The Desolation of Awareness – 4 – Buddha Was a Hacker

By Uri Biber

 

The root of all problems, Baron Münchhausen, why “no” fails, and why Buddha was a hacker.

 

Prologue

Please, don’t continue reading. Unless you’re willing to give up everything you thought was true about information security awareness, I gently ask you to stop. If the only thing you’re interested in is how to distribute awareness material to the employees in the organisation you belong to, this series is not for you. If you think that you can make people aware of anything by explaining it to them, this series is not for you. If you believe that computer-based training can make anyone aware, please stop; this series is definitely not for you.

Awareness is an experience, not a target. You (think you can) acquire targets, you live an experience. Information security awareness is an experience, not a target. Targets are by nature predefined, finite. True experiences are personal, subjective, multi-layered. True experiences are challenging, life changing, painful, breath-taking, beautiful, unique. Targets give you the illusion of achieving something without taking into consideration the whole picture.

Are you truly willing to change the way your organisation perceives information security? Are you truly willing to let go of old paradigms? Do you really understand what you’re asking for when you say you wish to make people more aware of anything? If you wish for targets, this series is not for you, so please don’t continue, and thank you for reading so far.

If you choose to continue because you realised that what we do right now in order to create a shift in awareness of information security does not work, may I gently remind you that the previous three articles can give you better insight into this article? If you choose to continue, know that I’m here for you, and that I love you for your courage. Thank you.

 

NO!!!!

 

The mini-bus that took the six kids from the special needs school to two days packed with activities near the sea finally arrived at the parking lot near the school, almost an hour later than expected. As the door opened, one child burst out screaming, shouting, and crying.

That child was my son, Rephael.

When Rephael saw me he ran towards me. I opened my arms, and he just came, hugged my body and cried. I hugged him, held him tight to my body, allowing him to cry his heart out while finding shelter in my presence.

As Rephael was hugging me I saw how the other kids got off the bus with big smiles, excited to come back to their beloved parents. “It’s OK”, I told Rephael, “It’s OK”.

After a minute or so the school manager, who had arranged the trip and was with the kids at the sea, came to me. “What happened?” I asked this wonderful woman who has been taking care of Rephael for the last 3 years. “Oh, the ride back was horrible. Since we entered the car Rephael refused to sit quietly. He just said ‘1 2 3 go’ and tried to make us stop. He tried to open the door while we were driving, he was screaming and shouting and it was really, really hard. Other than that everything was ok with him during the trip”. As she was speaking I felt the experience had left a deep trauma not only on Rephael but on her as well. Rephael suddenly stopped hugging me, went to my car, opened the door, went inside and shut me, the school manager and the rest of the world behind him.

 

Rephael is non-verbal, which sometimes makes his life extremely frustrating. He can say one word (such as the name of his sister, his brother, food items, etc.). He remembers sentences from animated movies (e.g. “Toy Story”) and can say them, yet he seems to be unable to create his own sentences. When he is extremely tired this inability to express what he wants, why he wants it, or how he wants something can sometimes make him lose the endless smile, laughter and love he radiates. However, there is one word in the universe of words we verbal humans say that Rephael never was able to accept, and that word is “no”. Even hearing that word creates pain in him: his body goes into a shock state, he starts to cry, all his tenderness goes into a phase of breaking down. To me it feels he fears the word “no” like most people fear … death.

 

Most “normal” people will look at Rephael and not understand it. We consider it as “drama”. This is why Rephael is experiencing so much pain in his interaction with us, the “normal”. Most of us don’t understand this deep pain because we are “no” experts. We are so good at saying “no” that if there was an academic path to “no-ism” we would all be entitled to receive a PhD in it.

What most people don’t know is that we all have autistic traits within us. The reason why our inability to accept a simple “no” is invisible to us (and sometimes to others) is that it is buried under years of societal confinement and behavioural codes that were engraved in us before we were even aware of them. Deep down inside of us we all react to “no” the same way Rephael does, and the difference is that we learned to suppress it, to find ways to not re-live that pain, to make it unconscious. We might be experts in saying “no” but almost all of us (me included) are far from being experts when it comes to understanding ourselves, and reality.

 

If you ask yourself why I wrote about Rephael, remember Nancy Reagan and her “Just say no” approach to drugs. If your approach to information security awareness includes a lot of negative statements such as “do not click on links in an email from unidentified sources” or “do not give away your password”, or even “if we do not implement [information security technology] we will be vulnerable”, what you are doing is igniting an unconscious storm within the person you are communicating with. They might be able to suppress it, but sometimes, like Rephael, the storm will be so strong that they will not be able to resist their body and brain, and it will leave them acting in a way that will create a trauma for them and the rest of the organisation they are part of.

It might be hard for you to accept the above statements. If so, please know that I feel you. Accepting the fact that we don’t understand ourselves, realising that whatever edition of reality we subscribed to and whatever story we have been told or told ourselves about reality is nothing but a fabrication, is counter-intuitive, and against what our mind is telling us.

