Shostack + Friends Blog Archive


Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing ideas or ways of doing things, and the best one(s) won. Some may have hitched themselves to a winning idea. They may be bad ideas. But on both a design and a psychological level, change is hard.

On the design side, there are arguments that I haven’t heard, some of which may be good. Someone may think that our situation isn’t really so bad, and so we don’t need change. I think that they are wrong, but I have to overcome that argument. I’ll set aside the origin of our situation and the argument from conservativeness, and turn to the psychological.

At a human level, change involves loss and the new. When we lose something, we go through a process, which often includes shock, anger, denial, bargaining and acceptance. The new often involves questions of trying to understand the new, understanding how we fit into it, if our skills and habits will adapt well or poorly, and if we will profit or lose from it.

These are the sorts of issues which confront managers as a company goes through changes, and they are difficult and challenging. Companies change because the market changes when new competitors or new products emerge, or old ones go away. Oftentimes, it is easier to ignore these changes and keep doing what you have been doing, rather than to change.

Many American companies chose to react this way. They created a rust belt.

The world in which we worked as security professionals has gone through upheavals in the past. Things changed when UIUC released the Mosaic web browser, things changed when Aleph1 released ‘Smashing the Stack for Fun and Profit,’ and things changed when Cantor and Seagul sent their email. Things will change again.

Preventing the effective flow of information is one way to avoid change. If we can claim everything is the same as it has been, or if we can sweep things under the rug, we can keep doing what we’ve been doing. We can avoid change because change is hard, and the consequences are long term. We’re supposed to be good at thinking about such things here in security.

Sometimes, in security, when we talk about psychology, it’s interpreted as an attack. This is not intended as an attack on anyone. I’m trying to draw out all of the reasons why people are opposed to change in disclosure habits, so we can overcome them.

Sometimes true things are uncomfortable. Sometimes going to the dentist is uncomfortable. Being in denial about the state of things is often worse.

5 comments on "Psychology & Security & Breaches (Oh My!?)"

  • speller says:

    Cantor and Siegel?

  • 6000 newsfroups says:


  • Adam says:

    I first got the Green Card spam in Sun-managers, which was gatewayed to a newsgroup. So I remember it as an email spam.

  • fubar says:

    A book titled “The Innovator’s Dilemma” is the classic explanation of how dinosaur companies become extinct. The idea is controversial and has various critics, some of whom have their own interesting spins on the idea.
    I’m not a business person so I can’t explain how the following social change theories might apply to the process of change as it relates to IT security in the private sector. Integral theory does provide a framework for understanding how premodern, modern and postmodern paradigms are formed and interact. Maybe someone else can connect the dots to IT security?
    Gebersian Integralism and business:
    “… Jean Gebser (1949/1985) considered the basic forms of perception (ontological perception) present in culture. Rather than focusing on transformations that took place within individually boundaried cultures, he suggested that there is a gestalt within which all spheres of cultures coexist (Kavolis, 1992). Gebser identified five perceptual formations (or ‘structures of consciousness’) within which cultures are organized: the archaic, the magical, the mythic, the mental, and the integral. His work can be used to identify elements of cultural formations which are located within different modes of awareness. Every cultural cosmology emerges against an ever–present aperspectival ground. There is a tension and interpenetration of
    these modes of awareness (dimensions of consciousness)–’the dividing, disrupting, and dissolving aspects’ that prepare the way for awakening consciousness (Gebser, 1949/1985, p. 284). The ways in which the elements are organized generates the parameters that comprise a given cultural system.
    Within a modern mental–rational consciousness, events and phenomena must be reduced to linear, mental–rational understanding to be understood/defined as ‘real.’ This spacio–temporal positionality fragments the perceptual field. Business leaders’ attempts to drive organizational change calls into consideration how shifts within the mental–rational structure of consciousness are inspired by
    co–existing modes of awareness. The next sections examine how archaic, mythical, and magical structures call forth change that is pressed into comprehensibility within the mental structure of consciousness. …”
    “Change has come to resemble the shape of the myth of progress. ‘Progress is not a sign of purposeful activity but becomes a self–referential and self–enhancing repetitive structure: Progress is for the sake of progress. It turns back upon itself and assumes a mythological structure of cyclical repetition’
    (Kramer & Mickunas, p. xxii). Various change programs have become so regular in organizations that they have been referred to as the ‘flavor–of–the–month’ (Fishman, 1997, p. 64), thus ‘change’ has become a static ideology. Kramer and Mickunas (1992) note that one of the more dangerous aspects of our current consciousness is the collapse of mythical and magical structures. The myth of progress itself is identified with the ceaseless incrementation of power; the myth of change similarly reveals this structural collapse.
    Myths are usually expressed by psyche, ‘characterized by unrational images and imaginings such as projecting, forecasting, prophesying, and dramatic representation’ (Kramer & Mickunas, 1992, pp. xix–xx). Business futurists
    advise others to become ‘architects of destiny’ in addressing what business people should know about the future (LaBarre, 1996, p. 50). ‘One threat to the accuracy of prediction is that changes that have not yet occurred,
    including ‘progressive’ ones, cannot be factored into a model very well. But the more insidious threat . . . is the fact that making predictions about the future helps to spur change that makes such predictions inaccurate’
    (Kramer & Mickunas, p. xv). The power of the word brings into awareness that of which one speaks–and alters the ‘trajectory’ for prediction. As Ed McCracken, CEO of Silicon Graphics stated, ‘Long–term planning weds companies to approaches and technologies too early, which is deadly in our marketplace’ (Slater & Narver, 1999, p. 256). The ebb and flow of change activities within an organization exhibits the mythic dimension. …”
    “…The two basic features of integral awareness are transparency and atemporality.

