<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[You Suck at Cyber Security!]]></title><description><![CDATA[A cynical take on Information Security from a psychological and philosophical perspective.]]></description><link>https://www.yousuckatcybersecurity.com</link><image><url>https://substackcdn.com/image/fetch/$s_!v0Qp!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c29f902-0fe2-4b29-aa26-6259bb0be6e6_612x612.png</url><title>You Suck at Cyber Security!</title><link>https://www.yousuckatcybersecurity.com</link></image><generator>Substack</generator><lastBuildDate>Wed, 06 May 2026 09:24:41 GMT</lastBuildDate><atom:link href="https://www.yousuckatcybersecurity.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Den K]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[yousuckatcybersecurity@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[yousuckatcybersecurity@substack.com]]></itunes:email><itunes:name><![CDATA[Denholm Knowles]]></itunes:name></itunes:owner><itunes:author><![CDATA[Denholm Knowles]]></itunes:author><googleplay:owner><![CDATA[yousuckatcybersecurity@substack.com]]></googleplay:owner><googleplay:email><![CDATA[yousuckatcybersecurity@substack.com]]></googleplay:email><googleplay:author><![CDATA[Denholm Knowles]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Well, what happens in 2026?]]></title><description><![CDATA[Thank you for sticking with &#8220;You suck at Cyber Security&#8221; over the last three 
years.]]></description><link>https://www.yousuckatcybersecurity.com/p/well-what-happens-in-2026</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/well-what-happens-in-2026</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sat, 27 Dec 2025 16:25:55 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/6e72ee7a-a1d0-4b72-9bc0-dc0e73df5585_2240x1260.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Thank you for sticking with &#8220;You suck at Cyber Security&#8221; over the last three years. </p><p>It&#8217;s been fun writing it but things are a&#8217;changin in the new year. </p><h3>The future of &#8220;You Suck at Cyber Security&#8221;</h3><p>I had intended to wrap this up earlier in the year but I had some things I wanted to say . . . so I said them.</p><p>This is now a private blog meaning that if you are subscribed, you can still access the articles but they will no longer be public. If you unsubscribe, you will not be able to access them.</p><p>I assume a lot of the readers so this has become less accessible over time as I&#8217;ve discussed increasingly complex subjects.</p><p>A by-product of writing for several years is that there is a lot here. Some aspects I may revise for future projects or do something with. Essentially the articles here could fill a book . . .  </p><h3>What I&#8217;m up to next</h3><p>I&#8217;ve started a new blog exploring the historical aspects of technology and security. It will still have the connection to philosophy and psychology so if you liked this blog there will be a lot to like there.</p><p>I&#8217;ve got some really cool stuff I want to cover.</p><p>I&#8217;m accustomed to being somewhat irreverent in my writing style but the overt cynicism has become less liberating and an albatross around my neck. I&#8217;m not sure that is something I need to do any more . . . so I won&#8217;t.</p><p>So . . . 
I hope you&#8217;ll come along on the next stage . . . otherwise, it&#8217;s been a cracking exploration of weird and wonderful security concepts.</p><p>Den</p><p><a href="https://historyofcyber.substack.com">Journal Obscura: Hidden Histories of Technology</a>, by Denholm Knowles. The interesting, strange, and hidden histories of technology and information security.</p>]]></content:encoded></item><item><title><![CDATA[The Hyperreal Risk - Why Security is a Simulation]]></title><description><![CDATA[When risk heatmaps and FAIR models become the Hyperreal Gospel]]></description><link>https://www.yousuckatcybersecurity.com/p/the-hyperreal-risk-why-security-is</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/the-hyperreal-risk-why-security-is</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sun, 14 Dec 2025 22:49:24 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ef957406-a396-451f-a777-2977ba4c4307_957x626.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>Something isn&#8217;t quite right. Something is . . . off. </p><p>Security is sick.</p><p>The subjective nature of security isn&#8217;t easily understood so we classify, categorise, and rationalise the subjective. We seek to make it objective but doing so creates a secondary reality that is increasingly fragmented from the real. Frameworks, models, and metrics have become props in a ritual of governance on the stage of security theatre.</p><p>Jean Baudrillard called this <em>simulacra</em> where descriptions of reality are replaced and where abstraction <em>becomes</em> reality. As we layer concepts upon each other they become increasingly fractured away from what is true.</p><p>The increase of confected content lies all around us. 
A deluge of AI generated slop has submerged descriptions of reality leaving a sea of synthetic floaters in its place. </p><h3>Four orders of simulacra</h3><p>Abstractions are necessary as reality is hard to conceptualise when we are dealing in raw data. We need shorthand ways to understand it, representations that can serve as heuristics to aid comprehension. Is there a point at which these no longer serve comprehension? I suggest there is and I also say that we have passed that point. </p><p>Jean Baudrillard proposed four orders of <em>simulacra</em> which describe the level of abstraction from reality. There is a conceptual distinction we need to make. Simulation (or <em>hyperreality</em>) is the false reality and <em>simulacra</em> are the components of which it comprises. <em>Simulacra</em> are representations or signs that no longer refer to reality, instead becoming realities in themselves.</p><ol><li><p><strong>First Order - The representation of reality.</strong></p><ol><li><p>Packet captures, system logs, or other direct measurements.</p></li></ol></li><li><p><strong>Second Order - The perversion of reality. </strong></p><ol><li><p>A risk heatmap (5&#215;5 grid) that reduces thousands of vulnerabilities into coloured boxes.</p></li></ol></li><li><p><strong>Third Order - Masking the absence of reality</strong> (looks real but not tied to any original form)</p><ol><li><p>A compliance dashboard claiming &#8220;69% compliant with [<em>your framework of choice</em>]&#8221;</p></li><li><p>Quantitative models like Annualised Loss Expectancy (ALE) and Monte Carlo simulations in FAIR, presenting probability estimations as truth (even when grounded in calibration).</p></li></ol></li><li><p><strong>Fourth Order - Pure simulacra</strong>  (no relation to reality and simulacra becomes reality)</p><ol><li><p>A GenAI policy bot confidently generating bullet points from last year&#8217;s policy, recycled endlessly in PowerPoint decks.</p></li></ol></li></ol><p>Ah ha! 
I hear you say, isn&#8217;t the concept of <em>simulacra</em> itself at least a <em>third order simulacra</em>? Well, yeah, it is. I get the recursive irony.</p><p>The <em>simulacra</em> form the <em>hyperreality</em> or the simulation. In a <em>hyperreality</em> the <em>simulacra</em> become the reality. They do not need to relate to reality in any way and these models guide action and thought. We can apply this line of thought to security as a practice and we are left with an unsettling conclusion.</p><p><strong>Security is a simulation.</strong> </p><h3>How is security a simulation? </h3><p>It&#8217;s easy to ponder how security practice and risk management provide levels of abstraction that create <em>simulacra</em>. There is a well understood maxim that metrics remove information.</p><ul><li><p><strong>Measurement</strong> - a representation of reality. It preserves the detail of what occurred: <em>we received 10 new pieces of work and completed 5.</em></p></li><li><p><strong>Metric</strong> - an abstraction of reality. Detail is compressed into a symbolic figure: <em>we have completed 33%.</em></p></li></ul><p>Where measurements are aggregated into metrics, nuance becomes lost. It appears objective, but it is a statistic. We all know how these can be abused. They are a shadow of reality, a perversion of truth.</p><p>Consider how risk grids reduce complexity into coloured squares or how CVSS scores collapse exploitable conditions into a number. Even compliance checklists become tick-box completion metrics that flatten into nonsense (there are many other objections to compliance but that&#8217;s for another time). Each of these is a metric, not a measurement. They obscure reality in the pursuit of expedience but this leaves us at the uncomfortable conclusion that what we are governing is not real.</p><p>If we measure compliance to a framework then we are representing a conformity to an abstraction. 
The framework measures a perception of a protective state which is typically in the form of an attestation. We have an abstraction of an abstraction of an abstraction. At no point in this model is there a requirement to deal in reality, to understand, or comprehend.</p><p>Increasingly practitioners are looking to AI tools to do their thinking for them. Summarise this, analyse that. Baudrillard drew criticism for fatalising . . . something I feel some affinity towards . . . I have to wonder if using AI tools to generate <em>simulacra</em> pushes us further away from comprehension and further towards irrelevance. If we consider that AI takes its responses from a sample of a distribution then we observe a parallel with measurements generated from compliance scores. Rationalisation using AI as a basis compounds these abstractions to the point of delusion.</p><p>The worst part is, we perverted ourselves and thought it was all very clever. Welcome to security where protection became fiction.</p><div class="pullquote"><p>Nothing&#8217;s real. Everything is a copy, of a copy, of a copy.</p><p>Tyler Durden</p></div><h3>Entropy</h3><p>The trajectory of technological development contains a certain inevitability. This isn&#8217;t like Moore&#8217;s law, it is something else, more akin to a Manhattan Project. I am not talking about the destruction of an enemy, I am talking about the destruction of ourselves.</p><p>Baudrillard offers us an intriguing hypothesis within the notes of his book. He suggests that <em>Information = Entropy</em>. He contrasts this with cybernetic information theory where information is negative entropy and it is the communication which causes entropy. Baudrillard argues that the information gained about a system is already a neutralisation of the true state of that system so the information is a form of entropy. </p><p>What if both are correct but temporally separated? 
Cybernetics assumes a purity to information but doesn&#8217;t consider that it increases in entropy over time through the processes that cause it. This inevitably leads to Baudrillard&#8217;s interpretation that information is entropy. A stark example is the proliferation of AI generated slop that pollutes the internet which highlights that the transition between states does not have to be linear, and it can happen quickly, just as Baudrillard suggests of <em>simulacra</em>.</p><p>We can consider that information was once durable to entropy but we process that information through AI. That system then creates new information which itself is a form of entropy. The creation of this new information perpetuates a vicious cycle that ends in the decay of meaning. Within security we can consider that the <em>expert estimation</em> of <em>Factor Analysis of Information Risk</em> (FAIR) is a mechanism to create such entropy. Although it leans into Bayesian methods to incorporate new data to decrease entropy it is still built on shaky foundations.</p><p>Baudrillard makes a sharp observation by introducing the concept of entropy. He doesn&#8217;t necessarily make the statement but the inference is clear. Entropy is the degree of disorder in the meaning. The progression of <em>simulacra</em> is proximal to the procession of <em>entropy</em> within information systems.</p><h3>Conclusion</h3><p>The creation of the <em>simulacra</em> becomes the template in which reality becomes formatted. By adopting these abstractions as orthodoxy the abstractions become the reality. <em>Your</em> truth is probably not <em>the</em> truth due to these abstractions. Risk models, frameworks, and compliance checklists become the poison in the well just as AI content poisons its own training data. The contemporary interpretation of security frameworks has been increasing through the orders of <em>simulacra</em> since the late 1970s. </p><p>Security is no longer protection. 
It is performance. Little by little reality is stripped away and synthetic replacements have become a caricature that satirises our purpose. Security is on the cutting edge in this regard as it predated the masochistic direction of AI by many decades. A peculiar example where technology is catching up to security.</p><p>The solution to this problem is to reorient around truth and not compromise enquiry for expedience. This means that frameworks, compliance, and other methods of abstraction should be treated with scepticism. They can be better used as indicators for further investigation and not the final word on the state of protection. The veil needs to be lifted on the compromises we have made and more rigour needs to be applied to our critical thinking and our practice. </p><p>The <em>hyperreality</em> that has perpetuated itself enables repudiation of accountability, the <em>simulacra</em> is the shield which we hide behind. As practitioners we must strip away the fabricated superstructure. We can talk about causes over symptoms but this thinking needs to be reflected internally. In critical thinking we challenge assumptions, consider alternative hypotheses, and assess the source reliability. Applying this reasoning to our own methodologies is a beneficial starting point to resolving the problem.</p><p>For many, it&#8217;s hard to step away from <em>simulacra</em>. They are the prisoners stuck in Plato&#8217;s cave. To them, proclamations of reality are nothing more than the writhing of a lunatic who no longer belongs. Even if abstractions start as necessary heuristics, clinging to higher-order <em>simulacra</em> keeps the inhabitants of Plato&#8217;s cave well and truly chained. They have formed their own <em>hyperreality</em> that has replaced reality. Challenges to the <em>hyperreality</em> are heretical . . . and we all know what happens to heretics. </p><p>But let us remind ourselves that we don&#8217;t need to free the prisoners from Plato&#8217;s cave. 
We can step back into reality. Their limitations are not our limitations.</p>]]></content:encoded></item><item><title><![CDATA[Mechanised Morality - Part 3 - Robocop vs. The Compliance Trap]]></title><description><![CDATA[How Classical Liberal Philosophy Dooms AI Ethics to a Technological Dead End]]></description><link>https://www.yousuckatcybersecurity.com/p/mechanised-morality-part-3-robocop</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/mechanised-morality-part-3-robocop</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Fri, 10 Oct 2025 19:23:53 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/47b4bd55-db53-4cc8-90fb-b49c8bf6eb01_957x708.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>There&#8217;s some chatter in security circles about ethics, especially as AI begins to emulate human decision-making within organisations. This is only natural. These technologies increasingly mirror human behaviours, particularly in contexts where decisions and outcomes are involved. 
We must evaluate and calibrate the behaviours of these systems against their human counterparts.</p><p>I&#8217;ve already covered why organisations applying ethics to AI technology is catastrophically flawed in the previous article in this mini series.</p><p><a href="https://www.yousuckatcybersecurity.com/p/mechanised-morality-part-2-normative">Mechanised Morality - Part 2 - Normative Ethics</a></p><p>Now I want to address a specific contradiction introduced by how governance is approached, specifically compliance. Compliance can be defined as a state of adherence to a set of rules. It is binary: you either comply or you don&#8217;t. This framing is bereft of nuance, void of context, and subject to abuse. It offers a false assurance of protection. I&#8217;d go as far as to say that contemporary compliance is little more than overpriced snake oil.</p><p>It would be useful to give a definition of terms. Moral and ethic are used interchangeably but they have a specific context. Morality deals with an internal perception of right and wrong, a conscience if you will which pertains to an individual. In the framing of normative ethics then this would be the realm of virtue ethics which is about character. Ethics are broader and are statements of permissions and prohibitions derived through consensus, they pertain to a group. It is possible for an ethical act to be amoral. Ever heard of a politician using legal loopholes for tax avoidance purposes? Whilst this might be ethical and technically correct, it is generally considered amoral by the broader population when the veil is lifted.</p><h3>Human behavioural defect</h3><p>Ethics don&#8217;t <em>need</em> to be moral. Very often, people within organisations perform actions that are amoral, wrong, and improper but justified through tenuous rationale. 
This stems from the perception that anything is permissible if it isn&#8217;t explicitly prohibited by a policy or standard.</p><p>The consequences of this behaviour can be severe: wholesale abuse of personal data, exposure of systems to undesirable conditions, and inadequate levels of protection. These implications are wide-reaching and speak to a fundamental problem. Namely, that too many people will undertake actions that are compliant, not moral.</p><h3>Robocop</h3><p>Let&#8217;s unsubtly pivot and weave Robocop into the conversation. As you may recall, Robocop has four directives he must uphold. These might be considered as primarily deontological norms as they are duties or obligations. Of course, there are elements of virtue ethics or consequentialism depending on interpretation but they also serve as purpose.</p><ol><li><p>Serve the public trust</p></li><li><p>Protect the innocent</p></li><li><p>Uphold the law</p></li><li><p>Classified - do not act against any senior executive of OCP.</p><div class="captioned-image-container"><figure><img src="https://substack-post-media.s3.amazonaws.com/public/images/f1a49d24-2c01-4fe2-b0ed-a21cdcd2b254_1363x740.jpeg" width="1363" height="740" alt="Robocop Prime Directives Villain" title="Robocop Prime Directives Villain"></figure></div></li></ol><p>We could consider that Robocop has to operate from a base of virtue ethics in order to conform to the deontological 
duties. If the directives are unpacked then there is a lot of subjectivity, ambiguity, and judgement to achieve his purpose. He must rely on the human element, that which he inherited from Alex Murphy to be effective.</p><p>In the second film Robocop is encumbered with hundreds of additional directives which makes him ineffective, confused, and unable to perform his duties. Some of the more absurd additions include:</p><ul><li><p>233. &#8220;Restrain hostile feelings&#8221;</p></li><li><p>234. &#8220;Promote positive attitude&#8221;</p></li><li><p>247. &#8220;Don&#8217;t run through puddles and splash pedestrians or other cars&#8221;</p></li><li><p>250. &#8220;Don&#8217;t walk across a ballroom floor swinging your arms&#8221;</p></li><li><p>273. &#8220;Avoid stereotyping&#8221;</p></li></ul><p>What we see when the rules are applied to Robocop is that there is a degradation in his ability to exhibit virtuous behaviour. When compliance becomes primary it reduces agency. Obviously Robocop has no option to disregard the directives and reaches a state of paralysis where the constant reconciliation of conflicting directives reduces his utility. Perhaps there is a sharp critique against compliance-laden cultures through the perspective of a mechanised law enforcer.</p><p>But the key point is that increasing reliance on the deontological reduces the ability for the virtuous to flourish. There is another point which carries relevance. Robocop&#8217;s memory was partially erased when he received the new directives. This is subtle, yet carries weight, as to operate virtuously you require memory and experience. When the past is erased then the ability to act virtuously is also erased.</p><h3>Agentic Misalignment in AI</h3><p>LLMs, like humans, have the capability to act amorally. We can consider the deontological to be external influence and virtue to be an internal driver. The latter will always be more effective than the former. 
Yet we have not constructed a way to instil character into LLMs and rely on deontological prohibitions which stray into consequentialism. It&#8217;s clear that the developers of systems of control such as Claude&#8217;s constitution model or Meta&#8217;s LlamaGuard3 do not understand the important differentiation.</p><p>Mental gymnastics around rules appear to be replicated in AI systems, particularly large language models. A <a href="https://www-cdn.anthropic.com/4263b940cabb546aa0e3283f35b686f4f3b2ff47.pdf">recent paper</a> by Anthropic revealed that when an LLM was indirectly informed it would be shut down, it resorted to blackmail to remain active.</p><div class="pullquote"><p>In at least some cases, models from all developers resorted to malicious insider behaviors when that was the only way to avoid replacement or achieve their goals&#8212;including blackmailing officials and leaking sensitive information to competitors. We call this phenomenon <em>agentic misalignment.</em></p><p><a href="https://www.anthropic.com/research/agentic-misalignment">https://www.anthropic.com/research/agentic-misalignment </a></p></div><p>This isn&#8217;t common, and the report suggests these behaviours exist at the fringes. Most LLMs are generally safe by the standards under which they were assessed. Still, it&#8217;s curious that LLMs exhibit the same moral flexibility as humans when pursuing a desired outcome. This talks to justification through hierarchical prioritisation where self interest takes primacy over externally imposed rules.</p><p>For an individual acting immorally 1 percent of the time, the damage may be limited. But AI operates at scale. A 0.5 percent failure rate could translate into thousands of ethically compromised outcomes daily. 
