Archive for the ‘Office and culture’ Category

With the news this morning that your eHarmony or LinkedIn password was posted on a Russian website, people are frantically changing their passwords today. Or so one hopes.

Why all the urgency?

Should anyone be concerned that some troublemakers are going to hack your LinkedIn profile and change your Harvard MBA to one from Ohio State (oh the humanity) or change your eHarmony preferred mate preference from athletic to BBW (oh the humanity)? What you should really be worried about is that your stolen password can also be used to access your bank accounts or email. (Oh, I hadn’t thought about that!)

In truth, the posting of passwords probably doesn’t matter because, according to a 2011 study of passwords, the most common passwords are the following:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

Shocking isn’t it? (I can believe people actually use ‘monkey’ as a password. Huh.)

This article also goes on to list some suggestions for creating and maintaining a secure password:

1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.
2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.
3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

I recommend one takes security a step further and also applies the same methodology that author Charles Lutwidge Dodgson employed in selecting his pseudonym Lewis Carroll.

Select a two word password and convert the first word to Latin and then back to English. Next take the second word of your password and convert it to the Latin and then back to Irish. Switch the first and second words and you have a password. Oh ya, and add one of these thingies too: & % $ or @.


Perhaps one of the most famous movie quotes from my childhood was from the 1980 movie ‘The Elephant Man’ based on the life of Joseph (John) Merrick, a severely deformed man in 19th century London. At one point in the film Merrick cries out to an angry mob “I am not an animal! I am a human being! I … am … a … man!”

After all, does it really matter what we look like, how much money we make, where we pray or who we cuddle up with at night? No, because we are all just human beings.

Last night I had the pleasure of attending an event by Dave Howlett, RHB. I had met Dave a few times over the last ten years as his wife and I were B-school classmates. I had heard about his lectures before so when the opportunity arose to attend I jumped at the chance.

Dave is not Tony Robbins, Dr. Phil or some other third guy who talks about stuff. Dave promotes the philosophy of Real Human Beings. Dave just wants everyone to be a “good guy”.

This is not a new idea but the recent Occupy Wall Street protests suggest it is gaining steam. Ted Coine recently asked “What ever happened to the common good”, and I echoed his sentiments in my December 2011 post.

The premise of being a good guy is pretty simple. While everyone would benefit from listening to his presentation, you can literally learn the good guy rules from a t-shirt:

  • Assume everyone is intelligent
  • Have passion for what you do
  • Get over yourself.

After I heard Dave’s good guy philosophy I thought “hey, I am a good guy, I am already doing the good guy things, I am a Real Human Being”.

So when you think about it, if you’re a good guy don’t you only want to work with and for other good guys? I would.


Last week Ted Coine asked ‘what ever happened to the Common Good?’ At some point people stopped doing the right thing and started putting their individual selfish interests ahead of those of their organizations, countries or kingdoms: UBS, the nation of Greece, Queen Cersei, etc.

These days we see squabbling in Washington over the budget because no one wants to do the right thing for the country. Everyone talks to the hand about cutting costs so long as it is not in their backyard.

Just read Sen. Tom Coburn’s (R-Oklahoma) new report on wasteful government spending issued this week to learn about the $936,000 spent to stimulate online soap operas or $75,000 to promote awareness about the role Michigan plays in producing Christmas trees & poinsettia. Dr. Coburn writes: “Over the past 12 months, politicians argued, debated and lamented about how to reign in the federal government’s out of control spending. All the while, Washington was on a shopping binge, spending money we do not have on things we do not absolutely need. Instead of cutting wasteful spending, nearly $2.5 billion was added each day in 2011 to our national debt, which now exceeds $15 trillion.”

What happened to spending for the Common Good?

For those of you who believe $75,000 is not material when compared to $2.5 billion I say shame on you. It’s all those small, stupid expenses that add up. When times are tough at home we stop buying $5 lattes and eating out and shift our spending to what we need and make peanut butter sandwiches every day. (See Maslow.)