    Transparency indicates the mutual relationships and dependent differences within a culture. The integral dimension subsumes all other modes of awareness ‘which continue to operate in their own ways as specialties within a more encompassing design or as levels of communication within it’ (Kavolis, 1992, p. 168).
    The second feature of integral awareness is atemporality.
    Atemporality ‘signifies concrete awareness of time as integral, prior to its abstract and linear division into past, present, and future’ (Kramer & Mickunas, 1992, p. xxv). Atemporality enables aperspectivity–a way of seeing something from all perspectives at once in ‘space–time freedom’. ‘Aperspectivity and atemporality are essential to integrating differentials that allow for openness and yet transparent comprehension’ (Kramer & Mickunas, 1992, p. xxvi).
    Three trends within the life of contemporary organizations offer potential for integral awareness: organizational dialogue, spirituality in business, and organizational learning. … ”
    ” .. In magical consciousness, if two objects are similar in some way they are taken to be identical. Likewise a part of an object is taken to be the whole. So it is that I can harm my enemy by sticking pins in a doll that looks like him or contains some of his hair. I can turn myself into a
    buffalo by wearing the buffalo mask, or into a woman by wearing woman’s clothing. When it is time for the rains to come we dance the rain dance, and it rains. We always do the dance at this season and it always rains. If it does not rain this time, it is because we are not doing the
    dance correctly. We will have to keep doing it until we get it right. In our experience many organizational practices have these characteristics, particularly and especially in the area of organizational advancement – a more recent coinage for what used to be called organization development.
    They are amply described in an article by Robert Schaffer and Harvey Thomson who speak of activity–centered interventions: they speak of such rain dances as the ardent pursuit of activities that sound good, look good and allow managers to feel good, but in fact contribute little or
    nothing to fundamental corporate performance.
    We do not have to look very far to see this magical consciousness at work in some curious and often poignant ways. The chairman of the board gets frightfully agitated when some lesser mortal sits in his chair, as though
    power will leak out of the chair into the interloper. The bureaucrat gets a larger desk and a more imposing office and immediately feels (and becomes) more powerful. The department spends a million dollars on the latest in information technology and expects this ritual act to shift it from the nineteenth to the twenty–first century. Last time the firm was in crisis we sacked our chief executive (or we did a major re–structure, or we called in the consultants, or we got a new logo) and the crisis ended.
    The firm is once again in crisis, so we repeat the ritual. If it doesn’t work we know we’ve got it wrong somehow, so we repeat the ritual, hoping to get it right this time.
    Integral Transformative Practice:
    Michael began by discussing how humans classify and organize as a way of structuring experience. His goal is to become more aware of the categories and constructs. He is especially interested in the role of crisis and disorder to motivate someone to discover new ways of constructing meaning and experience.
    Constructivism has roots in both Eastern and Western philosophies. It is related to evolutionary epistemology (Popper, Don Campbell) as well as complexity studies (chaos, self-organizing, autopoiesis, dissipative structures of Prigogine). A lot of the recent intellectual climate has tended to deconstruction, which can be destructive. Michael loves Wilber’s comment that the deconstructive post-modernists are driven by the Tag Team from Hell: Nihilism and Narcissism. Hence, he is trying to work from a more constructive post-modern platform.
    The five main themes of constructivism as he sees it:
    Human beings are active, anticipatory agents in their own experience and development. They are not just reactive like a Newtonian object.
    The majority of our efforts go into organizing experience — seeking and constructing order. This is predominantly tacit, automatic, and emotionally motivated.
    Self-relational — Construction of the self is a process, much like a scaffolding. Limited ideas of identity are impediments to transformation; people will become stuck with an idea, a diagnosis, a disorder, or a developmental history and no longer see it as possible to live in any other way.
    Social-symbolic — Development takes place embedded in human relationships and includes charged emotional bonds, language, culture. The power of language has both positive and negative attributes. It allows us to fix things in certain categories, but life doesn’t exist in packets.
    Dynamic dialectical development — We are always growing, if only to maintain our sense of coherence as a system.
    Development can be thought of as the non-linear emergence of new forms through the active interaction of contrasts.
    Humans are thus embodied theories of self & world, seeking a Sisyphean balance — a “dynamilibria” — between old and new activity patterns. Dynamilibria refers to a moving balance, which is different than the static balance typical of equilibria. Michael uses Sisyphus as a metaphor because we never quite get there; we are always leaning into the next moment. A major contention of constructivists is that novelty is necessary for development. We need new perspectives and experiences to keep exploring that edge. Too little novelty –> no change. Too much –> systemic contraction or a lack of functioning. All living systems have a natural and healthy resistance to change. We can only take so much change at one time. The long term view resembles respiration, with cycles of breathing in and out.
    The main question for Michael is how we can help structure individually paced challenges that honor the current coherence needs of an individual while also presenting opportunities for experimentation and new ways of being. This is much easier said than done. It happens moment to moment in therapy. It happens in phases in relationship — opening and closing.

