Bright Stove

Reflecting information risk journey

Archive for October 2009

Clockwise or anti-clockwise – taking a different path


I like to run outdoors to enjoy the openness, the morning or evening sunlight, the soft blowing winds, and the surrounding scenery that changes with the distance. A long running path that is safe and free of disturbances or irritants is, however, often hard to come by. Most often, I would end up going round a park or blocks of buildings or houses for several rounds to make the distance rather than taking the main road that is often dusty and risky. While not the ideal experience, it is certainly better than feeling suffocated in an enclosed gym.

When going round the park or the garden pathway in the housing compound, the question of whether I should run clockwise or anti-clockwise often emerges when I set my foot out. Why does it matter? In fact, the question of whether to go clockwise or anti-clockwise has been a subject of argument in many domains. In the development of the ISO/IEC 27001 standard – "Specification for the Requirements of an Information Security Management Systems" (commonly known as ISMS), there was such a deliberation before as well. The issue was whether the Plan Do Check Act (PDCA) cycle should be depicted as a clockwise cycle or an anti-clockwise cycle. The decision was finally made to have it depicted as an anti-clockwise cycle. According to Edward Humphrey, "the reason why it is anti-clockwise is that this is mathematically correct – a rotation of 90 degrees is always anti-clockwise whereas a rotation of -90 degrees is clockwise".

Back to my running, over time, I made a few observations. Some parks have distance markings on the floor, so if you run along the same direction, you could use the markings to check your distance. But I usually use an electronic distance/pace tracker (the latest gadget I am using is the Polar’s S3), so the floor marking is not really relevant. Whether it is the direction of the sunlight or the wind, they appeared to be relevant at the beginning of the run, but shortly after, they become irrelevant since you are looping back to the starting point each round. This is like when we take on a new venture, a project, or just bought a new gadget. They always looked best and most relevant to what we wanted to have or do. After some time, the anxiety would diminish, and sometimes, they become an obstacle or hindrance to what we’re after. Just like the sun shining right at your face again, or the wind blowing so strong against you that it becomes harder to move forward, when they could be the "supporting" elements at the beginning.

I discovered during the running sessions at the KLCC (in Kuala Lumpur) this summer just passed that taking a different direction could make the run more interesting when there is a crowd. At KLCC park, each round is 1.2 km and many people go there to work out in the morning and evening. For no specific reason, I chose to take a clockwise direction round the park that evening. Shortly after, I started to see a gush of joggers and runners heading towards me. Indeed, most people at the park were actually taking the anti-clockwise direction. So now the cons of running against the tide became clear. I had to make sure that I didn’t knock into someone who was looking at their feet as they ran/jogged, especially those who were already exhausted. After two rounds, I also noticed that the number of times I crossed paths with each runner was more than the number of rounds that I had completed. For those who were running at a slower pace than me, I caught up with them more frequently than those who were faster. There’s probably a mathematical approach to calculate the number of crossings precisely. I shall leave that to you as an exercise perhaps 🙂 I decided that the next time when I go jogging with a slower jogger, we should each take a different direction, and the outcome is that we actually see each other running more frequently than having one tailing the other. When one is slower than the other, the result would be a wider distance apart as the running continues, which isn’t fun. By running from a different direction you also look at each other’s face directly, without feeling who is faster or slower.

Back in Beijing, in the housing compound where I used to take the rounds (usually six rounds to make 4.2 km), during evening and early morning periods, there were often people walking their dogs. Once, I was running along the same direction as a dog walker (with her dog of course, I think it was a German Shepherd, quite a fierce one I remember). Somehow, the dog sensed my approaching from the back and turned around and started to bark, in a position ready to attack. I was taken aback and jumped out of the track then continued with my run forward. Behind me, the dog master (or madam?) started scolding the dog for making such a big fuss over my approaching from the back. As I continued to run, I thought, the dog wasn’t at fault. It had indeed done the right thing. What if I was actually approaching to attack its master? Wouldn’t the master want the dog to protect her? Her response of scolding the dog may end up taming it to become indifferent to such a risk situation. I then noticed in other runs subsequently that if I’m running along the cross path where the dog could see me approaching, it would normally just stay still and watch me passing by quietly. In the information security domain, in many instances, hackers who were successful in their attacks were those who took a different path as well. By doing that, they create the element of surprise and are therefore able to bypass controls that assume a certain direction or path of approach. Years ago, I learned that the best way to tackle a dog is actually taking it face on, hitting directly at its nose, which is its most precious and vulnerable point. Attacking from the back may look logical, but that’s where the dog has the best defense established, as experienced during the run as well. To do well in our risk assessments, one should not just follow the methodology step-by-step, but think about different paths that an attack may take, which may then expose the most vulnerable points on the systems.
If the risk assessor just follows the markers left by the designer, she will likely miss the beauty of the assessment. Clockwise or anti-clockwise, the path is yours, it may well pay off to take a different one sometimes. They are like the notions of risk and opportunity.

Written by mengchow

October 7, 2009 at 7:48 am

Posted in Running