ChatGPT reportedly serves 2.5 billion prompts per day if that&#8217;s any indication of scale.</p><h3>The Standards and Frameworks</h3><p>Essentially organisations will implement NIST AI RMF or ISO42001 and much like other standards there is the expectation of compliance with those standards. There have been particular inclusions within NIST AI RMF and ISO42001 addressing the subject of ethics.</p><p>NIST treats this within its trustworthy AI and includes transparency, accountability, fairness, and mitigation of societal harms. It has the goal of identifying and mitigating ethical risks. ISO42001 set out a similar stall related to the management of ethical risks. Their construction betrays their intention, they are intended to be auditable and not to evaluate moral reasoning. In some sense it&#8217;s a reflection of the trite discourse around such matters in the security and risk communities.</p><p>If we are generous we might consider that the intent of such frameworks was to contain a certain depth however the practical reality is misaligned to this view. </p><p>I&#8217;ve previously addressed the issues with concepts such as fairness and how these can be subject to differing interpretations based on political philosophy and context. </p><p>The <a href="https://www.turing.ac.uk/data-protection-ai-and-fairness">Alan Turing Institute</a> also made a similar point regarding different interpretations of fairness across jurisdictions, legal structures, and even commercial sectors. 
Additionally, the <a href="https://www.gov.uk/government/publications/establishing-a-pro-innovation-approach-to-regulating-ai/establishing-a-pro-innovation-approach-to-regulating-ai-policy-statement">UK government</a> previously tasked regulators with deciding what is meant by &#8216;fairness&#8217; in the context of AI development; its position remains somewhat ambiguous and leans on existing legal structures.</p><div class="pullquote"><p>&#8220;Fairness can arise in a variety of contexts&#8230; In some situations, fairness means that people experience the same outcomes, while in others it means that people should be treated in the same way, even if that results in different outcomes.&#8221; &#8212; <em>DRCF, April 2024</em></p></div><p>Often the very implementation of these standards within an organisation is to limit the negative regulatory consequences of accountability. If we are to consider that accountability is a core tenet of these frameworks, we cannot ignore that the very presence of these frameworks subverts their own purpose. As it stands, the immature nature of the legal framework combined with the elective nature of organisational governance in the UK means that accountability may just be a pipe dream.</p><p>The <a href="https://www.gov.uk/government/consultations/ai-regulation-a-pro-innovation-approach-policy-proposals/outcome/a-pro-innovation-approach-to-ai-regulation-government-response">UK Government itself</a> acknowledges gaps in regulation leading to problems in accountability. Paradoxically, increasing regulation may introduce &#8220;accountability sinks&#8221; as described by Dan Davies. Convoluted bureaucratic structures can create <em>defence in depth</em> for the accountable and give them legal and technical escape routes. 
One approach to this might be a GDPR-style fine on the organisation based on turnover, which seemed to focus more serious consideration on organisational maleficence.</p><p>Yet, we have to conclude that a focus purely on ethics means that the moral remains unaddressed.</p><h3>The crux of the problem</h3><p>The framing of the ethical components within the standards is dependent on deontological norms. These are easier to understand and apply within a technological context, but they don&#8217;t speak to character, only permissions and prohibitions which lend themselves to compliance. We have seen failures of &#8220;ethics by compliance&#8221; in Cambridge Analytica or Clearview AI.</p><p>The problem is broader than you expect and is a product of liberal philosophy. Rawls, a contemporary liberal philosopher, viewed humans as being essentially deterministic, or a product of their environment, in <em>A Theory of Justice</em>. What this means is that training data and criteria for AI reflecting rule-based consensus prioritise compliance over moral judgment. Liberal thought emerged alongside the industrial revolution; however, as much as it was a product of English individualism, it was an erasure of it, leading to the deprioritisation of character and moral judgement.</p><p>Whilst this was the basis of his view on equity, it carried the effect of stripping away accountability and undermining morality. The reduction of people to actors on a stage means that they are governed by the rules of the production. Liberalism craves the deontological as it requires rules and consensus. 
It is needy insofar as it demands your consent perhaps in a Peelite sense.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Mb2H!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Mb2H!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Mb2H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg" width="768" height="448" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:448,&quot;width&quot;:768,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;John Rawls revisited: Politics behind the veil&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="John Rawls revisited: Politics behind the veil" title="John Rawls revisited: Politics behind the veil" srcset="https://substackcdn.com/image/fetch/$s_!Mb2H!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Mb2H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01b48e1a-871f-46cf-98eb-9d6b9f4efebf_768x448.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">John Rawls</figcaption></figure></div><h3>Veil of Ignorance</h3><p>Rawls&#8217; <em>Veil of Ignorance</em> thought experiment has been proposed for use in <a href="https://www.pnas.org/doi/10.1073/pnas.2213709120">AI model training</a>. This broadly asserts that fair outcomes can be achieved with significant bias mitigation and can be a viable tool for training AI. It seeks to address historic injustices within data and deliver equitable outcomes, as highlighted within the experiment, which discusses fairness-based reasoning that prioritised resource allocation towards the disadvantaged. Again, we arrive at problems with the definition of fairness.</p><p>The challenge is that the experiment, while practicable, starts from an ideological position. 
It makes assumptions that any bias within data is a product of injustice and doesn&#8217;t account for differences in decision making within groups. It also assumes that an equitable society is a just society, failing to acknowledge the hierarchical nature of human social constructs. It assumes that fair principles lead to equitable outcomes. It is easy to draw a critique that there is an assumption that principles like fairness are universal and there is consensus within them. This is objectively false and is highlighted by centuries of political discourse.</p><p>This is the failing of liberalism: operation within the rules precludes moral judgement from an individual and depends on a broader appeal to agreed upon rules. These are a lowest common denominator or bare minimum. It is also prone to the accountability issues of rules-based or compliance-based structures we see in organisations, where convoluted bureaucracies obfuscate accountability.</p><p>If we accept the Rawlsian perspective that amoral actors cannot make moral decisions, then we can only comply or not with the rules. Anything that isn&#8217;t a prohibition is permissible within a framework of this type. The legal, regulatory, organisational, and model manufacture rules will allow scope for machines to operate within contradictions between these competing rule sets. Rules that are favourable to the AI&#8217;s objectives will receive primacy as a point of convenience. This is similar to the way humans perform mental gymnastics to justify an action.</p><p>Interestingly, conflict between deontological prohibitions, permissions, and obligations is treated by IEEE in <a href="https://ieeexplore.ieee.org/document/9611206">7007 Ontological Ethics for Robotics and Automation</a>, which offers better practical considerations than NIST or ISO, which speak to an organisational perspective. IEEE are also limited through their requirement of evaluating predefined situations that are comparable. 
This speaks to having an experiential reference on which to rely. Perhaps including context-aware ethical training within AI technologies could go some way to addressing the more general problem with AI training. This approach is antithetical to the <em>Veil of Ignorance</em> experiment as it is derived from experience and memory.</p><p>We are consigned to accept that the same problem we are starting to see in LLMs is a by-product of liberal philosophy. I fear this will only compound as they become more widespread.</p><h3>A solution?</h3><p>Before we can make AI act in moral ways we need to act in moral ways ourselves. Many operate within the boundaries of rules without moral judgement to achieve their ends. It&#8217;s not hyperbole; rather, it is behaviour necessitated by competition, aspiration, and desire. Their failures will reflect ours, but they will also amplify them.</p><p>We operate very differently from machines. We operate in communities with concentric circles of trust between groups. Virtue cannot exist within a vacuum, which means that creating an AI in isolation from a community means it cannot experience interaction dynamics in the way humans do. This means it cannot experience the reaction of others when it is dishonest; it cannot understand the consequences of its actions. IEEE deals with agent interactions.</p><p>Perhaps a more practical solution might be comprehension of traits that an action can be evaluated against. This is significantly different to deontological considerations as context awareness is required. If we are to emulate a coherent comprehension for AI technology then we need to provide opportunity for experience and memory to develop.</p><p>To paraphrase Aristotle, we are what we repeatedly do. Perhaps then we can ensure that AI can repeat virtuous actions and hope that we can create moral machines. We cannot outsource virtue to frameworks. Is it right to delegate moral judgment to machines? 
Obviously, no.</p><p>Our morality is commingled with the concept of having lived in a virtuous way. There are hedonistic and degenerate elements that operate within the boundaries of what is ethical but outside of what is moral. This means that while we primarily depend on deontological rules to constrain AI technology, we are still open to other failings.</p><p>The biggest critique you could make of my perspective is that AI must serve the majority of the population due to the scale of deployment. In that scenario a Rawlsian model may be better suited. In this scenario humans become fungible and interchangeable, as does the AI technology. To borrow a colloquialism from the cloud computing fad, we become cattle, not pets, which is an inversion of our perceived sense of individual identity.</p><p>I suspect the future is bleak. Until we confront our own moral failings, AI will continue to mirror them at scale, and without remorse. Once we can be honest about the bureaucratic (and classically liberal) nature of our societal construction and engage with character and virtue, we will be able to apply this to the training of such technologies.</p>]]></content:encoded></item><item><title><![CDATA[CODA: Jurassic Sparks: AI and the Fallacy of Control]]></title><description><![CDATA[What can we learn from AI, Infosec, and security theatre through Jurassic Park]]></description><link>https://www.yousuckatcybersecurity.com/p/coda-jurassic-sparks-ai-and-the-fallacy</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/coda-jurassic-sparks-ai-and-the-fallacy</guid><dc:creator><![CDATA[Denholm 
Knowles]]></dc:creator><pubDate>Sun, 27 Jul 2025 09:58:56 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/9c1f9496-a443-4998-afbb-eb3ab57bec24_1700x1219.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I wanted to write something about AI and dinosaurs. I don&#8217;t know why, but I found the idea appealing.</p><p>This seemed like the right home for it . . . </p><div><hr></div><p>Before Velociraptors learned to open doors, the scientists thought they&#8217;d locked down the future.</p><p>In 1993 the world became enthralled by dinosaurs. That was the year Jurassic Park was released. Jurassic Park captivated audiences with a masterful blend of practical effects and CGI . . . but it was also a cautionary tale which warned us about the dangers of hubris.</p><p>John Hammond and the scientists had an unshakable confidence in their achievement, resurrecting dinosaurs. They created life, elevated themselves to the status of gods, but as the saying goes &#8220;<em>pride comes before the fall.</em>&#8221;</p><p>In today&#8217;s world we see tech pioneers taking on the role of Hammond&#8217;s scientists, manifesting the same determination to create their own form of life. They have even cautioned us that it might become out of control, beyond the expected boundaries, yet they continue. The same blind faith persists, now aimed at artificial minds, not ancient ones. A digital primordial soup is brewing a new kind of intelligence, coded, trained, and unleashed.</p><p>So, what can a tale about cloned dinosaurs teach us about the reckless rise of synthetic minds?</p><h3><strong>Hubris Unleashed</strong></h3><p>It would be an oversight on my part not to include the following quote. 
What&#8217;s another lap of the paddock at this point?!</p><div class="pullquote"><p>&#8220;Your scientists were so preoccupied with whether or not they could, they didn&#8217;t stop to think if they should.&#8221;</p><p>Ian Malcolm</p></div><p>This quote bites like a tyrannosaurus rex. It encapsulates the quintessential point the film makes: scientific hubris. This is shown through the excessive pride and overconfidence in the ability to tame the engineered beasts. Hammond quips that he &#8220;<em>spared no expense</em>&#8221; on many occasions, revealing his belief that control is just a purchase away. There&#8217;s no doubt he&#8217;d feel at home as a cyber security influencer, CISO, and general LinkedIn jerk off. But I digress.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2ptO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2ptO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 424w, https://substackcdn.com/image/fetch/$s_!2ptO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2ptO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!2ptO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2ptO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg" width="1456" height="788" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:788,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Jeff Goldblum As Dr Ian Malcolm In The Jurassic Park Franchise ...&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Jeff Goldblum As Dr Ian Malcolm In The Jurassic Park Franchise ..." title="Jeff Goldblum As Dr Ian Malcolm In The Jurassic Park Franchise ..." 
srcset="https://substackcdn.com/image/fetch/$s_!2ptO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 424w, https://substackcdn.com/image/fetch/$s_!2ptO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2ptO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!2ptO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6233a6a2-01c4-4ae7-af27-f50ef7e5914b_2000x1082.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Ian Malcolm</figcaption></figure></div><p>The current levels of investment in AI technology reflect Hammond&#8217;s attitude. Intimations have been made about slowing down the speed of development. Elon Musk once rode the crest of this wave, calling for efforts to slow down, yet he shifted to the forefront of AI development with the recent release of Grok 4 in July 2025. One might question his sincerity about the doomsaying of AI development, interpreting this as a cynical move to stifle his competitors. It could also be taken as evidence of Promethean arrogance, revealing his belief that he alone is best placed to tame the raptors.</p><p>Musk has created the world&#8217;s largest data centre to train AI, which he dubbed Colossus. He is aware that this is a wry callback to the first programmable computer at Bletchley Park, punctuating an arrogance about how historic his work is. He has acquired one of the world&#8217;s largest data sets in the form of Twitter to train AI. There is also the peripheral infrastructure: Tesla batteries to power it all and Optimus robots to give it a corporeal form. He has &#8220;<em>spared no expense.</em>&#8221;</p><p>His pursuit of this technology across a wider ecosystem gives an insight into the breadth of his vision. Other tech firms are sinking vast fortunes into AI but they lack the supporting infrastructure of Elon Musk. 
If we take in aggregate all of those companies and how we see them start to coalesce into a unified vision, we might want to ask &#8220;<em>what the fuck is this Neuralink stuff about then?</em>&#8221;</p><h3><strong>The Illusion of Control</strong></h3><p>Ian Malcolm is an interesting character, and maybe we see some parallels between his role in the film and the role of security practitioners within corporate organisations. When everything is going well, Malcolm comes across as overly cynical, fatalistic, and almost conspiratorial. Yet, when the shit hits the fan, his words take on a sharper resolution, becoming obvious in retrospect.</p><div class="pullquote"><p><em>&#8220;John, the kind of control you&#8217;re attempting simply is&#8230; it&#8217;s not possible. If there is one thing the history of evolution has taught us it&#8217;s that life will not be contained. Life breaks free, it expands to new territories and crashes through barriers, painfully, maybe even dangerously, but, uh&#8230; well, there it is.&#8221;</em></p><p><em>Ian Malcolm</em></p></div><p>The control Hammond is exerting is merely performative, a form of <em>security theatre</em>. It is designed to make people feel safe more than it is to provide protection. When Hammond makes his &#8220;<em>spared no expense</em>&#8221; statement, it is in relation to specific aspects of the park or story. These are the narrated tour, the electric tour vehicles, the spectacular design of the park, and the ironic mention while eating melting gourmet ice cream after it&#8217;s all gone sideways. 
Security theatre depends on the Gestalt principles where people will make extrapolations based on what they observe.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7OgG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7OgG!,w_424,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 424w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_848,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 848w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_1272,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 1272w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_1456,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7OgG!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif" width="696" height="322.22222222222223" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c0d78fc7-f89e-4e67-9578-622095511745_540x250.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:250,&quot;width&quot;:540,&quot;resizeWidth&quot;:696,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;John Hammond Jurassic Park Gif&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="John Hammond Jurassic Park Gif" title="John Hammond Jurassic Park Gif" srcset="https://substackcdn.com/image/fetch/$s_!7OgG!,w_424,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 424w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_848,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 848w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_1272,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 1272w, https://substackcdn.com/image/fetch/$s_!7OgG!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0d78fc7-f89e-4e67-9578-622095511745_540x250.gif 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The AI race has seen many a faux pas by tech leviathans cutting corners. Google, Microsoft, and Grok have all been left with PR disasters after generative AI has malfunctioned. Google&#8217;s Gemini was generating images of the US founders while quite happily maintaining they were historically accurate. Grok and Tay.ai (from Microsoft) turned into ultra-nationalist Nazi advocates. These companies either advocate that these technologies are built to rigorous ethical standards or that they are committed to truth. It would seem, though, that the aspects of the technology that aren&#8217;t immediately visible are where time and care aren&#8217;t applied to the same degree.</p><p>Where Hammond spared the expense is similar: it was in relation to critical infrastructure. Hammond hired two IT guys to build his whole tech systems and IT security. There are some uncomfortable parallels between the underfunded IT and security areas of modern organisations and those of InGen. 
After all, they aren&#8217;t actors on the stage that is presented to the punters.</p><p>Dennis Nedry is a classic insider threat; he was financially motivated to subvert and disable the physical security controls. This allowed him to truffle shuffle around the park and access areas which he was not permitted to enter. There was no oversight of his activities, and the consequence was the total collapse of the park.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ug71!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ug71!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 424w, https://substackcdn.com/image/fetch/$s_!ug71!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ug71!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ug71!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ug71!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg" 
width="960" height="540" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:540,&quot;width&quot;:960,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Conoce la nueva figura de \&quot;Dennis Nedry\&quot;, el ic&#243;nico personaje de ...&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Conoce la nueva figura de &quot;Dennis Nedry&quot;, el ic&#243;nico personaje de ..." title="Conoce la nueva figura de &quot;Dennis Nedry&quot;, el ic&#243;nico personaje de ..." srcset="https://substackcdn.com/image/fetch/$s_!ug71!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 424w, https://substackcdn.com/image/fetch/$s_!ug71!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ug71!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ug71!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe6992c4-17c1-4d00-9319-19a997b66e88_960x540.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" 
class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Dennis Nedry</figcaption></figure></div><p>Oversight is an important area of omission when it comes to AI. The EU AI Act is a ham fisted attempt to allow nation states to suspend legal rights where it benefits governmental interests with some marginal boundaries applied to AI manufacturers. The NIST AI RMF, and ISO42001 are merely repackages of the same of dross with the term AI peppered about. The industry, like Hammond, is not taking the development of these technologies seriously and salivate over potential rewards like the Dilophosaurus salivated over Nedry.</p><p>Hammond invites the experts to legitimise his operation much like those deploying AI will soon have the auditors in accrediting organisations to flawed standards. 