Finally, in A Game of Thrones, when Ned Stark became the Hand, King Robert wanted to hold a jousting tournament to honour the new Hand. But when Stark met with his council and learned that the kingdom was practically bankrupt Ned insisted that they don’t hold the tournament as they could not afford it. And besides, he didn’t want it.

The point I am trying to make is that anyone can spend money; but it takes a strong, responsible leader like Ned Stark to not spend it and make the tough decisions for the Common Good.


In his book “Outliers”, author Malcolm Gladwell explains how “The kinds of errors that cause plane crashes are invariably errors of teamwork and communication” as opposed to mechanical causes. Also, they usually happen after a sequence of mistakes and misfortunes and rarely because of one event.

Our respective cultures dictate how we work and communicate with others. Gladwell describes how communication is very formal in many places where there is a social hierarchy between the “inferior” and “superior” person having the conversation. (Think customer and waiter, accountant and CFO, and co-pilot and pilot.)

Even though it’s a co-pilot’s role to take control of the plane when he or she thinks the pilot has made the wrong decision or is unfit to fly, in cultures where the inferior and superior roles are well defined, the co-pilot won’t do the right thing and take control of the plane. Literally and figuratively this type of behavior won’t fly.

Like pilots, CEOs have dashboards with gauges to help them navigate the organization. They also have hundreds or thousands of co-pilots and flight engineers helping to fly these organizations who each have their own dashboards. Unfortunately, if someone hears a beep or sees a flashing light, not only is there no mechanism for warning the pilot, the culture usually won’t permit it. Even in an organization with a Chief Risk Officer or head of risk management, if the culture makes it socially unacceptable to speak up or tell the CEO he’s fucked up, the organization is destined to crash and burn.

The last word goes to Gladwell, who solves this cultural problem by explaining: “Planes are safer when the least experienced pilot is flying, because it means the second pilot isn’t afraid to speak up.”

Original post http://riskczar.com/2011/11/10/gladwell-crashing-planes-and-risk-management

The good folks at Riskviews got me thinking about my least read posts. I’ve been doing this for a few years and understand that no one wants to scroll through over 300 blog entries to find some gems from 2006. So here are a few items you may have missed that might be worth your time.

A Common Sense Approach to ERM

In a sentence, The Riskczar describes the common sense approach to the process of risk management like this: first you identify your risks, then you figure out which ones are the most important, next you decide how to address them, and then you do something about it and tell everyone how you are doing from time to time.

Simple.

Fantasy football pool risk management

Risk Management Monitor addresses the concern about employees spending hours of company time researching and updating their fantasy football picks. Some argue that it’s disruptive – having fired employees or blocked access to certain websites from the company network – while others suggest it boosts morale.

Riskczar believes that fantasy football is merely another workplace distraction. If people were not spending their workday on sports betting, they might be wasting time on Facebook or Twitter. And in places where those sites are banned, your employees may be reading the online version of the Wall Street Journal, shopping on Amazon or searching for a new job on Monster. If we transport ourselves back to 1990 before the Internets, people used to hang out by the water cooler talking about football or the latest episodes of Cheers and the Cosby Show. Unengaged employees have always found a way to slack off. Technology didn’t create that.

And what goes for the workplace often goes for the classroom. When I returned to school in 2001, only a couple of people had wireless Internet access from their laptops. One professor was upset that the surfing was going on and wanted to turn off the connection. Here’s my take: before wifi, people brought laptops to class and played Solitaire and before that people passed notes around or doodled on their hands. Today they probably play on their iPhones or BlackBerry devices. Unengaged students will always find a way to pass the time. Technology didn’t create that.

But in the end does it really matter what your employees are doing with their time so long as all of their work is getting done on time?

The CRO cannot be expected to do what only the CEO can do

Here’s an excellent op-ed piece in US Banker about the role of the chief risk officer and the CEO. This may be the best thing I’ve read in months.

Setting the tone for this article is Warren Buffett who recently wrote in the BRK shareholder’s letter: “I believe that a CEO must not delegate risk control. It’s simply too important. … If Berkshire ever gets in trouble, it will be my fault. It will not be because of misjudgments made by a risk committee or chief risk officer.”