 

Baron Münchhausen

Our tendency as information security awareness experts is to focus on “the problem”, which is usually summarised with something like “lack of awareness to information security”. This approach, a target-oriented one, is similar to treating a patient who is complaining about severe pain by administering pain killers without identifying the real issue, which could be a fatal disease such as cancer. Sure, a pain killer will suppress the pain, but by not handling the root cause you’re not really helping your patient, you’re actually killing him.

“The root problem of all problems is (the) mind itself…Unless you know the nature of the mind you will not be able to solve any problem (in) your life. …No individual problem exist, mind *is* the problem.” (Osho)

 

OK, root cause analysis is finished. We can finally start to…. Wait, the mind is the problem? How exactly? I think therefore I am! My mind is the only problem? Not the hackers? Not the NSA? Not the stupid users? Not even my mother?? I’m sorry, it doesn’t make any sense!

“It doesn’t make any sense” means something that is not understood. As long as we don’t understand our mind (which is a sense) we are left with a sense that doesn’t make any sense.

We do try to understand it, at least some of us do. We try to understand the reality around us using our minds, which is why we fail, because our mind has a limited understanding of the system we call reality. Unless we recognise that our mind is a sense, and that it is limited, when we try to solve our problems we act as if we are trying to get ourselves out of the swamp by pulling our hair with our hands. There is only one man in the history of humanity for whom this worked (and for his horse) – and that’s Baron Münchhausen.

We are lucky that we have an answer to that problem, and we have had it for at least 2500 years.

 

The Fresh Prince of Kosala

The story of Siddhartha Gautama, whom most people know as Buddha, is fascinating because Buddha was a hacker. The system he was hacking is our perception of reality, or life as we know it. Here are some elements in his story to support this claim:

  • Buddha was born into a world that tried to protect him from experiencing a system via various restrictions.
  • Buddha discovered that there are some painful elements of the system he cannot escape (four noble truths).
  • The internalising of that fact ignited his personal journey to explore the system. Buddha gave up the comfort of the protective world (closed system).
  • Buddha realised that the path he is choosing at any given time allows him to experience the system regardless of the previous experiences one had with the system.
  • Buddha tried various techniques in order to reach the understanding of the system he was investigating, but he realised that none of them were adequate enough. He started to enhance them.
  • Buddha then started to develop his own tools, a new approach, one that he called “the middle way”. This was a state of tuneful harmony, a way in which he was operating in alignment with the system. He theorised that the best way to own a system is not by trying to over control everything in the system, or to ignore elements in it. Buddha theorised that the best way to own a system is to become an integrated part of the system, to become the system.
  • Like all great hackers, he came up with a cool name for his finding (what is known today as state of mindfulness).
  • Buddha didn’t only develop a theoretical approach – he experimented with the system by himself, taking upon himself a huge risk and great torment. This experience allowed him to be fully aware of his system, to understand it, to “own it”.
  • Buddha didn’t keep his findings to himself but dedicated his life to sharing his knowledge with his community for free. This made him admired by many people in that community (also known as humanity). Buddha is one of the world’s most legendary hackers, and we all owe a deep gratitude to him, even though he lived 26 centuries ago.

 

What type of a hacker was Buddha? Some people divide hackers into groups: black, white, grey. If you had asked Buddha’s dad I’m sure he would have told you that his son was a black hacker – he broke rules, he broke the system without approval, and he did it for his own personal gain. However, even his own dad acknowledged at a later stage that his son made the system stronger via his actions. Next time you read about a hacker, ask yourself if you can observe his action without the judgement which is based on your perception of reality.

 

Buddha’s findings can provide us with an understanding of why the current perception of reality we hold is mistaken, and why our perception (aka “awareness”) of information security is the root of the suffering we are experiencing in it. The next article in the series will dive into the teachings of Buddha, and what we can learn from them in the way we approach information security as a whole and awareness in particular.

 

Blessings and love

Uri

© All rights reserved 2014

The Desolation of Awareness – 3 – One Sense to Rule Them All

By Uri Biber

 

What do the colour blue and information security have in common? The fascinating world of the mind.

Prologue

One sense to rule them all, one sense to find them,

One sense to bring them all and in the darkness bind them

In the Land of the mind, where the Shadows lie.

(Paraphrasing J.R.R. Tolkien)

 

Reminder – please read the previous articles in the series to better understand this article.

 

Feeling Blue

 

A sense of information security will be a sense of the mind, but how would it feel to sense such a thing? As far as I know (and as far as Google can tell) there is one paper on the subject called “Information Security and the Psychological Contract: A Trust Perspective” by Mitchell R. Wenger, who wrote it in 2006 when he was at Virginia Commonwealth University. It’s good, but it talks about an approach which is based on the science of psychology, and has no discussion of what that sense, that particular sense, would feel like.

We can describe a sense with words (such as we do in a psychological approach) but these are just words. For example, no words can fully cover what a sense of compassion feels like, and no words can truly describe a sense of information security, which presents most of us with a real challenge because many of us assume that if we can’t quantify information security with words we can’t educate our target audience.

