You are a walking organisational vulnerability
An IT security department has an obligation to be checking itself for blind spots, challenging assumptions and understanding the ‘unknown unknowns’, writes James Turner.
Recently I wrote a research note which analysed the role of unconscious incompetence in IT security. Unconscious incompetence is a concept which comes from the Conscious Competence learning model. The model states that there are four stages to learning a new skill and ideally we move from unconscious incompetence through to unconscious competence (where we perform the skill as though it was second nature).
At the stage of unconscious incompetence, people are unable to perform a given skill, they are ignorant of how poorly they perform the skill, and they are unaware of the importance of the skill. A classic example is the driving skills of younger drivers. According to a NSW Roads and Traffic Authority statistic, young drivers with a P licence are six times more likely to be involved in a fatal crash between 10pm and 5am than other drivers. Obviously there are a myriad of variables involved – different cars, use of alcohol, how many older drivers are usually out driving after 10pm. But the point I want to make about this is that it’s pretty reasonable to infer that, at the very least, overconfidence contributed to this disturbing statistic.
Overconfidence
Overconfidence is an ignorance of one’s own (in)abilities; we overestimate our abilities in the face of the task in front of us. (In a previous article I touched on the concept of hubris, excessive pride leading to utter destruction.)
Now, if we were to rate these younger drivers on the conscious competency learning model, we would have to rate them as unconsciously incompetent. Speaking from my own experience, it wasn’t until I passed a pretty large kangaroo standing beside a road at dusk as I did 180km/h that I realised that if it had jumped in front of me I had nowhere to go and no time to brake – I would not have been capable of avoiding the accident. I had started the journey from unconscious incompetence to conscious incompetence. But it wasn’t until I did an advanced driver training course a year later that I really got to grips with how clueless I had been.
That was 15 years ago; now my driving skills feel like second nature. But when I was teaching a friend to drive earlier this year I realised that driving skills had become so automatic that I couldn’t even articulate them. In fact, I’d picked up a few bad habits while under the delusion that I knew what I was doing. So for some period of time I have been driving around with bad habits, thinking I was safe, but actually being a liability to myself, my passengers, and those around me. In exactly the same way, many IT professionals can become complacent in a familiar environment. This complacency becomes a vulnerability.
In my research note I used the phrase ‘unknown unknowns’ and got some decent ribbing from the team about quoting former US Secretary of Defense Donald Rumsfeld. Rumsfeld took a lot of mocking for saying it, but the phrase and explanation are perfectly logical. “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.”
Unknown unknowns
In the world of IT security, it is the unknown unknowns that undermine organisational defences. These unknown unknowns can only be identified by people who have not been instilled with the same assumptions that the organisation is already working with. It is only through encouraging designated people, and third parties, to challenge assumptions and voice dissent that organisations stand a chance of avoiding the trap of insecurity-by-consensus.
I was taught some time ago that one of the stupidest things you can do in chess is to make a move and hope that your opponent doesn’t see the weakness in what you’ve done. Of course, it’s even worse if you don’t even realise the weakness yourself, because then you are probably making consistently terrible moves. Hoping that an attacker will oblige you by playing by the rules of your delusion is living in a fantasy. Being oblivious to your organisation’s weaknesses is the overconfidence that results in destruction. You will not be protecting what you do not think needs to be protected.
This means that the IT department, and IT security in particular, has a duty of care to be checking itself for blind spots. What haven’t you thought of? What have you grown complacent about? What do you think will never happen? What is it that you don’t know you don’t know? Only someone else can help you discover this.
by James Turner