Bright Stove

Reflecting information risk journey

Archive for the ‘Policy’ Category

Blog series on Responsive Security

with one comment

Written by mengchow

January 16, 2015 at 12:12 pm

Responsive Security – Be Ready to Be Secure

with 5 comments

After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure”, is finally published today. Thanks to Prof Pauline Reich of Waseda University, and Chuan Wei Hoo, who helped to proofread the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the support and assistance rendered throughout the long process of making this possible.


The book is based on my thesis on a Piezoelectric Approach to Information Security Risk Management, which captures the past decade of my experience and learning from my practice and from fellow practitioners whom I have had the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concept of responsiveness, and highlights the importance of readiness and preparedness in the face of changes that we may not always be able to anticipate, let alone predict. Responsive Security focuses on events that could lead to system failures rather than the current industry focus on the search for vulnerabilities and learning how perpetrators exploit and attack.

If you are interested in finding out more about the Responsive Security concepts and approach, the book is now available at CRC Press and also on Amazon, where an e-book version has also been published.

Before the ashes turned cold

with one comment

Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”:

Technology is like a knife (in fact, a knife is also a technology). It is double-edged. Its application depends on the user more than the provider. If a user uses a knife to kill a human being, it is against the law; it is even considered barbaric, animal, etc. We know its danger, but that alone does not stop us from using it. If we look at the history of technology, explosives were discovered in China many years ago. The emperor at the time was worried about their negative effects and forbade further research and use. But their utility went far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of inquisitive scientists and powerful politicians, the technology has since evolved, and today it is not just gunpowder explosives that we worry about anymore. The killing power of nuclear weapons has been experienced, and yet many countries continue to justify their use.

Finding ways to circumvent technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decides to discard it, another may acquire or reinvent it, as long as there’s a demand.

Beneath technology lie intellect, knowledge, and information. Knowledge is power. Information flows.

In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threat of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning and knowing. Nevertheless, the dynasty was overthrown by two rebels who were illiterate. A poet in the late Tang dynasty summarized this elegantly: “坑灰未冷山东乱,刘项原来不读书”, which roughly translates as, “Before the ashes (of the books) turned cold, Shandong had already rebelled; Liu Bei and Xiang Yu (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.

Today, one would think that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power. But they haven’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.

Written by mengchow

April 6, 2013 at 11:34 am

Posted in Misc, Policy

We trust you

with one comment

I was having a second look at the photo taken at the honey stall along a New Zealand motorway during the family vacation and found that, in many ways, it is a rather interesting sign. As discussed in a blog post below, it reveals the trust issue the owner has somehow been challenged with: people have taken away honey packs without paying, and the sign was put up to warn against such acts. Indirectly, it also shows the level of trustworthiness of some of the passers-by. On the other hand, it occurred to me that such a notice also depicts the owner’s policy of trust, and the approach to dealing with it: simply relying on a poster message, period. This form of trust only makes one completely vulnerable to the people being trusted. In the cyber world, relying on such a trust policy not only loses your honey packs; the entire stall will very soon become something else, operated by the people you assumed you could trust (on the strength of a warning message alone), and perhaps even used to perpetrate other criminal activities. Not managing information security (or rather, managing by trusting) is not an option. Somehow, some people still practise it, perhaps because it appears to be the cheapest option when nothing happens. People often like to believe that they are safer than the others around them.

Written by mengchow

January 14, 2006 at 6:01 am

Posted in Policy
