model, I try to find a way to connect theory and practice. In real life, people use language to say what they mean and what they want to say, but it can be hard to figure out exactly what they mean or what they want to say. My model incorporates elements of normativity and expectations, which help explain the context in which a speaker’s words are spoken. My model also considers the role of the listener. Listening is an active process, and the person who is listening must be able to understand and respond to what is being said. In my model, this is done through an expectation update, which helps to bring clarity to the conversation.

    Having to create a model means that I have to decide what modelling language to use. I have decided on BPMN, which focuses on modelling (business) processes. I am not sure I am sufficiently proficient in it, and I am also applying it to very different processes than those for which it was invented. But never mind. I am going to check in with a specialist to make sure I have not made any stupid mistakes.

    Below is my model of a standard interaction process. I will need to extend 5 layers to 7; more about that in a separate post. The horizontal lanes are called “swim lanes”. The idea is that every lane is where it happens for a particular actor. I have made it a little complicated by dividing a single human in two parts, i.e. the part where mental processes take place and another part, where the internal representations of the outside world live.

    I am still working on the processes “manage communication” and “manage expectations.” The “manage communication” process is about what happens during an interaction. Not just the speech exchange, but also everything that is necessary to manage the conversation: greeting, feedback, correction, etc.
    “Managing expectations” is about what happens in the head of the listener when he/she receives a communication. It is matched against what is expected, desirable, etc., and then a response is formed.
    What is important—and you might find this obvious, but it took me a lot of time to realise this—is to see that there is no interaction until the listener decides there is one. It is also the listener who decides the initial direction of the conversation. Much like playing badminton (yes, thank you, Husband): having a shuttlecock thrown at you means nothing. Return it and there is the game.


    What is next? Well, I have already discussed the model with my supervising professor, and he cannot find anything wrong with it. Mind you, that is no guarantee that he won’t find anything wrong later on, when I detail the details. Also, it is worrying that he found it “impressive,” because that might mean that he simply does not understand this way of conveying information. But for now, it is encouraging. So I will continue to detail the model. And then take out the bit that I need for my field research. I have documented my approach in my new dissertation-online. It is very much a work in progress, but if you like, you can have a look here on this page. Mail me for the password if you don’t have it. There is quite a bit on how I plan to use the ISO norm for dialogue interaction to investigate specialists’ understanding of other norms. Of interest only to methodologists, but I know you are amongst my followers 🙂

    Now I return to earth for a few days. My husband celebrates a birthday, the family is coming over, and the country needs saving (the day job). So, until next time…

  • Amuses

    The art of misunderstanding

    I have been talking in this blog about my journey back into academia. But I have said little about why. There is a reason for this reticence. Well, several. First, I am not at all sure I will complete this quest, so the less said, the better. Second, I might change my mind. Seriously, after just 3 weeks I am already so filled up with new thoughts that anything might happen. And finally, well, you might laugh. But never mind all that. I will explain.

    In my day job I am a security architect. That is someone who thinks out a web of strategic and actual safety measures which will protect a company from bad people or natural disaster. There is a lot of IT involved.

    One might ask how a philosophy & psychology graduate ever ended up as a security architect. Well, I am not sure. It happened. And it involves being in a world of very serious, conscientious people who argue about … words. It is almost impossible to get any work done because of these arguments.

    It is not about ordinary words. It is about words in regulations and contracts, even laws. Anyway, you can read it all in the paper below. It is the one I wrote for “my” professor during the university acceptance process. I have also included the mind map I created before writing the actual paper. I was nervous; I had written nothing academic in 30+ years. Mind mapping is always a good idea. This one is colourful.


    Meeting expectations: the language of governance and compliance


    Introduction

    Organisations are expected to take care of their assets.  This is especially true when damage or misuse has negative consequences for the public or the state. In this digital age, information is widely regarded as a major asset. It needs protection against many threats. Threats may range from common theft to a disgruntled employee bent on revenge; from industrial espionage to natural disaster; from human error to terrorist attack. In general terms, protecting information means ensuring its availability, integrity and confidentiality up to a pre-agreed level.

    On the subject of information security, in the past 20 years a multitude of (inter)national regulations and standards have emerged, and more appear every day. These regulations and standards guide, direct or impel companies to institute good information security governance and to report on the level of compliance achieved.  Failing to comply may be punished in various ways: a formal warning, a fine, a revoked licence, or public shaming; and may result in the loss of a job, bankruptcy or even a prison sentence.

