Spring is here, and so are all of its delights. My small garden is full of roses I have planted over the years. I used to order one every year from a specialist rose farm. Some of them survived, others did not. The ones that survived are spectacular. I feed them, Husband prunes them, and they are just everywhere around the house. Even our grocery delivery person comments on them. My biggest success and my biggest failure is no longer with us. Husband had to kill it, alas. It was a Kiftsgate Rambling White Rose. Have a look at the original here. It is gigantic, encapsulating three trees.
“Kiftsgate” quickly covered our small patio in the back garden and attracted a million bumble bees. For a couple of years. But it just kept growing. And growing. I suppose the worst thing about this rose were its thorns and its stems turning to rock-hard wood. Of course, the disclaimer said “not for small gardens”. Which is sound advice if your back garden is only about 5 x 5m like mine. But I sort of overlooked that in my enthusiasm. Well, it is gone. Somehow “Kiftsgate” inspired our honey suckle into a growing spurt, covering the patio, so all is well.
Another delight that really is not a delight and hence must be resisted, is hay fever. It was staved off by the rainy weather but now all grasses seem to have bloomed at once. It is terrible. The Dutch hay-fever-radar sites colour a deep red, which is the worst there is. I have good hay fever pills now, keeping me from the worst, but this years is really quite extraordinary. I have to cover my eyes in vaseline and preferably stay indoors with all of my air-cleaning equipment turned on. And the tiredness! Even Husband complains, although he does not have a sneeze in his non-allergic body. Son, however, is still in denial, buying hay fever tablets off the counter, just this once … Well, hay fever is a predictable reaction. Once you pass a certain threshold of pollen, and start reacting, that is it. For years. But I suppose what amuses me most is his denial. He is so like me :-). Like: if I don’t wear my glasses, no one can see me (that was my favourite at his age). Anyway, the hay fever will be gone by July.
We live quite near Paleis Het Loo, which is the palace where Queens Emma and Wilhelmina and young Juliana lived before the war. It is being restyled – a many-years project which is already overextended. We walk the outer grounds every night. The coming week I will visit it properly, on the inside, with Husband and my good once-red-haired friend who has just come out of chemotherapy and a friend. Anyway, as they were also restructuring the landscape around the palace, putting in what looks like wild-flower areas, I just could not resist. I adore poppies. They are wild and beautiful and resilient. So I ordered a pile of seeds ( a few thousands) and threw them about on the newly prepared fields. Son did his bit as well. So far, only few have come up. So then we planted about 40 poppy plants which were sent to by the nursery I bought my seeds from (thank you!). And I have ordered more seeds. And more. In a few years, the whole place should be incandescent with poppies, I have decided. It will be my heritage. Much nicer than money or material things.
There are lots of other wild flowers on those fields surrounding Paleis Het Loo. I know because we have been using this app called “obsidentify” to get to know flora and fauna. It is quite remarkable. Like playing Pokemon but for the elderly. Much easier to use than my old Flora. At some point, I will use it to find edible greens and mushrooms. But already I am enjoying being able to identify plants and flowers and trees. Amazing what I remember from early childhood – I must have had a great interest in nature, because I can still identify so many plants off the top of my head; fortunately, with the obsidentify-app, I now have the means to check and find new ones. For instance, the yellow plants (weeds) growing in my front garden are called “stinkende gouwe”, i.e. “smelly gold”. I now have much fewer qualms about pulling them up.
Another disruptive thing I did was to have my hair cut. It had grown long throughout the Corona years when I did not dare to go to the hairdresser, so I just left it – well, Husband cut it for me to one length once. It grew way down my back, getting heavier and hotter every day. But I had this idea that with long hair I would turn into this patient, wise woman, such as below (the third woman from the left). The wild wise woman. Something my sister Sigrid is becoming in her amazing priest training, which is nearly finished now.
But alas, it is not for me, the long hair or the temperament! So I went to my old hairdresser who was amazed to see me – she thought I had gone elsewhere until they saw the length of my hair. Very amusing. Even more amusing is that my curls have returned. After 10+ years! Really tight curls that won’t be tamed. Which makes a mockery of the sleek, stylish hairdo I had selected, but who cares? I regard those re-emerging curls als evidence of my inner rebel – yes , the theme of this blog.
