Posts

Lessons from preschool: gamification

‘Gamification’ – making a business activity into a sort of game – is very popular as a way to make training more engaging, as well as to test business planning and readiness and raise awareness of issues. In our business – information security – we use ‘tabletop scenario’ games: playing out, with a team, the response to some kind of fictional but realistic information security incident. Everyone agrees they are a great way to learn, to test and practice responses: but nobody really has any systematic way to measure their effectiveness – to assess their actual business value. In my semi-retirement I have continued my engagement with universities by supporting student projects in our field. This year I’m pleased to be working with a student on a project I proposed for his MSc Cyber Security dissertation. The idea is to come up with some systematic way to measure the business value of tabletop cyber scenario exercises. The problem with play is that everyone enjoys it but it isn’t easy to

It's a People Problem

I had the privilege of being invited to the Cyber Leadership Symposium organised by Lancaster University and Templar Executives. It was a great event, bringing together many of our best cyber security leaders from government, public service, industry and academia to engage with each other and with us mere mortals. I am far from being a cyber leader, though I think I may have been the oldest and longest serving in the field: being a family company focusses your ambition and perhaps limits it. I had a few hidden agendas in attending. First, we are working with four students from the Lancaster MSc in Cyber Security on projects that are basically my brain children: some might say my pet projects or even 'bees in my bonnet' - more about them in a later post; so this was a nice opportunity to chat with those students and with their tutors, which was enjoyable and rewarding. Second, and perhaps because I have throughout my career worked with many students and new entrants to the profe

Early Years

I always wanted to be a teacher. Well, not quite: I wanted to be a superhero with a magic flying Rolls Royce Silver Phantom: then, briefly, during Apollo, an astronaut, and then an RAF fighter pilot but they wouldn't have me because my eyesight wasn't good enough so I transferred to the Flight Navigator program but they rejected me for having no personality or leadership qualities. But by the time I applied to University I wanted to be a teacher: to study physics so I could be a primary school teacher and teach physics - and maths - differently, as I, in my teenage arrogance, felt it should be taught. I've wondered since why I felt that way: what was wrong with maths and physics teaching, that I wanted to go to University to study and learn how to teach it better? Mr Wyatt started it: he was our primary school teacher and he went on a year's teacher exchange to Canada and when he came back he showed us how to make hot air balloons out of plastic bags and cotton wool and

The Matrix That Isn't

Being invited to offer a tutorial on the MATLAB and GNU Octave matrix languages, for cyber security specialists, prompted me to revisit a question that has bothered me for some time. In cyber security, as in many other fields, a ‘Risk Matrix’ is a table of likelihood versus severity, into whose boxes one places various risk events. Likelihood times severity gives a useful metric for the ‘likely severity’ – called ‘impact’ – so we can focus our attention on the most likely and severe events. Likelihood Severity Low likelihood Medium likelihood High likelihood High severity High severity High severity Low likelihood Medium likelihood High likelihood Medium severity Medium severity Medium severity Low likelihood Medium likelihood High likelihood Low severity Low severity Low seve