Systems thinking is more than just a handy collection of tools and methods to explore complex systems with – it is also an underlying philosophy, an awareness of the role of structure in creating what we face, of powerful patterns operating on us, and of consequences of our actions.


  • Awareness of and finding ways out of circular reasoning and (group think or individual) bubbles.
  • Sensing more, and guarding minds with critical thinking, discovering new moves.


  • Open Space is a known technology for making waves, raising awareness, and grounding further privacy and security work.
  • Retrospectives are useful for learning to learn without making mistakes: That is, to be willing to make mistakes (not always playing safe), to not repeat the same mistake over and over again, to learn from the mistakes others make, and to learn from the mistakes of our teachers/mentors/coaches.
  • Decision analysis, the Satir way, has proven practical in tackling even the most complex problems, making it easy to compare (the possible effects) of decision alternatives.
  • Role-plays can be used to make visible what the left hemisphere would like to ignore, and can improve congruence and balance of a system.

Systems architecture

  • Making the complex (more) simple using (adapted) systems thinking tools.
  • Seeing and making more connections.
  • Evaluating existing system architectures with recommendations for improvements.


The confluence of surveillance and censorship, tight(er) regulations such as the GDPR, and lack of knowledge in using existing “free technologies” which improve privacy, security and quality of internet research for their context, people and purposes, is undercutting their effectiveness. Meanwhile, the data-mining and privacy and security business is booming and the siren song of certainty tempts people into wasteful spending and poorly informed decision-making, that is, if they even have such money to spend.

And without a mandate for measuring and reporting *actual* improvements in security, attempts at improving security make absolutely no sense. It all depends: On who the adversaries are, on the context, on what information needs protecting, on the assets (networks, software, data and information systems), on what is considered in scope and what not, and on the people using the system (i.e. the individuals working with the definition, implementation and maintenance of security policies).


Custom made workshops with fun role-play and other exercises that bring the message home.

  • If you don’t understand how adversaries could get into your systems, you’re going to have a hard time securing them. Learning how to hack can help you implement the strongest possible security practices.
  • Hacking forensics includes techniques for detecting and reverse engineering malware and advanced persistent threats, like Finfisher ...

Threat modelling

Threat modelling is a process by which potential threats can be identified, enumerated, and prioritised – from a hypothetical attacker's point of view. With a systematic analysis of the probable attacker's profile, the most likely attack vectors, and assets most desired by an attacker, defenders can focus on what is most important to protect.

Systems administration

  • System audits, for example for vulnerable endpoints like internet facing linux servers, with suggestions for (security) improvements.
  • And system administration itself.

Contact me for more information.