As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is a methodology to consider what might happen in the future, and what the impact will be. Instead of trying to predict a future, we determined two dominant uncertainties about the future, and combined these in four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in CIO Magazine nr. 2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days. This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:
After listing uncertainties about what the future of privacy could be, we selected the two main uncertainties (through consensus). These were:
- how the privacy regulations evolve: high (strict privacy regulations which are enforced and with high penalties) or low (relaxed regulations, little enforcement and low penalties),
- privacy awareness: low (no-one cares) or high (a major concern and therefore potential differentiator).
Combining the two main uncertainties resulted in the four scenarios below.
The scenarios are:
- In the Tick Box scenario regulations are very strict, but people generally don’t care. An organisation thus has to fulfill privacy requirements to satisfy lawyers rather than customers. One could consider this money wasted…
- In the Fear scenario privacy is a hot issue. Both regulators and people in general care a lot about privacy, and privacy requirements are a major issue. A CIO should ‘fear’ not being able to fulfill privacy requirements. A company should invest in privacy-by-design, privacy-enhancing technologies and privacy expertise in general.
- In the Choice scenario the regulations are relaxed, but people do care about privacy. There is thus a choice from the perspective of the business, and privacy is a differentiator.
- In the Ignore scenario neither regulators nor people care, and privacy is not an issue for the CIO.
It was interesting and fun to facilitate this session. By doing it in a session (starting in subgroups) we got everyone involved (wisdom-of-the-crowd). Since we, of course, had little time we did not go into details on the different scenarios, but I think all of the participants (including myself) learned something on how privacy may evolve, and how to use scenario planning to be prepared for an unknown future.
IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed an IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea how to abbreviate this: SuaaaS?) The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthiness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second factor authentication and an additional face-2-face check of who this digital identity (and second factor) actually belongs to.
From a user perspective, the service has a self-service interface to register a second factor (see mock-up below), an interface for the identity providers for user management (see second mock-up below), and of course every time a step-up authentication is needed the user is redirected to the Step-up authentication as-a-Service to authenticate with this second factor.
eRecognition (in Dutch: eHerkenning) has won, congratulations to Logius, ICTU, the Ministry of Economic Affairs, all the participating companies in eHerkenning and of course especially to the people that have contributed to eHerkenning! Below is the official press release. What I’d like to personally add to this is that I think it is great that eHerkenning simply started facilitating business-2-government identification, with the parties that saw opportunities to provide identity services and only a limited set of government service providers. It now has a growing usage, and is also targeting business-2-business.
Physically the award is a small statue (ceramics), from the artist Alexandra Veneman. A (slightly shortened) explanation of her idea when she made this:
For the third year in a row I’m responsible for the Novay Digital Identity Award, which Novay in collaboration with IDentity.Next will give to an innovation in the area of digital identity. The first winner (2010) was Ziggur (digital death service), last year’s winner was Edentiti (online identity verification).
We have an independent jury (which I’m not in), which picked three nominees for this year:
- Evolok – which combines identity & access management with a paywall system for online content. Ease of use for consumers, flexibility w.r.t. business model for online content providers.
- eRecognition – an identity trust framework from the Netherlands, for business-2-government (and also aiming for business-2-business). Ahead of similar initiatives in US (NSTIC) and UK, and usage is increasing.
- IDchecker – a company that is very big in a niche market: a SaaS service for verifying physical ID documents based on an optical scan, or, IMHO much ‘cooler’, using a mobile app.
I copied the official announcement/press release below (the Dutch version is here). The winner will be announced on 20 November, during IDentity.Next in The Hague.
The Dutch Banking Association (NVB) has for a couple of years now made internet banking fraud numbers in NL public, with updates every half year. The damage for the first half of 2012 was €27.3M, compared to €35M for the whole of 2011 (see graph below, with the amount for 2012 calculated by simply doubling the first half of 2012). The relative increase, again calculated by simply doubling the €27.3M to get a number to compare to the €35M, is roughly 1.5 times. This means the growth is less than it was in previous years (see the graph below). Also if you compare the first half of 2012 to the second half of 2012, the growth has decreased to 14%. This does not mean that I’m optimistic: the fraud still increases, and the absolute numbers are also becoming worrisome. With ~11M internet banking users, this is ~€5 per user, which is IMHO significant.
As one would expect, the NVB mentions that attacks are becoming more malware and less ‘old-fashioned phishing’ based. I’d be very interested to see statistics on internet banking fraud with the increasingly popular mobile banking apps, but the NVB unfortunately does not provide these numbers.