    Because of the value of information assets, the many threats to them, and the consequences of failing to institute proper protection, governmental and business organisations actually want to comply with regulations and standards.

    However, there is a problem. These texts are hard to understand, and their meaning is often open to different interpretations. This negatively influences the quality of information security that can be achieved.

    Regulations and standards on information security

    Let us first identify common characteristics of relevant regulations and standards. As we will see later, some of these characteristics may be tied to interpretation problems within the texts themselves.  

    Regulations and standards on information security are always:

    • in written form only, typically containing a mix of persuasive, informative, descriptive and instructive texts.
    • intended for a specific purpose (a topic within the field of information security)
    • intended to regulate behaviour (should, could, must)
    • issued by a high-level body, such as a government or a board of directors of an (inter)national organisation
    • produced as a group effort, usually involving stakeholders, experts and policy makers. Typically, there is no mention of the author(s) in the regulation or standard.
    • created and maintained through a formal process
    • available to a large audience, usually the public, but may require payment
    • authoritative, either as an official directive or regarded as a de facto standard

    Examples of such regulations and standards are:

    Organisations tend to treat regulations and standards as a single point of truth, taking texts as literally as possible. This is because of the need to demonstrate compliance. For the same reason, implementation is usually achieved through a top-down chain of command.

    Texts and meanings

    The texts of these regulations and standards are riddled with meaning problems. Why should that fact be a problem? General wisdom dictates that if you don’t understand something, you should go and ask. Why does that not work here?

    • One reason is that there is no one to ask. There is no author to ask for clarification, nor is there an easily accessible expert group. An additional problem is that reaching out to the publisher of the regulation or standard in question must be done through proper channels, i.e. it is not something just any employee can do. Usually, the best that may be achieved is to send in a formal request for clarification – which may or may not be processed during a future maintenance window.
    • Another reason is that readers tend not to be aware of the different meanings of a particular bit of text, because they assume that there is only one meaning, namely the meaning they have assigned themselves. Only when one happens to be confronted with a different interpretation by someone else will there be cause to wonder.
    • Yet another reason is that, in the field of regulations and standards, no one likes to admit to a lack of understanding or knowledge. It is associated with losing face, particularly when the particular regulation or standard is implemented from the top down. Power and knowledge of important matters are supposed to live at the top, rather than in the workplace.

    The nett result is that texts get interpreted in different ways by different people who all believe they are right even when they are working at cross purposes. This generally results in a confused implementation of the regulation or standard, and ultimately, in compliance failure.

    The art of misunderstanding

    There are many causes which contribute to interpretation problems in these texts. However, let us begin with what, contrary to popular opinion, is not a cause. It is not the case that the authors of these texts are unable or unwilling to use plain language. Rather, they arrive at the final wording through a group effort[1]. Achieving consensus, the outcome of a negotiation process, is much more important than clarity. Meaning problems which arise from this cause take the form of obfuscation and generally over-complicated text containing (too) many qualifiers.

    The same effect may be produced deliberately. Organisations that issue regulations and standards are usually funded by public money and derive their status at least in part from their authority of being accepted by all parties involved.  To keep that status and funding, they try to avoid any big confrontation with the intended audience. For that reason, expectations on compliance tend to be worded softly, so they won’t chafe too much, allowing for an escape. One way to do this is by introducing intentional vagueness into the text, for instance, by not being specific on whether something must, should or could be done.

    Context is another issue. The same words will mean different things in different contexts, or to different people, and these meanings may even be contradictory. Some examples:

    • the term special data (“bijzondere gegevens”) might be taken to mean data that need special care, or data that are for some reason special. Yet the term also refers to data which it is the special duty of the government to secure[2]. Within the context of the GDPR[3] it means something completely different again, namely data describing very particular human characteristics such as DNA, creed, race or political inclination.
    • the use of the word value (“belang”). In Dutch governmental regulations the term refers to anything which, when compromised, will negatively affect the Dutch state or its partners[4]. To security professionals, the term signifies the value of a company asset[5], expressed in either quantitative (money) or qualitative terms. In a business context the term usually refers to the interest of an important stakeholder[6]. In everyday speech, the term just means that the issue is deemed to be of some importance.

    Last but not least, there are knowledge problems. These take various forms.  

