So far in this study, we have introduced the complexities of 3 of the 5 Domains or “faces” of Data as a complex system: Form Factors,[1] Applications,[2] and Categories.[3] Now, in Part 4, we consider End-Users.




These are the different users and user-groups who can and do, make various uses of the data.


Level 2 (provenance): As the ultimate consumer, that end-user can be any or all of an individual or a group, a business or business group, or a government or government agency, or government collective. Hence, at this level, we have placed just two options: (i) Insiders, who are the known and permitted users of the data, and (ii) Outsiders, who are the not permitted but sometimes known users of the data, if and when a breach can be tracked-back to its point of origin,[4] or when the user without permission can be found.


Level 3 (management): Here, the end-users can be categorized into three separate groups for management purposes. (i) Vetted, are those end-users who have been cleared and properly credentialed for data access. (ii) Unknown users are those with spoofed or un-trusted credentials – whether it is hacked passwords, expired security certificates, or other sharp workarounds of security protocols that allow data access. (iii) CMC, are those criminal, malicious, or compromised users who may appear to be vetted or unknown, but who have ulterior motives. The essential and constant challenge for all IT security and IT governance professionals is to ensure that the vetted remain vetted; the unknown do not become or appear to be vetted; and that the CMC remain on the outside of the trusted data-user community. [5]


Level 4 (security): As with earlier installments, there are on this level, categories for: (i) identity and access management (IAM); (ii) management “controls for risk, encryption, and security technique” (CREST); and two categories for regulatory compliance, being (iii) Regulatory Compliance (generic) which includes privacy and Intellectual Property Rights (IPR); and (iv) Regulatory Compliance (specific), which includes subnational, national, and transnational rules, and any industry-specific codes of compliance.


Level 5 (attack vectors): Here, we will specify the attack vectors as targeted at or emanating from, one or more of these five distinct groups. These are: (i) individual; (ii) family; (iii) group or network; (iv) business or business group; and (v) government, or government agency or collective. The individual might be a hacktivist, or someone with a form factor that has been unknowingly compromised. The family, again, might just be the innocent victim of a botnetted[6] machine within the household that identifies their IP address as the attack’s malicious source. The group or network may have third-party packet sniffer software installed that its Sys-admin does not catch, or chooses to ignore and/or not disclose to others. And then, the business or business group may be compromised directly, or through a third-party vendor.[7] Recent revelations about alleged government cooperation with internet and technology companies,[8] show how this fifth attack vector might stand alone; might combine with the third in a complicit Sys-admin (who does or does not see a lawful warrant); or might even combine with a targeted intelligence operation by a government agency that sees a keylogger, for example, installed on a business or household form factor known or suspected to be used by, some person of interest.[9]


Level 6 (aggregation): Finally, data end-users can also be found and aggregated across 6 spaces. There are two, under each of: (a) being at the individual’s option (such as for biometrics and geolocation, or other consumer-friendly applications – as opted-into or “not” opted-out of); (b) the commercial need and machine-driven (such as for SCADA/Supervisory Control and Data Acquisition, RFID/Radiofrequency Identification, or other business-inspired or business enhancing applications; and (c) the Government-aggregation (for various overt matters including health, morals and welfare, on one hand; or for covert matters, such as law enforcement and intelligence-driven surveillance operations, on the other hand).



The depth and breadth of Data as a complex system continue to be enhanced by the interactions of its five Domains, and of the many faces therein. Having now considered Form Factors, Applications, Categories, and End-Users, our next and final installment will consider the “Scale” Data Domain.[10]



Ekundayo George is a sociologist and a lawyer. He has also taken courses in organizational and micro-organizational behavior, and has significant experienced in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). See, for example: A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in legal, technological, and societal milieux.


Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams. See, for example:


Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.


This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published on, November 1, 2013. Online: ><

[2] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 2 – Applications). Published on, December 27, 2013. Online: ><

[3] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 3 – Categories). Published on, February 4, 2014. Online: ><

[4] Both insiders and outsiders can be sources of significant threat to any business, or other data producer or data consumer. However, some research shows that the most significant threat comes from the outsider. See e.g. Ericka Chickowski. Should Insiders Really Be Your Biggest Concern? Published on, April 23, 2013.   Online: > <. See contra. Ponemon Institute. Fourth Annual Benchmark Study on Patient Privacy and Data Security. Published on, March 12, 2014. Online: >< In the medical field with regard to patient data security, insider risk is greater.

[5] There is a technical, definitional difference between unauthorized and non-credentialed. Credentials, such as passwords, pass keys, and biometric inputs all grant access, and so a properly credentialed user may be vetted and therefore authorized to access data on system A, but although vetted, “not” unauthorized to access data on system B. That user on system A may nevertheless try to gain access to data on system B, as a CMC (criminal, malicious, or compromised) user. On the other hand, if one gains access or attempts to gain access to data on system A or system B with stolen or spoofed credentials (apparently vetted), or through a credentials workaround (clearly non-credentialed), then this is essentially a non-credentialed access by an unknown user (absent the availability of more information), and it is unauthorized.

[6] Jeremy Reimer. FBI: Over one million computers working for botnets. Posted on, June 14, 2007. ><

[7] Brian Krebs. Email Attack on Vendor Set Up Breach at Target. Published on, February 12, 2014. Online: ><

[8] Anthony Wing Kosner. All Major Tech Companies Say NSA Actions Put Public Trust In Internet At Risk. Published on, December 9, 2013. Online: ><

[9] Declan McCullagh. Feds use keylogger to thwart PGP, Hushmail. Published on, July 10, 2007. Online: ><

[10] See Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 5 – Scale).  Published on, May 15, 2014.  Online: ><

%d bloggers like this: