InfoSec 101


Security is the state or outcome of protecting assets from danger through controls (also called safeguards or countermeasures). Assets are anything of value. Value is anything of importance, significance, or use.

Information Security is a discipline to protect information and information systems from threats through security controls to achieve the objectives of confidentiality, integrity, and availability, or CIA for short. Information is useful data; an information system is a system that converts data into information; a system is a collection of related elements that work together to achieve a common goal. A typical information system comprises such elements as data, computers, operating systems, software, networks, data centers, people, business processes, and so forth. Kindly be reminded that a CISSP is a Certified Information Systems Security Professional.

Risk is the effect of uncertainty on objectives. Risks with positive effects are opportunities, while risks with negative effects are threats. Information Security, which typically emphasizes addressing threats over opportunities, is a subdiscipline of risk management.

This post answers the Brain Burner Questions.

Strategy Execution Framework

Strategic Management is one of the most important issues of information security governance. It can be divided into strategy formulation and strategy execution.
As a CISO, you have to think strategically to develop the information security strategy and align it with the business goals and objectives and with the upper-level corporate or business strategy.

Reviewing the mission/vision statement, the BCG Matrix, SWOT analysis, Porter's value chain, and the five forces model are useful tools for developing the strategy.

After the strategy is crafted, the PMI OPM (Organizational Project Management) strategy execution framework is an ideal one for implementing it. Other frameworks, such as COBIT or ITIL, are alternatives for strategy execution.


Since I first encountered an 8086 PC in 1989, my career in the IT industry was set; and when I first stood on the podium as a computer instructor in 1992, my passion for education and training was ignited. From DOS, ET, KC, Multiplan, DB3, Paradox, Access, SQL, Ami Pro, Office; Windows, NT, Novell, Slackware, MCSE, AD, Azure, AWS; Assembly, C, Clipper, VB6, COM/DCOM, SOAP, C#, MVC, ORM, RESTful, TypeScript, Angular, Android; Waterfall, UML, ICONIX, XP, Agile, Scrum; management, governance, vision, mission; all the way to self-awareness. I have come to see that, beyond money, there are responsibilities and a mission resting on my shoulders. If I have a dream, it is that one day I will see the people of Taiwan, even when facing overwhelming pressures of every kind, able to decide Taiwan's path and future by their own free will. The Sunflower Movement gave me boundless respect for the younger generation!

N years ago, it was rare to see a Simplified Chinese computer book at the Tenlong bookstore in Taipei; instead, computer books published in Taiwan were translated into Simplified Chinese editions and sold well.

Taiwan's low wages actually reflect the reality of starting a business. This also reminds every worker, whether starting a business or taking a job, that they must have real skills, take responsibility for themselves, and accept the harsh standard of being judged by success or failure. Because, apart from ourselves, no one can take responsibility for our own lives. To put it plainly, in this era of intense competition, even the survival of enterprises faces enormous challenges; what conditions, capabilities, and advantages do they have to take care of employees for a lifetime? And what obligation or passion does an employee have to work hard for one company for a lifetime? In the workplace of the future, there will only be the exchange of supply and demand for real skills; ideally, the capable should do more to take care of the relatively less capable, and the truly disadvantaged can only be helped by the government's social welfare system.

Taiwan is great! So great that even our resilience in the face of challenges has degenerated!
Taiwan is awesome! So awesome that we cannot face the drastic changes that have long been happening outside, so awesome that we ignore the cruel reality that we have long since lost sight of the tail lights of Hong Kong, Singapore, and South Korea!

Taiwan is really too great! We have a Taiwanese culture that blends European, American, Japanese, Chinese, and local characteristics; we have Eastern humanism and Western rationality; we have a unique warmth of human feeling; we have high-quality civil servants and administration; and even more, we have a democratic system whose value we ourselves cannot see but which is the pride of the world!

Taiwan's goodness needs us to protect and defend it with all our strength. To make Taiwan even better, each of us must start with ourselves! Improving our own abilities is strengthening our competitiveness; let us go international together, and from the world go on to China! I look forward to the day when we can travel to China on a Taiwanese passport! God bless Taiwan!!

Why does everybody learn CIA?

It's quite interesting that almost every CISSP aspirant learns the CIA triangle (Confidentiality, Integrity, and Availability), but just a few know why they need to know about it.

It seems to be a simple or straightforward question. However, it lays the foundation of information security and risk management and plays a vital role on your way to success in the CISSP exam.

Why do you think it’s imperative to learn about the CIA triangle? Your feedback and comments are always welcome!

Which is more important? Accuracy or Acceptability?


Which criterion is the most important consideration for the selection and deployment of a biometric authentication system?
A. Crossover error rate (CER) or Equal error rate (EER)
B. Processing speed

I’m a little bit confused

Shon Harris 5th e

This question is a post from Ehab Badawi in Luke’s SNT group on 2019/05/04 6:59 AM Taipei Standard Time.

It seems to be a simple question at first glance. However, I would prefer B to A. The criteria for the selection and deployment of a biometric authentication system deserve more thought.

The accuracy of a biometric system can be evaluated by using well-known performance indicators, e.g., False Accept Rate (FAR), False Reject Rate (FRR), and Equal Error Rate (EER).

The value of the EER can be easily read off the ROC (receiver operating characteristic) curve: it is the point at which FAR equals FRR. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is the most accurate.

Based on the information above, EER or accuracy is an essential factor to consider when selecting a biometric authentication system.

However, when evaluating a biometric authentication system, there are other factors to consider, such as cost, acceptability, and so forth. Processing speed affects acceptability. Let’s consider the following case:

  • System A, EER=0.2, Processing speed=20,000 matches/sec
  • System B, EER=0.2, Processing speed=18,000 matches/sec
  • System C, EER=0.3, Processing speed=15,000 matches/sec
  • System D, EER=0.4, Processing speed=20,000 matches/sec

If our criteria for purchasing a biometric authentication system are EER < 0.3 and processing speed >= 15,000 matches/sec, Systems A and B are the qualified alternatives. In general, we will select and deploy System A because it has the higher processing speed. In this case, the processing speed is the more decisive, or more important, criterion.

So, which one is the most important consideration? EER or processing speed? And what does “important” mean? Undoubtedly, we have to take both of them into account to select and deploy a biometric authentication system.

I would treat EER as a selection criterion and processing speed as a deployment criterion. The acceptable EER depends on the use case, security first or convenience first; processing speed affects system throughput and user acceptability. In practice, I would prefer to choose the system with the higher processing speed from among alternatives with similar or equal EER. That's why I prefer B to A, even though Answer A, CER or EER, seems to be the more popular answer.
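The worked example below is added here and is not part of the original post. It computes FAR and FRR by sweeping a match threshold over constructed genuine and impostor similarity scores (not real biometric data), locates the crossover point to estimate the EER, shows how a security-first operating point trades FRR for a lower FAR, and then applies the purchase rule from the case above (EER as the gate, processing speed as the tiebreaker) to Systems A through D. The score lists, the `System` class and the function names are assumptions made for the illustration.

```python
"""Added example: FAR/FRR/EER computation and the EER-gate, speed-tiebreak
selection rule. All scores below are constructed, not measured."""
from dataclasses import dataclass

# Constructed matcher similarity scores in [0, 1]; higher means "more alike".
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.78, 0.70, 0.65, 0.55, 0.40, 0.35]
IMPOSTOR_SCORES = [0.60, 0.50, 0.45, 0.42, 0.38, 0.30, 0.25, 0.20, 0.15, 0.10]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) when a match requires score >= threshold.
    FAR: impostors wrongly accepted; FRR: genuine users wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a threshold and return (EER, threshold)
    at the crossover point, where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    _, eer, threshold = best
    return eer, threshold


def operating_point(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: raise the threshold until FAR <= max_far and
    report (threshold, FAR, FRR); the FRR is the convenience cost paid."""
    for t in sorted(set(genuine + impostor)):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


@dataclass(frozen=True)
class System:
    name: str
    eer: float
    matches_per_sec: int


# The four candidate systems from the case above.
CANDIDATES = [
    System("A", 0.2, 20_000),
    System("B", 0.2, 18_000),
    System("C", 0.3, 15_000),
    System("D", 0.4, 20_000),
]


def select_system(candidates=CANDIDATES, max_eer=0.3, min_speed=15_000):
    """Apply the purchase criteria: EER is the gate (strictly below max_eer,
    speed at least min_speed); processing speed decides among the survivors.
    Returns (winner, qualified_list); winner is None if nothing qualifies."""
    qualified = [s for s in candidates
                 if s.eer < max_eer and s.matches_per_sec >= min_speed]
    if not qualified:
        return None, []
    return max(qualified, key=lambda s: s.matches_per_sec), qualified


if __name__ == "__main__":
    eer, t = equal_error_rate()
    print(f"EER {eer:.2f} at threshold {t:.2f}")
    print("security-first (FAR <= 0.1):", operating_point(0.1))
    winner, qualified = select_system()
    print("qualified:", [s.name for s in qualified], "-> deploy", winner.name)
```

Note that `equal_error_rate` is a discrete estimate: with only a handful of scores the crossover falls exactly on an observed threshold, whereas on real data you would interpolate between the two nearest thresholds.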




Scrum Practice Question


You are the head of the research and development (R&D) department of a pharmaceutical company and the Product Owner of the Scrum team developing an application that handles the most sensitive data for your department. You are concerned with the protection of the application data stored in the database. As a product owner, how do you address the concern of data confidentiality in the database?

A. Assign any development team member to develop a proprietary cryptographic module to encrypt the data in the database.
B. Assign the most senior development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
C. Outsource the task to a professional cryptographic vendor and require them to use a standard cipher that is openly reviewed and certified.
D. Add the encryption requirement of a standard cipher that must be openly reviewed and certified, into the product backlog and let the development team decide the implementation details.

PS. Scrum is quite popular these days. Security professionals should be able to apply the security by design principle in an agile setting, and Scrum is one of the mainstream agile frameworks.