‘Lean startups’ can happen anywhere

Lean Startups and the entrepreneurial energy that fuel them, aren’t just limited to lone visionaries in garages or spare bedrooms.

In today’s hyper-competitive global economy, large organisations need to have startups under their roofs to survive and thrive.

A couple of decades back, some visionaries were floating the idea of “intrapreneurs,” motivated innovators within organisations that pull together ideas and resources to make new things happen.

In his latest book, Eric Ries, creator of the Lean Startup methodology, builds upon this idea, and outlines the 5 key principles that should make up the foundation of any lean startup effort and, tellingly, the key takeaway is that startups can happen anywhere, at anytime:

1. Entrepreneurs are everywhere. Ries argues that startups are everywhere, which he defines as an “institution designed to create new products and services under conditions of extreme uncertainty.” Groups of people working within Fortune 500 corporations or large government agencies, could meet the definition of a “startup.”

2. Entrepreneurship is management. Ries argues that “entrepreneur” should be a job title in all companies, regardless of ages and sizes.

3. Validated learning. The main purpose of a startup is to learn about customer needs. Run frequent experiments to see what ideas stick, and more importantly, which do not.

4. Build-measure-learn. A successful startup needs to operate within a continuous feedback loop. This loop consists of turning ideas into products, measure how customers respond, and “learn whether to pivot or persevere.”

5. Innovation accounting. Startup leaders still need to focus on the “boring stuff.” : measurement, milestones, and prioritisation of work. “This requires a new type of accounting for startups, and the people who hold them accountable.”

While startups may seem chaotic and more driven by passion than management, sensible and accountable management is still needed but the bottom line is that it can and will happen anywhere and everywhere.

5 questions to improve your results!

Here are 5 great questions to help your business thrive in any economy:

1. How many leads am I generating each day from my website / blog? Our sites should be a constant source of highly targeted sales leads. If your site is not currently generating as many leads as you can handle, you need to fix that immediately. I’m constantly amazed how many business owners pester people for leads at networking events, when their website or blog could be generating high quality leads for them every day.
2. How easy would it be, for someone to write a manual, which explained how to do my job? Whilst every human being is of equal value, those in business with the highest commercial value do work that matters, which can’t be neatly explained in a manual.
3. What am I doing, to ensure that the next 12 months will be better than the last 12 months? If business hasn’t been good over the past year, we need to change our direction. It’s way too easy to mistake movement for progress and end up working hard, doing the wrong things. If hard work alone were the secret to success, our grandparents would have been millionaires.
4. If my business was perfect in every way, what would it look like? Write your answer down in as much detail as possible. Include everything, from; the type of projects you would be working on, your profit figure and the length of your working day, to the number of hours you would work each week and the location of your business. The clearer a picture you can build of your ideal business, the easier it becomes to direct your current business into that image.
5. If my business were to stop trading on Monday, how easy would it be for my clients or customers to replace me? This is similar to question 2, but is focused on the unique value of your business. The easier it is for people to replace us as providers, the more volatile our client list will be and the harder we will find it to attract new clients.

Institute of Risk Management issues new guidance on risk appetite

The Institute of Risk Management (IRM) has published new guidance on the subject of risk appetite and tolerance aimed at helping organizations better understand the risks they take when pursuing their strategic objectives.

IRM's guidance document has been endorsed by the Chartered Institute of Internal Auditors, the Chartered Institute of Management Accountants, the Institute of Chartered Secretaries and Administrators, The Chartered Institute of Public Finance and Accountancy and Alarm, the public risk management association.

IRM Deputy Chairman Richard Anderson, the main author of the report, explained: "Risk appetite today is a core consideration in any enterprise risk management approach for organizations of all types, yet there is little widespread understanding about what it means and how it can be applied. In the light of the explicit requirement in the UK Corporate Governance Code for boards to understand the nature and the extent of the risks that they face, IRM decided to take the lead on drawing together some practical guidance on the subject, aimed at board members as well as risk professionals.

We are particularly pleased that other respected professional bodies are supporting our work - risk is everyone’s business and a common understanding and approach helps us work together to address this challenging area."

Anderson continued, "Our underpinning precept is that organizations can only progress by taking those risks that they need to embrace and managing down those that they wish to avoid.

Our recommended approach to risk appetite, based on the wide experience of our members and also benefitting from an extensive consultation exercise earlier this year, is intellectually rigorous as well as highly practical.

We think we have managed to outline a process which should be proportionate to an organization's risk management maturity, capability and culture and, most importantly, supported by appropriate data.

Nevertheless, we do not think that this is the last word on the subject in such a fast-moving environment and we are extremely interested in receiving feedback on this work."

The IRM paper Risk Appetite and Tolerance is available for free download at http://www.theirm.org/publications/risk_appetite.html

Managing cloud risks

Adopting cloud computing may save money, but how does it change risk? The cloud allows the procurement of IT services from both internal and external suppliers to be optimized because the services are delivered through the Internet in a standard way.

The cloud is not a single model, but covers a wide spectrum from applications shared between multiple tenants to virtual servers used by one customer and hosted internally.

The key benefit of a cloud approach is one of scale; the cloud provider can potentially offer a better service at a lower cost because the scale of their operation means they can afford the skilled people and state-of-the-art technology necessary to deliver a secure service.

In general, a large cloud provider is likely to provide a better and more secure IT service at a lower cost than a small to medium sized enterprise could provide itself.

While the public cloud offers applications shared by multiple customers, the private cloud provides applications and infrastructure that are dedicated to a particular organization.

It allows organizations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources.

The price to pay for this is that the costs are likely to be higher than for a public cloud because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.

The information security risks associated with cloud computing depend on both the service model and the delivery model adopted. The specific risks depend on the organization and their individual requirements.

The common security concerns across this spectrum are ensuring the confidentiality, integrity and availability of the services and data delivered through the cloud environment.

The approach to managing risks from the perspective of the cloud service user is one of due diligence - ensuring that the requirements are clearly understood, the risks are assessed, the right questions are asked and the appropriate controls are included in the service level agreements.

The principal information security related issues that organizations adopting cloud computing need to address are summarized below. Because of the wide spectrum covered by the cloud, their priority will depend on the cloud model adopted and the individual circumstances:

- Ease of purchase: anyone can buy access using a credit card. Your organization may already be using a cloud service without a proper assessment of the risk.

- Service contracts: those offered by cloud providers are often ‘take it or leave it’ and may contain less onerous obligations on the provider than a normal SLA. Key issues include: who owns the data, and how difficult would it be for you to get it back?

- Compliance: identify the business requirements for compliance with laws and regulations and ensure that the cloud provider is able to answer how they will meet these needs.

- Service location: identify the legal issues that relate to the jurisdiction of the geographic location of the cloud provider, the service and the data, and ensure that service contracts address these issues.

- Data security: identify and classify the business data that is involved and specify the security requirements for this data in terms of confidentiality, integrity and availability.

- Availability: identify the service availability requirements and assure that the provider is capable of meeting these.

- Identity and access management: specify the business needs for identity management and access control and assure that it will be delivered securely.

- Insider abuse of privilege: confirm that the cloud service provider has processes and technology to properly control privileged access.

- Internet threats: determine the level of protection needed against Internet-based threats and ensure they the steps to be taken both by the cloud provider and internally are adequate.

- Monitor: Within the cloud service, meet the business and legal requirements of the client while separating the data relating to different clients.

Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides. COBIT provides guidance to:

- Identify the business requirements for the cloud-based solution. This seems obvious but many organizations are using the cloud without knowing it.

- Determine if the functionality is currently provided by an existing internal service. If so what are the options?

- Determine the governance needs based on the business requirements. Some applications will be more business critical than others.

- Develop scenarios to understand the security threats and weaknesses. Use these to determine the risk response in terms of requirements for controls and questions to be answered. Risk IT: Based on COBIT provides an ideal framework for this.