The decision to cut off my hair came at the end of a lovely holiday. We usually take one during the first or the second week of May. I don’t like to be home on my birthday because it is Remembrance day, and also because May is such a wonderful month. Spring, not yet hot, there is no pollen, everything a lush green and flowers everywhere. We rented a wonderful little house at the edge of a wood near the beach. Son came over on his bike because we were near Leiden where he lives, and we celebrated both our birthdays. We also did a lot of walking and photography and walking along the shore. One day we went to the Keukenhof. I had always wanted to go, and now I had turned 60 I felt I had a right 🙂 Husband was a true sport and came along without grumbling. Took a million pictures, but one will have to do for this post.
The holiday marked the beginning of my return to health. If you remember my last post, things were pretty bleak on that front – my worst CFS flare up in years. But I should have remembered, just when I start to cry that I just cannot go on, things always get better. I had ordered a pile of supplements which might counteract the CFS bad-fuel problem, the anaerobic metabolism that causes my muscles to behave like they have run a marathon. The science is all here, in a PostScript. Anyway, I have been taking these supplements for two months now, and they are really making a difference. I don’t have more energy, but most of the aches and brain fog and stiffness have gone. Husband says I seem to get stronger. Great. I aim to be a super fit pensioner. That is still seven years away, so I might make the deadline :-).
Whilst on holiday, I took some time to think about work. Normally I don’t, because there is not much I can change, but I was experiencing some kind of inner revolt which was bothering me.
- Revolt against our political system, which I feel has been eradicating the social fabric of our society for the past 20-odd years. In civil service (the day job), such changes become more and more visible in the way we deal with the public and vice versa. I loathe neo-liberalism beyond anything I can put into words.
- Revolt also against my day-job, which is about (information) security. I had been researching the threat landscape, both at work and for my PhD. It looks as if citizens are becoming squashed between criminal organisations and governments, neither of which can be defended against. So what is there for little me to do against all that?
A bit bleak, eh? But there is nothing for it, other than to look the monsters squarely in the face, take a deep breath, and do what I can in my own little world. Or so I resolved. I must find some more colleagues to pass on my experience and knowledge on. That is a much better idea than running around, trying to save the world by myself. Meanwhile, I keep an eye on the lottery, but I never win. Well, as they say, lucky in love unlucky in gambling, which is fine with me.
Another thing that was worrying me is whether we should move house. We have very steep stairs, so if we become old and feeble, we won’t be able to make it upstairs. We had the stairs measured for one of these chair-lifts, and it will fit! Well, you would have to duck your head a little, but it fits. So that is one problem less. Time to revamp the place, coz it is a while since we did any painting. We will need help this time around. So Husband and I have decided to save up a bit before we start. We will start on the study. Husband has already made a maquette to scale. Exciting.
The PhD is also back on track. My professor advised me to stop reading and start thinking. Which turned out to be very hard advice to follow – whenever I think up something, I am inclined to check if someone else has thought of it, and what they said, and how they developed the thought, etc. And this habit was making me feel as if I was catching snowflakes. It is strange, somehow just thinking does not feel like work whereas reading does. It is the Protestant Work Ethics lurking inside me; I suppose. Anyway, I have been “just thinking” for over a month now (with a bit of reading on the side, I will admit), and things are progressing again. I have developed a mini theory which I am expanding on. I have also run into some interesting contacts.
- A German guy who is introducing companies to autopoiesis. The thing is, it seems to work and they are ecstatic, but no one seems to worry about why it works. Autopoiesis is about living cells. Organisations are not.
- Some interesting IT guys, external contractors, approached me. They have developed a new way of approaching problems, which is a bottom-up empowering style, rather than the traditional top down “blue” design thinking. I like them and their style very much, but for now I cannot make much sense of what they are doing: it seems to be a pot-pourri of original thoughts, sound scientific theory, well-thought out personal style and agile-style hypes. Must find out more. The conversation continues.
