Mental models and safety for good and informed decisions
The thought process of a security professional encompasses many mental models. These are not limited to hacking or technology; they cover principles with much wider applications.
Here are some general mental models that we can learn and their security applications:
1. Inversion
Difficult problems are best solved when they are worked backwards. Researchers are excellent at inverting systems and technologies to illustrate what the system architect would have preferred to avoid. In other words, it is not enough to think of all the things that can be done to secure a system; one must also think of all the things that would leave a system insecure.
From a defensive point of view, it means not only thinking about how to achieve success, but also how failure would be handled.
2. Confirmation bias
What someone desires, they also believe. We see confirmation bias deeply embedded in applications, systems and even entire companies.
It means that two people with opposing views on an issue can see the same evidence and feel validated by it. That’s why two auditors can evaluate the same system and come to very different conclusions as to its suitability.
Confirmation bias is extremely dangerous from the defenders' perspective because it clouds judgment. This is something that hackers take advantage of all the time.
People often fall for phishing emails because they think they are too smart to fall for one, or too insignificant to be attacked. Only when it is too late does reality set in.
3. Circle of competence
Security as a discipline is not monolithic. It consists of myriad areas of expertise. A social engineer has a specific skill set that differs from a researcher with expertise in gaining remote access to SCADA systems.
The number of tools in a tool belt is not important. What is far more important is knowing the boundaries of one’s circle of competence.
Managers who form security teams should evaluate the people on the team and create the circle of competence for the department. It can also help identify where there are gaps that need to be filled.
4. Occam’s razor
Also known as the “law of parsimony”, it can be summarized as: “Among competing hypotheses, the one with the fewest assumptions should be selected”.
In other words, it is a principle of simplicity relevant to security on many levels. Often, hackers will use simple, proven methods to compromise a company or its systems.
The same principles can be applied to securing organizations. It is worth keeping in mind Einstein’s quote that “an idea should be made as simple as possible, but not simpler.”
5. Second-order thinking
Second-order thinking means considering that effects have effects. In other words, it forces you to think long term when considering what action to take.
The question to ask yourself is, “If I do X, what will happen after that?”
It's easy in the security world to give first-order advice. For example, keeping up with security patches is often good advice. But without second-order thinking, it can lead to bad decisions with cascading consequences. Therefore, it is vital that security professionals consider all the implications before acting. For example, what impact will there be on downstream systems if we patch or upgrade the operating system on machine X?
6. Thought experiments
A technique popularized by Einstein, the thought experiment is a logical way to conduct a test in one’s own head that would be very difficult or impossible to perform in real life.
The purpose of a thought experiment is not necessarily to reach a definitive conclusion, but to encourage challenging thoughts and speculation, and to push people out of their comfort zone.
7. Probabilistic thinking
Although we cannot predict the future with great certainty, we subconsciously make decisions based on probabilities all the time.
For example, when crossing the street, we believe that the risk of being hit by a car is low. Even though the risk exists, we have looked for traffic and are confident that we can cross safely.
It is a method of thinking in which one considers all relevant prior probabilities and then gradually updates them as newer information arrives.
This method is especially productive given the fundamentally nondeterministic world we experience: we must use prior probabilities and new information in combination to arrive at our best decisions.
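The following sketch, added here as an illustration and not part of the original article, applies this prior-then-update reasoning to alert triage: an analyst's belief that a host is compromised is revised after each new observation. The base rate, the observation names and every likelihood are constructed values, and the observations are assumed to be conditionally independent given the host's true state.

```python
# Added example: sequential Bayesian updating during alert triage.
# All probabilities below are constructed for illustration, not measured rates.

def update(prior, p_if_compromised, p_if_clean):
    """Bayes' rule: P(compromised | observation) from the current belief."""
    for p in (prior, p_if_compromised, p_if_clean):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
    # Total probability of seeing this observation at all.
    evidence = p_if_compromised * prior + p_if_clean * (1.0 - prior)
    if evidence == 0.0:
        raise ValueError("observation is impossible under both hypotheses")
    return p_if_compromised * prior / evidence

def triage(prior, observations):
    """Fold observations into the belief one at a time; return each step."""
    belief, history = prior, []
    for label, p_if_compromised, p_if_clean in observations:
        belief = update(belief, p_if_compromised, p_if_clean)
        history.append((label, belief))
    return history

# Assumed base rate: 1 in 100 hosts that raise any alert are truly compromised.
PRIOR = 0.01

# (observation, P(seen | compromised), P(seen | clean)) -- constructed values.
# Assumes observations are conditionally independent given the host's state.
OBSERVATIONS = [
    ("office document spawned a shell", 0.60, 0.02),
    ("connection to a never-seen domain", 0.70, 0.10),
    ("user confirms running an admin script", 0.20, 0.80),
]

if __name__ == "__main__":
    print(f"{'prior':<40} {PRIOR:.3f}")
    for label, belief in triage(PRIOR, OBSERVATIONS):
        print(f"{label:<40} {belief:.3f}")
```

The third observation is more likely on a clean host than on a compromised one, so it moves the estimate back down: new information can lower a belief as well as raise it.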
Conclusion
While there may not be a simple answer to what it means to “think like a hacker,” using mental models to build frameworks for thinking can help avoid the pitfalls associated with approaching all problems from the same angle.