
April 2007 Archives

April 9, 2007

SHIFT HAPPENS

When people think about information warfare, the images that come to mind are hackers, worms, radio jamming, etc. While these do make for good news-worthy topics, the real day-to-day war is fought at cash registers and in places as mundane as the checkout line in the grocery store. Let me replace the word war with game to describe, in general, the framing of some conflict. In this posting, I would like to talk about the game patterns that Alvin Toffler pointed out in his book Powershift, published in 1990. If you follow this pattern, you will see how power can shift once a common identifier is introduced and technology is leveraged to change the players' advantage. I conclude with the assertion that this shift will happen in the compliance marketplace, and again it will be all about the advantage of information superiority.

In order to see this game play out, we have to go back to the period between 1950 and 1980. It was a time when the balance of power had the giant manufacturers on the top and the wholesalers and retailers at the bottom. The giant manufacturers had control of the market information and could claim information superiority. These manufacturers often had over 50% market share, and when their sales person came to call on a supermarket, the sales person did all the talking and the supermarket did the listening; they had to listen hard or else.

The giant manufacturers were the experts. It was also a time, between the 50s and 80s, when mass advertisement was their tool. They controlled the airwaves during America's popular events like the World Series and the Miss America Pageant. The point here is that the giant manufacturers controlled the information going to the consumer, and they also controlled the information collected from the customer. When I say that they had information superiority, I simply mean that the manufacturers knew more than any of their retailers about how, when, and to whom their products would sell. It is important to note that they maintained this position by remaining between the retailer and the customer.

Then something happened. In April of 1973, retailers agreed upon a single standard code, which we now know as the Universal Product Code (UPC) or simply the bar code. The committee which brought this weapon to the game had no idea of the impact it would have on the shift of power; they were simply trying to solve a problem of long checkout lines and some errors in accounting. With all the products sharing this unified ID space, computer companies raced to bring to market optical scanners and infrastructure to make use of the bar code. The bar code did much more than just help manage the checkout lines; it transferred power. It shifted information superiority from the giant manufacturers to the retailers.

Let me stop here and say a little more about information superiority. This does not mean that, through the bar code, scanners, and computers, the retailers just acquired more data; more data does NOT mean information superiority. Information superiority is when the proper synthesis and analysis is done with the data so that you can outwit your opponent, or maintain just a marginal (knowledge) advantage in the game.

Given this transformation or shift in power, some of the giant manufacturers invested heavily in these analytical tools and proposed to the retailer (still in transition) that they would help them model and analyze their strategy if, in turn, the store would share the data with them.

Let us recap: lack of common identifiers, vendors having much more domain knowledge than the consumer, very little automation in the consumer's environment, and everyone but the consumer defining the game play. Sound familiar? The consumer must find a way to control the acquisition of that information (re-orient themselves in the game play) and be able to control what information is collected, synthesized, and analyzed. They must achieve information superiority over their vendors and their adversaries.

If this makes any sense to you and you think this transition will help you, email me or post your comment. These identification standards (common ID space like UPC) need to happen and they are not going to happen if we don't make them happen. While those standards are stabilizing, we need to come together on automation. Consumers need multi-vendor automation, not single vendor automation. In closing, this is the information war or game I am most excited about fighting. There is a long road ahead but with the perspective of the consumer, we can all make it through the transformation in a way that there is more value created for everyone.

--tk

April 26, 2007

Get Naked

I've been a reader of WIRED magazine since it was released back in the early 90's. The April 2007 issue was all about businesses exposing themselves or, as the cover suggests, "Get Naked and ..." The articles essentially talk about how businesses can benefit from this new ultra transparency. It is critical that we understand the fundamental issues underpinning this strategy, and while printing the word "Naked" might sell more copies or get your email caught in a spam filter, it has little to do with the core factors of change.

Alvin Toffler would probably point to this article and claim that this is yet another transition that must happen to our economy as we move from the assembly line mentality of the industrial past to the software mentality of the information age. He is right and to the people who still look at the future through rival-goods colored glasses, it is going to get really weird.

I'd like to say to the readership of this blog that information technology practices are still being based on the machine models of the industrial age, and the removal of these rival-goods glasses is not going to be a painless process. Risk models based on keeping the business from running around naked are going to go the way of the dinosaurs. This change is not technologically driven; it is epistemologically driven.

As I see it, the 'Get Naked' theme of this WIRED issue is entertaining but could be a little misleading. The pattern is not that an outer layer 'thing' is being removed to show an inner layer 'thing' - we are not removing the skin's skin to show skin; the pattern is that for the first time we are seeing the entity for what it truly is, and that is a set of processes and not things. The key shift is that the industrial age brought us an epistemological model based on things and nouns, and the information age is NOT about things and nouns but about processes and verbs, with a focus on how an object comes into being.

Businesses today must make the shift from securing "things" to securing "processes that cause things to come into being". The efforts to take information and force it into a package that works with our non-rival economy (think DMCA) will not be the dominant strategy. This shift from things to processes, or from nouns to verbs, has a profound effect on the risk models that exist today. I continue to lead a team that is researching new models based on an economy of non-rival goods.

So when thinking about the nakedness of company X, try not to think in terms of a giant assembly of nouns that together make up an aggregate noun named company X; think about company X as a set of processes Y that at any point in time manifest themselves as company X. The question then becomes not "What is company X" but "How does company X continuously come into being". Understanding the latter requires a constructivist epistemology.

April 27, 2007

On the knowledge of knowledge

I am often told to relax or switch to decaf when I make a big deal about the words we use in our industry. I can usually walk away from most of the confusion but one that I cannot let go is the difference between data, information, and knowledge. This is a personal thing and I have come to know these terms through other domains like Library and Information Science (LIS) and the Knowledge Management industry.

What is the big deal? It is not a big deal until the time in which it is. It's like saying "This book is purely fictional except for those parts which are not". In your line of work, you may not at this point need a more granular descriptor; but for what I have been doing these past six years, I need all the help I can get describing these intangible notions that have no physical properties. Defining information as “stuff” is just not helpful.

We in information security and risk management have much to learn from other domains like Library and Information Science (LIS). I have been a very good study and I’m right in the middle of a great book on the Philosophy of Information; oh my god it is awesome. You may be thinking “Philosophy of Information, give me a break. I have a real job and some real problems to solve.” Great, and when you are done solving the problem at hand, think about other domains like the field of law for instance: while the majority of the field is made up of practitioners who serve the market, there is a small minority concerned with the intellectual underpinnings of the system. They are made up of legal theorists and philosophers that include the U.S. Supreme Court justices and their like. What I am saying is that what you may view as an unnatural imbalance in the community of experts is very natural and works quite well in other domains that face similar problems.

So let’s get back to this exploration of the difference between the terms data, information, and knowledge. Even with my years of concentration on this subject matter, I have only scratched the surface but intend to be up to my neck in the Philosophy of Information as it stands today in other fields.

Data
Data are described as a set whose members are distinct from one another but lack context beyond just their presence and absence. For example: 20 IP packets, 300 vulnerabilities, and 600 attacks. Value is created at this level by the sheer ability to capture the phenomenon, nothing more and nothing less. Through some function X, data are transformed into information.

Information
We have come to understand information as an emergent form, present when data are presented in context and an informational connection is made between the observer and that which is observed. Data from multiple domains are related and presented as a single form: information. Included in this synthesis are temporal factors that change the resolution of the presentation. Using the same examples as above: "The first 20 packets from a TCP flow established between machine A and machine B", "300 distinct vulnerabilities affecting our web services over the past 5 years", "600 attacks originating from our servers".

Knowledge or Intelligence
A form of yet another higher order is knowledge or intelligence. I have found the two terms interchangeable, with the public sector biased toward the term intelligence and the private sector toward the term knowledge. Following the structure so far, knowledge then is data in context in context: the observer understanding the information in a context that is broader than what is presented at the time of observation. An example would be "Last night at 0100 hours, our sensors recorded 600 attacks originating from our extranet servers with a destination of company X, but the first 20 packets from a TCP flow established between machine A on our end and machine B at company X showed that none of the attacks were exploiting the 300 distinct vulnerabilities affecting our web services over the past 5 years."

As you can see, the value at each logical level is different depending on the processes you are involved in. The skill is to be able to jump around this cognitive model and with every movement, you the observer are growing your knowledge at a rate that is beyond the sum of what is being presented.
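The three tiers above, as an added example that is not from the original post: a handful of constructed alert rows and a constructed vulnerability inventory (placeholder host, signature and vulnerability names) run through one function per tier, with the time bucket standing in for the "temporal factor" that changes the resolution of the information layer.

```python
from collections import Counter

# Constructed sample records (not from the original post): raw alert rows and a
# vulnerability inventory. Host, signature and vulnerability names are placeholders.
ALERTS = [  # (hh:mm, source host, destination org, attack signature)
    ("01:00", "extranet-1", "companyX", "SIG-A"),
    ("01:00", "extranet-1", "companyX", "SIG-B"),
    ("01:02", "extranet-2", "companyX", "SIG-A"),
    ("01:15", "extranet-2", "companyX", "SIG-C"),
    ("01:16", "extranet-2", "companyX", "SIG-A"),
]
# Known vulnerabilities on our web services -> the signature that would exploit each
WEB_VULNS = {"VULN-001": "SIG-D", "VULN-002": "SIG-E", "VULN-003": "SIG-A"}


def data_layer(alerts, vulns):
    """Data: distinct members, presence and absence only ('N attacks, M vulnerabilities')."""
    return {"attacks": len(alerts), "vulnerabilities": len(vulns)}


def information_layer(alerts, bucket_minutes=10):
    """Information: the same rows placed in context (who, to whom, when).
    bucket_minutes is the temporal resolution: coarser buckets, fewer distinct rows."""
    def bucket(hhmm):
        h, m = map(int, hhmm.split(":"))
        return f"{h:02d}:{(m // bucket_minutes) * bucket_minutes:02d}"
    per_src = Counter(a[1] for a in alerts)
    per_bucket = Counter(bucket(a[0]) for a in alerts)
    return {"attacks_by_source": dict(per_src),
            "attacks_by_window": dict(per_bucket),
            "destinations": sorted({a[2] for a in alerts})}


def knowledge_layer(alerts, vulns):
    """Knowledge: the information read against a context broader than the observation
    itself, here our own exposure. Which observed signatures match vulnerabilities we
    actually carry, and which are noise aimed at weaknesses we do not have?"""
    sig_to_vuln = {sig: vid for vid, sig in vulns.items()}
    seen = Counter(a[3] for a in alerts)
    relevant = {sig: sig_to_vuln[sig] for sig in seen if sig in sig_to_vuln}
    irrelevant = sorted(sig for sig in seen if sig not in sig_to_vuln)
    return {"attacks_on_known_vulns": relevant, "attacks_not_applicable": irrelevant}
```

With an inventory that shares no signature with the alerts, the knowledge layer returns an empty match set, which is the "none of the attacks were exploiting our vulnerabilities" conclusion from the post.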

The form knowledge has some very peculiar properties that are worth mentioning. As we move further and further away from an economy based on rival-goods, these properties will no longer be in the background and will be center to our discourse.

[This collection noted by N. Wiener, A. Toffler, J Piaget, and others, comments by TK]

Knowledge is inherently non-rival
If I give it to you, I still have it. This is in contrast to a rival good, where if I sell you something, in the transaction I give you item A, which I then no longer have, and you pay me item B, which you then no longer have.

Knowledge is intangible.
We can’t apply the domain of physics to it but that does not mean we cannot manipulate it.

Knowledge is non-linear
As we begin to develop more and more of an informational understanding of nature itself, we can see that non-linear patterns are much more common than linear patterns. Even in business, tiny insights can yield huge outputs.

Knowledge is relational
An observer attains meaning only when knowledge is held in some ratio to other knowledge.

Knowledge mates with other knowledge
This growth is exponential because the more there is, the more synthesis and analysis can be performed, and the more new knowledge is created, which is then fed back into the system.

Knowledge is observer centric
There is a hermeneutic principle that knowledge follows: the hearer, not the speaker, determines the meaning of an utterance. Piaget was quoted as saying “He who organizes his experiences organizes the world”.

Knowledge is explicit or implicit, expressed or not expressed, shared or tacit.
It is at the very edge of our human knowing.

All of this research was done in the 1950’s, and much of it has still not been applied because our community still suffers from what my buddy David Mann calls “physics envy”. The sooner we let go of the paradigms and language of the industrial age, the better. It really does not matter if you agree or don’t agree; it has already begun. Everything around us (our media, our social networks, our bodies) is transcending to a data/information/knowledge representation. I have a few ideas on how to go about managing risk and certainty that may or may not work out, but I can tell you that the methods we are using today are in their sunset years.

--TK

About April 2007

This page contains all entries posted to Patterns in April 2007. They are listed from oldest to newest.