About the risks that abound in the world of technology, when everything is connected and snooped upon one way or another. Are you safe?


Wednesday, June 15, 2016

Augmented Security





The following are notes I have taken from the book launch of "Augmented - Living Life in the Fast Lane", by Brett King on the 8th June 2016 in Singapore. I have made efforts to make sure that the information here is as close to what he said during the launch as possible. If there are any misrepresentations of facts, they are probably mine. Please accept my apologies in advance.
========

Fundamentally, Moore's Law has been proven right since it was coined: computer processing power doubles every two years. The mobile phone in our pocket has many times the processing power of the early computers that occupied the entire basement of a large building.

Four points that the book is based on:

1. Artificial Intelligence (AI) - it will take over many aspects of our life, as it executes many tasks better than humans. For instance, autonomously driven cars are safer, with a lower accident rate than cars driven by humans; AI diagnoses cancer with a 90% certainty, whereas a human oncologist can achieve only a 50% certainty. This is because AI is fed a lot more information for the task than a human being can handle. Besides, AI remembers the data, while a human being may forget some of it during his analysis or diagnosis.

2. Internet of Things (IoT) - Everything will be connected via the internet by the year 2030. There will be more robots than humans by then, though robots come in different forms. That is, not all robots will look like humans, nor should they; it depends on the tasks they specialise in.

3. HealthTech and Genome - The progress of HealthTech and genomics, thanks to computer processing power, will result in earlier detection of diseases and fixing of the problem via genetic engineering. This may cause an upheaval for Big Pharma, which now faces a challenger that can fix health problems better and faster.

4. Smart Infrastructure - Solar power will be half the price of the nearest cheapest fuel by the year 2030. Coal mines will not be economical. For example, China has recently laid off 1.5m mine workers: they know that it will not be economically feasible to mine coal.

The cheapness of solar energy and other alternative free energies will disrupt the commodity markets and decimate them.

-----


Every leading company will be a technology company by 2030. If you are not, then you will not be making profits. Large technology companies like Apple have a profit per employee of around $0.5m, compared to $30k for Walmart or $50k for banks.

The service industry will be disrupted dramatically in its employment patterns. People will not live their life "working for a living". Governments may be compelled to give a universal basic income (covering lodging, food, electricity...) to everyone for free. Humans will adjust to this new state. There will be new jobs like geo-engineering, which aims at reversing climate change, while many traditional jobs, or jobs that exist now, will be gone. Perhaps some of us will be re-invented as robot psychiatrists to counsel misunderstood and mishandled robots!

Global population growth will flatten by the year 2050 at around 9.5 billion people. People will be living longer and longevity itself will be a challenge. For instance, if we are all going to live till 200 years old, then all of us here in this hall are mere 'teenagers' within our lifespan. Major culture shifts will be needed.

If you do not have a digital persona, you may be treated with suspicion, pay a lot more for things, etc. It will be impractical. In ten years' time, 60% of our online purchases will be handled by an AI agent.

Banking will be required in the future, but not banks. Banks that base their business on the conventional business streams of credit cards, POS, etc. will be gone. Instead, contextual credit will be evaluated when you walk into a store, and that will handle your transaction.

Not all entities that hold a bank account will be humans. For instance, autonomous cars will have bank accounts to get on with their 'life': to pay their Electronic Road Pricing (ERP) fees and electricity top-ups, to receive payments for ferrying people around like an Uber cab, etc.

AI, robotics, etc. will become so much a part of the system that we will not even think about them, like electricity: we just switch it on and use it and hardly (if at all) think of it as 'technology'.



Governments will be the last industry to be disrupted and replaced by technology.
---------

Do you agree with Brett King's projection of the future?

But let's take it as an exercise for now: should the projections come true, how will we protect our information?

Some of the security issues that I predicted 15 years ago are now a reality.

  • For instance, wearable computers are now easily available and affordable by the man in the street, so it is not practical to check them at the gates.
  • Collaboration for collective intelligence among big companies, especially banks, is now happening via cloud-based Web Application Firewall providers.


Pervasive Security

With IoT, the hacker's playground has enlarged. Whoever hacks in will have connectivity to hack the next adjoining device, affecting another community that will likely be dispersed worldwide. Surely this sounds much more fun to the hacker than it is now.

With devices getting very small, and many of them embedded, it will be impossible to rely on perimeter security. Security controls will have to be pervasive. Already today, every business process triggers six or seven other security processes.

For instance, just to transfer money in an ebank, the following non-business processes are triggered:

  1. Identification - whether the user is a bot or a human.
  2. Authentication - whether the user is who he claims to be.
  3. Double authentication - to make sure that the user's device has not been hijacked, possibly using technologies like cognitive biometrics.
  4. Authorisation - to check the extent of the privileges the user is entitled to.
  5. Central data logging - to log all transaction data such that, if need be, the transactions can be easily reconstructed.
  6. Prediction - with the large amount of data logged, it becomes possible to predict whether the transaction is a fraud. If it is suspected, transaction logging is stepped up.
  7. Notification - notifying the user of his transaction by an alternative channel.

Many more processes will be added over time to make the transaction even more secure. Even item 1 will have to be re-assessed when non-human entities, e.g. autonomous cars, legitimately have bank accounts.
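As an added illustration (not from the post), the seven non-business processes above as a toy pipeline for one ebank transfer. The user record, the bot flag, the device-id check and the "3x the user's own history" prediction rule are all constructed assumptions, chosen only to show how logging is stepped up when prediction raises a suspicion.

```python
"""Toy ebank transfer pipeline (added example, constructed data)."""
from dataclasses import dataclass, field
from statistics import mean

# Constructed reference data: one enrolled user with a short transfer history.
USERS = {
    "alice": {
        "password_hash": "h(correct-horse)",  # placeholder, not a real hash
        "device_id": "dev-1",                  # enrolled device, used in step 3
        "limit": 5000,                         # transfer limit, used in step 4
        "history": [120, 80, 95, 110],         # past amounts, used in step 6
    }
}


@dataclass
class Transfer:
    user: str
    password_hash: str
    device_id: str
    amount: int
    is_bot: bool = False                  # constructed stand-in for a bot signal
    log: list = field(default_factory=list)
    notified: bool = False


def _log(t, event, level="normal"):
    """Step 5: central logging. Level is raised to 'verbose' on suspicion."""
    t.log.append((level, event))


def process_transfer(t: Transfer):
    """Run the seven processes in order; return (accepted, outcome)."""
    _log(t, "received")
    # 1. Identification: bot or human.
    if t.is_bot:
        _log(t, "rejected: bot")
        return False, "identification"
    u = USERS.get(t.user)
    # 2. Authentication: is the user who he claims to be.
    if u is None or t.password_hash != u["password_hash"]:
        _log(t, "rejected: bad credentials")
        return False, "authentication"
    # 3. Double authentication: the device is the enrolled one, not a hijacked one.
    if t.device_id != u["device_id"]:
        _log(t, "rejected: unknown device")
        return False, "double-authentication"
    # 4. Authorisation: within the privileges/limits the user is entitled to.
    if t.amount > u["limit"]:
        _log(t, "rejected: over limit")
        return False, "authorisation"
    # 6. Prediction: an amount far above the user's own baseline is suspicious,
    #    and from here on the transaction is logged verbosely (assumed rule).
    baseline = mean(u["history"])
    suspicious = t.amount > 3 * baseline
    level = "verbose" if suspicious else "normal"
    _log(t, f"prediction: amount={t.amount} baseline={baseline:.1f} "
            f"suspicious={suspicious}", level)
    # 7. Notification on an alternative channel (stub: just mark it as sent).
    t.notified = True
    _log(t, "notified via alternative channel", level)
    u["history"].append(t.amount)
    return True, "flagged" if suspicious else "clean"


def verbose_entries(t: Transfer):
    """How many log entries were written at the stepped-up level."""
    return sum(1 for level, _ in t.log if level == "verbose")
```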

How will we be able to safely identify one robot from another? Do they have unique characteristics and behaviour, like humans, beyond their (encrypted) id tag? Will accumulated machine learning in the robot develop habits and character in them?

Data Ownership

Also, in an IoT world, who owns the data? When there is a hack, who is the custodian that has not kept the data well and has thereby resulted in some people (or robots) being violated? With so much data generated, it will be impossible to manage data ownership. To compound the problem, some legitimate data owners may not want to own the data, as ownership comes with responsibilities.

Quantum Computing
When quantum computers come onto the market, many computers will be hacked in the interim period, before information systems have had time to convert to quantum cryptography to protect themselves.


What are your thoughts?

I am sure you can come up with many other scenarios from now to the next ten years and how we can pre-empt security breaches.


----

Brett's view of the future seems to be based solely on the advance of Moore's Law: that computers will get more powerful, and that progress is mostly enabled by more number crunching and processing.

There are other visionaries who embrace, in my opinion, a wider scope of how progress may come about, like Buckminster Fuller, Alvin Toffler and Peter Schwartz. They delve into the future with scientific fundamentals and a scope beyond computers. Not surprisingly, many of their projections have come true.

Here are other technologies that we may see in the future:






Saturday, April 16, 2016

Pre-empting Cyber-Fraud in Investment Banks


An investment bank is a hive of activities: helping businesses or banks to raise capital by issuing stocks or bonds, and finally underwriting and distributing the issue. It also sells securities, manages the assets and personal wealth of high-net-worth individuals and helps in corporate mergers and acquisitions. These activities expose it to a myriad of operational, legal, market, credit and reputational risks.

A common thread among all these risks is CyberFraud, amid today's highly computerised and networked world.

CyberFraud is multi-dimensional, and it is targeting citizens, businesses and governments at an alarming rate. It can also be a conduit for organised crime and terrorism, and pose a threat to national security.

Stolen financial data is now an illicit commodity. With the required data, money can be siphoned off through fraudulent credit card transactions, bank transfers or other instruments. Given the impersonal nature of the crime, and that the fraudsters can be seated at a physically remote location, an underground industry for Cybercrime has rapidly grown. To compound matters, fraud can originate both from outside and from inside the bank.

The broader effort to contain the growth of CyberFraud has to be worked on together with the police, central banks and cloud-based security services like web application firewalls, online biometric services, etc. Sharing of such information among banks via central authorities is key.

Within the bank, besides having a secure IT infrastructure, it is essential to have a centralised log server which, if need be, is capable of reconstructing any transaction to provide sufficient forensic data to bring the fraudsters to court. (This is a regulatory requirement stipulated by many central banks, like the Monetary Authority of Singapore.) With the wealth of data in the log server, it is possible through data analytics to predict where the fraud will come from, and to pre-empt it. It is useful to use software like Splunk to facilitate the indexing, searching and monitoring of the logs, some of which may not even be structured.

For more details on a secure banking architecture, click here.

The common patterns of suspicious activity usually exhibit abnormal transaction volumes, trading volumes, fluctuating data feeds, etc. A rules engine will have to be agreed between the business, the fraud management department and the cybersecurity department of the bank.

For more details on applying data analytics, click here.

There are also cognitive patterns of user behaviour that can be captured and analysed. Several cognitive biometric systems, like BioCatch, are now capable of differentiating an online bot from a human user; and for the case of a human user, the capability to authenticate his identity.

These new implementations will require more sophisticated technical and awareness training. In a world where the criminals are connected and share expertise, banks will need to have all their staff educated in an effective manner.

Many banks have resorted to quick online multiple-choice quizzes to measure the awareness level of their staff. But truly, how many cases in our lives work the same way as such multiple-choice tests? Hardly any, to say the least. Therefore, realistic scenarios must be written and rehearsed to leverage the participants' other cognitive senses. To be effective, the training methods must be experiential and immerse the participants in role play, so that they truly understand the scope of managing CyberFraud and can apply the knowledge in their daily work.

For more details of how to apply role play in cybersecurity training, click here.

Naturally, the above activities will take time to implement. Senior management will have to be convinced that they are worth committing the necessary resources to. The savings from CyberFraud management will have to be enumerated and quantified. But it is no longer just a case of preventing or managing financial losses to Cybercrime: banks now also have the moral duty to prevent funds from reaching terrorists and organised crime, for national security.

Conversely, if you are in the Senior Management of the bank, you may like to read about the 5 types of technology salesmen out there waiting to pull the wool over your eyes. :) Click here.


Last but not least, while it is crucial to have the technical infrastructure and controls, predictive analytics and technical and awareness training, no fraud case can be effectively closed without the good old-fashioned offline work of committing troops to the ground. Common detective work of recognising clues, hints and the motivation of the crime is equally important. So are cultural understanding and language skills, the latter being particularly useful for high-tech big data keyword searches and interpretation. Ultimately, the investigator will need to be able to hear a conversation in a noisy room, have a concern for detail and a sense of urgency.


Tuesday, August 18, 2015

5 Types of Technology Salesmen




This post is a little light hearted, but I hope it helps you too.

I have met many technology salesmen in my time, and can group their techniques into five categories, namely:

1. Selling by Sex
These are the good lookers who would try to seduce you with sex, or at least let you think that you are going to 'get it'. Sex sells and this works for many people, both men and women.

2. Selling by Bossing Around
These are the motherly/fatherly types, who curiously close sales by bossing their clients around. It works for clients who are short of confidence or of paternal/maternal love.

3. Selling by Fighting for the Customer
These ones are fiercely loyal to their customer. They will fight for the customer's rights until they win, even if it means that they lose their job. Consequently, they have a loyal following, and customers follow them when they change jobs.

4. Selling by Fear (and Dropping Names)
These are the ones who give a strong show of Dutch courage, threatening the client that their project will fail unless they buy his product. He will further strengthen his claim by dropping some of his (purported) big-name clients. It works for buyers who need big names to cover their backs.

5. Selling by Technical Know-how
Of the five, these ones are the most honest. They know their technology inside out and so hide behind their strengths, going into monumental detail about the product, unaware that the buyer may be looking for something else. This works for clients who already know what they want and are delighted to hear it direct from the seller's mouth.

You may have met other types of salesmen. Tell us about them. :)



Tuesday, July 14, 2015

Data Analytics and How We Think.


I found this interesting syndicated article "Algorithms may echo human bias, study finds", on Today 14-July-2015, page 36. 

Basically it says that algorithms are, in the end, created by humans, together with their human influences and biases. In other words, data analytics algorithms are merely human attempts to model a scenario mathematically with the help of very large amounts of data.

For instance, by applying graph theory to a social network platform, we can assign weightings to links to friends who have common interests with us and find who our closest friends are, who our best friends are or even who our spouse is. In plain language, we are looking for 'birds of a feather that flock together'.

There is also an algorithm that detects expense claim fraud by analysing the first digit of each expense claim item. If only a few digit values are used, and very repeatedly so, the expense claimant is flagged for further investigation. This is probably based on the tendency of human beings not to think of broad ranges of numbers when cheating.

I trust that algorithms for data analytics have a symbiotic relationship with human psychology. So, it pays to observe patterns of human thinking through the data they manifest. Maybe some old proverbs may offer inspiration.
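An added example (not from the post or the article it cites) of the first-digit test just described: it measures how concentrated a claimant's leading digits are on a few values, and, as an addition beyond the post, also compares them with the expected leading-digit shares of Benford's law. The claim lists, the thresholds and the function names are all constructed assumptions.

```python
"""First-digit screening of expense claims (added example, constructed data)."""
import math
from collections import Counter

# Expected share of each leading digit under Benford's law: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Constructed claim lists. HONEST roughly follows the expected digit spread;
# FABRICATED reuses a handful of amounts starting with 4 and 7 over and over.
HONEST_CLAIMS = [float(f"{d}{i}.50")
                 for d, k in ((1, 9), (2, 5), (3, 4), (4, 3), (5, 2),
                              (6, 2), (7, 2), (8, 2), (9, 1))
                 for i in range(k)]
FABRICATED_CLAIMS = [45.00, 47.50, 40.00] * 6 + [72.00, 75.00] * 5 + [25.00, 21.00]


def leading_digit(amount):
    """First non-zero digit of an amount, or None for 0.00."""
    s = f"{abs(amount):.2f}".lstrip("0.")   # drop leading zeros / decimal point
    return int(s[0]) if s else None


def first_digit_shares(amounts):
    """Share of items per leading digit 1..9 and the number of items counted."""
    digits = [d for d in map(leading_digit, amounts) if d]
    counts = Counter(digits)
    n = len(digits)
    return {d: counts.get(d, 0) / n if n else 0.0 for d in range(1, 10)}, n


def concentration(shares, top=2):
    """Combined share of the `top` most-used leading digits (the post's test)."""
    return sum(sorted(shares.values(), reverse=True)[:top])


def benford_mad(shares):
    """Mean absolute deviation from Benford's expected shares (added test)."""
    return sum(abs(shares[d] - BENFORD[d]) for d in range(1, 10)) / 9


def screen_claimant(amounts, min_items=20, max_top2=0.70, max_mad=0.015):
    """Flag a claimant whose digits are too concentrated or too far from Benford.
    The thresholds are assumptions for this example, not tuned values."""
    shares, n = first_digit_shares(amounts)
    if n < min_items:
        return {"flag": False, "reason": "too few items", "items": n}
    top2, mad = concentration(shares), benford_mad(shares)
    reasons = []
    if top2 > max_top2:
        reasons.append(f"top-2 digits carry {top2:.0%} of items")
    if mad > max_mad:
        reasons.append(f"Benford MAD {mad:.3f} exceeds {max_mad}")
    return {"flag": bool(reasons), "reason": "; ".join(reasons) or "ok",
            "items": n, "top2": top2, "mad": mad}
```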


--------------------------------------------------------------------
Algorithms may echo human bias, study finds 

NEW YORK — There is a widespread belief that software and algorithms that rely on data are objective. But software is not free of human influence. Algorithms are written and maintained by people, and machine learning algorithms adjust what they do based on people’s behaviour. As a result, algorithms can reinforce human prejudices, researchers say. 

A new study by Carnegie Mellon University researchers revealed that Google’s online advertising system showed an ad for high-income jobs to men much more often than women. Research from the University of Washington also found that a Google Images search for “CEO” produced 11 per cent women, even though 27 per cent of chief executives in the United States are women. 

Algorithms, which are instructions written by programmers, are often described as a black box; it is hard to know why websites produce certain results. Often, algorithms and online results reflect people’s attitudes and behaviour. The autocomplete feature on Google is an example — a recent search for “Are transgender” suggested, “Are transgenders going to hell”. 

“Even if they are not designed with the intent of discriminating against those groups, if they reproduce social preferences even in a completely rational way, they also reproduce those forms of discrimination,” said Mr David Oppenheimer, who teaches discrimination law at the University of California, Berkeley. 

The Carnegie Mellon researchers built a tool to simulate Google users who started with no search history, and then visited employment websites. Later, on a third-party news site, Google showed an ad for a career-coaching service advertising “US$200k+” executive positions 1,852 times to men and 318 times to women. The reason for the difference is unclear. It could have been that the advertiser requested that the ads be targeted towards men, or that the algorithm determined that men were more likely to click on the ads. 

Google declined to say how the ad showed up, but said: “Advertisers can choose to target the audience they want to reach, and we have policies that guide the type of interest-based ads that are allowed.” The New York Times

Monday, June 15, 2015

Information Security Across New Frontiers


New technology and business motivations
Consumer devices are getting smaller, faster and cheaper. With that, they have become mobile and convenient for executing online purchases, payments, administration and a host of other chores swiftly, many of which were not possible just a few years ago. Such consumer conveniences also generate massive amounts of data: not just transaction data, but also other personal data, like location, user behaviour and user relationships with other entities. This information is valuable for businesses to profile and target their potential customers and to cross-sell products.

What is Valuable?
Data means different things to different people. One man's information is another man's bland data. For instance, company staff directories are treasure troves to executive headhunters, but merely data to the layperson. In other words, data is 'King', but data in context is information, a 'bigger King'. Further, in the online world of rapidly flashing ether, data in context with immaculate timing is 'King of Kings'. For example, time-sensitive market data exploited for high-frequency trading in the financial markets is a 'King of Kings': it makes millions of dollars literally within seconds. Here, we are referring to immaculately precise and timely operations happening on the order of nanoseconds.

Who are the CyberThieves?
And there are those who lurk on the dark side of Cyberspace, waiting to deceive, steal and disrupt. While the bulk of hackers are 'script kiddies', the ones we should be worried about are the determined, clever and focused, who vie for monetary, non-monetary, business, political or social objectives. It is also worth noting that the bulk of security breaches still come from within organisations. From the inside, it is easier to hack: being in the system, it is easier to know the loopholes and how to clean one's tracks once the intrusion is complete. A survey of 100 banks across 30 countries by Kaspersky estimated that internal hackers may have stolen up to $1 billion in the year 2013.

Future devices now
New consumer devices easily available in the retail market are getting smaller and harder to detect. Wearable computers are gradually creeping into our daily life, in the form of spectacles (e.g. Google Glass), wrist watches or wrist bands (e.g. Apple Watch), spy pens, etc. It will not be practical to restrict employees and workers from using such wearable computers.

New control doctrines
As such, information security controls will no longer be perimeter defence, but checks and controls pervasive throughout the system. No entity is completely trusted. There will be numerous cross-verification among users, processes, servers and technologies. Cloud-based intelligence sharing and collaboration will be paramount to keep the system secure.

And so we must implement: more adaptable supervisor-and-executor dual controls for transactions; persistent checks against user account takeovers; centralised logging capable of reconstructing transactions; and leverage Cloud-based Cyber-intelligence services.

Eventually, you will notice that for every business function, say a "Make Payment" request, the application system will invoke six or seven security processes of identification, authentication, verification, logging, etc. So be prepared for added computing power, or suffer a deterioration in application response time.

New Controls
In moving across new electronic frontiers, merely implementing the conventional firewalls, intrusion detection systems, malware detection systems, encryption and identity and access management is no longer sufficient.

Increasingly, new controls will be based on different root technologies, as it is difficult to arrest an intrusion with the same technology it uses. For instance, it is difficult to use web technology to detect a Man-in-the-Browser attack. Such attacks are so elusive that they can happen right under the user's nose, without him realising that his transaction is compromised. The user would be under the impression that he is safe, having observed all the secure procedures like entering his id, password and even a one-time code generated from a secure physical token, but oblivious to the fact that he has been attacked.

To detect such attacks, other technologies such as cognitive biometrics and trend analysers, among others, have to be deployed.

Cognitive biometrics recognises the usual patterns in which a user touches and moves his devices, and differentiates whether the activity comes from a Cyberbot or a human intruder. Trend analysers detect usage anomalies, like sharp jumps in the frequency of usage or in the sums of money being transacted.
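As an added example (not the author's or any vendor's code), a minimal trend analyser of the kind described here, which also stands in for the "abnormal transaction volumes" rule of the rules engine mentioned in the investment bank post above. It reads constructed central-log lines, aggregates per user per day, and flags a day whose transfer count or total jumps past a multiple of the user's own prior median; the log format, the user names and the 3x factor are assumptions.

```python
"""Per-user volume anomaly detection over central-log lines (added example)."""
import re
from collections import defaultdict
from statistics import median

# Assumed log format: ISO timestamp, user, action and amount as key=value pairs.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\w+) "
    r"action=transfer amount=(?P<amount>[\d.]+)$"
)

# Constructed sample: alice and bob are quiet for four days, then on day five
# bob fires off five large transfers. The login line shows non-transfer lines
# are simply skipped, as unstructured or irrelevant log lines would be.
SAMPLE_LOG = """
2016-06-01T09:12:03 user=alice action=transfer amount=120.00
2016-06-01T09:40:11 user=bob action=transfer amount=50.00
2016-06-02T08:55:30 user=alice action=transfer amount=95.00
2016-06-02T12:01:45 user=bob action=transfer amount=45.00
2016-06-03T10:20:00 user=alice action=transfer amount=110.00
2016-06-03T10:21:09 user=bob action=transfer amount=55.00
2016-06-04T09:00:00 user=alice action=transfer amount=100.00
2016-06-04T09:30:00 user=bob action=transfer amount=50.00
2016-06-05T07:59:59 user=bob action=login
2016-06-05T08:00:10 user=alice action=transfer amount=105.00
2016-06-05T08:01:00 user=bob action=transfer amount=500.00
2016-06-05T08:02:00 user=bob action=transfer amount=500.00
2016-06-05T08:03:00 user=bob action=transfer amount=500.00
2016-06-05T08:04:00 user=bob action=transfer amount=500.00
2016-06-05T08:05:00 user=bob action=transfer amount=600.00
"""


def parse_log(text):
    """Aggregate transfer lines into user -> date -> [count, total_amount]."""
    per_day = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # not a transfer record: skip it
        bucket = per_day[m["user"]][m["date"]]
        bucket[0] += 1
        bucket[1] += float(m["amount"])
    return per_day


def find_anomalies(per_day, factor=3.0, min_days=3):
    """Flag a day whose count or sum exceeds `factor` times the median of that
    user's previous days. Needs `min_days` of history before judging a day."""
    alerts = []
    for user, days in per_day.items():
        dates = sorted(days)
        for i, day in enumerate(dates):
            if i < min_days:
                continue
            prior_counts = [days[d][0] for d in dates[:i]]
            prior_sums = [days[d][1] for d in dates[:i]]
            count, total = days[day]
            if count > factor * median(prior_counts):
                alerts.append((user, day, "count", count))
            if total > factor * median(prior_sums):
                alerts.append((user, day, "sum", total))
    return alerts


def analyse(text, **kwargs):
    """Convenience wrapper: log text in, list of (user, day, metric, value) out."""
    return find_anomalies(parse_log(text), **kwargs)
```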

Extending beyond Security
Trend analyses require broader aspects of data collection and mining, leading to what is called 'Big Data' processing. And with the ubiquitous use of the Internet and the growing ambitions of businesses, Big Data gets bigger everyday.

Back in the early 1990s, when I was in oil and gas exploration, we thought the seismic trace interpretation data we were processing were massive. These were data of induced and echoed sound captured from vast oil exploration sites stretching thousands of square kilometres in surface area and kilometres deep into the subterranean. Think of it as a gigantic 3-dimensional volume of sound amplitudes at one-hundred-metre grid intervals. Upon collection of the data, we cleaned up the noise, modelled an algorithm and mined them for useful information with the goal of discovering oil and gas deposits. Much the same as in modern-day generic Big Data operations. However, while those petabytes of data were notoriously large to handle with the technology of those days, they are no longer considered big by today's standards.

Besides the intimidating size of the data, diversity, data properties and data locations are some of the other challenges. Data can come from varied sources, in structured and unstructured, formal and informal formats. In my opinion, using data just from the organisation's daily transactions gravitates towards 'Business Intelligence'. It is not just a matter of definition; there are semantic differences in scope. In Big Data operations, data comes from many sources, and sometimes we may not even know what the real question is when we stumble upon unexpected and interesting patterns. When that happens, basic assumptions are challenged and re-established. We will then have to go back to basics to clarify our objectives before moving forward.

The reach of Big Data is powerful. It can be used not only to detect fraud, but also (in the case of banking) to verify that clients are clean enough to bring on board and at the same time comply with central bank anti-money laundering (AML) regulations.

Implementation
Before proceeding to implement, make the aforesaid benefits clear to your stakeholders. Start your security controls small, within less ambitious goals, but make it known to your sponsors and stakeholders that these technologies can be extended to offer a lot more in the future.

Now, go down to basics and define the Proofs of Concept (POCs) for the technologies that can solve your problems. The challenge here is to define what constitutes a successful POC. For instance, if we are testing a cognitive biometric system to weed out fake users, is the product that comes up with a lot of suspected users better than the one that comes up with fewer suspects? How do we know which one has more or fewer False Positives and False Negatives? It is all well and good if we are testing them on simulated data, but how would simulated data be of any real help? Ultimately, the real proof is in the pudding, that is, with real-time transactions, and for that the results may be difficult to ascertain.

Then, we will have to delve into the fundamental science the product is based on. If the vendor's description of what their product is based on is fuzzy and ill-defined (granted that they have to keep their trade secrets), then chances are that they are not to be trusted.

Ultimately, quantitative and qualitative success indicators for the POC definition are essential before each technology is tested.

Once the POCs are proven, it is now time to take stock of your existing system to make sure that it is fundamentally sound. For instance, to ensure that the user authorisation, centralised log server and the fraud management rules engine are operating smoothly and securely administered, before the new technologies are added.

As usual, implement the new controls in stages starting with the quick and easier wins to convince your stakeholders, to secure the approval of the next phases of development.

Conclusion
New devices are attractive because they bring in new business and opportunities. Data cleverly harnessed is valuable and can literally make you millions of dollars in seconds. As with all treasures, there will be thieves lurking. Given all the new technological frontiers opening, we need better and more sophisticated controls. These controls, unlike in the past, come from varied technologies and must no longer be perimeter defences, but pervasive throughout the information system. New pervasive controls are powerful and can serve beyond the objectives of data protection: they can be leveraged to analyse business trends and manage fraud. Implementation must be approached step by step and iteratively, while keeping management informed of their massive potential for the future.


This article is a very brief summary. It dwells on the salient points of the new frontiers of information security and how we can proceed to implement the technical controls. There are a myriad of other business and managerial considerations in a real life situation. Given the limitation of space here, we shall leave those other discussions in another article, another time.



Note: We are now an official media partner with BIGIT INSIGHT. This article will be published in their magazine.

Sunday, April 19, 2015

5 Survival Tips when dropped into the ‘Deep End’






Instead of the usual technical blog posts, this one is a pragmatic survival guide. If you have been around for a while, chances are that you have been thrown into the 'deep end' of a project before.

With rapidly changing markets and business requirements, this is becoming more common: budgets are approved late, but with the expectation of a quick delivery. This usually means a mad scramble to fill the project team, with the eventual result that the unfortunate new hires are dropped into the ‘deep end’ a few months after the project has started. These latecomers, however, are still expected to hit the ground running.

So, here are some survival tips:

1. Update your knowledge of industry acronyms and products.

No matter how experienced you are in the industry, new acronyms and products are created every day. Google them and make a list, ready for you to refer to when required. But not to worry, a lot of them are just new marketing slang for old technologies, like “Cloud Computing”. So don’t panic. You just need to know the right slang quickly and appear cool.

2. Learn the business and project acronyms

Businesses and projects love acronyms and the people involved use them liberally, as if they are also second nature to you. Make a comprehensive list of such acronyms quickly early in the project, grab an old hand in the organization and sit down with him uninterrupted for one hour to establish the glossary.

3. Learn the organizational structure, the relevant departments and their spokesperson.

In the old days, the development team did everything from conception, programming and testing to the acceptance stages. These days, organizations are structured to have specialized departments deliver the various components of your project, for the benefits of economies of scale and efficiency. For instance, there may be a permanent generic testing team that tests all projects before they are released into production in the organization. Or maybe some tasks are outsourced to a third-party company situated in another country and another time zone, from a different culture and speaking virtually a different language.

When you have mastered points 1 to 3, you are able to follow what is spoken in project meetings and appear intelligent. However, you have not moved much yet; you are merely holding your head above the water.

4. Build a rapport with the key persons in the project

Develop relationships. It is relationships that make things happen quickly and fairly trouble free. But develop appropriate relationships. Doing otherwise, will have repercussions later on. Karma is such a bitch.

5. Stick to officially sanctioned activities

In the old days, it was fine to help your team members with their work and sometimes with some informal tasks. Such tasks are usually safe short cuts necessary to make things happen quickly, but overlooked by the managers. However, it is riskier to do so these days, because all activities are owned and given milestones and deadlines. If you really want to help out, do so quietly. Don’t pen them down anywhere. The moment any activity is penned down, someone will come and ask you where this activity falls under. That, to me, is a bother you and I do not need. If you are not careful, it can also make you look bad.



There is, of course, much more that needs to be done in a project, but knowing the five points above is a good start.

You will then no longer feel lost in meetings and discussions, stop looking stupid and start to produce useful work.

Happy working!



Friday, October 3, 2014

5 Steps to Take in Security Incident Role Plays


Role plays are an effective form of learning. It comes naturally to all of us: when children gather, they role play. However, as we become adults we mostly shy away from role playing unless we see a motivation to do so.

Role play is effective because it engages all our senses in arriving at conclusions from a scenario and a set of goals. It is far better than the archaic 'Sage-on-Stage' style of lecture.

But role play requires more preparation, time and patience. The facilitator must also have deep domain knowledge to hit the ground running.

Information security is an ideal subject to teach through role play. It is by nature dynamic and action-oriented: security architecture and design, and the implementation of technical and non-technical controls, exist essentially to pre-empt fraudulent or unauthorised actions before they take place. Given such dynamism, students of information security need the presence of mind to recognise and react to incidents.

For facilitators, here are 5 Steps to Take in Security Incident Role Plays:

1. Create a scenario
  • If you have not encountered a real-life one, look them up on the Internet.
  • Modify the scenario so that both the guilty party and the victim in the original incident are anonymised and protected.
  • Modify it so that it is practicable for a classroom role play. For instance, if a roof is going to collapse in the scenario, you have to think of ways to simulate that effectively.
  • Try to make the exercise visual. It is easier for your participants to react to.
2. Assign roles 
  • Put depth into your characters. Give each role a motivation and a penalty for failure.
  • Set boundaries on what each role is and is not allowed to do. This is not to limit their creativity, but to pin them down to some of the realities of an incident. For instance, it is unlikely that they will have an unlimited budget to solve the problem.
3. Break each role into groups for discussion 
  • Ensure that everyone in the group participates and that there are no passengers.
  • Allow the participants to learn from their common sense: effectively starting in the middle, from an observation, and building their findings upwards or downwards through the hierarchy of knowledge.
  • Sometimes you may have to intervene to ensure that the discussion is fair and that no one is imposing their values on the others. Note that this is not necessarily taking sides on who is right or wrong.
4. Video the role play 
  • With today's very affordable access to technology, it costs next to nothing to record the performance.
  • It is fun, and it compels the participants to take the exercise seriously. In odd cases, you may get groups of them giggling and laughing all the way through their performance.
5. Review of what is learnt
  • List what has been learned.
  • Rationalise the list and compare it with what is established in the textbook or in industry practice. Are they different? Discuss why.
  • Note the gaps, what has still not been realised or learned, and plan them as learning goals for the next role play exercise.
I have listed the minimum needed to execute a role play. You can improve on it further by carrying out the exercise outside the comfort of the classroom, somewhere as close to the real thing as possible; you can use props, real equipment and audio-visual effects, most of which are very affordable these days.

Watch this space for the next article about "Learning Programme Development". 

There, you move to managing knowledge in the organisation, prioritising the areas of upgrade, planning internal skill mobility and leveraging the skills to grow the business.