Archive for the ‘Psychology’ Category

Bias Thursday – Déformation professionnelle

February 4th, 2010 Josh No comments

While I am not a psychologist, a good understanding of psychological issues is an important part of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.


Déformation professionnelle (which Google translates as "professional distortion") is the tendency to consider situations from the perspective of your profession.  The classic example is the joke "when all you have is a hammer, every problem looks like a nail". What I've noticed, though, is that "profession" seems to apply to business divisions now. We're all getting extremely specialized, and that seems to create what we can call "a failure to communicate".

Take, for example, the concept of risk. In the security field, risk is bad and the steps that can be taken to avoid risk seem reasonable. However, in the business field, risk is viewed in terms of the potential gains that the risk can provide whereas the steps to avoid risk seem likely to cause problems and will therefore impact the bottom line. Similarly, admins and developers are likely to resist the perceived difficulties in implementing the mitigation strategies.

Again, there are both offensive and defensive capabilities to this bias. Offensively, simply knowing a target's profession can give you a good chance at predicting their responses. If you have a planned proposal, you can practice it against others in the same profession and tweak it before you present it to the people that matter. You can be aware of the context in which they will likely view your ideas and work on expanding their context before you get to the hard stuff.

Defensively, like most biases, you just have to be aware that you will likely view things within the context of your profession. Thus, if you are having conversations with those outside of your profession, there is a higher likelihood of misunderstanding. If you find yourself reacting negatively to something someone else says, you should check and see if maybe that reaction is because you are coming at things from different contexts.

As a note to this particular bias, I have occasionally been asked why I blog the way I do. Other than the fact that the Internet doesn't need yet another voice in the Security echo chamber, I find that forcing myself to consider issues from different contexts (mythological, natural, psychological, etc.) allows me to understand the issues at a deeper level. I don't know if it gives me any advantage over the usual advantages that one gains by taking time to think things through and write them up... but it doesn't seem to be hurting.


Bias Thursday – Pseudocertainty Effect

January 28th, 2010 Josh No comments

While I am not a psychologist, it's becoming increasingly obvious that a good understanding of psychological issues is an important facet of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.


In running through the List of Cognitive Biases on Wikipedia, I ran across the Pseudocertainty Effect. Simply put, this is the tendency of people to emphasize the positive over the negative when faced with a choice. The classic scenarios can be read at the Wikipedia link above and here.

Basically, this means that by phrasing a choice differently, you can guide people into making the choice you want them to. I've seen this used on the sales side of things, but I have to wonder whether it's an intentional abuse of this tendency.

As I see it, this effect is useful to note in both offensive and defensive capacity. On the offensive side, if you're needing someone to make a choice and you want them to take a risk, you emphasize the negative consequences, but if you want them to take a guaranteed path that may be incomplete, you emphasize the positive. For example, suppose you are pitching an idea to management. The idea has an 80% chance of success, but has a $10k cost. If you want them to accept your idea, you need to understand that the natural tendency would be to make the choice that preserves the certainty of saving $10k, rather than risking the 20% chance of failure. Thus, to be accepted, the proposal would need to either eliminate certainty altogether (perhaps tie the cost to averted loss offsets and phrase it as "between zero and $10k, depending on success") or focus on the certainties of the results. Thus, if the 80% projected success rate can be broken down into one set of guaranteed successes and some that are maybe 40% likely, the proposal can focus on $10k for a guaranteed success with a bonus opportunity for further improvements.

On the defensive side, you should be aware that it is natural to think this way and that others will try to exploit your tendencies along these lines. Whenever you are presented with a choice (well, one that matters anyway) you should ask yourself whether it is phrased positively or negatively. Then, knowing that you have a tendency to preserve positive outcomes but take risks to avoid negative ones, flip the phrasing around and see if the other choice makes sense. If you find that your choice flips with the phrasing, then this bias is in play and you need to think things through more carefully.