- Then there is this interesting guy, a business architect like me, but much more the suave boardroom type. He is clever, well read, and a self-styled philosophy with fixed ideas about language, the type of ideas that many people in the IT business have – they think that either language has a fixed meaning (being comprised of words) or that meanings come from intentions. If I can explain my ideas to him and get him to understand, that would mean that I have achieved sufficient clarity myself.
- Also talked to two security professors now. Both want to help me. One is offering to co-author my literature research on security professionals. Not too much work for him, but it would validate the paper, as I am a philosophy researcher, not a security one, despite the day job. So sharing authorship seemed ok to me. My professor agreed. Better to be generous.
I am a bit hesitant, but in my next post I will try to outline some of the ideas I have been working on. Must start somewhere, so I will start with you.
I have signed up for the reading challenge on Goodreads. A 100 books this year. I am heavily into “noir detectives”, and I don’t read, I listen. All the time. I have also been listing to some other stuff. This one: the Dawn of Everything, by David Graeber (anthropologist) and David Wengrow (archeologist). It is “is a reimagining of the history of humanity, based on new discoveries in the worlds of anthropology and archeology. According to the authors, new findings challenge what we thought we knew about hierarchies, inequality, property, and the state”. David Graeber, who died unexpectedly last year, was actually kicked out of Harvard for his anarchistic ideas, so that sparked my attention. A whopping 24 hours listening, but a fascinating book! The book is very detailed, so I will repeat the experience at some point. Recommended. For my Dutch friends, there is a Dutch translation: “het begin van alles”.
I have been talking in this blog about my journey back into academia. But I have said little about why. There is a reason for this reticence. Well, several. First, I am not at all sure I will complete this quest, so the less said, the better. Second, I might change my mind. Seriously, after just 3 weeks I am already so filled up with new thoughts that anything might happen. And finally, well, you might laugh. But never mind all that. I will explain.
In my day job I am a security architect. That is someone who thinks out a web of strategic and actual safety measures which will protect a company from bad people or natural disaster. There is a lot of IT involved.
One might ask how a philosophy & psychology graduate ever ended up as a security architect. Well, I am not sure. It happened. And it involves being in a world of very serious, conscientious people who argue about …. words. It is almost impossible to get any work done because of these arguments.
It is not about ordinary words. It is about words in regulations and contracts, even laws. Anyway, you can read it all in the paper below. It is the one I wrote for “my” professor during the university acceptance process. I have also included the mind map I created before writing the actual paper. I was nervous, I had written nothing academic in 30+ years. Mind mapping is always a good idea. This one is colourful.
Meeting expectations: the language of governance and compliance
Organisations are expected to take care of their assets. This is especially true when damage or misuse has negative consequences for the public or the state. In this digital age, information is widely regarded as a major asset. It needs protection against many threats. Threats may range from common theft to a disgruntled employee bent on revenge; from industrial espionage to natural disaster; from human error to terrorist attack. In general terms, protecting information means ensuring its availability, integrity and confidentiality up to a pre-agreed level.
On the subject of information security, in the past 20 years a multitude of (inter)national regulations and standards have emerged, and more appear every day. These regulations and standards guide, direct or impel companies to institute good information security governance and to report on the level of compliance achieved. Failing to comply may be punished in various ways: a formal warning, a fine, a revoked licence, or public shaming; and may result in the loss of a job, bankruptcy or even a prison sentence.
Because of the value of information assets, its many threats, and consequences of failing to institute proper protection, governmental and business organisations actually want to comply with regulations and standards.
However, there is a problem. These texts are hard to understand, and their meaning is often open to different interpretations. This negatively influences the quality of information security that can be achieved.
Regulations and standards on information security
Let us first identify common characteristics of relevant regulations and standards. As we will see later, some of these characteristics may be tied to interpretation problems within the texts themselves.
Regulations and standards on information security always are:
- in written form only, typically containing a mix of persuasive, informative, descriptive and instructive texts.
- intended for a specific purpose (a topic within the field of information security)
- intended to regulate behaviour (should, could, must)
- issued by a high-level body, such as a government, a board of directors of an (inter) national organisation
- produced as a group effort, usually involving stakeholders, experts and policy makers. Typically, there is no mention of the author(s) in the regulation or standard.