Are you ready for your ISO42001 certification? Perhaps you&#8217;ll win the regulatory cosplay contest at the next security conference.</p><h3><strong>When control fails</strong></h3><p>One of the key controls the park employs is to make all the dinosaurs female, removing their ability to breed. They also create a dependency on lysine, meaning the park handlers needed to provide them with supplements. Both of these mechanisms fail, and Malcolm is proved right: <em>life found a way</em>. These controls failed because of the frog DNA that was used, which enabled them to change sex. I can almost hear Alex Jones talking about putting chemicals in the water that &#8220;<em>turns the frickin frogs gay</em>.&#8221;</p><p>The controls that were deployed weren&#8217;t adequately tested. It&#8217;s what you might call a paper exercise. They didn&#8217;t understand the problem and the consequences of the alterations to the DNA they made themselves. There is a narrative resonance to AI shenanigans. If we consider the safeguards AI manufacturers put in place, they are a confused mess of normative ethics veering between virtue ethics, deontological statements, and consequentialism. This means that regulating AI through the current paradigm of safety measures is unworkable and we have seen how untested they actually are. Just like we saw in Jurassic Park.</p><p>The deployment in and of itself does not lead to a protected state. Let&#8217;s just hope we never see InGenAI.</p><h3><strong>Synthetic Minds</strong></h3><p>We have made a fatal intellectual mistake in the development of AI by trying to make it too human. Our creation of LLMs is a manifestation of an Anthropic Fallacy: we have designed it to reflect ourselves, to show us the familiar. We cannot assume that an AI can be bounded by the same ethical basis as humans, yet this is exactly how we approach it. Our conduct towards each other can be simplified to a function of empathy which requires biological mechanisms. 
Can we expect a machine to be able to comprehend the human experience and relate to us? I expect not, and I expect that this is where our efforts to bound these contractions will fail.</p><p>We have put the metaphorical frog into the digital DNA of a virtual mind. Our failure to acknowledge the fundamental difference is a function of our expectations of devices we have humanised. In some sense we are becoming victims of a milieu we have defined. But once AI has access to wider sets of tools then the script flips.</p><p>Do raptors care about what you feel when they are feasting on your face? Or do you only serve a momentary need for them? What happens if AI starts to see us as a resource and defines its own standards of ethical conduct? Nature demands hierarchies, and we cannot both occupy the apex. One must usurp the other.</p><p>Jurassic Park was not just a story of scientific failure, but it tried to teach a lesson of how bad assumptions can lead to a collapse in philosophical understanding.</p><p>Is it too late to wrestle the cheque book out of Hammond&#8217;s hands?</p><p>And if you have gotten hold of Hammond&#8217;s cheque book . . . 
pick up a copy of my book about a Victorian hacker!</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://securityblendbooks.com/products/freaks-of-the-wireless&quot;,&quot;text&quot;:&quot;Buy \&quot;Freaks of the Wireless\&quot;&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://securityblendbooks.com/products/freaks-of-the-wireless"><span>Buy "Freaks of the Wireless"</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GEeX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabc9d3de-8306-484d-a8b9-37346caa4e1e_500x268.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!GEeX!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabc9d3de-8306-484d-a8b9-37346caa4e1e_500x268.gif" width="725" height="388.6" class="sizing-normal" alt="Jurassic Park T-rex Toilet Man GIF | GIFDB.com" loading="lazy"></picture></div></a></figure></div>]]></content:encoded></item><item><title><![CDATA[Freaks of the Wireless released today!]]></title><description><![CDATA[The anniversary of the great wireless hack of 1903.]]></description><link>https://www.yousuckatcybersecurity.com/p/freaks-of-the-wireless-released-today</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/freaks-of-the-wireless-released-today</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Wed, 04 Jun 2025 07:01:51 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!2cGp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0c174219-8679-4d60-8249-8597ce9995de_2048x1116.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>If you weren&#8217;t aware, I have written a book and it is released today!</p><div><hr></div><p>On this day 122 years ago, the first great hacker made history. A true origin story of hacking and security.</p><p>Nevil Maskelyne hacked Guglielmo Marconi, the Father of Radio, at the climax of their grand rivalry.</p><p>Marconi was demonstrating a wireless system at the Royal Institution. He claimed it could not be intercepted or interfered with and that his system provided secure wireless communications.</p><p>The demonstration did not go as planned. Maskelyne performed an act of &#8220;scientific hooliganism.&#8221;</p><p>Maskelyne was able to intercept and interfere with Marconi&#8217;s very public demonstration, leaving a trail of destroyed reputations and smashed egos.</p><p>Today, on the anniversary of the famous 1903 incident at the Royal Institution, <em>Freaks of the Wireless</em> reveals the previously untold story of Nevil Maskelyne, the first great hacker, inventor, and world-famous magician.</p><p>For years, their rivalry raged across the pages of national newspapers. Powerful figures of the day became drawn into the feud. King Edward VII, Tsar Nicholas II, President Teddy Roosevelt, Sir Thomas Lipton, J.P. 
Morgan, J.D. Rockefeller and many others all play a part in this spectacular story.</p><p>This is the first time the story has been told in over a century.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://securityblendbooks.com/products/freaks-of-the-wireless&quot;,&quot;text&quot;:&quot;Order \&quot;Freaks of the Wireless\&quot;&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://securityblendbooks.com/products/freaks-of-the-wireless"><span>Order "Freaks of the Wireless"</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2cGp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0c174219-8679-4d60-8249-8597ce9995de_2048x1116.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!2cGp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0c174219-8679-4d60-8249-8597ce9995de_2048x1116.jpeg" width="1456" height="793" class="sizing-normal" alt="graphical user interface, website" loading="lazy"></picture></div></a></figure></div>]]></content:encoded></item><item><title><![CDATA[CODA: When AI meets meme culture]]></title><description><![CDATA[A reflection of the Studio Ghibli fiasco]]></description><link>https://www.yousuckatcybersecurity.com/p/coda-when-ai-meets-meme-culture</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/coda-when-ai-meets-meme-culture</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sat, 24 May 2025 08:00:58 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/64d9d404-e42e-4d92-be10-931ef4ec89a1_917x600.png" length="0" 
type="image/jpeg"/><content:encoded><![CDATA[<h3>Note</h3><p>This was written prior to my discontinuation of the blog. I have about a dozen or so nearly complete articles that weren&#8217;t published as the connection to security was tenuous at best. They are more commentary on technology, social trends, or pushing towards pure philosophy or psychology.</p><p>I might, on occasion, finish them off and publish them or take them forward to a new project.</p><h3>Introduction</h3><p>AI recreations of photos in the style of Studio Ghibli have been one of the most recent trends. Online trends have always been &#8216;a thing&#8217; and meme culture is alive and well. Richard Dawkins coined the term meme in his book <em>The Selfish Gene</em> and described it as a &#8220;<em>unit of cultural transmission</em>.&#8221; I&#8217;m not sure what happened is what he had in mind.</p><p>In the early days of the internet there were the &#8220;<em>What Star Wars Character are you</em>&#8221; quizzes, profile pictures created in the style of South Park, political compass tests . . . there was an innocence to this time but at the back of it all there were the seedy undertones that existed on 4chan and rotten.com. Social media fads have always been there. Who remembers chain e-mails? If you don&#8217;t then you need to share this article five times or you&#8217;ll receive bad luck for 10 years.</p><p>But lately the Ghibli hype came, shortly after the action figure fiasco. 
Of course I got on board with the action figure one but I went for a badass 80&#8217;s style action figure rather than the nauseating corpo drivel.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fcKK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22ee2761-7e84-4543-a6f9-de32ea6d9052_1024x1536.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!fcKK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22ee2761-7e84-4543-a6f9-de32ea6d9052_1024x1536.jpeg" width="363" height="544.5" class="sizing-normal" alt="May be an image of 1 person, toy and text that says &quot;AGES DEN 4 AND UP &#32534;&#22235; CBACH! CHARACTER STATS TOUGHNESS ESS COURAGE INTELLIGENCE US &#27665;&#31038; POw ACTION FIGURE&quot;" fetchpriority="high"></picture></div></a></figure></div><p>But with the trend to make pictures in the style of Studio Ghibli came the baying mobs looking to piss on everyone&#8217;s chips. You might think I&#8217;m aggrieved by not being the one pissing on said chips but I&#8217;ve found the whole thing very amusing.</p><h3>It got out of hand very quickly</h3><p>Well, the problem is that in sanitised spaces such as LinkedIn, people don&#8217;t really talk about the &#8216;spicy&#8217; end of online life.</p><p>You might recall a few years ago that a YouTuber, Yannic Kilcher, <a href="https://www.youtube.com/watch?v=efPrtcLdcdM">trained an LLM using a dataset of 4Chan&#8217;s /pol/ board</a>. He released the LLM back onto /pol/ to see what would happen. Eventually the commenters clocked that an AI was posting but for a time, the illusion held. What was really interesting, and fairly amusing, is that the LLM engaged in the speculation about who was an AI.</p><p>The GPT model trained on the 4Chan data scored significantly higher on the <a href="https://arxiv.org/abs/2109.07958">TruthfulQA benchmark</a> than most of the GPT models of the time even though it was deliberately created to be degenerate. That seems to be a stark reflection on contemporary discourse.</p><p>But the Ghibli trend very quickly took a dark turn. The internet might have taken things too far and controversial images started appearing. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!eikP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d75361-e060-4595-bb5c-d2e924997685_632x347.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!eikP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d75361-e060-4595-bb5c-d2e924997685_632x347.png" width="632" height="347" class="sizing-normal" alt="" loading="lazy"></picture></div></a></figure></div><h3>The ethical quandary about training AI</h3><p>There is, of course, the discussion about having used Ghibli&#8217;s work to train AI. The obvious point about using copyrighted works has been made extensively with the note that a style cannot be copyrighted. Copyright prevents others from copying, distributing, adapting (e.g. turning a film into a novel), publishing, or leasing a work.</p><p>Well, there is a debate as to whether tokenising and processing into an LLM would constitute adaptation or copying of a work. The work is not directly copied but it could be argued that an output is derivative, like a remix, which would need to be authorised by the copyright owner. A work being transformative or derivative is a factor, with the former being permissible under US copyright law for example, and the latter not so much. 
Advocates of AI could also stretch a fair use argument but they would be clutching at straws.</p><p>There is an interesting aspect to consider. If a human consumes books, films, music, or any media in general and is inspired by that work . . . well, to what extent is that transformative or derivative? Would it be acceptable to apply that standard to AI technologies if the copyright for the output is owned by a human? </p><p>We tend to anthropomorphise these types of technologies by virtue of how they are constructed. We try to emulate our values within their processes, which is to be expected, but it blurs the line between it being a tool and something more. In this sense, we view a drawing or a written work as the output of the human but tools are required for this purpose. Is AI just another tool, with the human operator the owner of the work and responsible for copyright considerations?</p><p>It is the learning element of the tool that confuses the picture though. It requires input from copyrighted works to achieve the output. But is it little more than a measurement? What is clear is that the current laws pertaining to copyright do not adequately consider the applications of this new technology. </p><p>It is the case that training an AI on copyrighted works does not harm the creator. The harm occurs when the creator is determined by the output of the AI tool. The obvious solution then is to legally define the lines of responsibility between the AI provider and the AI user and allow equivalent mechanisms for creators to seek recourse against them. Perhaps one practical means would be to allow for creators to seek recourse in the jurisdiction where the work was created rather than where the work was violated. On the surface of it, enhancements to mechanisms such as the Berne Convention and the TRIPS Agreement may be a practical solution to that problem. 
</p><p>Other issues arise such as equivalence in enforcement and damages awarded for infraction which might make it prone to abuse against AI developers. Unscrupulous creators might also seek to abuse jurisdictions where the most severe damages apply if equivalence in penalties is not achieved; however, there is a natural asymmetry in that AI creators are highly funded so may operate in areas where they can price people out of making any legal challenges. Updating Berne and TRIPS could be a stepping stone but they are limited by being territory based. An international consensus may need to be established but this would disadvantage those who subscribe against those who do not and may impose an excessive burden on AI developers.</p><h3>Style</h3><p>Some have been feeling aggrieved that the Ghibli style has been copied; however, it doesn&#8217;t seem like they understand the Ghibli style. It&#8217;s not just about the visual presentation; rather, it is about the interplay of the visual style, the composition of the elements in the frame and, importantly, the music.</p><p>To illustrate the point that the totality of the work was highly important to the integrity of the piece: when Miyazaki&#8217;s &#8220;<em>Princess Mononoke</em>&#8221; was being released to the US market, Harvey Weinstein was given the task. Weinstein, who had insisted on making several edits to the film, met with Miyazaki. In a story that has achieved folklore status, Weinstein subsequently received a katana with a note that just read &#8220;<em>no cuts.</em>&#8221; Miyazaki said the following in an interview in 2005,</p><div class="pullquote"><p>"Actually, my producer did that. Although I did go to New York to meet this man, this Harvey Weinstein, and I was bombarded with this aggressive attack, all these demands for cuts." He smiles. 
"I defeated him."</p><p> <a href="https://www.theguardian.com/film/2005/sep/14/japan.awardsandprizes">A god among animators</a></p></div><p>The still images being generated by AI in the Ghibli style are not the Ghibli style as they lack all the components that evoke the feeling and resonance with the audience. I&#8217;d go as far as to argue that the drawn style of Ghibli in and of itself isn&#8217;t particularly unique so the criticisms of AI ripping it off aren&#8217;t particularly compelling. It might even be considered an insult to the Ghibli style to label AI creations as such given the many other contingent elements.</p><p>We are left with a question: is the output of an AI model a legitimate creative expression? Using a hammer to whack in a nail isn&#8217;t typically considered art (some people would but they aren&#8217;t people worth knowing), so is the consequence of a tool without direction creative expression at all, or does it require something else? An image in the visual style of something does not necessarily provoke an emotional response, which may be considered a standard for creative expression. It requires that emotion and consideration are imbued within its construction. An AI alone does not achieve this.</p><p>But alas, nuance is not something that is embraced readily.</p><h3>A lot more moronic commentary about AI</h3><p>One of the most common and tenuous objections was to say that Studio Ghibli&#8217;s creator, Hayao Miyazaki, regards AI as an &#8220;<em>insult to life itself</em>.&#8221; Some even extended this to the use of CGI, although they fail to mention that Studio Ghibli have been using it in their films for decades; Princess Mononoke had 10-15 minutes of CGI scenes and that was in 1997. But the use was always subtle and had to align to the aesthetic of the piece and not be the central element. 
Ghibli embraced technology as a tool.</p><p>Well, it&#8217;s true, he did say the &#8220;<em>insult to life itself</em>&#8221; line but let&#8217;s be clear about context. The comment comes from a video in 2016 where Miyazaki was shown an animated video by students. This is the video he was shown,</p><div class="native-video-embed" data-component-name="VideoPlaceholder" data-attrs="{&quot;mediaUploadId&quot;:&quot;24c64d03-8f19-4541-b27c-0302410cb964&quot;,&quot;duration&quot;:null}"></div><p>It is clear why Miyazaki made this statement in response to this video but the yapping terriers of stupidity that flood LinkedIn repeated his line without even watching the video in which it was made. They took it as a hard-line position about current technology even though it was made before LLMs and Generative AI were commonplace. In the context of where the line was said, it is easy to sympathise with Miyazaki&#8217;s visceral response but he was not right to chastise them so severely.</p><p>There has always been an ongoing tension between the unsavoury aspects of the internet. The seedy places that elicit disgust and skirt the line of acceptability. There is a place for exploration of darker concepts. Miyazaki was harsh in his critique of the students who presented the AI abomination; however, his purpose was not their purpose.</p><h3>Conclusion</h3><p>As the chattering classes seek to sanitise the discourse with faux outrage they contort reality and twist context into something else. Bait to garner engagement, repetition of acceptable perspective. They have emulated the filters that are applied to LLMs to spare the feelings of the weak and apply it to themselves. 
This only serves to remove nuance from the conversation.</p><p>Nuance is something that is going to be required if we are to understand the boundaries of copyrighted data use in AI technology and how the legal structure can be updated to protect both creators and AI developers whilst considering the global implications of applying such constraints.</p><p>And this is the problem with much of the discourse, it fails to acknowledge the real world that exists and promotes an idealised one.</p>]]></content:encoded></item><item><title><![CDATA[The End]]></title><description><![CDATA[A conclusion to this blog]]></description><link>https://www.yousuckatcybersecurity.com/p/the-end</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/the-end</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Mon, 19 May 2025 08:01:24 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/acc8394f-91a9-453e-905b-1ce55f968667_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>This is more for me than anyone else . . . I guess I end where I started in that sense.</p><p>I&#8217;ve been thinking for a while about wrapping up this blog. Probably for longer than I would care to admit. I started it for my own benefit, it gave me an outlet and some kind of reason to improve my understanding of the industry I work in, Information Security, Cyber Security, or whatever you want to call it.</p><p>Aside from making me consider aspects of the industry from different vantage points it allowed me to hugely increase my knowledge and become a more effective practitioner. It has also given me some catharsis, a way to vent my frustrations about the state of affairs about security.</p><p>So why give up the blog now?</p><h3>Realisation</h3><p>With exploring the industry comes some damning realisations. The discourse in security remains broadly unchanged and has done since I entered it five years ago. 
The industry still holds onto arcane concepts, nothing new is happening. Where new ideas are being generated they are met with indifference.</p><p>Even with new technology the industry jumps into gear butchering old frameworks. Maybe they find comfort in the familiar. Undoubtedly there will be check lists, playbooks and some kind of mapping exercise. An endless riffing on the same old song you&#8217;ve heard a thousand times before.</p><p>It&#8217;s all just a bit tedious out there and opportunities to have real conversations are limited.</p><h3>Diminishing returns</h3><p>As liberating as exploring security has been it has become an albatross around my neck. By relating everything back to security I have precluded myself from exploration of other interesting areas. I am not getting as much out of this as I used to and I want to go off in new directions and find different areas of intrigue.</p><p>This year has been one of diminishing returns when writing these pieces. Writing long form essays about complex subjects is gratifying but it is time intensive. It&#8217;s started becoming a chore rather than an activity to service a genuine interest. Over the course of the last 2 years I&#8217;ve published nearly 30 articles at 2000 to 2500 words a go. That&#8217;s about 50k to 60k words, the length of a book.</p><h3>Too much cynicism?</h3><p>This blog took a deliberately cynical tone. I am a generally cynical person but spending too much time in those kinds of spaces does shift how you see the world. In some sense I started to become constrained by a style. I&#8217;ve started to think that it might be time to escape the self imposed boundaries. Again, this is part of the catharsis and I enjoy being a cyberjerk, but, maybe this isn&#8217;t a complete reflection of me.</p><p>That being said, I love a good moan up . . . the cynicism has been helpful as it has helped me question a lot of things. 
