Last week I was at the recent Department of Homeland Security’s Government 2.0 Privacy and Best Practices conference. Not surprisingly the subject of transparency came up again and again. One thing that definitely caught my attention was a comment by one of the panelists that efforts towards government transparency are too often focused on data transparency rather than process transparency. While we have Data.gov as one of the current administration’s steps towards furthering government transparency, we do not have an analogous Process.gov. Said another way – we get the sausage but don’t get to see how it is made. This isn’t transparent government but translucent government.
From what I’ve seen I’d say that enterprises have achieved the opposite kind of translucency with their identity management programs. Though enterprises have achieved some degree of process transparency by suffering through the pains of documenting, engineering, and re-engineering process, they haven’t been able to achieve data transparency. Identity information has yet to become readily available throughout the enterprise in ways that the business can take advantage of. Identity information (such as entitlements) has yet to achieve enterprise master-data status. Worse yet, the quality of identity data still lags behind the quality of identity-related processes in the enterprise.
For those of you attending the Advanced Role Management workshop at Catalyst this year, you’ll hear me and Kevin present the findings from our recent roles research. Throughout our interviews we heard identity teams discuss their struggles with data management and data quality. Finding authoritative sources of information, relying on self-certified entitlement information, and decoding arcane resource codes were just some of the struggles we heard. No one said that identity data transparency was easy, but without it enterprises can only achieve identity translucency and not true transparency.
Two weeks ago I was up in Brattleboro, VT competing in the 2nd Traditional Chinese Sword League tournament. Before I continue, I have to thank our hosts and all the people that help make the tournament work. Sensei Donahue and his school, the Brattleboro School of Budo, were wonderful hosts. The traditional nature of the school along with the diligence of their practice makes the school a special place.
This year, I prepared in a fairly different manner from last year. I believe the training paid off. As with last year, there was a round of pool matches to determine the seeding for the final tournament. As with last year, I won the pool matches, earning me a bye in the first round. Unlike last year, I did not get knocked out in the semis. I faced a tough opponent who beat me in the pool round. Beating him, I faced my classmate Greg in the finals.
I truly enjoy my matches with Greg, or as he is known around the school, Mugen. For our pool match, I fought him left-handed with the thought that as we face each other so often, I’d come out and show him something different. That worked and worked well. Our match was fairly short. For the finals, I got greedy and fought him using my left hand. I went to the well too many times, trying the same attack that worked so well in the pool matches. He clocked me right across the eyes after a few exchanges; he won outright.
Compared to last year, I am far happier with my performance. My focus in my matches was much tighter. As my teacher commented, he would ask my opponent if they were ready and they would respond. One glance at me and he knew I was ready to go – no need to ask. Overall my stepping and waist movement were better than last year. More importantly, I know what I have to work on this year and I have a much better sense of how to do it.
It has been a year since William Nicholson passed away. The head judge of the first tournament, pillar of the Great River Taoist Center, and most importantly loving family, we all miss William “The Black Death” Nicholson. I have a feeling he would have really enjoyed the matches this year and I know he’d be there to help me train to take on Mugen next year.
Do I wish that my foot and shoulder weren’t tweaked? Yes.
Could I practice more? Yes… but I fear with diminishing returns.
Muscle memory accounts for a lot. You’ve got to train the basics into the bones, bypassing the brain. Deflections, counter-cuts, basic cuts, stepping – all of it has to be trained into the bones so that you can execute anything at any time.
Until this sort of training is done unquestioningly, you can fight practice match after practice match and not get a bit better. You’ll be stuck thinking about what to do as opposed to doing it.
But, at a certain point, that training ceases to return the same kind of gains as it once did.
And that’s when the training gets much, much harder. It becomes all mental.
I’ve been playing my opponents in my head now for a few days. Thinking about what they like to do and considering what my response will be. Thinking about what people who I’ve never faced will likely do and what my responses would be.
This may seem easy, but it is exhausting. Exhausting and crucial. For me, now, this is the most important part of my training. And I’m not sure if I am training well. Guess I’ll have to wait until Saturday to see how things go.
Among the sessions in this year’s Computers Freedom and Privacy conference was a panel on the recently released National review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:
But, to me, there was something missing from the list – product design.
Too often I have seen products whose user interface, in fact its entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and the product gets a face. It is easy to recognize products that have been built in this way as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers that built the product in the first place. These types of products make problems internal to the product problems for the end-user and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end-user is confronted with meaningless alarms, confusing error messages, and misleading feedback?
At CFP, I talked to Bruce Schneier about his research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad about evaluating risk. Optimism bias and other factors cause us to either over- or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made and you realize the crucial need to build better user experiences for security (frankly, all) products.
“Is everything okay with the mother ship and should we blow up Russia?” This is the question presented to Buckaroo Banzai and I think I’ve seen a form of it as a dialogue box in Windows. Would it be considered user error if an end-user pressed the “Yes” button and nuked Moscow? Bad design is at the least confusing and at the worst dangerous.
I did talk to Ed afterwards and he acknowledged the role of design in product development. As he said, if we only attempt to improve one of the three areas (product development or system administration or user behavior) we won’t improve cyber-security; we have to improve all three. User experience design as a part of an improved product development process can directly lead to better, more informed user behavior. Okay, you product managers and designers, make your voices heard – better, safer products through better design!