Senses are impossible to capture with words. If you never experienced a colour you can never know how it feels to experience it. You can try to describe to a person who is colour-blind what red looks like from now till the end of days but he will not understand it because he is unable to feel how you sense a red colour. The sense of red is unique to each and every one of us.

It gets worse – actually, the sense of colour is so unique that sometimes we can’t even name a colour even when we see it. Don’t believe me? Ask the Greeks. William Gladstone, who was a British Prime Minister back in the 1800s, did extensive research on The Odyssey and The Iliad to map all the colours mentioned in them, and he discovered that the colour blue was never mentioned. The Greeks barely saw colours and described the world around them mainly in black and white (and a little red). It’s not like they didn’t have the capability of seeing the colour blue – our eyes have been able to see it for millions of years, but they couldn’t see it. This is not unique to the Greeks – Lazarus Geiger, a Jewish German philosopher in the 19th century, did research across all cultures and he discovered that the colour blue appeared last in all of them. The order of colour appearance in cultures was black and white, then red, then blue at the end. For more on the subject I highly recommend listening to the RadioLab podcast called “Why isn’t the sky blue?”.

This makes the ancient philosophical question “If a tree falls in a forest and no one is around to hear it, does it make a sound?” a real-life question – if blue is here yet no one saw it for thousands of years, did it even exist? The answer will be both yes and no – it was, but no one experienced it, so it wasn’t.

Osho told a story in one of his seminars about a childhood experience. He used to go to the river in the early morning hours. When he came back home his mother would ask him what he did, and he would answer “nothing”, and she would get upset because she would say to him that he must have been doing something. As Osho explained, both of them were right. Sure, he was washing in the river, swimming in it, and watching it. But the experience was much bigger than just specific elements in it. As he said:

Even in ordinary life you feel the futility of words. And if you don’t feel the futility of words, that shows that you have not been alive at all; that shows that you have lived very superficially. If whatsoever you have been living can be conveyed by words that means you have not lived at all.

(Osho – “Tantra, the supreme understanding”)

Life, my beloved friends, is literally what we make it to be.

Let us dig deeper into this “thing” that is responsible for our blindness and our ability to experience – the mind.

 

A Sense of Mind

In my previous post I suggested that we first need to develop a sense of information security in order to have information security awareness. We tend to sub-categorise a lot of the mind’s activities into what we call “senses” such as a sense of fear, duty, honour, pain, even truth, and we don’t see the mind as a sense, which contradicts the Buddhist view. In this section we will look at why such an approach makes sense.

A lot of people assume senses are all about the brain. This is partially true, because we feel our senses, and feelings rely on our emotions. According to the view of neuroscientists, feelings are a crucial element in our ability to reach decisions, and they are formed upon our emotions, which are neurological reactions. So in order to define an information security sense we need to create a feeling for information security, and in order to do that we might wish to map the emotions that are flowing in us. I used the word “emotions” and I can see my information security geek community running away like it was a plague. We? Train people about their emotions? Mummy!!!!

Desolation? You Betcha!

(For more on the connection you can read an interview with Antonio Damasio from 2005 called “Feeling our emotions”.)

However, creating a map between emotions and feelings is not as straightforward as we would like to believe. To assume senses are solely a brain activity is a very simplified and inaccurate view. Take for example the sense of fear, which is a very primordial sense: when we experience it we feel it in our body, and a brain scan (fMRI) of a person being exposed to images or sounds that ignite the fear will show different areas in the brain that “light up” during the experience (the best known area is the amygdala). This might lead a person to assume that by looking into brain activity we can clearly define certain mind activities. This is wrong for many reasons; here are only a few:

First of all, the brain has a unique plasticity, which means it re-organises and reshapes all the time, and even creates new neurons. This means that one person might have a very different “brain activity signature” for a sense than another person. This is not only true for complex social senses but true for “normal” senses. Blind people, for example, use a large part of their brain which is used for visual signal processing and assign it to other senses such as smell, taste, and hearing.

Second, the communication between neurons, which send connectors to each other (AKA axons), is very dependent on the signal travelling on time between them. To do that the brain covers the axons with a layer called myelin. After years of focusing on neurons, scientists now look at this process and discover it has a huge impact, and yet fMRI will not show that. Other technologies do, but integration of analysis is not full at this point (and we are far from it).

Third, neurons also send messages to themselves, processing signals between different receptors, which is very hard to observe using current technologies.

Fourth – memory – where is it? Memory is being used in all senses, and even though some areas are known to be “popping up” on the fMRI screens when a memory recall is being done, this does not explain the way the memory works. I’ve seen research that showed that memory is a quantum phenomenon, and to anyone who knows anything about quantum physics this is enough to throw away everything and give up because … well, that’s a subject of a much longer article :)

Last but not least, mind-oriented senses relate to many elements in the way we perceive reality, and are thus harder to “pinpoint”. A “sense of honour”, for example, will relate to society’s code – good luck trying to find out via an fMRI scan which part of the brain is “responsible” for that.

