Krzysztof 'Chris' Daniel
Would you survive the loss of your phone?
In this blog post, I show how to use Wardley Mapping to increase resilience, using personal security as an example.
Recently, I have been playing with the concept of using Wardley Mapping to achieve personal resilience or even antifragility. What I found very interesting is how my thinking has changed from 'achieving goals' to 'avoiding utter failure'.
'Utter failure' means anything that significantly limits your options and prevents you from seizing opportunities of which you may not yet be aware. In my case, almost everything depends on my online presence.
I am certainly not prepared for a long-term Internet outage. It does not matter what would cause it. Be it cyber-war, human error or malicious action - the effect on me and plenty of other people will be the same. Since it would be an event affecting the masses, I expect some government help. Still, here is the action I need to take:
[ ] prepare for the survival of a week without the internet
That should be enough to avoid any critical damage to my life or my family's life.
But if you look at the value chain below, which represents my online presence, you will notice that there are two single points of failure:
my laptop - I think I am following reasonable practices here. Losing the laptop is painful, but I can use my backup laptop, which has all the critical documents I need synchronised through OneDrive.
my phone - that makes me sweat. 2-factor authentication depends on me having a specific device. Take it away, and I am done.
Losing access to the phone may not be very probable, but if it happens, I am in deep trouble, as I am cut off from plenty of essential services. And, in this case, it affects only me, so I cannot expect government help. This is something I have to solve by myself.
A bit of research has revealed that I have to decouple my online identity from the phone, which involves using at least two security tokens (see Fig 2).
The trick is that having multiple tokens (at least two), one always carried with you and one backup stored somewhere safe, lets you use at least some critical services even if your phone is inaccessible, provided the identity provider itself is still available.
This brings three additional actions:
[ ] have at least two different identity providers for critical services
[ ] have at least two security tokens, one stored in a safe place
[ ] have the contact details of important people stored in a traditional way (on paper), which is useful for recovery.
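The decoupling described above can be checked mechanically. The following is an added example, not code from the original post: it models the value chain as a dependency graph where each node is reachable if any one of its alternatives is fully reachable, and reports which physical items are single points of failure. The service, provider and token names (idp_A, token_carried and so on) are constructed placeholders.

```python
from typing import Dict, List, Set

# A node is available if ANY alternative has ALL of its dependencies available.
# A node with an empty alternative list is a leaf: a physical device or document.
Chain = Dict[str, List[Set[str]]]

def available(node: str, chain: Chain, lost: Set[str]) -> bool:
    # True if 'node' can still be reached when the items in 'lost' are gone.
    if node in lost:
        return False
    alternatives = chain.get(node, [])
    if not alternatives:
        return True
    return any(all(available(dep, chain, lost) for dep in alt) for alt in alternatives)

def unreachable_services(services: List[str], chain: Chain, lost: Set[str]) -> List[str]:
    # Services that become inaccessible once 'lost' is removed from the chain.
    return sorted(s for s in services if not available(s, chain, lost))

def single_points_of_failure(services: List[str], chain: Chain) -> Dict[str, List[str]]:
    # Leaf items whose loss alone cuts off at least one service.
    leaves = [n for n, alts in chain.items() if not alts]
    result = {}
    for leaf in leaves:
        cut = unreachable_services(services, chain, {leaf})
        if cut:
            result[leaf] = cut
    return result

# Constructed value chain BEFORE: every critical service relies on one identity
# provider whose second factor is an authenticator app on the phone.
SERVICES = ["email", "bank"]
BEFORE: Chain = {
    "email": [{"idp_A"}],
    "bank": [{"idp_A"}],
    "idp_A": [{"authenticator_app"}],
    "authenticator_app": [{"phone"}],
    "phone": [],
}

# AFTER applying the checklist: two hardware tokens registered with each identity
# provider (one carried, one in a safe place) and a second provider for email.
AFTER: Chain = {
    "email": [{"idp_A"}, {"idp_B"}],
    "bank": [{"idp_A"}],
    "idp_A": [{"authenticator_app"}, {"token_carried"}, {"token_safe"}],
    "idp_B": [{"token_carried"}, {"token_safe"}],
    "authenticator_app": [{"phone"}],
    "phone": [], "token_carried": [], "token_safe": [],
}
```

Only leaves are reported as single points of failure, so a provider that every service still depends on (idp_A for the bank in AFTER) is caught by passing it as the lost item explicitly, which is exactly what the first checklist action addresses.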
The cost of this setup should not be more than $100. Is that a fair price?
I know some of you will find it unnecessary. How do you assess the impact of losing your phone on you? How are you protecting yourself? I am very curious to learn your opinion.
Would you be interested in running a similar exercise for your organisation to see where you could improve your resilience? If yes, drop me a line.