- Understand what the accreditations and audit reports offered by the cloud provider mean and actually cover.

Cloud computing can reduce costs by providing alternative models for the procurement and delivery of IT services.

Many organizations have already adopted an outsourcing approach to internal functions that are not core and this approach naturally extends to IT.

However, they need to consider the risks involved in a move to the cloud and good governance provides a way for this.

For more information, visit www.isaca.org/cloud for a free ISACA white paper.

What makes a great risk manager?

Active Risk, conducted a major survey of risk professionals in mid-2011.

Phase One analysis, based on over 250 completed responses from around the globe, has shown some surprising results and provides important advice for organizations implementing enterprise risk management programmes.

As demands placed on risk professionals increase and evolve, this new research has given an insight into the types of individuals organizations need in their risk team to produce the best chance of meeting corporate and project risk objectives.

The research also provided an understanding to the training and development required to grow and retain risk professionals; strategies to improve the effectiveness of communications between risk managers and other departments such as sales, finance, contracts and projects and the actions necessary to reduce stresses on the risk team.

Risk professionals completed an online psychometric survey based on the well-established DISC profiling methodology and received a confidential personalized profile report in return.

The cumulative results were used to identify the main personality types active in the profession. Three groups emerged.

The largest percentage (60 percent) represented ‘Technicians’ with the characteristics for accuracy and logical action traditionally associated with risk managers.

More surprisingly over 30 percent of those who responded to the survey emerged as ‘Evangelists’ who are optimistic and inspiring leaders.

This new breed of risk manager could prove instrumental when imbedding a corporate risk culture.

Finally, just under 10 percent of risk professionals who took part in the survey were ‘Drivers’ with determined personalities more usually associated with sales professionals.

To participate in the confidential survey and to download the Phase One summary report, go to www.activerisk.com/risksurvey

NIST: New Guidlines for Conducting Risk Assessments

Risk assessment is the topic of the newest special publication from the National Institute of Standards and Technology (NIST).

Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1), an extensive update to its original 2002 publication, is the authoritative source of comprehensive risk assessment guidance for federal information systems, and is open for public comments through November 4.

Overall guidance on risk management for information systems is now covered in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), issued last March.

The updated SP 800-30 now focuses exclusively on risk assessments, one of the four steps in information risk management.

Information risk assessments help organizations:

• Determine the most appropriate risk responses to ongoing cyber attacks or threats stemming from man-made or natural disasters;
• Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image and reputation), organizational assets, individuals, other organizations and the US nation; and
• Maintain ongoing situational awareness of the security state of an organization's information systems and the environments in which those systems operate.

The guidance in the revised publication has been significantly expanded to include more information on a variety of risk factors essential to determining information security risk, such as threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence.

The publication describes a three-step process to help organizations prepare for risk assessments, successfully conduct risk assessments and keep assessment results up to date.

Guide for Conducting Risk Assessments also describes how to apply the risk assessment process at the three tiers of the risk management hierarchy outlined in Special Publication 800-39.

Sample templates, tables and assessment scales for common risk factors are provided for users to adapt to their own organizational risk assessments based on the purpose, scope, assumptions, and constraints of the assessments.

Guide for Conducting Risk Assessments (Special Publication 800-30, Revision 1) may be downloaded from here. Please send comments to sec-cert@nist.gov by Nov. 4.

Social engineering risks explored

Check Point has published the results of a new survey revealing that 42 percent of UK enterprises, and 48 percent internationally, have been victims of social engineering attacks, experiencing 25 or more such attacks in the past two years at a average cost of over £15,000 per incident.

The survey report, ‘The Risk of Social Engineering on Information Security’, shows the most common sources of social-engineering threats are phishing emails (47 percent) and social networking sites (39 percent).

The survey found that new employees (52 percent) and contractors (44 percent) were cited as the most susceptible to social engineering techniques, emphasising that hackers target staff that they suspect are the weakest security links in organisations, using social networking applications to gather personal and professional information on employees to mount spear phishing attacks.

According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognise social engineering as a growing security concern.

A majority of respondents (51 percent) cited financial gain as the primary motivation of attacks, followed by competitive advantage and revenge.

The highest rate of attacks was reported by energy and utility organizations (61 percent) with non-profit organisations reported the lowest rate (24 percent), reinforcing gain as the key reason for attacks.

“Although the survey shows that nearly half of enterprises know they have experienced social engineering attacks, 41 percent said they were unsure whether they had been targeted or not.

Because these types of attacks are intended to stay below an organization’s security radar, the actual number of organisations that have been attacked could be much higher. Yet 44 percent of UK companies surveyed are not currently doing anything to educate their employees about the risks, which is higher than the global average,” said Terry Greer-King, UK managing director for Check Point.

Further findings from the survey report are:

• The threat of social engineering is real – 86 percent of IT and security professionals (80 percent in the UK) are aware or highly aware of the risks associated with social engineering. Approximately 48 percent of enterprises globally (42 percent in the UK) surveyed admitted they have been victims of social engineering more than 25 times in the last two years.
• Social engineering attacks are costly – Survey participants estimated each security incident costing anywhere between $25,000 and over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage. 36 percent of UK respondents cited an average incident cost of over $25,000 (£15,000).
• Lack of proactive training to prevent social engineering attacks – 34 percent of businesses do not have any employee training or security policies in place to prevent social engineering techniques (4 percent in the UK).
• Financial Gains are the primary motivation of social engineering - Financial gain was cited as the most frequent reason for social engineered attacks, followed by access to proprietary information (46 percent), competitive advantage (40 percent) and revenge (14 percent).

While social engineering techniques rely on taking advantage of a person’s vulnerability, the prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points to execute social engineering attacks.

Greer-King added: “An organization’s employees are a critical part of the security process as they can be misled by criminals, or make errors that lead to malware infections or unintentional data loss. Many organizations do not pay enough attention to the involvement of users, when, in fact, employees should be the first line of defence. A good way to raise security awareness among users is to involve them in the security process and empower them to prevent and remediate security incidents in real time.”

Read the report (PDF).

Cultural effects on risk perception

A new Chatham House paper, ‘Cultural Dialogue in International Security: New Thinking for Europe and America’ has highlighted how the perception of risk changes from culture to culture.

Written by Alexis Crow, the paper says that risk perception is highly subjective and therefore culturally specific: what may be considered a risk in one country may not be in another.

The paper explains how, in the context of attempts to develop dialogue in international security, it is important to understand a culture’s risk appetite.

Although not aimed at business continuity managers the paper provides some useful background information which may help when managing cross-border business continuity management systems.

Read the document (PDF).

Our security paradigm is out of date

At a recent Cloud Security event, the president of the UK & Ireland chapter of the Cloud Security Alliance (CSA UK & Ireland) said that the perception of security as a concept is out-dated.

According to Des Ward, the current focus on complying with the myriad of assurance frameworks is taking focus away from the obligations placed on organizations to identify and manage the risks to their information assets; which, in turn, places an inordinate and inappropriate burden on external service providers to satisfy the concerns of organizations with no common terms of reference.

“The discussion following my presentation was very interesting as it highlighted that, whilst security in the cloud services environment is clearly a concern for many IT security professionals, there is still a lack of assurance within the external supply chain as whole,” said Des Ward, President, CSA UK & Ireland.

“What this tells me is that, whilst the message on security is getting through to businesses, there is no consistent language to determine whether the service provider will operate the controls to a level that assures the client that their risks are managed appropriately.

This proves to me that the current security mindset is little more than managing risks to achieving compliance rather than empowering organizations to understand the controls required to manage the risks to their information.”

“It is important”, says Ward, “to understand that all organizations in the UK and Ireland, on both sides of the public/private sector divide, have an explicit obligation under law to ensure that personal and corporate information is managed in a safe manner.