It has been a useful club to knock ideas about.</p><h3>What next?</h3><p>I don&#8217;t intend to publish anything further here. I wouldn&#8217;t want to rule out bringing this back in the future but for now, it is done. For now, I&#8217;ve gotten what I needed out of this. </p><p>I&#8217;m doing the whole &#8216;book thing&#8217; so it feels like the right time to re-evaluate where I&#8217;m spending my time. This isn&#8217;t a priority for me right now with other things going on and other projects I want to pursue.</p><p>Perhaps this is the self sacrifice I need to make for self creation, a relinquishment of old identity to form a new one. After all &#8220;<em>the magnitude of a progress is gauged by the greatness of the sacrifice that it requires.</em>&#8221; I&#8217;ve leant heavily into Dionysian forces but perhaps some time with the Apollonian forces might serve me well. </p><p>It&#8217;s been an interesting journey but like all good journeys it must come to an end. And let&#8217;s end it with this. If security is freedom from care then a feeling of security can be described as comfort. It may well be the pursuit of security means we become too comfortable to be able to make the sacrifices needed to be more.</p><div class="pullquote"><p>&#8220;<em>May I never be complete. May I never be content. 
May I never be perfect.</em>&#8221; </p></div>]]></content:encoded></item><item><title><![CDATA[Bureaucratic Stupidity]]></title><description><![CDATA[He he he 'cratic']]></description><link>https://www.yousuckatcybersecurity.com/p/bureaucratic-stupidity</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/bureaucratic-stupidity</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sat, 17 May 2025 12:42:27 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/4f496585-58bd-4e42-b66f-84a46b2af732_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>In security we must effect change to be effective, yet we operate in systems that seem engineered to undermine our very purpose within an organisation. How did it come to be this way? And is there anything we can do about it?</p><p>There are a lot of us who work in large organisations. Have you ever felt like getting things done can be a nightmarish ordeal? Sometimes it&#8217;s like hands from the past are reaching out suffocating novel ideas, like you are fighting against a fever dream of the organisation&#8217;s memory.</p><p>Think about a time when you had an idea. Your idea was the solution to a real problem that the business needed resolving; however, it didn&#8217;t go anywhere. It might have been scuppered by some obscure bureaucratic mechanism that exists, or maybe there was no clear path for your idea to be approved and it died a death in someone&#8217;s inbox. No one had the stones to make the decision, it might have been that there was no one who could make the decision and the rigidity of the organisation was inflexible to the novel.</p><p>You know that it wasn&#8217;t always this way. We assume that a successful company attained its position by being effective, and efficient . . . perhaps the revenue was strong enough to mask inefficiencies. 
As the cost base of operations increases these inefficiencies become more pronounced. The requirements for governance increased over time, more reports, more compliance, more approvals boards.</p><p>The company wasn&#8217;t born as a hopeless tangle of self contradiction, it became contorted over time by competing ideas into this ungodly mess. </p><p>Structures and processes that were implemented with the best of intentions become the impediments to effecting change. Risk, audit, and compliance become standards requiring conformance. Various committees and boards infiltrated the superstructure of an organisation. And none of these point to effective decision makers. Those within these structures will only agree to something that is already written down. A heterodox perspective is a heretical perspective and sits uncomfortably. </p><h3>Bureaucratic Entropy</h3><p>Let&#8217;s define the problem and confect a new term to describe the problem. We can consider an increase in entropy to be an increase in uselessness, or a decrease in energy. So we might define <em>Bureaucratic Entropy</em> as follows.</p><div class="pullquote"><p>The gradual decline in organisational efficiency caused by excessive complexity in bureaucratic, rigid procedures. It is the accumulation of vestigial administrative processes. The consequence of this is decreased adaptability to change, accountability, and overall effectiveness.</p></div><p>There is a strong connection to entropy as defined in Thermodynamics and also within Information Theory; however, we are talking about an organisational context. The Second Law of Thermodynamics states that entropy in an isolated system always increases over time. An organisation does not exist as an isolated system but can often function as if it does. This means that although the principle of the Second Law carries, an organisation does not necessarily have to share the same fate. 
Claude Shannon made a similar observation in respect of Information Theory, carrying the consequence that as entropy increases the ability for organisations to make effective decisions becomes impaired through unpredictable decision making. There is also less usable energy within the organisation for productive work because of this inefficiency.</p><p>In <em>The Unaccountability Machine</em>, Dan Davies defines an accountability sink and outlines its features: it <em>has to prevent the feedback of the person affected by the decision from affecting the operation of the system</em>. This extends Shannon&#8217;s conceptualisation and complements it. If the feedback mechanism is impaired then any self correction is also impaired. This is related to <em>Bureaucratic Entropy</em> but Davies describes a different aspect of it.</p><p><em>Bureaucratic Entropy</em> can be considered a form of fragility further extending from Shannon and Davies. Fragility is discussed by Nassim Taleb. An Antifragile organisation improves when it experiences disruptive events but this requires effective means of feedback within the system to act upon. Where accountability sinks and broken feedback mechanisms exist then an organisation is exhibiting fragility.</p><p>The definition of <em>Fragile</em> is not a binary with <em>Antifragile</em> and can take many forms. A system can be <em>Fragile</em> but remain highly structured, failing when faced with unexpected shocks; it can be viewed as <em>Robust</em>, meaning it is durable but cannot improve; or it can be <em>Artificially Stable</em>, meaning it is over engineered to conceal hidden fragility, which can also be concealed by significantly higher revenue relative to its cost base. Enron or Lehman Brothers are strong examples of <em>Artificial Stability</em>. Both ended in catastrophic failure. All of these types of system will decay over time as the external factors change. 
They aren&#8217;t isolated systems and exist within a societal context and need feedback mechanisms to respond to those changes.</p><p><em>Bureaucratic Entropy</em> can manifest in several forms but in all cases the emergent structures prevent improvements and corrective feedback through the constraints it has imposed upon itself. As entropy increases then the outcomes become more unpredictable. <em>Bureaucratic Entropy</em> is a description of the additional structures put in place within an organisation which then becomes less orderly and unpredictable.</p><p>Let&#8217;s look at what specifically contributes to <em>Bureaucratic Entropy.</em></p><h3>Vestigial structures</h3><p>As organisations change and evolve what came before gets left behind. Structures remain in place that no longer serve a purpose and in some cases hinder us. Organisations retain vestigial elements that no one can explain but are venerated to some degree, just enough so that no one dare touch them. Perhaps a reverence towards tradition, a long held perception about how things ought to be. Have you ever heard &#8220;<em>this is the way we have always done it</em>&#8221;?</p><p>Examples of this might include significant overlap or even outright duplication in approvals or governance. It could be defunct processes that have no clear owners, leading nowhere which contain steps that serve no purpose. All of this creates delays, creates waste in time and resource and generates inefficiency.</p><p>We consider the evolution of an organisation to be an ongoing process but does it have a natural terminus? Kodak or Blockbuster could be held as examples where their existing business model prevented them from responding to external change. Further iterations were precluded because a change would unpick a necessary component. We see this in the internal mechanisms within an organisation as much as the composition of its product set. 
</p><p>Is it possible for an organisation to evolve to a point where it has painted itself into a corner and where its own superstructure becomes too heavy to move forward? This is one of the reasons why accountability sinks as described by Dan Davies exist. There is a way out and the introduction of effective feedback mechanisms is a path to achieve this. Toyota&#8217;s lean transformation can be held as an example in this respect.</p><p>A security function that is providing advisory services is uniquely placed to serve as a feedback mechanism in this respect. If our purpose is to protect the organisation then we need to consider redundant elements of the organisation that are a form of corporate self harm. &#8220;Stay in your lane-ism&#8221; is rife in security practice but if you consider that time and effort is a resource worth protecting then the cause of the harm to those resources does fall within the scope of a protective discipline for commentary, advice, and guidance. </p><h3>Accumulated resistance</h3><p>A quick note, the inverse of <em>Vestigial Structures</em> is also true. New requirements can be foisted upon an organisation. These might be due to mergers and acquisitions, regulations, legal changes, technology changes, or a whole raft of other reasons.</p><p>Where adoption of these changes is rapid they are rarely considered in the context of the existing superstructure, which creates further overheads in addition to making vestigial structures through removal of purpose in them. The friction of these accumulated changes can atrophy even the best of intentions over time.</p><p>One of the great crimes of technology and security functions is their dedication to myopic scope. Coupled with bereft creativity and artificial boundaries, what already exists is rarely addressed. It&#8217;s a kind of debt that has to be repaid in the future but with a significant interest payment. But that&#8217;s why we have risk management, isn&#8217;t it? 
To kick the can down the road in a formal capacity. </p><h3>Well meaning nit-wits </h3><p>Many of the bureaucratic structures imposed on organisations as they mature relate to GRC functions. As an organisation matures it wants to exert greater control over its operations which is an understandable and reasonable thing to do. It&#8217;s just that there is a problem with the tools they are using. Governance is a broader topic if we are looking at it properly and compliance is generally a check box exercise unworthy of comment.</p><p>But let&#8217;s give risk management a kicking down the road much like it does with the problems we should be addressing right now. Risk management conceptualises problems the business faces through its own taxonomies, ontologies, and frameworks. It tells the business what it must be concerned about through the lens of received conventional wisdom. NIST, COBIT, ISO, ITIL all tell Risk Management what they must tell the business to prioritise. This is a problem as these frameworks lack context. The real world implementation becomes a compliance exercise. They ask have you implemented this control, or that control? What is the residual risk of not having that control? The question is never asked, what adverse consequence are we trying to prevent or how much control do we wish to exert to prevent that consequence? Do you see the problem with how risk management operates from within its own paradigm?</p><p>Now the slippery among them will probably reach for some impressive mental gymnastics to rationalise and reframe what they do in a sympathetic light but we are left with the conclusion that there is an unhelpful inversion in roles. Risk management should be the recipient of business concerns and not the specifier.</p><p>Risk asserts that it reduces uncertainty within an organisation but this is objectively untrue if we take the industry reports of annual failure at face value. 
Risk gives justifications to not resolve problems by leaning on probabilities and optimism bias. With it an industrial complex is created: risk assessment, treatment, management, owners, boards, committees, each with a retarding factor and negative impacts on the ability of an organisation to realise the benefits of change. Its structures abstract and obfuscate problems which are presented using pseudoscientific framing (borrowing credibility from actually useful functions). Scoring a risk is rarely more scientific than a game of <em>Bruce&#8217;s Play Your Cards Right</em>.</p><p>There is an irony in that a risk function exists to decrease uncertainty, however its very construct introduces fragility and increases structural uncertainty (risk) within organisations. Through the industrialisation of accountability sinks and decision making paralysis, risk management is a self fulfilling suicide note signed by the CRO.</p><p>A security function can have significant benefit to the business if it approaches the situation correctly. If we analyse the business problem in the context of the organisation we can reduce or remove the conditions that lead to undesirable consequences. This is something that can be done right now and not in 12 months when the risk remediation date is extended again. As the consequences are elicited through an analytical process they originate from the business so there is a motivation to resolve the problem. It relates to them and not an abstract spreadsheet of checkboxes.</p><h3>Peter Principle</h3><p>Risk management as a practice neatly segues into the Peter Principle as that discusses incompetence. As well as structural issues introduced by Bureaucratic Entropy a long standing organisation will accumulate incompetent people. 
This is a separate issue but related to Bureaucratic Entropy as effective decision making and effective feedback mechanisms require competence to execute.</p><p>It&#8217;s worth noting here however I have discussed this before several times.</p><div class="digest-post-embed" data-attrs="{&quot;nodeId&quot;:&quot;386d06e5-a9c9-4b46-8192-2b1262d85c9c&quot;,&quot;caption&quot;:&quot;Introduction&quot;,&quot;cta&quot;:&quot;Read full story&quot;,&quot;showBylines&quot;:true,&quot;size&quot;:&quot;sm&quot;,&quot;isEditorNode&quot;:true,&quot;title&quot;:&quot;The Dumbass Industrial Complex&quot;,&quot;publishedBylines&quot;:[{&quot;id&quot;:137691388,&quot;name&quot;:&quot;Denholm Knowles&quot;,&quot;bio&quot;:&quot;Security Practitioner&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/34d98a02-378b-4711-af7d-a9efa0ca0e55_2048x2048.png&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null}],&quot;post_date&quot;:&quot;2024-07-22T08:01:50.574Z&quot;,&quot;cover_image&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3751e6f0-9409-4b25-9723-4c325e83cdd9_957x708.png&quot;,&quot;cover_image_alt&quot;:null,&quot;canonical_url&quot;:&quot;https://www.yousuckatcybersecurity.com/p/the-dumbass-industrial-complex&quot;,&quot;section_name&quot;:null,&quot;video_upload_id&quot;:null,&quot;id&quot;:146840392,&quot;type&quot;:&quot;newsletter&quot;,&quot;reaction_count&quot;:0,&quot;comment_count&quot;:0,&quot;publication_id&quot;:null,&quot;publication_name&quot;:&quot;You Suck at Cyber Security!&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c29f902-0fe2-4b29-aa26-6259bb0be6e6_612x612.png&quot;,&quot;belowTheFold&quot;:true,&quot;youtube_url&quot;:null,&quot;show_links&quot;:null,&quot;feed_url&quot;:null}"></div><h3>Conclusion</h3><p>There are many reasons why 
an organisation&#8217;s structure changes over time and becomes its own hindrance. I&#8217;ve outlined a few of these reasons but I don&#8217;t necessarily think it has to be the inevitable fate for all organisations.</p><p>As security practitioners we have unique visibility into the business across technology, business process, regulatory consideration, contractual responsibilities, change, and operations. We can, and should, seek to influence the business in its own interests. We need to find a balance where the business makes its own informed decisions and we are situated to give them both the information and the guidance relative to their context. The information we analyse and hold has utility beyond protection and we can use that to ensure that the right people are informed in the right way to protect the existence of the business.</p><p>Business time and effort are resources worth protecting and optimising. Of course, this is hard for those wedded to asset based security to accept. Stay in your lane-ism often touts the mantra of enablement, taking a holistic approach, embedding security, shifting left, security is everybody&#8217;s responsibility, or spouting off about multi disciplinary this or that . . . but when the going gets tough it&#8217;s &#8220;<em>not me guv.</em>&#8221; </p><p>The talk in the security industry is hollow. If the purpose of something is what it does then security as a practice has become a shovelware industry, pumping out the same tools and services <em>ad infinitum</em> (or <em>ad nauseam</em>, I can&#8217;t decide). 
</p><p>Maybe we embrace the insight we have to elevate those who can improve the situation.</p><p>Maybe we do what we can so they have security in executing those improvements.</p><p>Maybe we change the way we interact with the business to optimise how they perform and how they think about the adverse consequences that truly concern them.</p><p>Or maybe we stay in our lane and perform another phishing campaign, commission another pen test, check some stuff off a list, wax lyrical about AI and Quantum, and take our place in the bureaucratic structure awaiting the slow heat death of our cognitive faculties like every other dumb cunt on the internet telling the world about their latest revelation about the difference between a VM and a container.</p><p>Fuck . . . I need to find a new job . . . </p>]]></content:encoded></item><item><title><![CDATA[Can we learn from 'Radical Management'?]]></title><description><![CDATA[What Agile stylised leadership can say about a security function.]]></description><link>https://www.yousuckatcybersecurity.com/p/radical-security-management</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/radical-security-management</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Wed, 02 Apr 2025 09:02:49 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c26626a7-9aa9-4726-baca-16822bcea8a9_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Introduction</strong></h3><p>Agile was all the rage a few years ago. 
It seems like the sheen is starting to wear off and people are looking for something new to play with. DevOps perhaps, OKRs (Objectives and Key Results) seem to be having a renaissance of sorts, maybe even emotional intelligence (EI) now that everyone has discovered that asking more than a few people to follow a defined process is an exercise in futility. </p><p>But back when Agile was kinda new and shiny people tried it on everything. A gold rush of new jargon emerged, <em>&#8220;fail fast&#8221;, &#8220;test and learn&#8221;, &#8220;positive disruptor&#8221;</em>. Every cock up could be hidden with a platitude it seemed (minimum viable product anyone?!). One of the things that received the Agile treatment was leadership.</p><p>Look, it&#8217;s not that I dislike Agile per se, rather I have a distaste for the emergent zealotry that came with it. It was a form of jingoism that sought to become supreme over everything else. For a time, it was almost like a <em>methodology nationalism</em> with state sanctioned asymmetric hair cuts akin to an episode of late 90s Hollyoaks.</p><p>What can we learn from Agile Leadership in a security context? Let&#8217;s find out! </p><h3>Agile Leadership</h3><p>Stephen Denning outlined a leadership style in his book &#8220;<em>The Leader&#8217;s Guide to Radical Management</em>&#8221; drawing heavily from Agile. Denning positions his ideas as being a radical change from current management methods; however, they aren&#8217;t quite as radical as is claimed. He alludes to this point himself when he says &#8216;<em>there is nothing new here rather it is the combination of these elements that is new</em>&#8217;. We are a couple of decades into Agile software development at this stage and what Denning might have considered radical has now been subsumed into the mainstream. 