I just wanted to share with you the understanding that the more you “dive” into the subject of brain and mind, the more you realise that it is sooooooooo complicated that trying to look at this piece of technology and say “I got it” is like a stone-age human looking at an iPhone and saying “I got it”.

Senses are a result of who we are. This is why I find it crucial to associate senses to the mind rather than the brain.

If you’re still not convinced by the above, think about pain. One person can experience the same stimulus to pain in a radically different way than another person, even an identical twin sibling. I rest my case.

Why should we gather all of the mind-related senses into one sense and consider it as one sense? Because we already do it for even simpler senses. Take for example the sense of taste, which can be divided into different categories of tastes that we are capable of identifying. It has a “sub-sense of taste” which is a sense of bitterness; we even say “I sense bitterness in his words”, and even though we can identify bitterness and we can sense it, we see it as part of our sense of taste.

To conclude – information security is a sense which is part of another “meta-sense” which is the mind, which is based on feelings, which are based on emotions.

Are we getting somewhere? You will have to wait till the next article to find out :)

 

See you soon

Love

Uri

© All rights reserved 2014.

 

The Desolation of Awareness – 2 – Making Sense

By Uri Biber

 

Welcome back. Is there an information security sense like there is a sense of smell? Can we evaluate it? Why does our normal definition of information security prevent us from reaching awareness? In case you missed the first article, please start there before continuing.

In this article we will look at our senses. After all, the definition of awareness is all about being able to notice, and we notice via our senses.

Awareness is the state or ability to perceive, to feel, or to be conscious of events, objects, or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event. (Wikipedia)

 

If you ask people about senses, most people will state the usual five. Some will state an extrasensory perception (ESP) sense, also known as a “sixth sense”. There are Exteroceptive senses such as a sense of pain, a sense of balance, a sense of magnetic field, a sense of temperature, and a sense that allows us to know the position and movement of the parts of one’s own body. There are also Interoceptive senses, which are senses that allow us to perceive the state of our internal organs.

There is one more sense which most of us tend to ignore as being one. It is called Ayatana in Pali and Sanskrit, and it refers to the mind. The term was coined in Buddhism, which sees the mind as a sense, and in that sense ( :) ) it is the opposite of the way most of us perceive our mind, which is as a function that processes our senses.

Our brain allows us to be aware, to perceive, to feel, or to be conscious of events, objects, or sensory patterns. In the case of the brain the events are mental events, the objects are ideas, words, definitions, and the sensory patterns are patterns of mental activities. Even though most of us don’t consider our mind as a sense it is actually easy to prove it is one – our culture has assigned expressions to describe brain activities which we sense – a sense of honour, wonder, a sense of doubt, duty, danger etc.

 

Information overload

This brings us to the fascinating question: Could there be a sense of information security?

To answer that let us look at what most people can relate to, which is a sense of “information overload”. It means a person cannot understand and/or make decisions due to too much information. People can sense that state, and its existence as a sense is heavily used by technology companies with a never-ending feed of information, media organisations and marketing agencies.

Now let’s look at information security.

The definition of information security is …the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (Wikipedia).

Let’s focus a little here:

The definition of information security is …the practice of defending information

Again focus

Practice

STOP

Awareness is the art of noticing, of noticing our senses, yet right now we consider defending of information as a practice. If we want people to be aware we need to perceive, to feel, or to be conscious of events, objects, or sensory patterns. If we want people to be aware of information security we need them to sense it.

This means that in order for information security to be successful we need to move from a definition of

…the practice of defending information…

to a definition of

…the sense of defending information…

 

Why does it even matter? It matters because before you can practice your senses you need to feel them. You can practice your sense of touch only after you experience it. If you’re blind, how can you practice seeing with your eyes?

By approaching information security as a sense we can also explain why it is so easily overwhelmed by other senses. After all, our senses are a result of our experiences, some of which are transferred to us via the life experience of generations and species that came before us, and they are much stronger in grabbing our awareness.

The first task of information security awareness training is to help people develop a sense of information security, then to work with them and help them to be aware of that sense, and then to assist them to develop an ability to respond with ability when they are aware of information security.

I do understand that what I am suggesting here means a very different approach to information security, one which requires us to re-think and re-feel what we do. But hey, I didn’t call this series “the desolation of awareness” for no reason ;)

 

[edit] – I received a comment on the article that made me realise that perhaps the reason we never looked at information security as a sense is because senses relate to feelings, and with an IT crowd which is overwhelmingly dominated by a male population who simply LOVE to talk about feelings (NOT) it is no wonder we moved directly to practice. Technology is a great way to avoid feelings, not only the feelings of others but especially ours. And no, I’m not pointing fingers, I’m as guilty as everyone else :)

Sensibility Metrics

This leads us to another minefield which is measurement of senses.