The author writes:
1)  CEO is directly responsible for thoroughly understanding and signing off on all significant risks embedded in the bank’s business strategy
2)  CEO is directly responsible for protecting the bank’s franchise against excessive or inappropriate risks that could derail the business strategy or damage the bank’s reputation and access to capital.
3)  CEO is directly responsible for creating a strong risk culture across the entire bank

Read this article then read it again. Print it out and nail it to the front door of your bank too.

What can Grover teach us about risk management?

In a book called Project Manager’s Spotlight on Risk Management by Kim Heldman, the author references The Monster at the End of This Book by Jon Stone and Michael Smollin to demonstrate the importance of having a risk response plan for dealing with monsters and threats in projects.

I took this allegory a step further and actually read this book to a room full of adults during my presentations on risk management basics.

In the book, Grover is concerned with the monster he is going to find at the end of this book. To mitigate this threat, Grover spends thousands of dollars on costly building supplies to prevent us from turning pages, so that we do not get to the end of the book.

As a risk management professional, I appreciate Grover’s proactive risk management approach, but unfortunately, our blue, furry little friend overreacts to the threat.

If he had only performed a proper risk assessment, rather than basing it on anecdotal evidence – he learns about the monster by reading the title page only – Grover may have realized that the monster did not have the catastrophic impact he expected it to have. It turns out the risk was not even material.

With more due diligence, Grover may have chosen a different risk treatment: he could have accepted the risk by doing nothing or transferred it to someone more naïve like Elmo.

This book is a great primer on risk management and one that your three-year old might also enjoy.


I worked about six shifts at a Burger King in a shopping mall when I was in my teens. I quit because I didn’t care much for wearing the brown pants and hairnet. On my final night, the closing shift, I helped the veterans take the trash out. When we got to the Dumpster my colleagues ripped open a trash bag and pulled out a sealed bag that included dozens of Muppet Babies toys which they smuggled out of the store. Despite the manager’s belief that he had controls that were “watertight as possible”, if your employees want to screw you, they will always find a way to screw you.

Years later, a trader who managed an arbitrage book explained that the bank hired him to exploit opportunities in the market because he was smarter than rival traders and institutional clients. He said to me that if he really wanted to screw the organization he could screw the organization. But he didn’t because he just didn’t.

Pick up any risk management framework to see a common approach to ERM: identify and assess your risks then do something about them. That part is academic. It’s just content. But the frameworks also have a communication and cultural component to them. Changing culture and making risk management a competency is not easy. That’s process.

Andrew Hill from the Financial Times writes about UBS:

Unfortunately, even risk managers working within a well-designed control structure are largely powerless in the face of an embedded corporate culture and a system of skewed incentives. Recent history – particularly in the financial sector – shows rules and processes are far easier to change than bad behaviour and big bonuses.

Remember, anyone can generate a list of risks, and even if you think “Risk is our business”, creating a risk-friendly culture is where the real work needs to be done.

UPDATE: I love when I write something and someone crystallizes my thoughts precisely after I wrote them. Have a look at this post on cnn.com “The catch-22 of catching a rogue trader” by Shelley DuBois as it complements my post. She quotes someone and writes:

“You have to hope that your traders are the finest moral people around. Then, you set up your policies and your rules as if they’re all lying, cheating crooks.”

It wasn’t too long ago that women couldn’t breast feed infants in the workplace and now we have lactation rooms; they are a good way to help mothers transition back to work and continue breastfeeding their child. (That said we may call them “quiet rooms” because naming a room after mammary secretions is still sort of icky.)

In a related story, has a Brazilian judge gone too far by ruling a woman can masturbate at the office? The Huffington Post recently wrote: “A Brazilian judge has reportedly ruled that a 36-year-old female accountant can legally masturbate at work and watch porn on her work computer.” Apparently she suffers from severe anxiety and “combining work with pleasure” up to 47 times a day is the cure.

Despite being taboo, people still seem to manage to watch the porn at work as was reported last year when Pr0N was found at the SEC. What’s more, since she needs to treat her condition that frequently, does she really need the .jpg and .avi files? At 36 she should be an old hand by now, but I digress.