“The current compliance overload over the past four or five years has led to an inordinate focus on managing risks to compliance rather than understanding the risks to information – and this focus has meant that we look to overuse of technical controls to show due diligence to ensure that when a breach occurs, that penalties will not be levied; it is not designed to reduce the likelihood of breaches themselves,” he adds.

“This approach is, in my humble opinion, unsustainable, as it does not look to the implementation of the controls and fails to address the business risk management issue that exists in most organizations.

This is turn has no more benefit to the business than placing money in the shredder.” he explained.

“A classic case of these issues”, he says, “was the ICO's recent engagement with Lush after the cosmetics retailer suffered a payment card breach; although the outcome was favourable for all concerned, the key lesson to be learnt is that the current compliance boundaries can now be crossed by another interested party.

What stops the ICO from looking beyond the compliance scope of PCI and entering its own jurisdiction which is the entire business?

“The current lack of corporate information governance in today's businesses will soon result in increased penalties and I feel that this case will be a tipping point; despite the clamour for more prescription from assurance frameworks, my own experience is that many implementations of the PCI DSS are tightly scoped and shows there is little appetite for additional level of prescription that comes with little more benefit than a licence to undertake business on the internet.

This proves to me that the current focus on compliance risk management as we know it is nearing an end, and something else is required to assist organizations to understand and manage the risks to their information going forward.”

BlackBerry downtime illustrates reputation risks of social media

The risks of using social media for critical service announcements were highlighted yesterday (10th October) when BlackBerry posted notices of downtime on various social media channels.

BlackBerry users in Europe, the Middle East and Africa were unable to use email, BBM and various other services due to a major fault. To inform users of the incident, Blackberry chose to utilise social media, posted a message stating:

“Some users in EMEA are experiencing issues. We're investigating, and we apologise for any inconvenience.”

This basic message resulted in a stream of abuse and negative comments, with 2,500+ messages being posted on Facebook alone.


The incident shows that companies need to think very carefully about whether unrestricted social media is an appropriate medium for customer service information.


If organizations decide to go down this route, it is critical that messages are not just posted and left; they must be monitored and customer care employees must proactively engage with customer responses.

The Financial Turmoil and Business Continuity

‘Eurozone at tipping point’, ‘Greece may be forced to default’, ‘Is the euro doomed?’ The headlines alone make you want to pull the covers over your head.

The Governor of the Bank of England, Mervyn King, tells the BBC: “This is the most serious financial crisis at least since the 1930s, if not ever.”

He then went on to call for a calm reaction to the crisis; which led to a few wry smiles!

If the financial crisis does get appreciably worse or, heaven forbid, the euro were to fail, what does this mean for business continuity professionals? Because, call the eurozone meltdown what you like, it’s certainly a crisis: and crisis is what we do isn’t it?

Contingency planning makes us all gaze into a crystal ball from time to time in an attempt to predict what might happen so we can plan accordingly and provide contingencies. But inevitably: ‘All plans imply an attempt to impose the values of the past...on the future.’

So it doesn’t mean we always get it right. But if the world’s economy or ‘just’ the eurozone does take a serious dive then at some point organizations are going to look to us to help get them out of this mess.

So what can we, as business continuity professionals, do to help: and how can our specialist knowledge be leveraged to help those trying to overcome the financial crisis?

We have a responsibility to understand as much as we can about the financial situation, but clearly it’s not our job to solve it.

For that there are leaders and governments; though some might argue it is just such people and institutions that got us into the crisis and of course within companies, particularly banks, there are experts assigned to investments, governance, auditing and PR who are trying to mitigate risk.

We stray into those fields at our peril. But what about the aftermath of a crisis? Many predict that inflation will go through the roof and this could spark further looting or civil unrest on the streets.

There could also be lengthy utility failures, fuel shortages, disruption to public transport and pressure on supply chains.

Perhaps staff won’t be able to travel to work or prefer to stay at home to look after their families. The fallout from these kinds of problems has our name written all over them.

The job of the business continuity professional is to identify risks and impacts to critical processes.

For each critical process we have to identify ways of providing a structure that enables these processes to be performed during or in the wake of a crisis.

Once the resources needed to perform these actions are identified this can form the basis of a plan, which can then be tested to see whether core critical processes really can continue to operate in extreme circumstances; and it doesn’t get more extreme than the uncharted territory that we would enter should the European banking system or the euro fail.

Unravelling a financial crisis may be way outside our skill set, but our business as usual is business as unusual and crisis our stock in trade.

Perhaps it’s a good time to review business continuity plans in the light of the societal impacts that could occur.

Social media risks explored

Social media poses significant risks to European businesses, according to a survey by the Federation of European Risk Management Associations in cooperation with the Institute of Risk Management (IRM).

Risk professionals from both organizations were asked which three cyber risks they thought were the greatest threats to business in general and to their own organizations. A total of 186 replied to the online survey during August and September 2011.

For business in general, reputation risk from social media was cited as a material risk by nearly 50 percent of respondents and loss of confidential information through social media by 20 percent.

These concerns ranked social media along with non-malicious operational IT risks, theft of customer information and malicious interference with IT systems as the greatest cyber threats to business in the eyes of the risk professionals.

The emphasis shifted somewhat when it came to respondents’ own organizations. More than half put operational, non-malicious IT risks among the top three, followed by 43 percent who mentioned theft of customer information.

However social media risks were next with 42 percent who included them among the biggest exposures to their own organization with 21 percent concerned about loss of confidential information through social media.

In response to additional questions to FERMA members, one-third of 36 responses said they had already been concerned by a denigration attack. One-quarter of the 98 responses said their company had suffered an attack on confidential information.

Other findings from the surveys:

- Risk managers are widely involved in managing cyber risks in addition to IT security; over 80 percent of the responses confirmed this.

- Most organizations have a policy for their employees on the use of social media (65 percent) or are in the process of implementing one (14 percent).

- Most organisations either map their cyber risks (53 percent) or are in the process of doing so (31 percent).

Ten early warning signs of fraud in organisations

Awareness of the signs and a sound approach to countering them can often deter many opportunistic incidents of fraud.

The list is as follows:

1. ERRATIC REPORTING: This sign is just as applicable to suppliers and contractors as it is to internal departments and functions within the organization. Erratic, incomplete, late or excuse-laden management reporting is often a classic sign that something is wrong. One of the possibilities is the existence of fraud. Further investigation will reveal that lip service and increasingly tenuous explanations are given assertively to thwart follow up activity. Common excuses used are often the frequent occurrence of IT failures, technology compatibility issues between different company systems or international systems. It is also often the case that once reports are complete there are typically delays in them reaching those who need to review the data.

ACTION: Insist on up-to-date reporting, within a set timetable and then build this into the internal GRC (governance risk and compliance) systems. Wherever appropriate adopt an enterprise-wide approach to technology to help with systems issues.

2. APPARENT PROCESS LAZINESS: A weakening of anti-fraud and data security systems can happen naturally, over time; and is normal – especially when things get busy. This occurs where precautions and risk-avoidance measures get by-passed or ignored in practice as time goes by. This could just be the natural adjustment of systems to the practicalities of working life and busy peaks, or it could be deliberate and sinister. However, with the seemingly right processes in place, top level management are often lulled into a false sense of security that they are actually being used, whilst the fraudster is busy at work getting around them.

ACTION: Make sure you implement the suggestions of your internal compliance managers and organize appropriate training to reinforce attitudes and practise. Ensure that the control processes, especially in tendering, purchasing, invoicing and customer controls and identifications are ALWAYS kept strong, managed and regularly reviewed. Where systems/processes are under pressure when used in practise, introduce a review process – and then adapt them promptly.