- created and maintained through a formal process
- available to a large audience, usually the public, but may require payment
- authoritative, either as an official directive or regarded as a de facto standard
Examples of such regulations and standards, are:
- Beveiligingsvoorschrift Rijksdienst, Voorschrift Informatiebeveiliging Rijksdienst, Voorschrift Informatiebeveiliging Rijksdienst – s informatie, and Baseline Informatiebeveiliging Rijksdienst; all published by the Dutch Government
- General Data Protection Act (published by the European Commission) and its Dutch add-on, the Uitvoeringswet Algemene verordening gegevensbescherming
- ISO/IEC 2727K family of standards on information security, published by the ISO/IEC Joint Technical Committee, Subcommittee 27, particularly the ISO27001 and the ISO27002; both European standards.
Organisations tend to treat regulations and standards as a single point of truth, taking texts as literally as possible. This is because of the need to demonstrate compliance. For the same reason, implementation is usually achieved through a top-down chain of command.
Texts and meanings
The text of these regulations and standards are riddled with meaning problems. Why should that fact be a problem? General wisdom dictates that if you don’t understand something, you should go and ask. Why does that not work here?
- One reason is that there is no one to ask. There is no author to ask for clarification, nor is there an easily accessible expert group. An additional problem is that reaching out to the publisher of the regulation or standard in question, must be done through proper channels, i.e. not something just any employee can do. Usually, the best that may be achieved is to send in a formal request for clarification – which may or may not be processed during a future maintenance window.
- Another reason is that readers tend not te be aware of the different meanings of a particular bit of text, because they assume that there is only one meaning, namely the meaning they have assigned themselves. Only when one happens to be confronted with a different interpretation by someone else, will there be cause to wonder.
- Yet another reason is in the field of regulations and standards: no one likes to admit to a lack of understanding or knowledge. It is associated with losing face, particularly when the particular regulation or standard is implemented from the top-down. Power and knowledge of important matters is supposed to live at the top, rather than in the workplace.
The nett result is that texts get interpreted in different ways by different people who all believe they are right even when they are working at cross purposes. This generally results in a confused implementation of the regulation or standard, and ultimately, in compliance failure.
The art of misunderstanding
There are many causes which contribute to interpretation problems in these texts. However, let us begin with what, contrary to popular opinion, is not a cause. It is not the case that the authors of these texts are unable or unwilling to use plain language. Rather, they arrive at the final wording through a group effort. To achieve consensus, the outcome of a negotiation process, is much more important than clarity. Meaning problems which arise from this cause take the form of obfuscation and generally over-complicated text containing (too) many qualifiers.
The same effect may be produced deliberately. Organisations that issue regulations and standards are usually funded by public money and derive their status at least in part from their authority of being accepted by all parties involved. To keep that status and funding, they try to avoid any big confrontation with the intended audience. For that reason, expectations on compliance tend to be worded softly, so they won’t chafe too much, allowing for an escape. One way to do this is by introducing intentional vagueness into the text, for instance, by not being specific on whether something must, should or could be done.
Context is another issue. The same words will mean different things in different contexts, or to different people, and these meanings may even be contradictory. Some examples:
- the term special data (“bijzondere gegevens”) might be taken to mean data that need special care, or to data that are for some reason special. Yet the term also refers to data which it is the special duty of the government to secure. Within the context of the GDPR it means something completely different again, namely data describing very particular human characteristics such as DNA, creed, race or political inclination.
- the use of the word value (“belang”). In Dutch governmental regulations the term refers to anything which, when compromised, will negatively affect the Dutch state or its partners. To security professionals, the term signifies the value of a company asset, expressed in either quantitative (money) or qualitative terms. In a business context the term usually refers to the interest of an important stakeholder. In everyday speech, the term just means that the issue is deemed to be of some importance.
Last but not least, there are knowledge problems. These take various forms.
- There may be a lack of knowledge at the level of the intended audience. The committee or group composing the regulation or standard may also have knowledge gaps. A knowledge gap may have an underlying cause, such as a belief about the extent to which it is possible or desirable to regulate behaviour, or an opinion about whether information security threats are real or may be countered.
