icm2:re (I Changed My Mind Reviewing Everything) is an ongoing web column edited and published by Brunella Longo

This column deals with some aspects of the change management processes experienced in almost any industry impacted by the digital revolution: how to select, create, gather, manage, interpret and share data and information, either because of internal and usually incremental needs - such as learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields who have illuminated my understanding of intentional change and decision-making processes over the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the Latin divertere, meaning to turn in separate ways.


The firewalls, the filters and the logged off

Defining the basics of governance of relationships for cyber security (and more)

How to cite this article?
Longo, Brunella (2016). The firewalls, the filters and the logged off. Defining the basics of governance of relationships for cyber security (and more). icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print) / ISSN 2059-688X (Online)], 5.7 (July).
Full-text accessible at http://www.brunellalongo.co.uk/

London, 9 January 2017 - Not long ago we would have talked about people management, not governance of relationships. But in a network economy businesses are rarely managed by addressing people's behaviours, choices and attitudes directly - especially if teams are distributed along a supply chain, belong to different organisations and do not necessarily share the same values, languages, culture or time zones.

Within digital environments almost everything, from software to content, from project management to record-keeping, is mediated by software interfaces, platforms, apps and automatic controls. Continuous or very frequent change is also the main feature of the digital workplace compared to traditional settings, like retailing or manufacturing for instance.

Online, somebody has designed for you the workflows, the policies, the instructions and the questions and answers needed to join the team and do your job: get your username and password and come on board!

I will neither discuss nor dispute here the innumerable advantages of working within a software platform and sharing the same project management tools or modelling languages. But I hope you have figured out what I am trying to say: we work in a digitised environment where we can only manage the way in which teams, processes and products are represented and connected through software. Not people's actions and choices, not outcomes. Not cheating, not creativity. This is one of the reasons why we no longer talk about people management, preferring most of the time other expressions - one of which, very effectively, is governance of relationships.

So, what? Sorry for the long preamble; I am getting old asking difficult questions. So: what are the building blocks of this new discipline or practice, if any? Is there anything we should prioritise and look after, anywhere and anytime, to ensure we make the best use of our relationships with people through the impersonal and dematerialised world of our digital workplaces?

And yes, I have an answer to this question: I believe the basics of governance of relationships for cyber security start with groupthink management - what the Oxford Dictionary of Business and Management defines as the tendency to drift into ill-conceived policies or decisions without adequate debate. This can be a result of various pressures, including the illusion of group superiority and the wish to achieve consensus and avoid painful disagreements.

You may notice that the above definition of groupthink is strongly negative: this has been the prevalent academic sentiment towards the notion until very recently, carried into management and business studies from pedagogical, theological and political assumptions. An unconditional positive evaluation of critical thinking has ideologised many professional bodies of knowledge and created the stereotypes of disruptive, creative, often very talented, combative personalities, intellectual troublemakers or rebels in the arts as well as in the workplace, in finance as well as in the entrepreneurial world (I will return to the unintended social consequences of critical thinking and media literacies in the next article).

Outside the classroom, in practical terms, groupthink management can be, and generally is, good in my opinion, and in some ways inevitable, although it is true that even great leaders and managers are not always very conscious of how they use it. None of us knows, even in the most controlled environments, when groupthink goes out of control and starts poisoning the whole organisation, regressing people's conduct into what Bion called primary group behaviours.

Look around you and you will find innumerable examples in which groupthink is used in effective, positive, transparent and ethically acceptable ways. In public relations, internal communications, the agreement of contractual terms and conditions and psychotherapy, to name just a few examples, groupthink management creates cohesive and consistent behaviours over time and across slightly different contexts, leveraging shared principles, values and the rule of law. It shapes and scaffolds consensus and prevents people from being isolated and frustrated by their own limitations, circumstances or handicaps. It reduces risks and allows best practices to be adopted quickly and seamlessly. We see innumerable examples of positive peer pressure in social care, in community engagement and of course in family relationships.

A positive example in groupthink engagement and management

Ten years ago I was asked to put together a training programme that had to achieve an almost impossible double goal within my customer's organisation: to promote the use of efficient, effective and above all secure software tools - which meant increasing the acceptance of firewall and filter rules blocking the use of so-called "bottom up" IT on one side. On the other side I would foster the staff's collaborative attitudes and skills, following up successful experiments made exploiting groupware services for online communications, such as instant messaging and live chats. The brief's wicked aspect consisted, of course, in denying, justifying and keeping motivated, or at least distracted, the most geekish members of the team (and in some respects myself too) about the restrictions put on the intranet and on access to many low-cost public and open internet services and projects because of security concerns.

My programme, leveraging the ideas of syntality (or togetherness) and lean organisation, allowed me to make the most of groupthink dynamics, asking everybody to give their contribution so that we could find technical compromises and satisfactory ways to manage the ordeal all together. To this end, the proportion of time I assigned to my lessons on the idea of group work and on the history of theories and techniques of collaboration in the modern workplace and society, starting from the early 1910s, was very important (actually such presentations seem to me, in retrospect, a bit interminably long, possibly exhausting! and yet I recognise they offered a sort of intellectually and psychologically unavoidable melting and bonding substrate for new, common, aligned decision-making processes).

The programme was successful: existing activities, services and products were only moderately disrupted; we could not find a better alternative to what central IT had already made available, but for a few limited adjustments that were negotiated quite easily and conveniently. The re-engineering exercise emphasised team goals, skills and methods more than software products or features per se. From then on, the team focussed on consolidating their own internal processes to share knowledge and "do more with less" - that is the essence of organisational learning and very often of any new data management software tool (for example SharePoint) or any new collaborative technology (think of WhatsApp or any other new corporate messaging system, from Bloomberg to IBM).

Nonetheless, together with the severe budget constraints that followed the decision to prevent any further technological change that would compromise the existing firewall settings, the project caused a terrible unintended consequence: it frustrated the team's morale towards IT innovations, so that no further initiative or creative way to rethink the organisation's knowledge and workflows seemed possible anymore for several years - and the most geekish members of the team blamed the consultant for such a devil's deal!

Unfortunately, central IT functions and directors are still often unprepared for so-called shadow IT or bottom-up IT (IT services and products designed and introduced by the users themselves): when it comes to empowerment in practice it is sadly true that IT directors seem to want to have their cake and eat it. Anyhow, groupthink management allows other, more formal processes to be put in place to manage continual service improvement, to review both the design and the architecture of what is actually being used or not used, and to incorporate users' feedback, particularly when it seems business functions (marketing, sales) urgently need to go on with something else that is unsafe and yet is seen as a priority by the board.

The negative example: the logged off mad behaviour

And here comes the negative example of groupthink management that I have recently had the opportunity to share with colleagues (software engineers, developers and cyber security experts) interested in considering the role of teamwork and group dynamics for cyber security.

Last year, encouraged by a colleague who saw me as the outsider who could gear things up, I decided to break the glass ceiling of the Apple Bug Reporter website and registered as a developer. That allowed me to report what I believe is a major architectural defect in Apple's operating system.

I wanted to point developers towards a serious cyber security bug in Apple's OS that I called the "logged off bug" because of the circumstances in which I noticed it. Its seriousness lies in this: it enables all sorts of forgery and identity crimes that may also qualify as hate crime or stalking against victims of repeated cyber attacks.

Here is the report as submitted, for those of you who do not have access to the Apple Bug Reporter database, to see in detail what it consists of:

London, 16 August 2016

Summary:

The problem falls into the category of spoofing (ACK spoofing, IP and MAC spoofing). It can be originated at various levels and through different networks and telecommunication devices but, in this instance, it is ultimately determined by the Safari browser, which cannot handle extensions consistently with firewall settings on a MacBook Air running either OS X Yosemite or Mavericks.

The following environments have been identified on a MacBook Air with Firewall settings ON but FileVault not activated:
- on OS X Yosemite: firewall on, no sharing, GUEST users can still access Safari
- on OS X Mavericks 10.9.5: firewall on, option "automatically allow signed software to receive incoming connections" checked, stealth mode not enabled: corrupted data can be originated and transmitted (even without the guest user account) just through SharePoint extensions / plug-ins.
Notes: the bugs are instrumental in carrying out identity theft and man-in-the-middle attacks in that they allow:
- spoofing of IP addresses, MAC addresses and other personal and transactional network data
- acknowledgment spoofing and other link layer jamming, reported in the technical literature as attacks specifically aimed at preventing data from being correctly sent / received and at corrupting the communication channel (the sender either believes the recipient has successfully received the intended data or does not trust him / her any further)
- "man in the middle" interference that causes forgery of transactions and consequently of identity, content and behaviours.

There is a very simple way to correct this bug, in my opinion: it consists in disabling both the guest user and the browser extensions completely, together with remote management permissions, when the firewall is turned on. This means that the user would still have the choice to manage content and services according to his or her security needs and contextual work, priorities or concerns.

Unfortunately, as my friend said, that would conflict with the current way in which Apple customer services and technical teams, and many IT services, manage maintenance, recovery, backup and surveillance of end users' resources.

In fact, the threat comes from what is at the same time a major defect and an implicit assumption in design - a sort of ideological error in some respects, a legacy of the history of personal computing and of Apple's own history: that we trust the people and machines we share resources with, to the point that we enjoy having guests. And yet there is huge evidence that the bug causes a very large variety of possible fraudulent behaviours that users are not even aware of and that the whole infrastructure of the open internet has not been designed, nor definitively made able, to prevent.

I added a description of what can be seen as the "victim view" of the problem, showing how, through this bug, an entire world of relationships - and therefore of the inferences humans and machines make - can be falsified:

Inconsistent behaviours of an identifiable user are apparently recorded through network analytics and remote server logs, in that when he or she tries to enter or update his or her personal details, the user is automatically "logged off".

Virtualisation, cache memories and other automatisms can reproduce such conduct persistently across different remote authenticated servers, causing the rejection of authenticated logins and transactions on a wide scale and potentially the origination of an absolutely fabricated user profile: the behaviour simulates the effect of a ban upon recognition of personal data such as IP address, MAC address or telephone numbers, whereas no banning policy or mechanism is in place against the user or any of the user's devices.

However, the user tends to react emotionally and persistently tries to fix the issue, thereby even aggravating the problem. In fact, if the user reacts by panicking and sending email messages or reporting the issue via telephone calls, he or she can easily be considered paranoid or manically obsessed with security issues by customer service officers without any specialist understanding of analytics and network architectures, because the only evidence of anomalies that system and network administrators can find consists of events apparently originated by the user's own devices: repeated password changes, login attempts through different devices and networks, and frequent rapid disconnections / logoff sessions show no anomaly other than the frantic user's "choices".

The purpose of such a particularly nasty cyber crime is apparently to damage the reputation of, to bully or to annoy the victim of what can easily be perceived in social media environments as a cyberstalking attack.

At a more careful level of analysis it is appropriate to consider the instrumental function of such an interference crime, which is to prevent the victim from acting and behaving within different online authenticated and trusted environments in such a way that his or her behaviour would dismantle abuses of personal details and legal names and make it more difficult for cyber criminals to get away with identity theft, forgery, tampering with personal details and other major fraud.
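The configuration the report describes (firewall on, guest account enabled, signed software automatically allowed to receive incoming connections, stealth mode off, FileVault off) and the hardening it proposes (guest user, browser extensions and remote management disabled whenever the firewall is on) can be checked mechanically. The shell script below is an added example and is not part of the original report or of Apple's tooling: it normalises the output of the standard macOS utilities (socketfilterfw, defaults, fdesetup) to on/off states and prints one finding for each deviation from that hardening. The sample outputs embedded in it are constructed, detecting Remote Management through the ARDAgent process is an assumption, and browser extensions are left out because the report gives no command-line check for them.

```shell
#!/bin/sh
# Added example (not from the original article, nor Apple's own tooling):
# audit the settings named in the "logged off" report against the hardening
# it proposes. Real macOS utilities are used for the live mode; the sample
# strings below are constructed so the evaluation logic runs anywhere.

# Map raw command output to "on" / "off". Patterns cover socketfilterfw,
# "defaults read ... GuestEnabled" (prints 1/0) and "fdesetup status".
state_from_output() {
  case "$1" in
    *"State = 1"*|*"is enabled"*|*"mode enabled"*|*ENABLED*|*"is On"*|1) echo on ;;
    *) echo off ;;
  esac
}

# evaluate_settings FIREWALL STEALTH ALLOWSIGNED GUEST FILEVAULT REMOTEMGMT
# (each "on" or "off"); prints one FINDING line per deviation from the
# report's proposed fix: with the firewall on, no guest account, no
# auto-allowed signed software, stealth mode on, no Remote Management.
evaluate_settings() {
  fw=$1 stealth=$2 signed=$3 guest=$4 fv=$5 ard=$6
  if [ "$fw" = "on" ]; then
    [ "$guest" = "on" ]    && echo "FINDING: guest account enabled while firewall is on"
    [ "$signed" = "on" ]   && echo "FINDING: signed software automatically allowed incoming connections"
    [ "$stealth" = "off" ] && echo "FINDING: stealth mode disabled"
    [ "$ard" = "on" ]      && echo "FINDING: Remote Management (ARDAgent) running"
  else
    echo "FINDING: application firewall is off"
  fi
  [ "$fv" = "off" ] && echo "FINDING: FileVault not enabled"
  return 0
}

# Number of findings for the given states, printed as an integer.
count_findings() {
  evaluate_settings "$@" | awk 'END { print NR }'
}

# Live collection on macOS (socketfilterfw and fdesetup need root). Detecting
# Remote Management through the ARDAgent process is an assumption.
collect_live_settings() {
  sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
  fw=$(state_from_output "$("$sfw" --getglobalstate 2>/dev/null)")
  stealth=$(state_from_output "$("$sfw" --getstealthmode 2>/dev/null)")
  signed=$(state_from_output "$("$sfw" --getallowsigned 2>/dev/null)")
  guest=$(state_from_output "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)")
  fv=$(state_from_output "$(fdesetup status 2>/dev/null)")
  if pgrep -x ARDAgent >/dev/null 2>&1; then ard=on; else ard=off; fi
  echo "$fw $stealth $signed $guest $fv $ard"
}

# Constructed sample: the Mavericks 10.9.5 configuration from the report.
SAMPLE_FW="Firewall is enabled. (State = 1)"
SAMPLE_STEALTH="Stealth mode disabled"
SAMPLE_SIGNED="Automatically allow signed software ENABLED"
SAMPLE_GUEST="1"
SAMPLE_FV="FileVault is Off."

# Evaluate the constructed sample (Remote Management assumed off).
audit_sample() {
  evaluate_settings "$(state_from_output "$SAMPLE_FW")" \
                    "$(state_from_output "$SAMPLE_STEALTH")" \
                    "$(state_from_output "$SAMPLE_SIGNED")" \
                    "$(state_from_output "$SAMPLE_GUEST")" \
                    "$(state_from_output "$SAMPLE_FV")" off
}

if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  set -- $(collect_live_settings)
  evaluate_settings "$@"
else
  audit_sample
fi
```

Run without arguments it audits the constructed sample and reports four findings (guest account, auto-allowed signed software, stealth mode off, FileVault off); on a Mac, `sudo sh audit.sh --live` evaluates the machine itself. The point of splitting collection from evaluation is that the policy (what counts as a deviation) can be reviewed and tested without a Mac, which is exactly the kind of check that gets lost when a fix is argued over in email rather than written down.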

So, what prevents exceptional technical minds from improving their tools, systems, working environments and even the products offered to end users?

Once again, groupthink creates an environment in which convergence towards the organisation's disengagement from responsibility for a particular technical fault becomes possible. We also see that a particular behaviour, or avoidance of information, passes from one team to another with a snowball effect that affects different companies of the same group, suppliers, partners and even competitors and regulators. Examples of such social contagion can be seen in innumerable recent cyber security incidents, but also in supply chain scandals originated by the mismanagement of data and software features, like the horsemeat scandal in the UK or the VW defeat device: somebody made an error somewhere, but nobody thought it was in their remit to raise a concern, do something and alert the entire ecosystem.

In a recent HBR article introducing their book Wiser: Getting Beyond Groupthink to Make Groups Smarter (2015), Cass Sunstein and Reid Hastie warn about the danger of groupthink and highlight the need for leaders and boardrooms to manage this increasingly critical factor in any modern organisation. They write:

As a result of informational signals and reputational pressures, groups run into four separate though interrelated problems. When they make poor or self-destructive decisions, one or more of these problems are usually to blame:

The authors also suggest tactics that managers can implement to correct, avoid or prevent groupthink from becoming dysfunctional. I could not agree more, as I have myself experienced many of them in several different projects. But unfortunately tactics that apply in traditional organisations (with permanent employees, or where formal processes like training, research and development or KPIs are in place) are rarely suitable in the changing workplaces of this digital age.

In sum, that type of advice sounds to me wise and agreeable, like ancient remedies, but not really applicable to governance of relationships in today's networks and teamwork, particularly across borders and within small businesses.

In the next icm2re articles I will try to point out what else can be done to ensure we always use groupthink in managed, flexible, adaptable and positive ways, preventing its most disgraceful consequences.