3. ORGANIZATIONAL CHANGE AND THE DESIRE TO DUMP DATA: A major indicator can be the act of deletion or pressure on staff to delete, remove or otherwise dump past records following a restructure, a new division launch, a JV or acquisition. An excuse of, “Oh I’m sorry those files were destroyed.” should be cause for alarm. It will be an even bigger problem where international operations are involved as it’s far harder to find or recreate evidence in a foreign territory.

ACTION: Take care to establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for and has ownership of the records. They are not always the same person of course. Ensure that scanning, and indexing works properly and that no-one can intercept/edit documents. Also ensure that storage capacity is enough and controlled properly. Where acquisitions and mergers are concerned, ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails and staff contracts. In particular, if you are acquiring a business make sure that you have indemnities/penalty clauses built into the acquisition agreements that relate to the availability of data, logs, audit trails and so forth.

4. DATA INCONSISTENCIES OR ABSENCE IN THE ARCHIVES: Whether it is archive data or cross reference checks that are missing or wrong; factual inconsistencies will also occur naturally. The cheats who seek to defraud an organization will use the possibility to explain such inconsistencies and hide their fraud.

ACTION: Make sure that all files are electronically stored, with appropriate back-ups as part of your compliance systems and that no-one has the access to any files that include a delete capability. It is also worth having internal or external auditors sample check key files from time to time as a part of the audit programme. In addition arrange for the HR department to make it a gross misconduct issue to destroy data without recorded approval from above. This may not deter the fraudster but if nobody else is doing it the fraudster is more likely to be spotted at an early stage.

5. AUDIT-TIME DELAYS: Excuses, confusion or wild goose chases when disclosing to auditors, be they internal or external, can be a telltale sign too. We need to remember though that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection.

ACTION: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Where there have been delays or difficulties investigate why this was the case by drilling down into the detail. Make sure that the business critical and financial exposure areas take a priority and act upon all failings both quickly and completely; with follow-up audits if necessary.

6. BEHAVIOURAL ANOMALIES: These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures. These behavioural anomalies have probably already been noticed through the assessment process or by HR staff. Research shows that internal fraudsters are most likely to be either ‘youngsters who cut across the processes and systems’ or ‘middle aged executives with the authority and a gripe’.

ACTION: Get HR more closely involved. Then if you still have concerns about such people upon closer inspection, all the relevant files need to be pulled and checked, or you might even consider a private investigator to look deeper into the processes used by such high risk people.

7. GOSSIP MONGERS IN OVERDRIVE: Staff whispers and rumours “that all is not right” should always be taken seriously. These are, however, so often overlooked by senior management.

ACTION: Listen, take all such rumours seriously and investigate the reality.

8. TWITCHY NON-EXECS: Good non-execs provide a considered, independent and external perspective. Often they bring in specific expertise from outside the board’s immediate experience and their skills can vary from financial knowledge through to IT. When their comfort factor ‘goes south’ or when they have a ‘bee in the bonnet’ about something that does not add up or make sense, they often have good reason to worry. So must you.

ACTION: It is always good for the business to maintain a fresh supply of new thinking, new approaches and new concerns. Thus if non-execs have concerns about particular issues, one should fund their thinking by allowing them to bring in the appropriate specialist experts that can investigate matters more deeply.

9. UNOFFICIAL IT WORK: Technical staff working around the enterprise conducting unsupervised IT activity, often outside normal hours can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. This is more common in smaller organizations where some are working more to help themselves than to help the organization that is paying for their IT equipment and the software they use.

ACTION: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the look-out for data-theft, IPR theft, time theft (people spending all day on Facebook etc.), or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.

10. SCAPEGOATING: Where people are given a title but without actual responsibility, it can effectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed.

ACTION: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.

The Cloud± Service level agreements

Most discussions about cloud computing center on technology, software, or whatever exciting new service happens to be in the spotlight, but a lot of the times people forget about one of the most basic elements of the cloud: service level agreements. How will it perform?

Moving to the cloud means you're buying an outsourced service. Therefore, looking at computing from a service perspective, the first concern on the minds of both customers and companies should be the service level agreement, as well as the components of the service and it's fancy technological elements.

If you think of entering a cloud computing agreement in the same terms as entering a relationship. Before the cloud, customers and companies had a long distance fairly remote relationships, with only the occasional brief but passionate encounters, normally at the deployment stage, followed by long periods of waiting for new events; patches and updated versions.

Whereas, on the cloud, everyone is living together, in a symbiotic way, with no time apart. In this model, the most important thing is to avoid clashes and annoying others so much that they move out.

The service level agreement has always been the key to this. Establishing the ground rules, so everyone knows what may or may not be done and including, what level of annoyance each party will tolerate.

Availability

An important thing to realise is that the perception of quality in a service is relative to the needs of customers. I don’t mind if the electricity doesn’t work in my home while I am at work, but if the power goes out when I am sitting down to watch some TV, I will hate the power company.

The same goes for cloud services. If you give 99% availability, but the 1% failure always happens in the middle of the business day, customers will quickly abandon your service, despite it being within the agreed level.

The flip side of this coin is that most of us don’t really need that 99.995% availability; we need 100% availability whenever we decide to use the service. Since most usage habits are pretty predictable, a company offering a cloud service (especially software) can optimise itself so that offline periods fall outside peak usage times.

The cloud enables companies to easily and closely monitor usage patterns, so if you find out that people only use your cloud-based solution on the first five business days of each month during business hours (this could be a payroll application, for instance), you better make sure that your servers can handle the peak load and that you have round-the-clock support during this time.

At the same time, you can probably save money (and pass these savings on to clients) by reducing your capacity and having less support people the rest of the month.

Performance transparency

Another very important thing to remember is that a service level agreement is only as useful as the capacity of the user to monitor it. Transparency is key here.

If you are using a service, any service, you must have a simple way not only of checking if the service is online or offline (like flipping a switch to check if the power is on), but also to monitor whatever metric was established on the agreement.

If you are building a cloud service, remember to include a “control panel” so that your customers, the press, a regulator or ombudsman and even the competition can quickly see your status.

Remember always that transparency creates trust and tolerance: the most stressful thing about a traffic jam is not knowing what is going on and for how long it stretches.

So, if you are building a cloud service, or moving your company’s existing software to the cloud: think first about the service level your customers want and think again as to what you can offer, and from that you can build your new service.

Don’t simply say, “I’m on the cloud, I’ll be available 24×7″ and avoid frustrations on both sides. If you are purchasing a cloud service, make sure that you are not demanding nor paying for more availability than you actually need.

Good Luck, and I hope it will be silver linings all the way!

Why your coworkers may not trust you

According to a recent Civility in America 2011 survey, two out of three employees report that their performance has declined due to workplace incivility and bad manners. They also cite a “critical need” for training in manners and civility.

Most employees think that a breach of trust must be severe or even scandalous to take a toll on their relationships with co-workers. We all now that little breaches of trust over time are a big deal. Like death by a thousand paper cuts, they kill productivity, performance, and morale.

Here are seven reasons your co-workers might not trust you and show how to avoid the most common mistakes:

1. You withhold trust in others

Trust is a two-way street. If you want people to trust you, you need to trust them. For starters, avoid micromanaging. Instead, give your co-workers the latitude to put their full talents to work.

2. You fail to acknowledge effort

When a co-worker goes above and beyond for you, how do you respond? Do you take a moment to personally recognize his effort? Or do you just say “Thanks” in a perfunctory email and move on to the next task?

3. You miss deadlines

Life happens and you miss a deadline here and there. No big deal, right? Wrong. Every time you don’t deliver, you betray trust because your co-workers were depending on you.

4. You arrive late for meetings

When you consistently arrive late, your co-workers feel that you’re wasting their time. They also feel that you’d only be willing to do that if you think your time matters more than theirs.

5. You don’t admit your mistakes

By admitting your own mistakes, you not only acknowledge your humanity but also allow your co-workers to acknowledge theirs. As a result, communication opens up, mutual trust is built, and people feel free to take smart, creative risks.