- Another area is the definition of knowledge itself. Within the field of information processing various modelling languages have been developed, ranging from formal, mathematical models to more descriptive languages such as UML, BPMN and Archimate which have the added advantage of being designed to produce strong visualisations which can be shared with a less specialised audience. The problem with these ‘descriptive’ languages, though popular, is that the concepts they are built on, have been arrived at through trial-and-error and common sense. Inevitably concepts overlap, leave gaps, are overloaded or simply are not sufficiently clear for the use of capturing knowledge.
- Within the field of computing, much interest has centred on the possibility of capturing information within an ontology in a formal language (such as OWL or WSDL) that can be processed by a standardised computer program or interface (semantic web service). In principle, this idea works for all kinds of information, including security, and may be used to construct theories, harmonise concepts or create computer-based applications. Some real progress has been made in highly specialised sub-topics such as automatic threat detection in cyberspace. Yet that progress seems to have been possible only because there exists a straightforward cause-and-effect relation between a cyberthreat and the way to respond to it. Overall, security ontologies for sub-topics are developed independently from each other. In a recent survey eight different families of security ontologies were identified. Despite considerable work, these efforts do not converge. There exists general agreement on the lack of a common body of knowledge, but this conclusion tends to be presented both as a cause and as a solution.
The above presents a general overview of problems encountered when interpreting regulations and standards on information security and points to some possible causes. These causes may exist simultaneously and may interact. Much more work needs to be done on this to achieve a true identification of relevant causes and underlying factors. It might be possible to construct a diagnostic framework which may be used to identify specific semantic problems in regulations and standards on information security, such that agreement may emerge on how to avoid current interpretation problems. At the very least, a deeper insight into the art of misunderstanding may be achieved.
Europees Parlement, Algemene Verordening Gegevensbescherming (AVG). (2016, 04 27). https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-nieuwe-europese-privacywetgeving. Retrieved from Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/verordening_2016_-_679_definitief.pdf
Figay, N. (2017, 8 8). Linked Enterprises: from ArchiMate language to ArchiMate Web Ontology? Retrieved from https://www.linkedin.com/pulse/from-archimate-language-web-ontology-dr-nicolas-figay/
Gomes, H., Zúquete, A., & Dias, G. P. (2009). An overview of security ontologies. 9ª Conferência da Associação Portuguesa de Sistemas de Informação . Viseu, Portugal. Retrieved from https://www.researchgate.net/publication/228692638_An_Overview_of_Security_Ontologies/references
Mast, N. v. (2006). De zin van ambtelijk taalgebruik. In Rijksvoorlichtingsdienst, De taal van de overheid (Vol. 5). Den Haag, Netherlands: SDU uitgeverij. Retrieved from https://www.communicatierijk.nl/documenten/publicaties/2006/04/01/platform-5
Minister van Algemene Zaken, BVR-2013. (2013, 06 01). Beveiligingsvoorschrift Rijksdienst 2013. Rijksoverheid. Retrieved from http://wetten.overheid.nl/BWBR0033512/2013-06-01
NEN, NEN-EN-ISO/IEC 27001:2017. (2017, 03 1). NEN. Retrieved from https://www.nen.nl/NEN-Shop/Norm/NENENISOIEC-270012017-en.htm
Soug, A., Salinesi, C., & Comyn-Wattiau, I. (2012). Ontologies for Security Requirements: A Literature Survey and Classification. In E. Bayro-Corrochano, & E. Hancock (Eds.), Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications (Vol. 8827, pp. 61-69). Cham: Springer International Publishing. doi:10.1007/978-3-642-31069-0_5
The Open Group. (2012). TOGAF 9.1. Zaltbommel, Netherlands: Van Haren Publishing. doi:isbn: 978-90-8753-679-4
 (Mast, 2006)
 (Minister van Algemene Zaken, BVR-2013, 2013)
 (Europees Parlement, Algemene Verordening Gegevensbescherming (AVG), 2016)
 (Minister van Algemene Zaken, BVR-2013, 2013)
 (NEN, NEN-EN-ISO/IEC 27001:2017, 2017)
 (The Open Group, 2012)
 (Figay, 2017)
 (Gomes, Zúquete, & Dias, 2009)
Soug, Salinesi, & Comyn-Wattiau, 2012)