Psychology & Security & Breaches (Oh My!?)
I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are simply because they emerged that way: there existed a froth of competing ideas or ways of doing things, and the best one(s) won. Other ideas may have hitched themselves to a winning one without being good ideas themselves. But on both a design and a psychological level, change is hard.
On the design side, there are arguments that I haven’t heard, some of which may be good. Someone may think that our situation isn’t really so bad, and so we don’t need change. I think that they are wrong, but I have to overcome that argument. I’ll set aside the origin of our situation and the argument from conservativeness, and turn to the psychological.
At a human level, change involves loss and the new. When we lose something, we go through a process, which often includes shock, denial, anger, bargaining and acceptance. The new involves trying to understand it, understanding how we fit into it, whether our skills and habits will adapt well or poorly, and whether we will profit or lose from it.
These are the sorts of issues which confront managers as a company goes through changes, and they are difficult and challenging. Companies change because the market changes: new competitors or new products emerge, or old ones go away. Often it is easier to ignore these changes and keep doing what you have been doing than it is to change.
Many American companies chose to react this way. They created a rust belt.
The world in which we work as security professionals has gone through upheavals in the past. Things changed when UIUC released the Mosaic web browser, things changed when Aleph1 published ‘Smashing the Stack for Fun and Profit,’ and things changed when Canter and Siegel sent their email. Things will change again.
Preventing the effective flow of information is one way to avoid change. If we can claim everything is the same as it has been, or if we can sweep things under the rug, we can keep doing what we’ve been doing. We avoid change because change is hard, and its consequences are long term. We’re supposed to be good at thinking about such things here in security.
Sometimes, in security, when we talk about psychology, it’s interpreted as an attack. This is not intended as an attack on anyone. I’m trying to draw out all of the reasons why people are opposed to changing their disclosure habits, so that we can overcome them.
Sometimes true things are uncomfortable. Sometimes going to the dentist is uncomfortable. Being in denial about the state of things is often worse.