6. You spin the truth

Do your co-workers know that they count on you to tell the truth or do they just assume you’ll tweak it? Tell it like it is. Spin never passes the sniff test anyway; people see it for what it is and, sooner or later, lose trust.

7. You behave badly

Be aware of your behaviour. Instead of berating a co-worker for missing a deadline, for instance, calmly ask how and why things got off track. Understand what that person needs from you in the future.

Meet the Entrepreneurs - Seema Pabari's TiffinDay

A major life change caused Tiffinday's Seema Pabari to radically rethink her life. The result? Some of the most delicious food you'll ever taste.

All prepared and delivered in an eco-conscious, trash-free way by a company with a sustainable, triple bottom line who believes in growth with a healthy, sustainable social model.

Adobe WebCam privacy invasion flaw in Flash - Fixed?

Adobe has fixed a privacy invasion flaw in Flash that allowed remote spies to turn on a computer user’s webcam via a rigged web site.


The vulnerability, discovered and documented by researcher Feross Aboukhadijeh, is a variation of the clickjacking technique and could be used to turn on a webcam and microphone direct from a web site without the user’s knowledge or consent.

In this video, Aboukhadijeh documents the attack scenario:



Adobe says the issue is now fixed:

Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website. No user action or Flash Player product update are required.

If, like me, you are paranoid about these kinds of bugs activating your webcam, do the smart thing and put a sticky over the camera.  Matter solved.

BYOD: ‘bring your own device’ How will it impact your company

In case you haven't heard, the Bring Your Own device to work strategy is doing the rounds in the more enlightened corporate IT world and is a very attractive option for Developers, Administrators and other IT geeks of that ilk.

That aside, as a non-geek, BYOD will require serious attention to the infrastructure and support policies within your organisation.

The one really good reason not to let employees use their own smartphone, notebook or tablet at work, is because it creates an IT management nightmare.

Firstly or blatantly, there are inherent security and regulatory compliance risks. Unless you have complete control or have great faith the responsibility of IT geeks to protect their own assets.

Even if you restrict and /or allow certain products or technologies that people can bring and use, it will be next to impossible to make sure everyone keeps their machines updated with the proper OS and application patches.

If you use the argument that BYOD will save the company money on assets, their maintenance and their depreciation, you may be disappointed. Many businesses supporting BYOD expect employees to buy and support devices at their own expense but the boundary between the BYOD asset an dthe infrastructure and security policies behind that may be blurred.

Consequently, there is a high risk of holes opening up in your Securoty, DMZ and Firewall. The money not spent on assets may have to be diverted to protect the infrastructure and will require the development of new IT management policies. Can you say your organization is BOYD ready?

To simplify small and midsize businesses (SMEs) should be prepared to sense BYOD and it's impact in the following ways.

#1: Your technology upgrade cycles will be shorter
Most smartphones are turned over every one or two years, because of carrier contracts. That means employees will be exposed to new features more quickly and be able to keep up with business enhancing features made available on open platforms e.g. Skype, Social media, etc.

#2: You will need to consider supporting or including more devices, not fewer
Even if your company chooses not to let employees bring their own smartphones, consumer tablets or notebooks into their work setting, it will need to consider adding more devices to the menu that allows people to work whilst travelling. Consider this an evolution of your corporate benefits or perks strategies. People should be able to choose their own device for work, even if they don’t own them outright.

#3: You need to rethink how you distribute applications
Thanks to Apple, most of us have become really familiar with the idea that you can download pretty much any application you need from searchable store. Over time, employees will come to expect the same from our IT team. Updates and upgrades will be enforced through alerts, much like the store concept.

#4: You need to raise your game on mobile security
Mobile malware and antivirus software packages exist, but they haven’t been widely used. If you allow people to bring their own mobile device, that needs to change. What’s more, your organisation will need to govern what data can and cannot be downloaded locally. That’s especially true in certain industries, especially healthcare or financial services where the Data Protection Act is very pertinent.

#5: You need to rethink the concept of mobility.
IDC expects the number of mobile workers worldwide to surpass 1.2 billion by 2013. Why would you provision someone with a desktop computer, even if it is a person who traditionally works in a back office position, if there is a chance that he or she might need greater flexibility in the future?

Forrester Research predicts that up to 60 percent of information workers will need to work in some location outside their office during the average workweek. Does that number fit well with your asset projections for notebook computers, media tablets or smartphones in your organisation?

Bring Your Own Device to work certainly has an allure and attraction from an financial asset management perspective and as a motivator for Developers and IT Geeks but have we thought this all the way through and are we, and our organisations really ready to adopt this strategy.

How Many (non-UK) Slaves Work for YOU?

Methodology:
How did SlaveryFootprint.org come up with the total number of slaves working for me?

MY TOTAL SLAVERY FOOTPRINT represents the number of forced labourers that were likely to be involved in creating and manufacturing the products I buy.

This is determined based on information regarding the processes used to create these products as well as investigations of the countries in which these stages of production take place for known slave labour (within these specific processes.)

This number is compiled from multiple individual product scores (see below).

To create individual scores, SlaveryFootprint first chose to investigate slave labour usage in the supply chains of more than 400 of the most popular consumer products. SlaveryFootprint used the following definitions of slave labour:

How do we define Slavery? (Forced Labour):

Anyone who is forced to work without pay, being economically exploited, and is unable to walk away.

Note: Forced Labour, also known as involuntary servitude, may result when unscrupulous employers exploit workers made more vulnerable by high rates of unemployment, poverty, crime, discrimination, corruption, political conflict, or cultural acceptance of the practice.

Immigrants are particularly vulnerable, but individuals also may be forced into labour in their own countries. Female victims of forced or bonded labour, especially women and girls in domestic servitude, are often sexually exploited as well.

After investigating the slavery usage in individual product components, based on the most common places in which they are mined, grown or made, we assigned scores to each of these 400+ products.

These scores were based on a complex algorithm that determines the minimum number of slaves (forced laborers) used to produce each product. This algorithm is graphically represented in the diagram below:

Product Score

Represents the likely number of forced labourers that have been involved in creating the product at some stage in the process of production. Slavery must be known to exist to a significant degree in some stage of production.

Source Score

Represents the probability that each source is produced in a country using slave labour in its production to a significant degree.

Manufacturing/Assembly Score

Represents the probability that the final product is manufactured in a country using slave labour to a significant degree.

Weights, Measurements, and Reports

Each score therefore represents the likelihood of slavery used in production. This likelihood was developed from investigations and research drawn from the following sources:
The five main reports used were:

• 1. US Department of State “Trafficking in Persons Report 2011” The most comprehensive worldwide report on the efforts of governments to combat severe forms of trafficking in persons.
• 2. US Department of Labour (DOL) “List of Goods Produced by Child Labour or Forced Labour 2010” A list of goods from countries that the Bureau of International Labour Affairs has substantiated used of forced labour or child labour its production.
• 3. International Labour Organisation’s (ILO) “Committee of Experts Reports 2011-2003” The US Committee of Experts undertakes investigations of government reports on ratified conventions. The Committee's role is to provide an impartial evaluation of violations of international labour standards.
• 4. Transparency International‘s “Corruption Index 2010” This index is used to measure and quantify the levels of public sector corruption in 178 countries around the world.
• 5. Freedom House “Freedom in the World 2010 Combined Average Ratings – Independent Countries” The Freedom in the World 2010 survey contains reports on 194 countries and 14 related and disputed territories. Each country report includes a narrative on the following information: population, capital, political rights (numerical rating), civil liberties (numerical rating), status (Free, Partly Free, or Not Free), and a 10-year ratings timeline.