    • There may be a lack of knowledge at the level of the intended audience. The committee or group composing the regulation or standard may also have knowledge gaps. A knowledge gap may have an underlying cause, such as a belief about the extent to which it is possible or desirable to regulate behaviour, or an opinion about whether information security threats are real or may be countered.
    • Another area is the definition of knowledge itself. Within the field of information processing various modelling languages have been developed, ranging from formal, mathematical models to more descriptive languages such as UML, BPMN and ArchiMate, which have the added advantage of being designed to produce strong visualisations which can be shared with a less specialised audience. The problem with these ‘descriptive’ languages, though popular, is that the concepts they are built on have been arrived at through trial-and-error and common sense. Inevitably concepts overlap, leave gaps, are overloaded or simply are not sufficiently clear for the use of capturing knowledge[7].
    • Within the field of computing, much interest has centred on the possibility of capturing information within an ontology in a formal language (such as OWL or WSDL) that can be processed by a standardised computer program or interface (semantic web service)[8]. In principle, this idea works for all kinds of information, including security, and may be used to construct theories, harmonise concepts or create computer-based applications.  Some real progress has been made in highly specialised sub-topics such as automatic threat detection in cyberspace. Yet that progress seems to have been possible only because there exists a straightforward cause-and-effect relation between a cyberthreat and the way to respond to it. Overall, security ontologies for sub-topics are developed independently from each other. In a recent survey[9] eight different families of security ontologies were identified. Despite considerable work, these efforts do not converge. There exists general agreement on the lack of a common body of knowledge, but this conclusion tends to be presented both as a cause and as a solution.

    Next steps

    The above presents a general overview of problems encountered when interpreting regulations and standards on information security and points to some possible causes. These causes may exist simultaneously and may interact. Much more work needs to be done on this to achieve a true identification of relevant causes and underlying factors. It might be possible to construct a diagnostic framework which may be used to identify specific semantic problems in regulations and standards on information security, such that agreement may emerge on how to avoid current interpretation problems. At the very least, a deeper insight into the art of misunderstanding may be achieved.

    Bibliography

    Europees Parlement, Algemene Verordening Gegevensbescherming (AVG). (2016, 04 27). https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-nieuwe-europese-privacywetgeving. Retrieved from Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/verordening_2016_-_679_definitief.pdf

    Figay, N. (2017, 8 8). Linked Enterprises: from ArchiMate language to ArchiMate Web Ontology? Retrieved from https://www.linkedin.com/pulse/from-archimate-language-web-ontology-dr-nicolas-figay/

    Gomes, H., Zúquete, A., & Dias, G. P. (2009). An overview of security ontologies. 9ª Conferência da Associação Portuguesa de Sistemas de Informação. Viseu, Portugal. Retrieved from https://www.researchgate.net/publication/228692638_An_Overview_of_Security_Ontologies/references

    Mast, N. v. (2006). De zin van ambtelijk taalgebruik. In Rijksvoorlichtingsdienst, De taal van de overheid (Vol. 5). Den Haag, Netherlands: SDU uitgeverij. Retrieved from https://www.communicatierijk.nl/documenten/publicaties/2006/04/01/platform-5

    Minister van Algemene Zaken, BVR-2013. (2013, 06 01). Beveiligingsvoorschrift Rijksdienst 2013. Rijksoverheid. Retrieved from http://wetten.overheid.nl/BWBR0033512/2013-06-01

    NEN, NEN-EN-ISO/IEC 27001:2017. (2017, 03 1). NEN. Retrieved from https://www.nen.nl/NEN-Shop/Norm/NENENISOIEC-270012017-en.htm

    Soug, A., Salinesi, C., & Comyn-Wattiau, I. (2012). Ontologies for Security Requirements: A Literature Survey and Classification. In E. Bayro-Corrochano, & E. Hancock (Eds.), Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications (Vol. 8827, pp. 61-69). Cham: Springer International Publishing. doi:10.1007/978-3-642-31069-0_5

    The Open Group. (2012). TOGAF 9.1. Zaltbommel, Netherlands: Van Haren Publishing. ISBN 978-90-8753-679-4


    [1] (Mast, 2006)

    [2] (Minister van Algemene Zaken, BVR-2013, 2013)

    [3] (Europees Parlement, Algemene Verordening Gegevensbescherming (AVG), 2016)

    [4] (Minister van Algemene Zaken, BVR-2013, 2013)

    [5] (NEN, NEN-EN-ISO/IEC 27001:2017, 2017)

    [6] (The Open Group, 2012)

    [7] (Figay, 2017)

    [8] (Gomes, Zúquete, & Dias, 2009)

    [9] (Soug, Salinesi, & Comyn-Wattiau, 2012)