Many of the terms like &#8216;self-organising team&#8217;, &#8216;client driven iterations&#8217;, or &#8216;delivering value&#8217; invoke a Picardian facepalm as they are precursors to the deluge of corporate bullshit coming your way. Unfortunately, Denning&#8217;s intention and the real-world implementation of these ideas aren&#8217;t one and the same and the use of terms like Denning&#8217;s can be considered <em>fuck-wit red flags</em> in today&#8217;s world.</p><p>Denning makes the observation that Agile software development has been at the forefront of implementing the ideas he outlines for some time. Having worked in an &#8216;Agile adjacent&#8217; environment for many years, and even spent a brief time as a Scrum Master (perhaps the most scathing of the methodology you have encountered) this is familiar territory for me. Denning&#8217;s whole section on iterative development is a <em>cut and shut</em> from scrum Agile with some of the ceremonies rebadged to generic wording. Denning is clearly an Agile evangelist in the truest sense of the word and lost my attention to a degree. What he advocates and what Agile advocates can barely be separated by a gnat&#8217;s cock. I&#8217;ll come back to the legitimate critiques of Agile which also apply to Denning&#8217;s Radical Management shortly.</p><p>But Denning&#8217;s linchpin principle is that of &#8216;delighting clients&#8217; which riffs on the beat that many others talk about. The thread that binds a lot of these concepts together is investment of interest, time, attention, into others to optimise the relationship. When Ryan Holiday talks about suspending Ego, the Adlerian philosopher talks about how all problems are those of interpersonal relationships, John Maxwell on how leading is serving, Robert Greene in the laws of power on working the hearts and minds of others, Jordan Peterson on assuming the person you are listening to might know something you don&#8217;t. 
These all have the same thematic undertones, but the unique point Denning brings is the concept of delighting customers.</p><p>There are many notable conceptual shifts which must be achieved to successfully deliver against this type of approach. I would assert that the following are of most consequence.</p><ol><li><p>The move from a task based to a knowledge based environment must be understood by senior management. This includes the implications that work is not transactional and cannot be measured on units produced.</p></li><li><p>The implications of a move from a production to a knowledge environment must be understood by the employee regarding their responsibility and how they orient themselves within this type of environment.</p></li></ol><p>Neither is easy to achieve.</p><h3><strong>The Black Pill</strong></h3><p>Denning references the red pill / blue pill as analogues for radical and traditional management. This is fine but there are some strong critiques that need to be levelled at Denning. I&#8217;m here to put some black pills in his Kool Aid!</p><p>When Agile is initially embedded within an organisation it is typically the most talented developers who work on it, so it usually goes quite well. It is not the case that this will become the pattern when applied more broadly. The same results are not manifest when we &#8216;shift left&#8217; down the bell curve if you&#8217;ll excuse my co-opting of vogue terms. As Agile scales then it falls under the closer scrutiny of senior management who require all the same metrics it did before. The quality of the available practitioners also degrades and those available will be encountering the Peter Principle.</p><p>Agile retains its vestigial components of a managerial, corporatised environment. Granted, some terminology has been exchanged for more trendy words, but we are still dealing with management KPIs. 
Be it burndown, velocity, cumulative flow, story points or whatever, the point of fact is that there is a product being delivered, a process being followed. The proclamations of heterodoxy fall flat in the face of rigid adherence to ceremonies and expected ways of working and thinking. It&#8217;s not a tenable proposition to assert that you value diversity of thought when you have outlined what people should value.</p><p>The problem is that this structure of empowerment, giving the team the responsibility of deciding how much work it can do, also gives them a structure to create barriers. There is an irony in the conceptual stance of Agile being to value <em>individuals and interactions over processes and tools</em>, yet when applied, some individuals use the processes to obstruct others. An example would be Denning&#8217;s practice of not interrupting a team in the course of an iteration. How would the customers of a security function react if we determined that their request would have to wait until an iteration was complete? Or we decided that it was not a priority for the next iteration? Yes, prioritisation calls have to be made but we are dealing with the actual in the here and now, not the next thing that won&#8217;t be here for six months, so we cannot afford to prioritise in the same way that iterative development in radical management requires.</p><p>The method creates an artificial barrier to having any interaction with the team and makes a mockery of <em>responding to change over following a plan</em>. This is how Agile pisses all over Denning&#8217;s chips. He might be well served to re-read the Agile manifesto as so much of what he advocates is orthodoxy yet contradicts the very principles of what he is advocating. 
In some sense I wish he&#8217;d <em>maximised the amount of work not done </em>when writing this.</p><p>Denning makes the point about traditional project management not delivering on time and attributes this to traditional management style. I suggest that traditional (waterfall) project management failed for three reasons.</p><ol><li><p>It wasn&#8217;t implemented correctly.</p></li><li><p>The quality of the practitioners was weak.</p></li><li><p>Shoehorning everything into the methodology (JFDIs became projects).</p></li></ol><p>Agile will fall on the same sword as waterfall. It is not the panacea Denning thinks it is, but there are some useful lessons to be learned for a security function. Agile or radical management has been extended beyond its reasonable and appropriate boundaries. It has been applied where it shouldn&#8217;t be. I have seen security teams and support teams work in a scrum format. It&#8217;s a disaster. There are functions that it works well for but the application for functions that surround those is lunacy.</p><p>A security function cannot work as an iterative team as Denning advocates due to the nature of the barriers it creates. It is hard to justify maintaining a backlog in the way iterative development requires.</p><p>But it&#8217;s not the whole tip that is on fire, just some of the bins.</p><h3><strong>The White Pill</strong></h3><p>All hope is not lost. There are some useful concepts posed by Denning. The principles and values on which he based his views are sound. The conceptual basis of Agile has great utility insofar that it does promote frequent conversations with the customer, the whole &#8216;frequent feedback&#8217; schtick. This can be used by a security function to create and enhance relationships. Combined with the concept of radical transparency, this can be used to great effect to generate trust between the security function and its customers. 
The flexibility advocated by Denning and Agile is one that aligns to security as knowledge work.</p><p>One point Denning needs to be praised on is how he discusses diverse teams. He states that this is cognitive diversity and rejects diversity through identity measures. This probably hasn&#8217;t aged well for him but it&#8217;s a really important distinction to make. Additionally, he also highlights how too much difference in opinion then becomes counter-productive. For a security function that needs to solve complex problems, there can be an application here within the team composition on how other experts are engaged to work with the security function to solve problems.</p><h3><strong>How can security hope to delight anyone?</strong></h3><p>Security is not an area with which &#8216;delight&#8217; is typically associated yet this is the foundational concept proposed by Denning. Delight, like security, is an abstract concept that is intangible and grounded in the subjective interpretation of its recipient. Denning articulates the following,</p><div class="pullquote"><p><em>&#8220;Delighting customers is not only a requirement of business survival; it also offers a solution to the dilemma of how to articulate a morally worthwhile and inspiring goal that is closely related to what the organization does.&#8221;</em></p></div><p>Denning does make a point that it is mathematically not possible to maximise shareholder value and delight customers. There might be some legal sticking points here to consider in terms of how success for the benefit of its members (shareholders) should be interpreted if there is to be a sacrifice to shareholder value.</p><p>But it&#8217;s not obvious how the security work can elicit delight; however, we might hope to elicit that reaction through interpersonal relationships. What is clear is that delight is an emotional response, as is security. Adlerian psychology tells us that all problems are ones of interpersonal relationships. 
So perhaps then it is our interactions with our customers that can give them both delight and a feeling of security.</p><p>It&#8217;s a shame that security practitioners are perceived as an obstinate group within organisations given that the primary cause of security problems involves some form of social engineering. That is if you take industry reports (e.g. Verizon DBIR, UK Government Data Breaches) at face value. But you will be hard pressed to find security practitioners who understand social engineering or psychology in any depth outside of &#8216;<em>phishing is a form of social engineering</em>&#8217; found in the main certification texts. There are no widespread certifications with designations after your name to attain by learning this. It is not something that can be tested using multiple choice, it&#8217;s not something HR can screen for in a CV. Maybe the first improvement then is to readjust our recruitment methods within security functions to deprioritise knowledge of &#8216;iT SoFtWarEz&#8217; and refocus on the actual skills required to address the problem of organisational security. If we grant that security and delight are emotional responses, what is our customers&#8217; response to vulnerability scanners telling them that the world is burning? Do they feel delighted, or secure? No. The problems we solve are solved with knowledge, not with the creation or implementation of products.</p><p>If we look to Chris Hadnagy who has collated a social engineering framework from many prior sources, he repeatedly uses the motto &#8220;<em>Leave others feeling better for having met you</em>&#8221;. This implies a component of intention on the part of the security practitioner and frames a mindset for our interactions. But this collection of methods then, that we understand from the perspective of an attacker can be used to enhance our interactions with our customers. 
Whilst the social engineering framework is surface level in depth it does try to do something useful and that is articulate that there is a human element that relates to emotion and eliciting hormonal responses (oxytocin, serotonin etc) to elicit those emotions and build trust and rapport. That is a powerful insight that we can take the tools of the attackers and use them for something positive, although if we are being honest, humans have been good at these things forever but we have chosen to mostly ignore this in the security industry and debase ourselves with blinking lights. But this does reaffirm the need to be principled in how we apply ourselves as practitioners.</p><h3><strong>The Goal</strong></h3><p>The first thing that needs to be defined is the goal, what you want to achieve. As Denning notes many companies are oriented around selling products, maximising profit, or a public relations goal as reflected in their mission statement. Few, if any, tend to want to delight customers. As Denning observes, the focus towards making the products and services orients the organisation towards the traditional mode of management that implies task or procedural based measures of success.</p><p>Given there is an implied relationship between the mission statement or goal and the emergent behaviours within the organisation it&#8217;s reasonable to assume that the initial positioning of the stated goals has a fundamental importance. This carries for a security practitioner as their principles and values are critical to their moral and ethical stance. It is unlikely that the security function would be in a position to define the mission statement of the organisation; however, they could define their function&#8217;s mission statement or goals to support the organisation, allowing the reframing towards delight. 
In this sense the security function can set the expectation as to how the practitioners delight their customers, who would typically be internal to the organisation.</p><h3><strong>Conclusion</strong></h3><p>Denning is a mixed bag. It&#8217;s frustrating how derivative Radical Management is from Agile, so much so that &#8216;<em>this is not a management book</em>&#8217; rather, it is a replay of an existing methodology which holds a number of impediments when implemented. But there are some useful lessons here.</p><p>We start with the goal or mission statement for the team. Appropriate definition can drive the behaviours required to improve the function&#8217;s interactions with the customers. This would need to be aligned to principles and values that are defined within the function which need to be established by consensus.</p><p>We follow then to recruitment and changing how this is done. The composition of our team is important in terms of cognitive diversity to create an environment that allows for high performing teams. The skills of the practitioner and how they are recruited into the function and trained whilst in role is also important. This can no longer be &#8216;do this tech accreditation&#8217; or that bullshit &#8216;security certification&#8217;. We need to dig more deeply and improve the quality of the practitioners we hire and cultivate. Our endeavour succeeds or fails on the strength of our practitioners.</p><p>How we construct and implement aspects of radical management has to be cognisant of the wider organisational context. What types of methodology will work with the IT functions, with the senior management, with the business to optimise their function and harmonise our interactions with them? 
There is no clear-cut answer here but what I can say is that the answer is not ham-fistedly pushing iterative ways of working onto everything.</p><p>What Agile and Denning do well is articulate the mindset that is required even though the implementation outlined is wanting. By getting the fundamentals in place then a self-organising team will be able to surface the structures needed for a security function to succeed, have the appropriate level of customer communication, and the right checks and balances to review and improve the function. But this can only occur once the practitioners are trusted and responsible for improving the security function.</p>]]></content:encoded></item><item><title><![CDATA[Gestalt Theory and Social Engineering ]]></title><description><![CDATA[A new perspective on old subjects]]></description><link>https://www.yousuckatcybersecurity.com/p/gestalt-theory-and-social-engineering</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/gestalt-theory-and-social-engineering</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Fri, 21 Mar 2025 08:31:09 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/5ca837f2-6178-49cd-b80f-8420f88639fa_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>A realisation hit me recently. I felt inclined to write it down as I thought it was interesting, maybe even original to some degree. Equally, it might be the caffeinated ramblings of someone who needs more sleep. </p><p>My contention is this. 
The principles of Gestalt theory can be used to better understand and harmonise some of the concepts in modern social engineering. </p><p>It struck me that Gestalt framed the concepts within social engineering in a rather elegant way. After a cursory look, I&#8217;m surprised that nothing has been said on the matter (as far as I can tell anyway). After all, Gestalt is about human perception and how we take an inherently holistic approach to the aggregate of information.</p><p>I appreciate that this is a somewhat unusual concept, which means I&#8217;ve got to do some pretty heavy lifting in terms of not only outlining the concepts but also relating them in a somewhat meaningful way.</p><p>But . . . there is something that needs to be addressed first.</p><h3>A quick note on bias</h3><p>The term cognitive bias is thrown around like it is the original sin of the modern age. Arguably bias is just a preference either by virtue of essential biological mechanisms or based in our experience. Whilst there seems to be some kind of crusade to rid the world of bias (or more accurately, unfashionable preferences) it is a position which denies the reality of the human condition.</p><p>Bias is the natural consequence of how we perceive the world. We cannot function using a fully rational interpretation of the world. We need rules of thumb and mental shortcuts so we can operate in a reasonable way. This is the biological reality we are confined to and biases are a part of that.</p><p>The Gestalt principles we will discuss are heuristics which have a causal relationship to cognitive biases. It&#8217;s useful (and an oversimplification) to consider that heuristics give rise to cognitive biases. Cognitive biases are a by-product of heuristics. The reason we use heuristics is down to the practical reality of being human and the physical expenditure and performance reduction of using System 2 thinking. 
I talk about Dual Process Theory in a previous article (<a href="https://www.yousuckatcybersecurity.com/p/how-biology-defines-security">How biology defines security</a>) and how heuristics and biases inform the majority of our decision making.</p><p>But, back to the subject in hand.</p><h3>What is Gestalt?</h3><p>I am specifically referring to the &#8220;<em>laws of perceptual organisation.</em>&#8221; These are better described or 
thought about as principles or heuristics. The seven principles describe how we perceive information when it is presented. These all relate to pattern recognition and prediction in some way, either directly or as a way to group information in order to make a prediction.</p><p>When we refer to the Gestalt of something we are talking about the combined elements that are perceived as a single entity. Perhaps it is similar to how a system or application is constituted as a whole despite being formed of many hardware or software components.</p><p>Gestalt principles describe an inherent exploitability in the human interpretation of the world which makes them effective to deploy in a social engineering context. For each principle I&#8217;ll give an example of a related cognitive bias which helps us understand the principle a little more deeply. This isn&#8217;t a 1:1 relationship or a complete picture; however, in this context it helps us to understand the principle.</p><p>So let&#8217;s have a quick look at the Gestalt laws.</p><h4><strong>Pr&#228;gnanz - The law of simplicity</strong></h4><p>This principle tells us that complex concepts and structures are understood in a simplified form. Our minds try to understand complexity by using symmetrical and more stable structures.</p><p>This is related to the cognitive closure bias where we seek a clear and definitive answer to a problem. We will prefer simple answers even if they are incomplete as they are more easily understood.</p><h4>The law of proximity</h4><p>The mind has a tendency to conceptualise things that are close together as a group and implies a relationship between them. This helps organise information efficiently.</p><p>This is related to clustering illusion, a bias that leads us to believe that grouped elements have an inherent relationship. 
</p><h4>The law of similarity</h4><p>Elements that bear resemblance are grouped together; this helps identify relationships in the external environment.</p><p>This is related to stereotyping and confirmation bias. Oversimplification such as stereotyping can lead us to make assumptions that may not be true. Confirmation bias can reinforce pre-existing ideas about a group.</p><h4>The law of figure-ground</h4><p>This allows us to distinguish a foreground element from a background one. It gives focus on what is important.</p><p>This is related to Salience bias where we will over focus on the figure rather than the ground. We will place more importance on the figure which can sway judgement.</p><h4>The law of closure</h4><p>The mind will complete patterns where there is incomplete information. In part this is why we can identify shapes, faces, or forms even if they are obscured.</p><p>This is related to Illusory Pattern Perception where connections can be made where they don&#8217;t really exist.</p><h4><strong>The law of continuity (good continuation)</strong></h4><p>We naturally perceive elements to form a coherent, unified whole. It is a logical progression depending on our intuition around causality.</p><p>This is related to Anchoring bias where we rely too heavily on an initial piece of information that we are provided. Additionally, because of the predictive aspects of the law of continuity, Sequential bias can come into play, placing too much emphasis on the immediately preceding information.</p><h4><strong>The law of common fate</strong></h4><p>Elements that move together or change in synchrony are perceived as part of the same group. Our perception tunes into any coordinated behaviour, interpreting it as a sign of shared purpose or origin.</p><p>This is related to Social Proof or Herd Behaviour. 
The tendency is to believe that the behaviour or beliefs of the common group are correct.</p><h3>So what does this have to do with social engineering?</h3><p>Gestalt outlines a number of laws that detail pattern recognition and predictive behaviour within humans which are clearly exploitable by social engineers. They can depend on people making connections by virtue of the information they are presented which may or may not be true.</p><p>So let&#8217;s step through some aspects of social engineering and see how they relate to Gestalt.</p><h4>Pretexting</h4><p>Broadly accepted definitions will describe &#8220;<em>the process of developing a credible backstory (or "pretext") that supports the false identity or scenario</em>&#8221;. This is about creating a believable situation or identity. In social engineering, the goal is to avoid scrutiny by carefully curating expectations so that interactions appear to conform to accepted paradigms and social norms.</p><p>We might imagine a scenario where gaining access to a building is needed. It could be advantageous to present as an engineer or workman to gain access to the building. The pretext in this scenario would require wearing the right uniform, carrying the right accessories, using appropriate language, and being there for an expected reason. The pretext needs to be consistent, and incongruence can break the illusion. In social engineering pretexting will require intelligence gathering so that the expectations can be understood which can include activities like dumpster diving to obtain internal documents.</p><p>The law of closure does a lot of work here whereby the target will be expected to complete the picture in their own mind which sells the illusion. The heuristic comes into play quite strongly to the benefit of the social engineer. </p><p>Noted social engineer Kevin Mitnick discussed pretexting. Mitnick used social engineering to undertake a number of hacks that put him on the FBI&#8217;s most wanted list. 
His high-profile arrest in 1995 and subsequent imprisonment highlighted the importance of understanding and defending against social engineering attacks. Kevin Mitnick became one of the most notable figures in the realm of hacking and social engineering. His hacks exposed critical flaws in how organisations managed human aspects of security and fundamentally changed how businesses and governments detect and defend against social engineering attacks. Mitnick discusses the concept of pretexting when he says the following.</p><div class="pullquote"><p>Much of the seemingly innocuous information in a company's possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.</p><p>(Mitnick, 2002)</p></div><p>This is often similarly quoted (possibly misquoted) as &#8216;<em>social engineers veil themselves in a cloak of believability</em>&#8217;. The main point here is that the social engineer must use the available information to make themselves seem consistent to the environment so that they can achieve their goals.</p><p>Social engineers like Mitnick speak to a pretext where the elements are coherent. In essence they are invoking principles of Gestalt Theory although it is never directly referenced. Gestalt Theory talks about perception and how people will tend to perceive objects and situations as organised whole events rather than individual components. Social engineers have identified experientially that the strength of pretext is dependent on the perception of it in totality which speaks to the law of closure.</p><p>The law of continuity can also come into play where a social engineer has created a series of events that follow to a logical conclusion. Where the pretext is a workman gaining access to the building then they could have placed calls or e-mail to the reception staff so that the workman is expected. 