Additionally, SlaveryFootprint utilised published data pertaining to forced labour issues. This included vetted data drawn from a variety of international sources. The following inclusion criteria were used:

• Drawn from ONE Internationally credible source with expert review i.e. ILO, International Office for Migration, World Health Organization (WHO), United Nations Security Council
• Referenced in at least TWO multi-national reliable sources i.e. CNN, Human Rights Watch, Amnesty International
• Reported on by at least THREE disparate and unrelated local news sources i.e. The Guardian, Swedwatch, Jakarta Post, Enough Project

Note: This data set will continue to be expanded based on emerging research and the results of further investigations that meet the aforementioned inclusion criteria.

Qualifications

To ensure peer review and confirmation of these data sets and their sources, methodology, and results, SlaveryFootprint convened experts on the issue from government, academia, non-government organizations, leading think tanks as well as independent experts.

Creating a Composite Score

To combine individual product scores into one composite score assigned to an individual, a survey was developed to assess and quantify an individual’s consumption.

To make this survey both meaningful and time-effective, iterative processes of inherent assumptions were utilised based on focus group assessments.

Assumptions were based on defining factors inclusive of, but not limited to, age, sex, domicile, and family size. Composite scores were quantified based conservative estimates.

Note: Slavery Footprint 1.0 is not based on specific brands or manufacturers.

For more information about SlaveryFootprint's methodology, scoring or organisation email info@slaveryfootprint.org or visit the SlaveryFootprint website.

Salary Negotiations: An HR View

As employees, we become nervous and concerned when entering salary negotiations but, as with all negotiations, it is good to know where the HR person is coming from. It always helps if you're both speaking the same language.

First of all, it’s not every company that tries to make their personnel derisory offers. All HR personnel want motivated and balanced teams, therefore individual satisfaction with your salary offer is important to them and is a big motivator for the coming year.

In one instance we have had HR personnel speaking about 'percentiles.' This is a very common way of talking about company finances and investments but employees may be less aware of it's significance in salary negotiations. The key factor is to ascertain that you are both on the same page and when it comes to stats, that may be awkward.

Your View of Salary Band

If, during the negotiation you are told they you are currently below the 50th percentile and you will be advanced closer to the 75th percentile, would you be pleased to accept this?

From your side, you will have in your mind a graph similar to the one above, making the 'logical' assumption that the salary band is divided from 0% to 100%. But that may not be the case in the HR stats world you are facing.

Your HR representative is looking at a different picture entirely.

We have had enquiries where HR personnel talk about percentiles but that is not normally the term used. HR would normally use the term “compa-ratio” and describe it around a midpoint on a salary curve. That midpoint is label as 100%. It’s the exact same graphical shape, except it is statistically 'labelled' differently. See below:

HR View of Salary Band

So, when a 'deceptive' HR person says you are getting paid at 75%, she wants you to think in terms of the first graph, believing you are getting more money than 75% of the people who do similar jobs.

This sounds OK, doesn’t it? The reality is, a compa-ratio of 75% means you’re getting paid less than the average person in the job. Not so good.

Salary compensation isn’t an exact science. A lot of it is pure guess work and gut feeling. Some companies do arrange salary surveys, but commonly, no two jobs are identical, even across organisations.

When, determining what salary band to slot a particular job into, a lot depends on what the manager is willing to pay for the positions and what's left in his budget. Unfortunately, Job Descriptions are often written or re-written, to fit a certain salary, not the other way around.

Additionally, most companies don’t allow your salary to be much more than 105% of midpoint anyway. You are never going to get 125% of “midpoint,” set your mind to it, that's just not happening.

Your potential for raises are also determined by your percentile. If you’re at 75% and have a fantastic performance rating, you probably believe you can expect a big raise. However, if you’re at 100% and have an even better performance rating, you may end up with a tiny raise. All this is because of that little bell curve and it's intransigent labels.

On principle, HR don’t want you going over 100%, so you won’t get a big raise no matter how fabulous you are. You have come to the point whereby to get a good raise, you have to get promoted into a different salary band, which is a whole different ballgame.

So, in reality, 75% is not a great place to be but in that position you’re nearing the top of what can be expected in that job, and you still have room for an increase in salary.

As a rule if you are given an updated salary offer, ask, “What is my compa-ratio?” and if they say, “You’re at 100%!” ask, “Is it possible for this job to be upgraded?” Because while you may be happy with the salary, you also know that come next year, you're getting no rise.

So, whilst you have the HR person's attention, ask about re-grading the job. They may roll their eyes and say no or they may say they will consider it but from your side, request a note be made in your file that you are reaching the ceiling and would like to advance your position. Worst case, you will sound ambitious.

NB: Negotiating salary is all about proposal and rejections: trying and taking risks. Sometimes offers are firm on salary. Sometimes they are not.

Sometimes companies will move more on benefits and other factors. Things like vacation, commuting and work schedules, which may be more important to you than a few dollars more.

Hopefully you can now enter the salary negotiations arena a little better armed. Good luck!

Paris Blocks Escalation of Rooftop Radiation

The Mayor of Paris has halted construction of additional cellular phone towers to the city’s roofs this week, according to Le Monde

The City established a pact in 2003 with mobile service providers to allow certain companies to construct cellular towers on municipal buildings within stated limits.

The decision to stop construction of the towers coincides with the end of the city’s contract with the mobile service companies.

Paris is the only city in France to have an agreement with cell phone companies which limits the exposure of electromagnetic waves to two volts per meter over 24 hours.

The mayor has accused the French Telecom Federation of allowing exposures of up to 15 volts per meter, levels that some reports deem unhealthy.

The European Environmental Agency reported in 2007 that health risks are associated with electromagnetic waves, though the threshold of a “dangerous” level remains highly contested worldwide.

Some advocacy groups like Ecoforum, based in the south of France, insist that levels above 1.5 volts per meter pose health risks.

In a public test at the beginning of this month in Marseille, Ecoforum’s president, Hugo Espinoza, tested emissions with a smart phone that registered eight volts per meter.

Despite the uncertainty of any imminent health risks, the 186 current cellular towers which spike the skyline of Paris may soon be removed.

Deputy Mayor Mao Péninou told Le Monde, “We are also looking at legal options for the facilities currently in place. They are no longer serving as experiment sites, so we will see how we can legally dismantle them.”

While Parisians can rejoice in the improved visual aesthetics of removing the cellular towers, the discussion on cell phone use continues in France.

Last Saturday, the French Association of Environmental health launched a new study in the south of France to study the effects of the waves in social housing structures.

Researchers hope to re-evaluate the safety French volt exposure limits, which remain higher than other European countries.

Politicians Peddling Fear and Terror

Why did the approval ratings of President George W. Bush, who was perceived as indecisive before September 11, 2001 soar over 90 percent after the terrorist attacks?

Because Americans were acutely aware of their own deaths. That is one lesson from the psychological literature on “mortality salience” reviewed in a new article called “The Politics of Mortal Terror.”

The paper, by psychologists Florette Cohen of the City University of New York’s College of Staten Island and Sheldon Solomon of Skidmore College, appears in October’s Current Directions in Psychological Science, a journal published by the Association for Psychological Science.

The fear people felt after 9/11 was real, but it also made them ripe for psychological manipulation, experts say. “We all know that fear tactics have been used by politicians for years to sway votes,” says Cohen. Now psychological research offers insight into the chillingly named “terror management.”

The authors cite studies showing that awareness of mortality tends to make people feel more positive toward heroic, charismatic figures and more punitive toward wrongdoers.

In one study, Cohen and her colleagues asked participants to think of death and then gave them statements from three fictional political figures.

One was charismatic: he appealed to the specialness of the person and the group to which she belonged. One was a technocrat, offering practical solutions to problems.

The third stressed the value of participation in democracy. After thinking about death, support for the charismatic leader shot up eightfold.

Even subliminal suggestions of mortality have similar effects. Subjects who saw the numbers 911 or the letters WTC had higher opinions of a Bush statement about the necessity of invading Iraq. This was true of both liberals and conservatives.