How can you measure a sense of information security? If you wish to understand the state of information security awareness in your organisation, ask your users to tell you how they feel about information security. Not think, feel. Use an open question here, allow them to reply in their own words and allow them one other option they can choose which will be “I don’t know” (please do not try to help them by providing them multiple options). Since we are in the age of Twitter, limit their reply to 140 characters.

Analyse the responses. How many of them are statements without any feelings (such as “it’s important” or “it protects us”)? How many statements reflect negative emotions (such as “It’s frightening”)? How many statements are positive (such as “I feel confident”)? How many combine both non-feeling and feeling? How many replied with “I don’t know”?

People who have replied only with a statement without any feelings do not have a sense of information security, and they have not assigned an emotional state to it. Most likely they think they have one. These people can and would be manipulated as they will not sense a change when an information security related object occurs. People who answer with a reply that represents a negative emotion already have an association of information security with other senses. Try to identify the sense; usually it relates to a sense of pain, or a sense of suffering. This means that in the case of an information security related event these people will not be able to operate in a way that allows them to respond with ability, as they will be operating in fight/flight mode. People who replied with positive statements should be evaluated, as this might indicate that they have already developed a sense of awareness of information security and that they feel confident to use it. If you are not afraid of the sense of fear it allows you to operate even when you are afraid, if you are not afraid of the sense of touch it allows you to experience touch, if you are not afraid of your sense of information security you will be able to experience it. This group of people can be great candidates to become information security ambassadors/champions in your organisation.

Finally – those who replied with “I don’t know” have no sense of information security but at least they are honest about it!

 

My next article in this series will be about… well, try to sense it and tell me what you feel :)

See you soon

Love

Uri

The Desolation of Awareness – 1 – The Art of Noticing

By Uri Biber


Why am I writing this series, and why awareness is not as straightforward as most of us perceive it to be.

Introduction

Awareness is a wonderful buzz word. From a very young age we are expected to “be aware” of what’s going on and to be able to react accordingly, even though most of the people who are trying to make us “aware” have no clue what true awareness is. Blind to the beauty of true awareness we convince ourselves that we might not understand reality but at least we are aware of it, yet nothing could be further from the truth.

Fast forwarding to “information security”, which is a domain in awareness that includes technology. There have been many discussions in our community about this topic: some people claim that information security awareness training is a waste of money and others claim it is a crucial element in making organisations secure.

 

Dear friends, I am well aware (funny statement) that many of you who will continue to read this article will soon sense an urge to stop and dismiss it for multiple reasons. To those who stop – I embrace you with love, and I understand you completely. If you decide to continue reading, all I can promise you is to be as honest with you as I am honest with myself, and as you might soon learn that’s a much bigger statement than it seems.

 

And with that said, it is now time for my own reflection.

I remember “the good old days” when I used to wake up every morning feeling “aware” and assumed like everyone else that “this is it”. I lived my life via my mind, computers and knowledge allowed me to keep on being blind to my blindness, and everything made sense, or so it seemed – until Rephael was born.

Rephael, our third child, was different. It took us 3 years to admit his severe autism, and it took much longer for me to stop trying to fix him, to realise that I am hurting him via my attempts to “cure” him, to recognise that I am not really aware of how he perceives the world. Worse than everything else, I was hurting Rephael, regardless of how hard I tried not to. For me, it reached a point that I decided that I would rather die than continue hurting him. That led me to my quest to understand awareness, to become a fully aware human being. At first I tried the psychological path, then the neurological path, then the biochemical path, and even a spiritual path. While each of the paths gave me a glimpse of understanding, none of them felt correct, none of them were giving me the understanding I was seeking. None of them made me aware.

“The path you will choose is not the chosen path” (Tao Te Ching)

 

Hacking from a very young age has led me to come up with and carry out many crazy ideas, most of which were related to technology. However, “Being a fully aware human being” is without any doubt both the most sane and insane idea I ever had. Sane because who doesn’t want to be fully aware, but insane because I can assure you I had no idea what that meant. If I did, I’m pretty sure I would have run away from it as fast as I could. You see, there is a reason why most people are unaware and why most of us spend most of our lives doing everything possible not to be aware, but that will be discussed at a later stage.

 

The art of noticing

Let us start with a definition:

Awareness is the state or ability to perceive, to feel, or to be conscious of events, objects, or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.

(Source: Wikipedia)

According to this definition of awareness, awareness is noticing. You notice a smell thus you are aware of it. You notice the waves of the sea, you notice your partner is getting upset because you don’t close the computer and go to bed, you notice the message you just received in your mailbox that tells you that you won 5 million dollars, and you notice that it doesn’t make sense. Awareness is the art of noticing.

The first question you might want to ask yourself is: is awareness sufficient? If we follow the definition above, an individual’s awareness of information security (or of the risk it poses) does not guarantee an ability of that individual to respond correctly, or even to understand what’s going on. I might notice a bad smell but I will not know what to do, I might notice a big wave but I might not react quickly to it and surf it, I might notice I’m upsetting my partner but I might not close the computer, and I might notice the message I received seems strange but still click on the link in it.