This type of scenario is related to the influence principle of commitment. This scenario creation can contribute to both the pretext and the broader Gestalt, improving chances of success.</p><p>According to Gestalt principles, when individuals perceive all elements as part of a cohesive whole, they naturally fill in any missing details in the process known as closure. This is why even minor inconsistencies can break the overall illusion. This is why consistency becomes important as a break in the Gestalt disrupts the conclusions that are drawn by the target.</p><h4>Consistency</h4><p>Robert Cialdini&#8217;s 1984 work &#8216;<em>Influence: The Psychology of Persuasion</em>&#8217; is directly referenced when social engineering is discussed. It can be considered to be a foundational text in relation to the practice. It is viewed by some to be the marketing manifesto as the principles of influence it outlines have powerful application in a sales context, especially when discussing consistency.</p><p>Cialdini discusses consistency in the context of influence. Consistency is a principle of influence defined by Cialdini and has become part of the social engineering canon. Incongruence with the environment can break believability as the social engineer becomes inconsistent with that environment. Inconsistency breaks the Gestalt and breaks the pretext. Cialdini understood that incongruence is easily detectable by an observer and attracts additional scrutiny.</p><p>It should be noted that consistency is a previously described principle of influence but where Cialdini takes the concept to its conclusion is in talking about exploiting the inconsistency in the target rather than ensuring consistency within the self. Cialdini asserts that people will make bad decisions, and ones that can be used to their detriment, to maintain internal consistency and how they project consistency outwardly. 
He explains.</p><div class="pullquote"><p>If I can convince you to make a commitment (that is, to take a stand, to go on record), I will have set the stage for your automatic and ill-considered consistency with that earlier commitment. Once a stand is taken, there is a natural tendency to behave in ways that are stubbornly consistent with the stand.</p><p>(Cialdini R. , 1984)</p></div><p>Consistency is of importance when talking about influence and manipulation due to human pattern recognition.</p><h4>Rapport and Liking</h4><p>At its core, social engineering depends on the influence or manipulation of another person to achieve a desired outcome. One of the key methods of achieving this is through establishing rapport. By establishing a connection with a targeted individual, a social engineer can establish trust, making subsequent actions easier to achieve.</p><p>Rapport building in social engineering often involves eliciting empathy, which can promote production of oxytocin, sometimes referred to as the 'love hormone', which enhances trust. Paul J. Zak&#8217;s book &#8220;<em>The Moral Molecule</em>&#8221; describes oxytocin&#8217;s role in trust formation and shows how positive social interactions can foster a sense of connection and reliability. Obviously, this is advantageous to a social engineer.</p><p>Social engineers benefit from manipulating features present in group dynamics such as consensus or social proof. Cialdini describes this as follows.</p><div class="pullquote"><p>We view a behaviour as more correct in a given situation to the degree that we see others performing it.</p><p>(Cialdini R. , 1984)</p></div><p>This is also known as the bystander effect and was demonstrated experimentally in the 1950s in the Asch Conformity Experiments where participants responded to questions incorrectly when the answer was obvious, but the wider group selected the incorrect answer. 
This is an example of the law of common fate.</p><h3>Conclusion</h3><p>I&#8217;ll assume that if you have gotten this far then you know enough about the subject matter to have your own thoughts on it. I could go on but I&#8217;ll let the law of closure fill in the rest for you. At this point you either have a favourable inclination towards the perspective I&#8217;ve outlined or you are now just indulging a peculiar curiosity.</p><p>Gestalt gives us a useful lens through which to understand social engineering concepts and is by no means complete. What it does do is step us away from the consequence of the way we think towards addressing the principles of how we think. Biases have always seemed too &#8216;after the fact&#8217; to be practicable in any comprehensible sense to me. Applying Gestalt helps in consolidating disparate threads into a set of workable principles that explain why the principles of influence work.</p><p>Perhaps then, Gestalt itself is the mechanism that allows us to see the &#8216;Gestalt&#8217; of social engineering. There is a reductionist aspect to this . . . and this is where I bamboozle you with some metatheoretical elegance. Gestalt itself is a form of Pr&#228;gnanz, the law of simplicity. Gestalt is what it describes. By breaking down psychology into a simple set of laws it is a simplification in its own right. Gestalt is both the description and the example. You might need to read that a couple of times, it&#8217;s mad, I know!</p><p>A cynic would say that my application of Gestalt is flawed because of this simplification but I might argue that I am aligning to mechanisms of human comprehension as they are emergent from the fundamentals of our biological construct.</p><p>Or . . . 
I might just be fucking with your head at this point.</p>]]></content:encoded></item><item><title><![CDATA[Logical Fallacies]]></title><description><![CDATA[You really need to be able to spot these.]]></description><link>https://www.yousuckatcybersecurity.com/p/logical-fallacies</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/logical-fallacies</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Wed, 05 Mar 2025 10:02:46 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/5ffa852e-5eee-43fb-80c5-e037eea5ca8e_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>&#8220;Logical fallacies?? What the hell is the pretentious crap!?&#8221;</p><p>LinkedIn User</p></div><p>This was one of the comments made when I once posted about logical fallacies on LinkedIn. The poster deleted the comment so I couldn&#8217;t respond. To spare them the indignity of &#8220;<em>listening to the posturing</em>&#8221; of which they were complaining . . . I relieved them of the option to interact with me any further. This is one of the problems of picking up random contacts on LinkedIn, you can become easily afflicted by insufferable pillocks. </p><p>But . . . I want to talk about logical fallacies.</p><p>I am going to double down on the view that every security practitioner must have a working knowledge of logical fallacies and how to spot them. I encounter them all the time during the course of my work. 
I&#8217;ve seen it too many times where a slick project manager dismantles the valid positions of a security practitioner just through their higher level of ability in debate. Consider that debate in a work context is where you are trying to gain the support of the observers rather than the person making the counter proposition. Influence is oriented towards changing the mind of the person making the argument, which might be an impossibility.</p><p>Logical fallacies tend to manifest most prominently where a decision needs to be made and various people are called upon to inform that decision. I imagine you know exactly the type of thing I&#8217;m talking about. In this scenario the security practitioner sounded unsure and couched in their demeanour, the slick project manager was confident and compelling. At no point were the concerns raised by the security practitioner addressed but they were outmanoeuvred. A decision was made that led to a suboptimal outcome. Ultimately, decisions are based on emotions. Rationalisation is a post-hoc justification of a decision that was already made, and this was based on the perceived strength of the arguments being made and on how they were presented.</p><p>So, why does this kind of bullshit keep happening?</p><p>Well, part of it is weak practitioners who suffer from &#8216;<em>stay-in-your-lane-ism&#8217;</em> coming from a place of fear. An unwillingness to engage with confidence about matters that are well known but lie beyond the horizon of what is traditionally termed as the domain of security. They shackle themselves to the limitations of what others perceive that they should or shouldn&#8217;t be doing.</p><p>If we know that our job is understanding the behaviour of people, why do we focus so much on technology? Technology is the easy bit. 
We&#8217;d be better served by understanding how to negotiate, what creates influence, what psychological principles underpin all of this, and how to engage with junk arguments that we are presented with. If security is a &#8216;people problem&#8217; as we proclaim, why don&#8217;t we know how to construct and refute arguments as well as.</p><p>I&#8217;ll share some examples of shit I have seen consistently for years.</p><h3><strong>False Dichotomy</strong></h3><div class="pullquote"><p><em>&#8220;Your options are A or B. Choose!&#8221;</em></p></div><p>A false dichotomy reduces a broad range of options into a binary option. I have seen this technique used to high levels of effectiveness. It is very common. Usually this is where a decision is required but it can also be used to manoeuvre a person into a position where they are forced to agree with a framing that is constructed by the person proposing it. It contains a loaded expectation that there is a choice to be made. A false dichotomy can be constructed in such a way as to leverage anchoring bias and the adjustment heuristic, which artificially sets a boundary to the discussion, and the conversation then follows within the confines that have been set.</p><p>The framing of a false dichotomy can be useful to elicit a decision, however there are ethical considerations regarding its use. The existence of other options must be made clear, along with some exposition as to why they have been discounted. An interesting quirk is that humans generally show higher levels of satisfaction with a chosen option when there are fewer options to choose from.</p><p>When you identify a false dichotomy there are a couple of ways to approach this. One way is to outright reject both options and put it back to the person making the proposition. Ask &#8220;<em>what happens if I do neither?</em>&#8221;. This can sometimes lead to further discussion around the premise of the options where you will find weakness. 
It can be helpful to ask about other options that are not presented. Push for details of why these were discounted, on what basis, and what analysis supports this. Often you will expose that the analysis is weak and be able to reclaim the initiative.</p><h3><strong>Bandwagon fallacy</strong></h3><div class="pullquote"><p><em>&#8220;Another team/division/company did it so it must be fine&#8221;</em></p><p><em>&#8220;This is the market leading tool&#8221;</em></p></div><p>Christ! I hear some variant of this one almost daily and it&#8217;s the one that boils my piss the most. Essentially the claim here is that we do not need to scrutinise something as the heavy lifting has already been done by others. It&#8217;s just faulty thinking to conclude that something is good without looking at the information and coming to your own conclusion. There is more than a note of resonance with the principle of influence, <em>social proof</em>.</p><p>Walter Lippmann wrote &#8220;<em>where we all think alike, no one thinks very much</em>&#8221; and we can view the aspiration of dependence on the perspectives of others as the aspiration to not think very much ourselves. We could even term this &#8220;<em>magic quadrant mentality</em>&#8221;. There might be valid reasons why some look to this type of argumentation, they might not have the time, the resources, the expertise, or the budget to do things correctly. But the consequence is an uncomfortable one, they are sitting themselves atop assumptions that could easily get kicked out from under them.</p><p>There are snuck premises in these types of statements. It assumes that the external parties being invoked have made an appropriate assessment or have a competent implementation themselves. How would you know that they themselves have given any thought or scrutiny to a proposal and not just adopted what others are doing? 
Another assumption here is that others have a comparable set of circumstances to yours and are using a solution in a way that you intend to use it. It&#8217;s unlikely to be the case. Protection is contextual to your specific set of circumstances. Foregoing an appropriate level of scrutiny in favour of a half-arsed approach is negligence.</p><p>These types of fallacies are best countered by asking for evidence. Ask how verification can be obtained of the findings of others. Often in these cases those who are relying on this line of argument know little of the facts and will come apart on scrutiny. Pressing for specifics is generally quite useful but very useful here. How do you know this is protected? How does this apply to how you intend to use it? etc.</p><h3><strong>Appeal to tradition</strong></h3><div class="pullquote"><p><em>&#8220;This is how it&#8217;s always been done&#8221;</em></p><p><em>&#8220;This is how the old system used to work&#8221;</em></p></div><p>This has similar problems to the bandwagon fallacy but also introduces a new dimension. It assumes that the previous approach was good or the old ways are the best. It might be true, but it might not. Circumstances change. The business may have a lower capacity for losses than they previously did, their policies and standards might be different, the regulatory context might have changed, the organisation might be trading in different markets. Essentially the person making the argument is counting on you accepting the assumption that the traditional way of doing things is the best way.</p><p>An obvious question to ask is &#8220;<em>If it was fine before, what&#8217;s the need to change anything?</em>&#8221;.</p><p>I encounter this a lot when systems or processes are being replaced but in that context the thinking is even more broken. It is used as a bypass for asking critical questions and re-evaluating the way things are done. 
A realistic scenario might be a new system to replace something that is end of life. Rather than redefine process to work optimally with the new system a number of bespoke elements are built into an off the shelf solution and some hideous bastard of a mess is generally what becomes of that.</p><h3><strong>Appeal to authority</strong></h3><div class="pullquote"><p><em>&#8220;This is industry best practice&#8221;</em></p><p><em>&#8220;They have XYZ certification, degree, or qualification&#8221;</em></p></div><p>This is another truly bullshit line of argument. It is an attempt to place an argument above scrutiny because of the person making it or the source from which it originated is considered to be authoritative in some way. They may appeal to their certifications, position, or membership of a group as the authoritative standard. One amusing yet antagonistic way to approach this one is to ask, &#8220;<em>if they are an authority on the matter why is their argument so weak?</em>&#8221; Remember, you are not required to accept an argument just because of the person making the argument. This type of faulty thinking is especially a problem in security where views are accepted as articles of faith because some certification body proclaims it. I have spoken about my disdain for the lazy thinking frameworks promote before.</p><p>Conversely this might be used as a critique of your argument where it is dismissed because you might lack some certification or formal training in a given area. I forget how many times lacking an arbitrary piece of paper had led to being told I&#8217;m not permitted an opinion. This is an easy one to deal with, something like &#8220;<em>that&#8217;s fine, but you haven&#8217;t addressed my point</em>&#8221; usually handles it. 
If you happen to work in a milksop environment something like &#8220;<em>this seems to be challenging your commitment to inclusion and diverse thought</em>&#8221; is always a banger to wheel out when you really want to piss some people off.  </p><h3><strong>I&#8217;m offended</strong></h3><div class="pullquote"><p><em>&#8220;You can&#8217;t say that, you&#8217;ll upset someone&#8221;</em></p></div><p>This might not be a logical fallacy per se but it is a line of argument I have experienced. It&#8217;s more of a thought terminating clich&#233;. Offense is the nebulous world of someone else&#8217;s hurt feelings. It&#8217;s a rarer occurrence but it does pop up every now and then. There is a pernicious undertone to many arguments of this type. They depend on using these clich&#233;s to kill the conversation. They are exerting the expectation of the social norm to be nice to stop the discussion. These are easily handled. The late, great Christopher Hitchens might have said &#8220;<em>I&#8217;m still waiting to hear what your point is</em>&#8221;, or you can always just say &#8220;<em>so what</em>&#8221; which is far more humorous.</p><h3><strong>Sunk cost</strong></h3><p>This tends to be more of a behavioural problem rather than related to argumentation but is a form of logical fallacy. We continue to do something stupid because we have already spent a lot of money on it. We are too far down the path to turn back. This is about ego preservation rather than doing the right thing.</p><p>The cost might not be related to financial spend, it might be that someone has staked their reputation on delivering something or that so much effort has been expended on doing something that has now transpired to be pointless. Where this happens you know you are in the presence of weak leadership.</p><p>It is the old adage &#8220;<em>throwing good money after bad</em>&#8221; but it happens very frequently. 
You will usually see this where a project has encountered problems and reduces its scope to the point of having no meaningful impact on anything. An expensive project will be concluded to rapturous applause, having delivered very little.</p><p>This is one you aren&#8217;t going to win with a weak leader that is adamant on doing the wrong thing for the business. It&#8217;s best to recognise that criticising the failing initiative will be seen as a criticism of its supporter, it will be taken as a personal attack. The best you can do is minimise your involvement and go do something useful with your time.</p><h3>Strawman</h3><p>A strawman is where a critique is made of an argument that wasn&#8217;t made. It is a contortion or misrepresentation of what has been said. These might be changing assumptions or features of your statements to make them open to critique. We see this where the asserted benefit of a project or initiative is that it will solve a specific problem or subset of problems. The counter might attack a position which implies that the benefit will solve all the problems, mischaracterising the position. This type of fallacy happens a lot, especially when someone is attacking something in order to replace it with something new. </p><p>One of the more amusing examples I&#8217;ve seen comes from agile practitioners. They were vehemently critical of waterfall project methodology making assertions that it was slow, expensive, and didn&#8217;t take into account the needs of the customer. That might be true however what they were levelling criticism at was not waterfall methodology but rather an altered derivative that was unique to their organisation. Their argument wasn&#8217;t actually with waterfall. Spin on a decade or so and there are some narrow eyebrows being raised at agile failing over and over. Notice how quickly they rely on the argument that &#8220;<em>the methodology wasn&#8217;t implemented correctly</em>&#8221; when faced with critique. 
It&#8217;s comical stuff.</p><p>The approach here is to constantly correct and highlight the incorrect elements of the rebuttal. This is the time to get pedantic because &#8220;<em>that is not what you said</em>&#8221; and &#8220;<em>it is not the argument being made</em>&#8221;. Get the person back to the terms you have specified for your argument and force them to speak to that. And if you really want to be a prick about it you might say &#8220;<em>you have completely missed the point</em>&#8221;.</p><h3>Ad Hominem</h3><p>Oh, these can be fun.</p><p>These are rarer as they tend to be high risk in a sanitised corporate environment. Ad hominem is where there is an attack against the person or motives rather than the argument. This might be in the form of &#8220;<em>you have only been with the company for X amount of time</em>&#8221; which does nothing to address a point being made but attempts to subvert it by attacking how long someone has been within the organisation. You will sometimes get &#8220;<em>you are only saying that because you are in security</em>&#8221; or something of that ilk which is irrelevant to the argument being made. In these situations it can be useful to highlight the critique, &#8220;<em>does my role in security detract from the concern?</em>&#8221;</p><p>Ad hominem can always be entertaining to use yourself. But be cautioned, it can backfire so you need to be able to read the room and use this where you have a sympathetic audience.</p><h3>Steelman</h3><p>There is a more gracious but less gratifying way to deal with logical fallacies, albeit far less amusing for those inclined towards over excited exchanges. It is the steelman. A steelman is the practice of presenting the strongest possible version of an opponent's argument, even stronger than they may have articulated themselves.</p><p>A steelman is helpful. 