Awareness of danger and death can bias even peaceful people toward war or aggression. Iranian students in a control condition preferred the statement of a person preaching understanding and the value of human life over a jihadist call to suicide bombing.

But primed to think about death, they grew more positive toward the bomber. Some even said that they might consider becoming a martyr.

As time goes by and the memory of danger and death grows fainter, however, “morality salience” tends to polarize people politically, leading them to cling to their own beliefs and demonize others who hold opposing beliefs—seeing in them the cause of their own endangerment.

The psychological research should make voters wary of emotional political appeals and even of their own emotions in response, Cohen says.

“We encourage all citizens to vote with their heads rather than their hearts. Become an educated voter. Look at the candidate’s positions and platforms. Look at who you are voting for and what they stand for.”

Thinking of Creativity - Hold a meeting - Cartoon

UK NHS Privatisation and the Corporations Driving it

iPhone keylogger: Snooping on desktop typing

Security researchers have discovered they can detect the vibrations caused by using a computer keyboard and read off what is being typed simply by placing a smartphone with a keylogging app on the desk nearby.

Patrick Traynor and colleagues at the Georgia Institute of Technology in Atlanta were able to use the motion sensors inside an iPhone to read keystrokes from a keyboard 5 centimetres away with up to 80 per cent accuracy.

The sensors don't recognise the vibrations of particular individual keys, but for consecutive pairs of keystrokes they can tell whether the keys are on the left or right of the keyboard and how close together they are.

This information is then matched to a dictionary to recreate the typed word. For example, the word "canoe" breaks down into four pairs: "CA", "AN", "NO" and "OE". The first pair is classified as left-left-near, the second is left-right-far, and so on.

The resulting patterns aren't unique to a particular word, but they are good enough to reconstruct a message when you already know something about its contents.

The team tested their algorithm on a dictionary of 799 words such as "mayor" and "ballot" gathered from news articles about an election in Chicago.

The algorithm provided its best guesses for matching patterns to words, identifying the correct word as a first guess 40 per cent of the time and as one of the top five guesses 80 per cent of the time.

"Context can help us figure out what was really typed when mistakes are made," says Traynor – and a human attacker could fill in the blanks by making their own guesses.

Read more at New Scientist

Microsoft PocketTouch - YouTube

The second presentation innovation Microsoft has announced, is called PocketTouch and it is aimed at making smartphones receptive to touch gestures through fabric, such as a pocket, purse, or jacket.

The idea is that sometimes people want to quickly interact with a smartphone without having to pull it out. Microsoft refers to PocketTouch as an “eyes-free” solution. Here’s the description:

PocketTouch enables a rich set of gesture interactions, ranging from simple touch strokes to full alphanumeric text entry. Our prototype device consists of a custom multitouch capacitive sensor mounted on the back of a smartphone.

Similar capabilities could be enabled on most existing capacitive touchscreens through low-level access to the capacitive sensor… Our results suggest that PocketTouch will work reliably with a wide variety of fabrics used in today’s garments, and is a viable input method for quick eyes-free operation of devices in pockets.

PocketTouch are evolutionary steps of a larger effort by Microsoft Research to investigate the unconventional use of touch in devices to extend Microsoft’s vision of ubiquitous computing.”

It’s terrific to see Microsoft innovating on multitouch since it’s obviously a critical element of the future of computing. However, Microsoft Research has a track record of showing off lots of cool stuff that never comes to market.

They need to follow the lead of IBM’s prolific research devision, which is much better at commercializing and productizing its best innovations — or at least maybe IBM only shows off stuff that has a reasonable path to becoming a real product. Still, in this case, it looks like Microsoft has a couple innovations that aren’t just cute ideas.

Back from the Future! DeLorean to be resurrected

If you fell in love with the DeLorean in the Back to the Future movie series, the good news is that in 2013, you'll be able to buy a real one again.

It won't have a flux capacitor, won't time-travel and it'll still be a thirty year-old design (albeit styled by Giugiaro and structurally redesigned by Colin Chapman of Lotus fame after Delorean himself screwed up the first design).

It will have a 200+ bhp electric motor, not the original asthmatic V6 producing 130 bhp, and those awesome gull-wing doors and it'll be really retro cool.

It won't be called the DMC-12 any more either, because the 12 stood for its new price at launch - US$12,000. The new one will cost you between US$90,000 and US$100,000.

Background
Texas entrepreneur Stephen Wynne started the current "De Lorean Motor Company" in 1995 after acquiring the name and remaining parts inventory and since 2007, around 40 whole De Lorean cars have been produced from the spare parts cars.

Now the company is to go another step, and at an International De Lorean Owners Event in Houston a few days back, the new electric De Lorean was announced.

"Now we are working with electric-car startup Epic EV to put an all-electric DMC-12 into production by 2013" was the announcement on the De Lorean web site. The three-wheeled Epic EV just happens to use a 200 bhp+ electric motor too.

The Orginal
One of the original De Lorean machines used in the shooting of the "Back to the future" film franchise is to go under the hammer at an auction in December. The car is expected to fetch in the ballpark of $400,000-$600,000.

Check out the video of the new Epic EV below.

Use Any Surface as a Touchscreen - OmniTouch - Video

Watch the video to see how users can create a screen, move an image on the screen, zoom in and out, paint using a palette of colors, select buttons on a menu.

This week, Microsoft and Carnegie Mellon researchers are unveiling OmniTouch, a system that turns any surface into a touchscreen.

Composed of a depth-sensing camera and laser-based pico projector (more on that in a second), the contraption looks like a flattened-pancake version of R2D2 and sits on the user’s shoulder.

The user first creates a screen wherever he or she likes — such as a hand, arm, wall, table or pad of paper — and then, just like with any other touchscreen, uses fingers to navigate it.

The screen is created with the laser-based pico projector, which is an electronic system placed on a tiny chip. It transforms the image into an electronic signal, which then sparks laser lights of different colors.

Those in turn get copied and projected by mirrors, pixel-by-pixel, onto the selected surface.

The depth-sensing camera then detects when a user’s fingers are touching the “screen” (the surface the user has designated) and “pressing” a button on it.

To get the technology to work, the researchers needed to teach the system how to recognize fingers, which are crucial to the technology because they create screens, select buttons, zoom in and so on.

They dissected the qualities of fingers and developed a method for determining when a finger was “clicking” on something.

Researcher Hrvoje Benko said:

In this case, we’re detecting proximity at a very fine level. The system decides the finger is touching the surface if it’s close enough to constitute making contact. This was fairly tricky, and we used a depth map to determine proximity. In practice, a finger is seen as “clicked” when its hover distance drops to one centimeter or less above a surface, and we even manage to maintain the clicked state for dragging operations.

The technology was unveiled at the 2011 UIST, a conference on innovations in the ways humans interact computer in Santa Barbara, Calif., from October 16-19. Benko and Carnegie Mellon Ph.D. student Chris Harrison and Andrew D. Wilson of Microsoft wrote about the technology in this paper.

Siri: Apple Selling the Concept of Natural Language Computing?

One of the main iPhone 4S features touted by Apple during yesterday's announcement was the phone's built-in Siri feature.

Siri is a virtual personal assistant with additional dictation features that lets you accomplish various tasks simply by speaking to your phone.

If it sounds like a familiar concept, it is. Similar apps have existed for a while on other platforms and, until yesterday, even Siri itself was an app in Apple's App Store that worked on previous iPhone models.

The iPhone 4S version of Siri, however, has deep access to much of the iPhone 4S' core functionality and built-in apps, while the previously-available Siri app could only access a handful of third-party services.

While Siri's ability to work with natural language is impressive—see the demo video above or click here to watch Apple's keynote and skip ahead to the 71:30 mark, it'll be really interesting to see how many people actually use the iPhone 4S' voice command features regularly.

