The Attributer's blog

What is the Attributer Blog?

This is a series of articles based around SABSA Business Attributes. Each article takes a new Attribute and discusses it in some particular context. As often as possible this context has some current topical interest at the time of publication, but some topics are timeless and can have a more general context. The Attributer has been publishing these articles since mid-2012 in Informatiebeveiliging magazine in the Netherlands. Whilst the magazine is a totally Dutch publication, this series of articles has appeared in English.

Threat Modelled

The Attributer has become aware that threat modelling is enjoying some popularity at the moment. However, most of what is written and said about it makes little sense. It’s not the role of this column to ‘name and shame’, but if you doubt what is said here, just type the words ‘threat modelling’ into your favourite search engine and read what it brings up.


The introduction of GDPR (General Data Protection Regulation) in 2018 in the EU raises some new challenges for those involved in controlling and processing personal data, but it is also a great case study in risk ownership and governance. It demonstrates some concepts and principles that have long been central in the SABSA way of thinking. In this article we shall explore those principles using the GDPR as an example.


You wanna cry? Been staring at a ransomware screen? The Attributer hopes not, but we all know it happened to a lot of people. So, what can we learn from this global incident and what should we do about protecting ourselves in the future? Three years ago The Attributer wrote an article named ‘Patched’. We shall re-examine some of the principles mentioned then in the light of recent experiences with malicious software attack vectors.


There have been numerous media reports in recent times about the cyber-attack capabilities of nation states hostile to Western political and business interests. That of course raises the debate about our cyber-defence capabilities and what they should be in this emerging threat landscape. In particular some commentators have raised the issue of the purpose and motive on the part of the attackers – what do they want to achieve? What are their goals?

Traceably Owned

Today’s big buzzwords are ‘blockchain’ and Bitcoin, but the concept has been around since the 1990s. 

Info-Warfare Ready

It is January 2017, and as Donald Trump prepares to take over as the new President of the USA, the debate rumbles on about the possible hacking, leaking and disinformation associated with Hillary Clinton’s election campaign. So what should we make of these allegations? Let’s look at what we know.

In Control

The US Sarbanes-Oxley Act of 2002 has had a huge influence on both American businesses and those in the rest of the world, especially those who want to do business with or in the USA. Section 404 of the act tells us that the management has to be in control, and that the auditors must verify this. A manager must sign a formal statement to declare that he or she is in control. 

Business Strategic

The Attributer writes this just after the announcement by Yahoo that, back in 2014, “state-sponsored” hackers stole information from about 500 million users in what appears to be the largest publicly disclosed cyber-breach in history. What! And now you’re telling those users that they should “change their passwords”, some two years later. Isn’t that a bit late? Horses and stable doors come to mind.

Regression Planned

First reported in the Telegraph on 21st April 2016, and later by Channel Four News on 24th May 2016, was an incident affecting UK National Security that occurred during the previous year, on 13th June 2015.