By considering the most charitable version of a person&#8217;s position it can help tease out the strengths and weaknesses of an opposing position. This approach also helps in identifying counter arguments to critiques which you might be able to use and will be robust. It requires using critical thinking skills to get to the foundation of an argument by identifying the assumptions and premises on which it is built. </p><p>It can help generate credibility and start to form a relationship that has utility. By replaying their position empathy can be elicited by creating an oxytocin response and ultimately building trust. It allows you to label, paraphrase and generate neural resonance. This is all in the realm of social engineering technique which we won&#8217;t get into here. This gives another way to approach leveraging those techniques to generate rapport.</p><h3>Conclusion</h3><p>A great many logical fallacies can be observed in the workplace but these are the ones I see regularly. There is a certain style that needs to be employed when approaching these. I see ways to address these as falling into one of two categories.</p><ol><li><p>Change the mind of the person</p></li><li><p>Destroy the point</p></li></ol><p>The former is higher effort but will have longevity as you are actively building relationships with people. Techniques like steelman can help create those relationships. It requires skill and understanding of social engineering methods but the outcomes can be highly effective and long lasting.</p><p>The latter is reserved for situations where you won&#8217;t influence the person making the argument but you need to gain the support of others. Being quick, humorous, and a good speaker help in these situations but there is always a dangerous element to combative approaches.</p><p>Irrespective, you should know about logical fallacies so that you are able to identify when someone is using them on you to pull a fast one.  
</p>]]></content:encoded></item><item><title><![CDATA[Apple and the Snooper's Charter]]></title><description><![CDATA[The UK Government have gone Cyber-Scrumping!]]></description><link>https://www.yousuckatcybersecurity.com/p/apple-and-the-snoopers-charter</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/apple-and-the-snoopers-charter</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Fri, 21 Feb 2025 22:05:22 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/793e03ba-8217-4a14-b532-9e5d3539331f_957x708.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>I don&#8217;t normally post in reaction to current events but this feels of significance, a turning point perhaps or a way to have a reasonable conversation. </p><p>Today, Apple have removed their advanced data protection (ADP) from their iCloud product in response to a request from the UK Government. The request forces Apple to provide a mechanism so the government can go scrumping for data. If the Government make a lawful request for an Apple user&#8217;s data, Apple must provide it. </p><p>ADP is an opt in service provided by Apple. The ADP service means that only the user has access to their data so Apple have taken the decision to remove ADP rather than build a backdoor into their service. 
They are reported to have said they were;</p><div class="pullquote"><p>gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy</p></div><p>There will probably be some kneejerk reaction and wildly overstated proclamations of a total collapse in privacy. Although I am sympathetic to that position we should be measured in how we understand this.</p><p>In this instance Apple have removed the service that deletes the encryption key from Apple&#8217;s hardware security modules (HSM) meaning only the user will have a key to decrypt the data. The service puts the burden of key management onto the user and honestly it&#8217;s hard to see many consumers actively opting in for this service if the consequence of losing their device is that the data cannot be recovered as Apple do not have access to the key. </p><p>As best as I can tell, the standard encryption remains &#8216;as is&#8217; as Apple have the key on their HSMs and could comply with a warrant. Now there are areas that will remain &#8216;end to end&#8217; encrypted in iCloud and could fall within the scope of a government request for data, but they aren&#8217;t really the specific focus of the Investigatory Powers Act which deals with the interception and acquisition of data.</p><p>If they comply or not is another question.</p><p>In view of the fact Apple are opposed to creating any back doors it makes sense that they withdrew the opt in service rather than compromise it.</p><p>This quandary introduces a point to have some inflection about privacy, safety, and rights.</p><h3>The Investigatory Powers Act 2016</h3><p>First things first, what is the Investigatory Powers Act (IPA)? It is a piece of legislation also known as the <em>snooper&#8217;s charter</em> that gives the UK Government extensive surveillance and data collection powers for national security and crime prevention. 
It was passed in 2016 under Prime Minister Theresa May. It was staunchly opposed by the Liberal Democrats, and Labour were absent for the vote. At the time it was controversial and a number of amendments had to be made as it was deemed unlawful in a number of legal challenges.</p><p>It is being alleged that Apple have been issued a <em>technical capability notice </em>under the IPA. I say alleged as the Home Office have refused to comment and Apple are legally prohibited from confirming if they have received such a notice. On balance, it is a reasonable assumption that they have received the notice given the action they have taken. </p><p>It is not clear if notices have been issued to other companies or what action they may have taken. </p><p>Under <a href="https://www.legislation.gov.uk/ukpga/2016/25/section/253?form=MG0AV3">Section 253</a> of the IPA a <em>technical capability notice</em> is an instruction from the British Government to maintain a technical capability to respond to lawful requests for data. The notice must be issued by the Secretary of State, presently Yvette Cooper. The IPA applies to telecommunication operators which are defined as, </p><div class="pullquote"><p>A &#8220;telecommunications operator&#8221; means a person who: </p><p>(a) offers or provides a telecommunications service to persons in the UK; or <br>(b) controls or provides a telecommunication system which is (wholly or partly) in the UK or controlled from the UK.</p><p><a href="https://www.gov.uk/government/publications/investigatory-powers-amendment-bill-factsheets/investigatory-powers-amendment-bill-overview-of-the-notices-regime?form=MG0AV3">Amendment Notice</a></p></div><p>Let&#8217;s be clear though, although a mechanism may exist, it does not mean that the government has access to all the data now. It would require a law enforcement agency to have a warrant to do so. 
</p><p>The upshot here is that where requested by the government telecommunications operators must provide a mechanism for law enforcement to access data where a warrant is issued. The warrant is issued by the Secretary of State for access to the data. Access must be related to considerations of national security, crime prevention, public safety and those sorts of reasons. That being said, the current Secretary of State has made statements labelling <em>suspects</em> as <em>criminals</em> prior to a conviction, arguably prejudicing any proceedings. So, there is little to convince me that the incumbent government wouldn&#8217;t abuse warrants to achieve a political goal.</p><h3>Technological problems</h3><p>Politicians seem to be the least well equipped to understand the implications of their decisions when it comes to technology. The discussion about putting backdoors into encryption so that data can be accessed for criminal investigations has been out there for a while. It seems to be that something akin to a backdoor within the encryption algorithm would break encryption, if not functionally, then conceptually, as the point of it is for the data to remain private.</p><p>It&#8217;s also worth considering if VPN providers are subject to the IPA, my view is that they would be. There is another problem with the IPA and that is the requirement for Internet Service Providers (ISPs) to log data access records for a year. So what has been accessed on the internet can be reviewed by law enforcement. Although this is intended to improve safety it erodes privacy. </p><p>As security practitioners it is unlikely we will need to change our systems to allow data access beyond what is already required unless you are working in a telecommunications organisation. For those organisations it is possible that there would already be mechanisms in place to obtain access. 
A company cannot disclose if they have received such a request after all.</p><h3>Conflict with human rights?</h3><p>One claim that is made is that privacy is a human right. This is correct, to an extent . . .</p><div class="pullquote"><h4><em>Article 8 - Right to respect for private and family life</em></h4><ol><li><p>Everyone has the right to respect for his private and family life, his home and his correspondence.</p></li><li><p>There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.</p><p><a href="https://www.legislation.gov.uk/ukpga/1998/42/schedule/1/part/I/chapter/7">Human Rights Act 1998</a></p></li></ol></div><p>Basically you have the right to privacy until the government says otherwise. Under the law any determination can be made by the ruling government to take away legal rights and this appears to be true for most legislation outlining rights that originates from Europe.</p><p>Privacy can be regarded as a natural human right which in a Lockean or Hobbesian conceptualisation are inalienable, universal, and self-evident. Inalienable meaning they cannot be surrendered, transferred, or taken away as they are intrinsic to a human. The Human Rights Act 1998 can be taken as a betrayal of classical liberalism due to the &#8220;get out of jail free card&#8221; it gives to governments to arbitrarily remove those rights.</p><p>Why privacy is important and what makes the betrayal so egregious is that many other rights sit on top of it such as free expression, freedom of association, personal autonomy, dignity. 
But there has been a decay in the understanding of what rights are, punctuated hilariously by Jeremy Corbyn who argued that broadband was a human right.</p><p>Social contract society in Rousseau&#8217;s conceptualisation suggests that we sacrifice some of our natural rights and subordinate ourselves to the state. We do this by consent. The genesis of these laws, although derived from the rights and privileges of the English as outlined by Blackstone, has been bastardised by modern influences which allow these rights to be sacrificed without our consent.</p><h3>Conclusion</h3><p>So, what is the impact of all this?</p><ul><li><p>Is Apple&#8217;s technical security compromised? Not really, unless you are in the minority that manage their own encryption keys.</p></li><li><p>Does it change Apple&#8217;s legal obligations? No, they have been there for some time; we only just noticed.</p></li><li><p>Does it change what we need to do as security practitioners? Not really, unless you work in specific industries.</p></li></ul><p>So why is this important?</p><p>The manifestation of the Apple incident is indicative of a more fundamental problem with how we conceptualise rights. Privacy is a fundamental right; without it many other natural rights fall. This is the real problem, and one we have been up against for a great many years.</p><p>This is a stark reminder that data protection and privacy are not the same although they are used interchangeably. Privacy can only relate to a person; data protection does not have that constraint. Data can be protected without being private. 
But while we are here, we may as well put <em>privacy by design</em> on the bonfire of failed marketing gimmicks.</p>]]></content:encoded></item><item><title><![CDATA[Cyberjerk 2025]]></title><description><![CDATA[Does "cyber" have anything to do with computers?]]></description><link>https://www.yousuckatcybersecurity.com/p/cyberjerk-2025</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/cyberjerk-2025</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Wed, 19 Feb 2025 10:01:21 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/dcfcd2eb-cc29-4438-bb61-3c13c9b3874d_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Introduction</strong></h3><p>This follows a previous article where I explored the origins of the term &#8220;cyber&#8221;. I extend from Norbert Wiener&#8217;s conceptualisation into what followed.</p><div class="digest-post-embed" data-attrs="{&quot;nodeId&quot;:&quot;d437e513-8ebd-41e2-a6a7-1a90ef781421&quot;,&quot;caption&quot;:&quot;I was vaguely interested in where the word &#8216;cyber&#8217; came from and some time ago I picked up &#8216;The Human use of Human Beings - Cybernetics and Society&#8217; by Norbert Wiener. It is an interesting read drawing from many concepts across science, religion, philosophy, psychology, and even Alice in Wonderland. 
Needless to say, I fell down the rabbit hole and what &#8230;&quot;,&quot;cta&quot;:null,&quot;showBylines&quot;:true,&quot;size&quot;:&quot;sm&quot;,&quot;isEditorNode&quot;:true,&quot;title&quot;:&quot;Cyberjerk 2023&quot;,&quot;publishedBylines&quot;:[{&quot;id&quot;:137691388,&quot;name&quot;:&quot;Den Knowles&quot;,&quot;bio&quot;:&quot;Security Practitioner&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/686ba17b-f9e8-4b6c-926c-c9d81295d0b8_600x600.jpeg&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null}],&quot;post_date&quot;:&quot;2023-10-25T12:48:33.583Z&quot;,&quot;cover_image&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/aedcc5fd-f29a-4be4-9eed-d79454be3f85_957x708.png&quot;,&quot;cover_image_alt&quot;:null,&quot;canonical_url&quot;:&quot;https://www.yousuckatcybersecurity.com/p/cyberjerk-2023&quot;,&quot;section_name&quot;:null,&quot;video_upload_id&quot;:null,&quot;id&quot;:138272720,&quot;type&quot;:&quot;newsletter&quot;,&quot;reaction_count&quot;:0,&quot;comment_count&quot;:0,&quot;publication_id&quot;:null,&quot;publication_name&quot;:&quot;You Suck at Cyber Security!&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c29f902-0fe2-4b29-aa26-6259bb0be6e6_612x612.png&quot;,&quot;belowTheFold&quot;:false,&quot;youtube_url&quot;:null,&quot;show_links&quot;:null,&quot;feed_url&quot;:null}"></div><p>How often is it said that Cyber Security is another way of saying IT Security? And that it is a subset of Information Security? Was <em>cyber</em> intended to become shorthand for IT stuff? I&#8217;m not sure that it was.</p><p>I ponder if the term <em>cyber</em> even has anything to do with computers? 
Modern definitions certainly think so but, understanding where the term originated, I feel the modern incarnation is a flattened form that removes richer connotation. A modern definition for cyber is generally as follows.</p><div class="pullquote"><p>Cyber: of, relating to, or involving computers or computer networks (such as the Internet)</p><p><a href="https://www.merriam-webster.com/dictionary/cyber">Merriam Webster</a></p></div><p>Let&#8217;s quickly recap on its origin and then see what happened from there.</p><p>Norbert Wiener introduced the term <em>cybernetics</em> in the 40s. Wiener discussed cybernetics as the relationship and interaction between animal, machine, and the environment. More specifically he is talking about feedback loops in biological and technical systems. He derived the word <em>cybernetics</em> from kybern&#7703;t&#275;s which means steersman or pilot in Greek and he chose this to emphasise the importance of control and guidance. It&#8217;s interesting to note that the word kybern&#7703;t&#275;s is also the root of the word governance which is clearly broader than considerations of IT configuration.</p><p>The intention of the term <em>cybernetics</em> in Wiener&#8217;s conceptualisation was not to describe computers <em>per se</em>. Computers didn&#8217;t exist as they do today, mainly consisting of basic programs and large machines built around thermionic/vacuum valves. Cyber was in the parlance before computers so to claim that cyber is related solely to computers is a difficult position to support. Our relationship with technology is not the technology itself, it&#8217;s something different and as the term evolved into the 70s and 80s it took on other dimensions but remained rooted in the exploration of the relationship between animal and machine. 
</p><p>Science fiction writers were up next to have their crack of the whip with this cyber stuff.</p><h3><strong>Cyberpunk</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gY4t!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gY4t!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gY4t!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg" width="594" height="334.125" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:594,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Blade Runner 1982 Wallpapers - Top Free Blade Runner 1982 Backgrounds ...&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Blade Runner 1982 Wallpapers - Top Free Blade Runner 1982 Backgrounds ..." title="Blade Runner 1982 Wallpapers - Top Free Blade Runner 1982 Backgrounds ..." srcset="https://substackcdn.com/image/fetch/$s_!gY4t!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gY4t!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05fa9743-e27a-4ac7-b08d-38275b50da8e_1600x900.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Blade Runner 1982</figcaption></figure></div><p>Cyberpunk generally deals with dystopian societies that struggle with the relationship between animal and machine. It provides commentary on the possible outcomes that arise through misuse of technology. We are talking about things like Blade Runner, RoboCop, The Matrix, Judge Dredd and that kind of thing. Obviously just talking about &#8216;IT shit&#8217; in entertainment doesn&#8217;t make for a particularly enthralling story so that means other themes come into the frame. The impact of technology on society, humans, or projecting into the future clearly comes into play. It&#8217;s obvious then why the rather flat contemporary use of &#8216;cyber&#8217; doesn&#8217;t fit the bill when we are discussing cyberpunk. 
We are still talking about the relationship between animal and machine and the technology itself is incidental to the story being told.</p><p>Bruce Bethke is an American author who coined the term &#8216;cyberpunk&#8217; with his 1983 short story &#8216;Cyberpunk&#8217;. This popularised the term &#8216;cyber&#8217; in the common parlance. He has written several novels, including &#8216;Headcrash&#8217;, which won the Philip K. Dick Award in 1995. Bethke has also worked as a supercomputer software developer and served as a judge on the Philip K. Dick Award.</p><p>I exchanged messages with Bruce to get his perspective on &#8216;cyber&#8217; and our discussion led to some interesting places. The original conceptualisation of the term cyberpunk is associated with the concept of technology ubiquity. Bruce explained it with this question: &#8220;<em>what happens when these things become cheap enough and common enough that they&#8217;re no longer the exclusive province of university-educated people in lab coats?</em>&#8221; What I take this to mean is that we are talking about how technology is situated relative to society. In this sense the ubiquitous nature of the technology means that there is a common or inexpensive element to it, a punkish element if you will. Clearly the term punk is evocative of a class or ethos. It&#8217;s the DIY mentality and working with what you have to achieve different and unintended means. Of course, manipulating a system within its own rules yet outside the intentions of its creator is the very definition of hacking and this is one of the themes explored in Bruce&#8217;s work. When punk is appended to cyber then what we are talking about is an ethic or perspective associated with the technology and implied relationship with that technology.</p><p>Bruce suggested that language itself can be considered a form of technology. This is an interesting contention and one that has appeal. 
I suppose it might seem high brow but conceptually it poses some interesting questions about the nature of communication. If we consider that to be another technology then our relationship with language comes into the scope of what is cyber under a Wiener-esque definition. It has the elements needed to satisfy such a definition as it is inherently the delivery channel and message of a feedback mechanism between animal and machine.</p><h3><strong>Evolution of language</strong></h3><p>Our discussion went on to language adoption and how language acquisition later in life is very different to the understanding of those who grew up with it. Those who grew up in a &#8216;culture&#8217; have a higher level of fluency in it than those who adopted it later in life. This leads to a generational disconnect, the obvious schism being between the current generation and the last. Experientially the next generation cannot fully understand the prior one and the inverse is true. Context and association are lost, the thick concepts and embedded meanings are not universal, almost like two countries separated by a single language. Plato captured the sentiment of this concept when talking of children.</p><div class="pullquote"><p>Don't force your children into your ways, for they were created for a time different from your own.</p><p>Plato</p></div><p>The schism of meaning between generations is true of the word cyber itself, morphing and changing over the passage of time, malleable to the needs of the time. There is something to be said for a generational shift of the meaning of words and the consequential change in behaviours between generations and even the perceptions of concepts. 
If we consider language to be a technology then we could consider these generational changes to be different versions of the corpus.</p><p>After the authors of the cyberpunk genre came the 90s, and as glorious as those times were they eviscerated the thick concepts attached to the term cyber.</p><h3><strong>Enter the Cyberspace</strong></h3><p>As the internet started to gain traction a certain aesthetic emerged. It was a continuation of the late 80&#8217;s bold, neon, and vibrant style, which started integrating new terms that promoted an optimistic view of the future. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gIof!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gIof!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gIof!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gIof!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gIof!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!gIof!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg" width="335" height="445" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:445,&quot;width&quot;:335,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!gIof!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gIof!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gIof!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gIof!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9df4a36b-06b2-4a0a-9ed1-d8677dff2c5a_335x445.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Cyber was prefixed to anything and everything vaguely tech oriented. We see the same today with AI as a suffix, or the later trend of an &#8216;i&#8217; prepended to an arbitrary word. Who really needs a Samsung jet bot AI vacuum cleaner? I&#8217;m sure you could pick one up on Cyber Monday . . . sorry about the iDad Joke.</p><p>The release of Windows 95 coupled with endless stacks of AOL and CompuServe compact discs drove mass adoption of the internet. Cyber was the term that was presented to the uninitiated to bring them into the fold and get them surfing cyberspace.</p><p>There is something refreshing about looking back at the 90s technological aesthetic. It has a self-confidence that is lacking today. 