Being able to say, "What's the weather like today?" and having the phone open the weather app is cool, but seems like a marginal time saver compared to opening the app yourself.

But the slightly more complex actions like telling it to remind you to call your wife when you leave work, which will create a reminder for you and then leverage the phone's location features to sense when you physically leave your office before reminding you—are what will get people most excited about it.

The most important factors that'll ultimately determine Siri's success are whether Apple's able to truly make it an it-just-works experience, something Apple's pretty good at, in case you hadn't heard and, perhaps more importantly, getting as many people using the feature as possible.

While it'll just be available on the iPhone 4S at first, don't be surprised to see it creep into Apple's other product lines like iPads, iPods and computers.

In fact, it appears that while Apple's positioning Siri as an exclusive selling point for the iPhone 4S, there's really nothing keeping it from working on other Apple devices right away.

The iPad 2 and Mac computers have enough horsepower to run Siri, but I'll be interested to see if Apple also opens up Siri for use on the original iPhone 4 and even the iPod Touch in the future.

We may someday see that Siri becomes just an integrated feature of the iOS software running on all of Apple's portable devices.

If and when that happens, it'll then be a question of how ingrained the use of Siri becomes with Apple device owners.

If you see people barking orders at their iPhones, iPads and MacBooks in public instead of tapping away at their screens and keyboards, you'll know that the promise of natural language computing has taken another big leap forward.

Why 50+ ers Can't get re-employed

Employers' reasons for favouring younger workers over older workers are often inaccurate but are commonplace in the marketplace: Older workers have more experience and have a historic timeline to use as a salary touchstone.

Therefore, they will request or command higher salaries that smaller organisation are reluctant to pay.

The healthcare overheads, by way of time off sick and possibly health care costs can be higher than younger workers'.

Some employers or hiring personnel, mainly younger staff, view older workers in the same way as their parents i.e. dominant and stubborn, stuck in their ways.

They may also view older workers' current skills or attitudes, as outdated or not completely aligned with what they want. Something that can be easily overcome by training.

We do not condone age, or other discriminatory bias and you will hear very few HR and personnel departments admitting it exists in their organisation.

Clearly, all the reasons employers trot out to not hire older workers are superficially flawed, ridiculous and /or short-sighted. Unfortunately, ageism is real and it is preventing older job seekers from landing jobs in an already fickle, and hyper competitive job market.

It is also reducing the effectiveness and depth of skills available to smaller companies, rendering them less able to compete in tight market conditions.

Good managers can always assess, align and harmonise the views of their staff and by treating them as individuals, they can balance their strengths and weaknesses, to the benefit of their organisations. From this, you can surmise that any form of discrimination is an indication of poor management skills, lazy and short-sighted thinking.

WANTED! Telling LinkedIn Followers You've Been Laid Off

Many people who’ve been laid off feel like crawling into a deep, dark hole and hiding from the World, rather than broadcasting their new job status.

Fortunately, if you want to find another position, that’s precisely what you should do. Get over the past and get on with the future!

In the current economy, with so many talented people being let go, there is absolutely no shame or stigma whatsoever” in clearly indicating that you are 'out of work.'

You exude confidence by not being ashamed that you’re between jobs. LinkedIn, which functions as an electronic resume, is a valuable tool to help you spread the word.

Until they are laid off, some folks either don’t know how to use LinkedIn, or have a very skeletal presence on the site. Perhaps, mistakenly, they think of it as a job search tool and either aren’t looking or don’t want their bosses to know. Most just cop out and say they are 'too busy.'

LinkedIn has comeof age. Three years ago, senior people thought LinkedIn was for lower-level employees. Not any more. Now everybody is connected and checking each other out.

Hr personnel will look you up on LinkedIn, before they will consider asking you for an interview.

If you suddenly find yourself out of work, toughen up. Develop a “robust, 100% complete LinkedIn profile.

LinkedIn claims that their site is so user-friendly that even firt timers and newbies can find their way.

Those who need guidance have to rely on LinkedIn’s online tutorial or enlist help from a more experienced friend or passing tech-savvy teenager.

In creating a new profile or editing your current one, be very public about the fact that you’re looking for new opportunities. No matter how difficult this is, it's an issue you have to address as you wind your way though the key sections of the LinkedIn template.

Where do you start? Try this approach;



Professional Headline
In this line, which goes under your name, give a generic description of what you do or a sample job title (for example, Chief Security Officer, Senior Human Resources Officer).

Use this label of yourself as a guide to what you aspire to be and feel confident about, rather than feeling limited by what your last job title.

Current Position
You’re now out of work, so the “Current” heading should be deleted but before you do, cut and paste your previous company and job title into the “Past” section.

Now click “edit” and “delete,” and make the “Current” heading disappear. Don’t be concerned that your job shows an end date. It’s very acceptable these days to be 'resting' or 'between' jobs.

Summary
In a couple of short, pertinent paragraphs, make sure you emphasise your key skills and submit good examples of major accomplishments.

Conclude with a sentence that says “I am currently looking for new opportunities in ......" and mention specific functions and industries where you can prove your worth.

When trying to fill positions that are now open, both headhunters and in-house folks with responsibility for filling a job routinely comb LinkedIn for people who are out of work; it saves them the trouble of having to convince someone who is currently employed to switch jobs.

So, instead of pretending and feeling sorry for yourself, it’s actually to your benefit to indicate that you’re open to new opportunities.


Experience
Make sure your descriptions of past jobs adequately convey what you did. Standard rules of resume writing apply here: use active verbs, amply convey your responsibilities, and show results.

Since words are scarcer in social media, aim for punchy, and currently applicable soundbites. Get recommendations from your current or most relevant jobs that reflect varying perspectives. Managers, colleagues and more effectively, a client.

Education
For the over 40s and beyond, the dates and qualifications of a dark distant past are normally irrelevant. Experience counts for more when looking to recruit, unless the qualifications have been extended or form part of a professional code of conduct e.g. medicine, science, etc.

How do you know when you’re finished? 
Just remember you are not a artist painting a picture. There is a finite amount of information that you need to put in your profile but as a guide, LinkedIn tries to measure your progress.

When you’re in “Edit Profile” mode on LinkedIn, there’s a metric that attempts to show the percentage completeness of your profile.

Also, LinkedIn will make suggestions about what you’re 'missing' beit a job description, photo or recommendations. Keep revising until you get as near to hitting the 100% mark, as possible.

Then, to be sure, proof read it again vigilantly. you can also ask a friend or relative to check it for basic errors.

Good luck!

The Decision-Making Flaw of Powerful People

The decisions made by powerful people in business and other fields have far-reaching effects on their organizations and employees.

But this paper finds a link between having a sense of power and having a propensity to give short shrift to a crucial part of the decision-making process: listening to advice.

Power increases confidence, the paper’s authors say, which can lead to an excessive belief in one’s own judgment and ultimately to flawed decisions.

Previous research has shown that the quality of decision making declines when people stick too much with their own beliefs and discount too readily the advice of others; outside information helps “average out” the distortions that can result when people give a great deal of weight to their own opinions and first impressions.

This paper is among the first to examine whether power — defined as an individual’s “capacity to influence others, stemming in part from his or her control over resources, rewards, or punishments” — reduces or increases a person’s willingness to heed advice.

Using four experiments, including one in a real-world business setting, the researchers employed a form of 360-degree assessment to explore the relationship between power and openness to others’ input.

In all four studies, they found that powerful people were more likely than those with less power to disregard and mistrust outside perceptions and advice — and that men were more likely than women to disregard guidance from others.

The researchers further discovered that confidence was perceived by many as an important attribute of leadership.

They concluded therefore that many powerful people, over time, come to see taking advice as a sign of weakness, assuming that they should project total confidence in their views alone.

This, argue the researchers, can be a dangerous assumption.

Read more on this article: The Decision-Making Flaw in Powerful People