The next challenge that arises from the definition of awareness is the fact that it talks about “events, objects, or sensory patterns”. If you investigate each of these terms you will discover that each individual gives them a personal meaning, which is a result of that individual’s previous experiences with the world around them. The meaning of “events, objects or sensory patterns” is always experienced in a subjective way by each and every one of us, a personal interpretation of the experience we have, which in many cases is a result of our interaction with other individuals who were unaware of their lack of awareness of these experiences. I might notice the smell but since I never identified that smell before I will not know it is a smell of gas, I might notice the wave but since I’m afraid of waves I will try to stay still and not surf it, I might notice my partner getting upset but as my culture tells me life is all about me I will find excuses to ignore her (good luck sleeping on the couch tonight darling) and last but not least, I might notice that email I received and notice it doesn’t make sense but since winning a lottery is a dream I always had since childhood I will click on the link.

 

Last but not least, awareness is not a binary value of “1” or “0” but a vast, multi-dimensional experience that creates a real challenge for anyone who will try to evaluate the level of awareness of individuals. To complicate things even more, what some of us consider to be a ‘0’ might be ‘1’ to others, and what we consider to be ‘1’ might be ‘0’ to others. I might notice the smell of gas but I might be a bit cold and it will not smell like a major leak, I might notice the wave but I might think it’s too big for me to surf (while a trained surfer will jump on it with no fear), I might notice my partner getting upset but since I believe I must finish working on my article I will assume she will get over it if tomorrow I buy her flowers (and while she might notice my efforts she will think it’s too late and too little), and finally, I might notice I received a message of winning 5 million dollars but since I don’t care about money I will ignore it.

 

As you can see from the examples I made above, awareness by itself cannot provide the ability for individuals to respond with ability to what they are noticing. To do so, individuals need to reach a different type of awareness, which will be the subject of the next article [edit - the second article called "Making Sense" is now published].

 

I will leave you with a simple suggestion – try noticing for one minute the fact you are breathing. Concentrate on it, focus on it, close your eyes if you can. Notice the parts of your body that are involved in the act of breathing, notice the movement breathing creates in you, notice the air flowing inside and out, notice the change in energy that occurs due to the breathing, notice how it makes you feel. Isn’t it funny how we are unaware of the most basic activities that keep us alive?

 

Until next time,

Love

Uri

© 2014, all rights reserved

 

Personal message to the information security awareness community

The message

transcript:

So here we are, in this world. Trying to survive, trying to understand, trying to remember who we are, amidst constant drifting changes… and then one day, when we arrive to work someone presents us with a new requirement that says “you must learn this! You must understand it. You must change!”

And we look at it and tell ourselves “change? I barely hold myself together. Change??? The last thing in the world I need right now is another change of another force that I have no clue how to handle. About computers that remind me how alienated I am to myself anyway which makes me feel even more inclined to do any change. But yes, it is work, so I will try to do that, and saw all those things that I see in the news that tells me that this is scary and if I don’t change I would be hurt, and I don’t want to feel pain, I will try to change, but I don’t understand how to change. If I had the ability to change, believe me, there was a list of things that I would have changed, but I am already feeling helpless and useless in the inability to change this life that I am in.”

I mean, be honest, we try to change, and it seems we managed to, and then we are happy, and then we recognise that nothing had changed. So we go in and out, on and off, and we are lost.

My beloved, wonderful information security community:

THIS

IS

YOUR

TARGET

AUDIENCE

This is who you wish to “educate”, “teach”, “change”.

I know it doesn’t seem like that, but trust me, if it wasn’t like that then all the bars in this magnificent country would have gone broke because nobody would have entered them. And the tobacco companies would have been broke, and the sugar industry would have to move to organic cucumber manufacturing.

But we are not in that state.

Recognise your target audience. If you don’t recognise who you are supposed to work with, what on earth would be your criteria for success when you haven’t even identified the individuals you wish to touch?

Awareness, ANY awareness can only come from a place of stillness, of silence, of observing this thing we call life via the most intimate feeling of love and compassion, which is the source of what all we are.

My dear friends, I’m well aware that we developed these magnificent schemes of training facilities, and training instruments, and awareness industry. Yet none of it is as effective as a loving hug of your target audience, acknowledging their pain, embracing them for what they are, loving them for what they are. And then – ONLY THEN we can talk about passwords, and heartbleeds, and all the other things.

If you wish, truly wish to change the awareness of your organisation, you can, as long as it is being done from deep sense of love and compassion, and understanding to what you’re trying to do.

Who are you? Ask yourself, and discover the truth.