And while this poor lady won her case in Brazil, could a man pull the same thing off (pun intended) in offices in Brazil or any other country? (If you’re a fan of Californication, you will certainly remember that Charlie Runkle was fired for doing it in his office.) 

Thanks to The Business Ethics blog for bringing this story to my attention. To read more have a look at these other posts about this story.

http://www.theemployerhandbook.com/2011/05/court-rules-that-female-accoun.html

http://businessethicsblog.com/2011/05/23/workplace-accommodation-of-masturbation/

In today’s post, I write about the December 2010 article “To Leave an Area After Disaster: How Evacuees from the WTC Buildings Left the WTC Area Following the Attacks” by Rae Zimmerman and Martin F. Sherman. It complements my earlier post about Amanda Ripley’s (2008) book, The Unthinkable.

For those of you who work in tall buildings and who are responsible for ensuring that your employees evacuate safely, this paper published by the Society of Risk Analysis is a must-read resource. It is a well-written 18-page paper that includes just the right amount of statistical data and tables obtained from surveys of people who evacuated the World Trade Center on September 11, 2001.

So the fire alarm just went off and a voice tells you to leave the building. What happens next?

The authors note that not everyone decides to leave their office area immediately to evacuate the building. Many people will make phone calls, gather personal items, look for friends/co-workers or make sure others are able to leave. In many cases, people did more than one of these things before they decided to evacuate.

Similarly, when people arrived safely on the street, not everyone left the area immediately and when that was the case, people indicated they stopped to see what was happening/get more information, looked for friends/co-workers, used the phone or simply didn’t know where to go. (See Table III for a complete list of reasons.)

As someone who is responsible for communicating evacuation information to the 150+ people on my floor, it is quite troubling. Despite efforts to provide fire evacuation training, the authors point out that only half the people “knew enough about the building to safely leave without directions from fire safety or security staff” and only 6% of respondents had “exited the building as part of the fire drills they participated in”. As I noted in my post about The Unthinkable (which I wrote before reading this paper): “I think fewer than 5% actually made it to the recovery site” (when my organization had an evacuation drill last year).

Once again, like all things risk management, it’s about planning and communicating and hoping that people take it seriously enough so they get out when the disaster strikes.

I’ve just updated the Risk Quotes page with a few lines from Amanda Ripley’s book The Unthinkable. It’s an excellent read for anyone responsible for business continuity planning, risk management or even if you are just the fire warden on your floor or worry about what to do when you are caught in a huge crowd.

I organized the evacuation drill on my floor last Fall. Despite training half-a-dozen fire wardens, putting up signs, emailing all 130 staff a few times before the event, I think fewer than 5% actually made it to the recovery site. I recognize that it was raining and we were about 30 floors up, but there was no excuse for that weak effort.

Ripley describes the ways that people behave and think in an emergency (e.g., evacuating a banquet hall during a fire or the WTC on September 11, 2001) and explains why some people panic while others freeze.

My takeaway: training (doing) is the most important thing. Ripley writes on page 49:  “The best warnings are like the best ads: consistent, easily understood, specific, frequently repeated, personal, accurate, and targeted.” Despite my communication efforts, unless I can make people really evacuate and really walk down the stairs before the catastrophe strikes, when a real event occurs, I fear everyone will probably perish (except me because I am gonna be so outta there…)

Again: risk management is important, we just don’t have time for it.

In the interest of full disclosure, I love Starbucks. I admit that I was a Tim Hortons slave for the last decade but nothing gets me going every morning like my grande bold. (Incidentally, I’d like to thank the barista at the First Canadian Place concourse location for complimenting me on my tie this morning.)

But this post is not about my tie nor the risks of reaching across other patrons to grab my two Splendas and dairy canisters; it’s about Chris MacDonald’s blog post on thieves pinching your laptop at Starbucks.

I never leave my laptop unprotected and travel with a lock. I also leave the lock in my truck so I can secure my computer if I stop at the Walmart on the way home – which as the author notes is another hotbed of crime.