 

Pray We See

About cows, dogs, naked women and privacy

By Uri Biber

Last week on the 27th of June the London ISACA chapter had an event on the subject of big data and privacy. Both subjects seem to interconnect in recent weeks due to the latest American movie blockbuster called White House Down, sorry Snowden and the seven deadly sins. I guess we don’t need to expand on it anymore, and I guess all of us are pretty tired of listening to endless repeated reports about the NSA. I can only wish I could say the NSA is tired of listening to us, but I’m not a politician so I will leave lying to the professionals.
Paul White was our first speaker, and he covered the subject of Big Data and the Compliance Challenge. Then Simon Rogers from IBM talked about the upcoming privacy related legislation changes that the European Union is currently debating.
As Simon was speaking, you could see the personal pain he is experiencing watching what seems to be a new set of regulations that will change the way companies work. It is obvious that Simon feels the changes will create an even more chaotic privacy landscape in which a non-uniform approach will eventually render the regulation either impossible to implement or so costly to implement that no one will even try.
Perhaps at this point it is time for all of us to step back for a second and have a short discussion about the nature of privacy. Privacy is a social concept. You never see a cow that stands in the middle of the field suddenly rushing to find a tree so it can hide behind it while it releases its number 1 or number 2. You don’t see dogs waiting for their owner to leave the room before they start humping each other. If you were an indigenous person in the Amazon or Africa, chances are you would not be worried if the mother of your kids were walking around naked.

Privacy is a cultural element, and while there are many justifiable reasons we can think of to explain it, all of them will be driven by enhanced activity of neural networks that are relatively new. Our brain systems that were there prior to the period we were thinking about thinking are designed to keep us alive as a living organism, and they are driven by our vast subconscious. Due to the high levels of brain plasticity in humans (the ability of the brain to re-wire itself based on the environment rather than our DNA) and due to our ability to “control” the plasticity via what we call “our ego” (self-recognition), the most important period of a person’s life to introduce core elements will be from birth to childhood when the ego is formed and shaped. The problem is that “privacy” is abstract – privacy does not have a colour, or a shape. Privacy does not have a weight, or a size. It is impossible to “explain” privacy to kids in a tangible logical way. In many ways, privacy is even counter intuitive to them as anyone who ever saw a child peeing happily into a swimming pool can testify. Well, let’s be honest – we all peed into a swimming pool at some point of our lives, some of us probably do it even as adults :)

The problem of privacy education is serious because even as adults our ability to postpone a current reward to receive a future reward is limited – our brain is wired in such a way that it assigns higher levels of value to current rewards, and future rewards are to us what an “I will buy you a bigger present for your next birthday” means to a three-year-old.
In sharp contrast to what our judicial system tells us, what economists hypothesize as a core assumption (Mr (Adam) Smith, I’m talking to you) and what our wives think men should act like, all “adults” should be viewed as children that learned to play a game we call “socially accepted behaviour”. In the centre of the brain of each and every one of us lies a neuron universe that is driven very much by the same things toddlers find fascinating. We are a complex adaptive system, one that allows our consciousness to appear in its human form in it. That consciousness is very much a prisoner of our previous experiences – and those include our DNA, the environment we grow into and the social programming we encountered (educational, parental, religious, spiritual etc.).
Even yours truly, who is well aware of all the security and privacy hazards out there, has made and will probably continue to make decisions whose cost I am more and more aware of – such as using Google services.

So what can we do? The easy solution is to scare the bejesus out of everyone, which seems to work … for about the time our neural networks find a way to ignore it so we could continue to live with it. When that fails, we can go with trauma – which seems like a great idea until you realize that trauma comes with a price which is a bias so strong others can use it against you – not to mention the level of unhappiness it introduces to our lives.

The only true solution to the issues of privacy as well as information security education is a human evolution, one that will provide us a constant feeling of metacognition (cognition of cognition) and a departure from the childish culture most of us grew up in. This can be achieved via practicing mindfulness via meditation and by using technology-assisted techniques such as biofeedback via sound waves (Isochronic and Binaural Beat), audio light devices, EEG and biofeedback. We can also use technology to assist us – for example identify our mental state and if we are extremely excited prevent us from doing stupid things like giving away our personal details for an instant reward, gambling all our money or getting married in Vegas (actually – the same thing). I do wish to remind people that relying on technology can make you do stupid things – as anyone who ever used Apple Maps can testify. Technology is as tweakable and as prone to errors as we are, and at the end of the day the only real solution is evolving human consciousness to a higher level via a love driven education, not one that is based on fear. Until that day the only thing left for us is to pray we see.
Namaste
Uri

PS
In case you missed Lewis Black’s segment on future technology, here it is:

© All rights reserved 2013

Don’t professionalize, innovatize

Why the solution to the issues in the information security profession will not come from creating (yet another) governing body but could arrive via innovation. (An answer to Brian Honan’s article on Help Net Security).

By Uri Biber

Brian Honan wrote an interesting article for Help Net Security entitled “Is it time to professionalize information security?” It covers the discussion about the call to turn information security into a licensed practice. I highly recommend reading Brian’s article; from it I derived the following points:

  1. Customers are often unable to validate the professional level of the so-called-experts
  2. The quality of the work being done by so-called-experts is sometimes poor
  3. There is no accountability when the work quality is bad and leads to incidents and no independent body has the ability to “un-license” the so-called-professionals
  4. We need independent bodies to provide counter advice to interest groups (I assume privacy is a good example here)

Brian believes that if we “professionalize” the profession it will allow us to better present our opinion and expertise to leadership – be it corporate or government. He does admit that there could be problems such as international issues, closed guild structures that will demolish competition, and preventing the advantage of big firms. However he thinks that the current state is not better than licensing the field.

First, a disclaimer – I’ve seen Brian talk in Brucon 2009, and I don’t remember if we had a chat after the talk but considering that the Brucon motto is “hacking for b33r” I can only hope we didn’t kiss during the event :).

I can understand the pain that is leading Brian to write what he did, obviously the points he raised describe real issues, however I tend to be a libertarian here and believe that the solution will come via innovation and educating our clients rather than trying to govern our profession.

So, you think you’re smarter than a 14 year old autistic boy?

To support my claim I wish to bring up a 14-year-old. Jacob Barnett was diagnosed with autism at the age of two. He was silent for most of his childhood, stuck in his own universe, didn’t want to play outside, his teachers were sure he would never be able to learn anything – but now, at the age of 14 he is studying for his master’s degree, has an IQ higher than Einstein and he understands physics more than most humans on this planet.

In a recent TEDxTeen presentation he gave, Jacob explained what made him become the genius he is: “in order to succeed you have to look at everything with your own unique perspective…that means that when you think, you must think in your own creative way, not accepting everything that’s already out there”. He gives an example in his lecture that due to his autism he was able to think of things rather than consume information, he talks about Newton and Einstein and their ability to experience thinking about physics via their own perspective due to circumstantial reasons (for Newton it was the plague, for Einstein it was the discrimination against Jews).

Bring on the dancing masters

The dancing Wu Li Masters

The same idea was similarly echoed in Gary Zukav’s wonderful 1979 book “The Dancing Wu-Li Masters”, that provided the first non-mathematical explanation to quantum physics (Wu-Li is physics in Chinese). In his book Gary explained that when most people say “scientists” they actually mean what he calls “technicians”. According to Gary, a technician is a highly trained individual who is an expert in applying known techniques and principles, and he is dealing with the known. For him, a scientist is a person who seeks to know the true nature of reality, and deals with the unknown. As he said “in short, scientists discover, and technicians apply”. He also added that “it is no longer evident whether scientists really discover new things or whether they create them.”

The nature of any governing body is to … govern. It governs based on its own perspective, and it will be biased because we are all biased (another article about it soon). It will also be political because it will be required to represent a group of people and like in every such case politics comes into play, there will be power struggles, and personal interest, and lies… we are all only humans, and our organizations are a reflection of ourselves.

The point is that trying to define who is a good information security professional will be like trying to define if a kid is mentally capable or not (e.g. Jacob). It doesn’t work for the true mavericks, visionaries and those who are unafraid of the unknown. It’s great for defining the level of skill a technician reached, but do you really think that the only people you should consult with when you face an information security challenge are people who are experts in applying known techniques and principles, and are dealing with the known? You can, but you need to remember that in many cases the threats that you are facing are not a result of people who think like technicians but people who think like scientists. If we quantify the level of expertise by the quantities we are aware of, we will be blind to the quantities we cannot see. We need both, and based on history we will end up pushing the information security scientists to the other side if we prevent them from being able to practice their skills only because the “governing” bodies will find their ideas and methods too…non governed.

We already have professional bodies that provide different accreditations such as ISACA and (ISC)². Did it create a utopian environment that solved all the issues Brian raised in his article? Of course not, and in my honest opinion adding another body will not change the situation – because regardless of all good intentions it cannot.

Innovation is our middle name

So what’s the alternative solution? I suggest we should use the wisdom of the crowd. With all the big data discussions we had in our community recently I’m sure we can easily develop tools to identify which professionals are worth hiring, which professionals should be avoided – and let the clients decide what to do. We can use algorithms which are great ways to summarize data, and they should be open source to make sure they are not being manipulated. We have a great community that can build such solutions that will derive their data from various sources such as social media and information security related sites. Sure, that could be manipulated, as always, but I strongly believe that our community has enough bright minds that will be able to make it work. Many of us feel great passion for our profession, and our freedom to express ourselves should not be limited by a governing body that will define who is good and who is not. We all know dictatorships are a bad idea, but even in democracies any society that allowed its government to take over the private responsibilities of the individuals ended up badly as the latest scandals we see in the US clearly show. If you still think regulation works… I will let Jon Stewart explain to you why you’re wrong:

Personal thoughts (or why the Beatles were right)

Being protected is not about knowing information security facts, it is about living information security. When we feel information security we live information security. How we live is based on the story we tell ourselves about what information security is. If we fear it, it will delay us, slow us, and give us a false sense of security but will not allow us to see the real opportunities out there. Only via loving information security can we reach a state of no fear, and only via lack of fear can we truly understand it. Love is awareness. Love is the sense of unity, of wholeness, of nothingness. Love is the definition of true consciousness. This is our dream, it is up to us to decide how to live it, and instead of more governing I suggest to simply … love :)

Namaste

© All rights reserved 2013