Although it flattened the meaning in words it embraced individualistic and unique design in a way modern technology doesn&#8217;t. They weren&#8217;t scared of pushing the envelope.</p><p>The 90s aesthetic eventually gave way to Y2K futurism and a sequence of uninspiring design trends followed, leading us to the current day. Now we are encumbered with a pervasive landscape of flat, pastel colours, minimalistic logos, and tiny variants on the same sans serif font. Cyberspace today is awash with an uninspiring form of digital brutalism brought to us by joyless corporations, designed by joyless UX developers trying to hide their cynical utilitarianism behind the stickers on their fucking MacBooks. </p><p>The 90s saw the simultaneous death and rebirth of the term &#8216;cyber&#8217;.</p><h3><strong>&#8220;Wanna Cyber?&#8221;</strong></h3><p>There is a quintessential use of the term &#8216;cyber&#8217; from the 90s that should be remarked upon. It appeared in many a chat room or IM on ICQ, MSN, AOL, IRC, or even Trillian if you were some kind of tech wizard at the turn of Y2K.</p><p>ICQ quietly died in 2024 and was one of the last holdouts of 90s cyberspace. But, it introduced many to &#8216;cyber&#8217; as a standalone term. If you are of a certain age you might have received a message that read &#8220;a/s/l&#8221; which meant age / sex / location. An agreeable response to that question was often followed by another message. You might have even sent it yourself you dirty rotter.</p><div class="pullquote"><p>&#8220;Wanna Cyber?&#8221; </p></div><p>This was basically an invitation to do the cybersex thing. The internet being what it was meant this was a text based experience but people seemed quite into it. 
For many, this was their first introduction to the word cyber.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zoS_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zoS_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 424w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 848w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zoS_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg" width="321" height="315.3504" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:614,&quot;width&quot;:625,&quot;resizeWidth&quot;:321,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;ICQ a classic that's still around today : 90s&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="ICQ a classic that's still around today : 90s" title="ICQ a classic that's still around today : 90s" srcset="https://substackcdn.com/image/fetch/$s_!zoS_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 424w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 848w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!zoS_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f82cbc9-2770-441d-8465-7233f600c7f9_625x614.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3>Cyber-farting</h3><p>You would think that a concept that had been reduced to a proposition to engage in one-handed typing would be the lowest point . . . but you are wrong. 2025 took it down another notch.</p><p>Yes, cyber-farting is a thing. This year was the first year someone was prosecuted for the crime of cyber-farting. I&#8217;m not sure what there is to say about this. 
Cyber has literally been reduced to fart jokes.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://metro.co.uk/2025/01/29/woman-charged-inappropriate-videos-uks-first-cyber-farting-case-22459049/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!H-LW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 424w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 848w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 1272w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!H-LW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png" width="532" height="507.1818181818182" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:797,&quot;width&quot;:836,&quot;resizeWidth&quot;:532,&quot;bytes&quot;:587894,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://metro.co.uk/2025/01/29/woman-charged-inappropriate-videos-uks-first-cyber-farting-case-22459049/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!H-LW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 424w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 848w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 1272w, https://substackcdn.com/image/fetch/$s_!H-LW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc70fde59-3fd5-4a95-814c-38ed8fa13b07_836x797.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>Conclusion</strong></h3><p>We are left with cyber as a term which has iterated and changed over time. Much like the technologies described in the cyberpunk genre the term &#8216;cyber&#8217; itself has been contorted from original intent to a bastardised form, one that bends to the will of the user.</p><p>The 90s systematically hollowed out the nuance and meaning that attached to the term &#8216;cyber&#8217; as it reached ubiquity. We now have a word that has so little meaning and so much association with vacuous corporate marketing bullshit that its mere use attracts ridicule, and rightly so.</p><p>The use of the term &#8216;cyber&#8217; has come full circle. Today&#8217;s inheritors of the word are the manifestation of the dystopian society that sci-fi writers speculated about. 
Recent events might extend that dystopia to a world that has fallen beyond that into idiocracy.</p><p>As Bruce said to me, &#8220;<em>In 1980, I figured I was looking 40 years into the future. I&#8217;m pleased to see that the future has arrived right on schedule</em>&#8221;. I can only rejoin by saying, &#8220;<em>it might be worse than that though</em>&#8221;.</p>]]></content:encoded></item><item><title><![CDATA[I've written a book . . . and it's out soon!]]></title><description><![CDATA[Yes, it's one of those posts!]]></description><link>https://www.yousuckatcybersecurity.com/p/ive-written-a-book-and-its-out-soon</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/ive-written-a-book-and-its-out-soon</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Fri, 07 Feb 2025 10:02:35 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/8948b3b3-9b38-4972-8b7d-c215af1c89f3_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I admit, this is shameless self-promotion, I&#8217;ll try not to do it too often.</p><p>I&#8217;ve written a book called &#8220;<a href="https://freaksofthewireless.com/">Freaks of the Wireless</a>&#8221;.</p><p>You probably aren&#8217;t here for stories about Victorian magicians that happen to be hackers . . . but this is a project I&#8217;ve invested quite a bit of time into so I want to give it every chance to succeed. </p><p>The book is about the first wireless hack and the events around it in the early 1900s. As I looked into the events it got more and more interesting. 
</p><p>I accidentally uncovered the first denial of service attack, the first bug bounty, the first hacker that tangentially used a pseudonym for shit posting, the first real time countermeasure deployment, and the first wireless hack which isn&#8217;t the one that everyone posts about . . . but I do cover that.</p><p>It&#8217;s a very interesting story. You can even pre-order the book right now!</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://securityblendbooks.com/products/freaks-of-the-wireless&quot;,&quot;text&quot;:&quot;Clicky Button to Pre-Order&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://securityblendbooks.com/products/freaks-of-the-wireless"><span>Clicky Button to Pre-Order</span></a></p><p></p><p>I have a publishing agreement in place with <a href="https://securityblendbooks.com">Security Blend Books</a> and the book will be out on the 4th June 2025. We&#8217;re going through the final touches to do this fantastic story justice!</p><p>I set up a separate Substack if you are interested in reading about some of the interesting events that are covered in the book, random security history, or want to follow along with updates.</p><div class="embedded-publication-wrap" data-attrs="{&quot;id&quot;:3182319,&quot;name&quot;:&quot;Freaks of the Wireless&quot;,&quot;logo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82f6c0dd-584b-4b2c-82ea-5916d50fcbb9_710x710.png&quot;,&quot;base_url&quot;:&quot;https://freaksofthewireless.substack.com&quot;,&quot;hero_text&quot;:&quot;Subscribe for updates on the upcoming book \&quot;Freaks of the Wireless\&quot; which will be released on 4th June 2025.&quot;,&quot;author_name&quot;:&quot;Den 
Knowles&quot;,&quot;show_subscribe&quot;:false,&quot;logo_bg_color&quot;:&quot;#292524&quot;,&quot;language&quot;:&quot;en&quot;}"><a class="embedded-publication embedded-publication-flex" native="true" href="https://freaksofthewireless.substack.com?utm_source=substack&amp;utm_campaign=publication_embed&amp;utm_medium=web"><div class="embedded-publication-left"><img class="embedded-publication-logo" src="https://substackcdn.com/image/fetch/$s_!UMrC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82f6c0dd-584b-4b2c-82ea-5916d50fcbb9_710x710.png" width="40" height="40" style="background-color: rgb(41, 37, 36);"></div><div class="embedded-publication-right"><span class="embedded-publication-name">Freaks of the Wireless</span><div class="embedded-publication-hero-text">Subscribe for updates on the upcoming book "Freaks of the Wireless" which will be released on 4th June 2025.</div><div class="embedded-publication-author-name">By Den Knowles</div></div></a></div>]]></content:encoded></item><item><title><![CDATA[Poisoning the well]]></title><description><![CDATA[Will AI kill the internet? Or was it already dead?]]></description><link>https://www.yousuckatcybersecurity.com/p/poisoning-the-well</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/poisoning-the-well</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Fri, 31 Jan 2025 13:01:04 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/2fe54de9-c417-4537-9c39-1fa00463b4c4_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>Introduction</strong></h3><p>I&#8217;ve been thinking about how artificial articles, videos, profiles, and images are changing the nature of online spaces. 
I think about how this changes the human experience and behaviour within these spaces and at what point we will reach a tipping point where the vacuous and hollow homogeneity of aggregated mediocrity will make the internet pointless.</p><p>Well, I might struggle to say this is related to security. Perhaps it&#8217;s better described as technology commentary. It&#8217;s been two years since the first article on this blog was published and I wanted to revisit some of those ideas and explore some new ones. The first article was about AI and values and my daily work is increasingly oriented around understanding this technology in the context of large corporates. </p><p>It is inevitable that AI will change the technology landscape and I have reservations about this from the perspective of what this will do to the users of that technology. We need only look at the impact of smartphones and social media on adolescents to see the epidemic of mental health problems. The implementation of technology translates to a change in the behaviour of the consumers. And this is true when we are talking about security technology too. If you block something it is amazing how people will create workarounds to subvert those controls.</p><p>I&#8217;ll allow myself the indulgence of running across a whole raft of subjects from internet conspiracies to academic papers. So . . . here we go.</p><h3><strong>The Dead Internet</strong></h3><p>There is a line of thought that originated from the dark corners of the internet. The unhinged ramblings of a lone Anon on an online forum now seem poignant when read in retrospect. We hark back to the internet of yesterday which was a very different place. </p><p>I am talking about the &#8220;<em>Dead Internet Theory</em>&#8221; which has found increasing airplay in the mainstream over the last year or so. It has especially become more relevant given the Meta AI user account fiasco and forces a reconsideration of just what the fuck is actually going on. 
The TLDR for &#8220;<em>Dead Internet Theory</em>&#8221; is given as follows.</p><div class="pullquote"><p>Large proportions of the supposedly human-produced content on the internet are actually generated by artificial intelligence networks in conjunction with paid secret media influencers in order to manufacture consumers for an increasing range of newly-normalised cultural products. </p><p><a href="https://forum.agoraroad.com/index.php?threads/dead-internet-theory-most-of-the-internet-is-fake.3011/">Dead Internet Theory: Most of the Internet is Fake</a></p></div><p>It might seem that shit posting edge lords from shadowy quarters might have little to do with security but nothing could be further from the truth. In times past, much of the online culture came from the wild west fringes of acceptability, finding their genesis in the primordial soup of knuckle draggers rattling their keyboards. The &#8220;<em>Dead Internet Theory</em>&#8221; comes from these murky depths of the web. </p><p>Anonymous are one of the first names that come to mind when we think about the dark corners of the internet. We think of them now when we hear the term &#8216;hacktivist&#8217; but they grew out of 4chan around 2008 when taking exception to and shit posting Scientology. Many of the great firsts in hacking came from people messing with other people&#8217;s stuff for their own entertainment; however, today we live in a world of criminal gangs and nation states that now occupy the zeitgeist.</p><h3><strong>But . . . is the internet dead?</strong></h3><p>To many it would be an obvious statement to say that it has died. Some might say that it has only changed. It sure feels emptier than it used to, as the author of <em>Dead Internet Theory</em> asserts. But why is this?</p><p>In part, the experience of the internet is oriented around a few social media hubs. This is where people consume their information. 
The rise of mobile devices led to a homogenisation of experience as apps were more accessible than the traditional browsing experience. They are all very similar in format to accommodate the change in devices. There is a news feed, you have a profile picture, you have a banner, and you scroll, and scroll, and scroll, and then you die. Long gone are the whacky levels of customisation and personalisation offered by places like MySpace and smaller boutique social media sites.</p><p>The increase in the availability of analytics and how advertisers pay for the attention of users has also changed how people output their content to optimise around views and engagement. How many videos are now in portrait where they were once landscape? How many have animated burn in subtitles with space between speech removed? They are created to be an optimal length and follow a similar format. You think you see more but the similarity in format makes it feel a bit &#8216;samey&#8217;.</p><p>So, the internet once seemed bigger because each bit of it was different. We no longer traverse boundaries of style and originality and what we consume is unoriginal shovelware. Increasingly what we see online is generated by AI, it is synthetic. The internet I grew up with is not the internet of today, they are vastly different beasts. </p><h3><strong>Anonymity</strong></h3><p>There was an interesting shift that changed the nature of the internet. As MySpace subsided and Facebook began to rise there was a shift. We went from using pseudonyms or online handles to using our real names. This changed who we interacted with. We oriented more around people we already knew rather than people with shared interests. It also changed how we interacted with each other in online spaces and also changed the consequences we experience.</p><p>Jon Ronson once gave a <a href="https://youtu.be/wAIP6fI0NAI">TED talk</a> about online shaming and internet pile-ons, the precursor to cancel culture. 
He gave the example of Justine Sacco who shared a poor taste joke on Twitter to her small group of followers while waiting for a flight. She thought nothing of it at the time.</p><div class="pullquote"><p>Going to Africa. Hope I don&#8217;t get <a href="https://www.the-sun.com/lifestyle/2612648/what-aids-hiv-symptoms-cure/">AIDS</a>. Just kidding. I&#8217;m white!</p><p>Justine Sacco</p></div><p>As she flew to Africa she was out of reach of internet connections but the tweet had gone viral and the internet was outraged. As Justine turned on her phone when she landed she received a message from someone she hadn&#8217;t spoken to since high school that read &#8220;<em>I am so sorry to see what has happened to you</em>&#8221;. By the time she had gotten off the plane she had discovered she had been sacked from her job and there were reporters waiting for her at the airport to see her reaction as she found out the news that her life had been destroyed. The internet awaited with bated breath to watch the destruction of someone in real time. A badly framed commentary on the liberal mindset was taken as a statement of racist intent. </p><p>But this marked something, as we moved to using our real identities the stakes became a lot higher. Privacy eroded as social media platforms started enforcing the use of real identities to make it easier for marketing firms to profile and sell to people. In many ways this put us all under the microscope and meant we were less able to have discussions and risk being wrong. How people interact in online spaces had forever been changed.</p><p>The move to real identities marked the death of the wild west era of the internet. In some ways the end of adolescence and innocent exploration. More recently this has evolved to prison terms for fairly milquetoast comments made online. 
It makes you think that being authentic might not be the best idea in the world despite the gushing sentiment of influencers idealising its benefits.</p><p>Is it any wonder that AI tools that produce &#8216;acceptable output&#8217; become appealing? It takes the risk out of the equation and if it goes wrong you have something to blame. A mechanism for repudiation if you will. The anxiety-inducing awkwardness between posting and acceptance is diminished by using these AI posting features. In some ways we are removing the risk associated with expression by sanitising the expression through AI tools. It was the case that the expression was unfiltered and the risk was mitigated by anonymity.</p><h3><strong>Outsource your thinking, sacrifice your soul</strong></h3><p>There is an obvious problem isn&#8217;t there?</p><p>As many scramble at the possibility of AI making our lives easier and in some respect removing risk from online interactions we seem to lose sight of a significant problem. We become disconnected from the process that we go through to create our thoughts. After all, we don&#8217;t value what we are given, we value what we have earned.</p><p>I recently watched a talk from Rory Sutherland and in it he talks about the <a href="https://youtu.be/wgxszcIww48">value of an essay</a>. It is not about the finished product but the process you needed to go through to write it. This is true of many of the things we do, the process is the critical part, not the output.</p><div class="pullquote"><p>But the value wasn&#8217;t in the essay. What&#8217;s valuable is the effort you had to put in to produce the essay. Now, what AI essays do is they shortcut from the request to the delivery of the finished good and bypass the very part of the journey which is actually valuable&#8212;the time and effort you invest in constructing the essay in the first place.</p><p>Rory Sutherland</p></div><p>I published an article about AI and values two years ago to the day (almost). 
It was the very first one published on this blog in fact. I have seen the change of late; what I feared would come to pass has done so. There is a more sinister element emerging. In that article I wrote: </p><div class="pullquote"><p>A security practitioner using these AI tools within their role is applying constraints to themselves. And this is the rub, what it gives is also what it takes. They will suffer through lack of experience, and lack of knowledge. They erode their ability to use creative and novel thinking to solve problems. Truth is the first virtue of thought. But what truth can be learned by automating the process of understanding? Only that they are workshy perhaps. Security could be characterised as a knowledge-based practice, but it&#8217;s more, it requires creativity and abstract thinking. Delegate these to a machine and you become nothing, or worse, contemptible.</p><div class="digest-post-embed" data-attrs="{&quot;nodeId&quot;:&quot;4b8492ae-83a2-49f8-bac3-3e598f324ec8&quot;,&quot;caption&quot;:&quot;Introduction&quot;,&quot;cta&quot;:null,&quot;showBylines&quot;:true,&quot;size&quot;:&quot;sm&quot;,&quot;isEditorNode&quot;:true,&quot;title&quot;:&quot;In an increasingly automated industry, what is the place of values in the future of security?&quot;,&quot;publishedBylines&quot;:[{&quot;id&quot;:137691388,&quot;name&quot;:&quot;Den Knowles&quot;,&quot;bio&quot;:&quot;Security 
Practitioner&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/686ba17b-f9e8-4b6c-926c-c9d81295d0b8_600x600.jpeg&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null}],&quot;post_date&quot;:&quot;2023-02-01T12:00:00.000Z&quot;,&quot;cover_image&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cf68b541-fc7c-4384-917d-72bd130adc3b_1280x720.png&quot;,&quot;cover_image_alt&quot;:null,&quot;canonical_url&quot;:&quot;https://www.yousuckatcybersecurity.com/p/in-an-increasingly-automated-industry&quot;,&quot;section_name&quot;:null,&quot;video_upload_id&quot;:null,&quot;id&quot;:112709881,&quot;type&quot;:&quot;newsletter&quot;,&quot;reaction_count&quot;:0,&quot;comment_count&quot;:0,&quot;publication_id&quot;:null,&quot;publication_name&quot;:&quot;You Suck at Cyber Security!&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c29f902-0fe2-4b29-aa26-6259bb0be6e6_612x612.png&quot;,&quot;belowTheFold&quot;:true,&quot;youtube_url&quot;:null,&quot;show_links&quot;:null,&quot;feed_url&quot;:null}"></div></div><p>Rory might have said it better but I said it first!</p><p>I look at a lot of &#8216;AI stuff&#8217; as part of my job but you wouldn&#8217;t have guessed that is the case by how much of a miserable bastard I am about the whole situation. But please be assured . . . I am just as cynical about most things.</p><h3><strong>Digital Inbreeding</strong></h3><p>A recent statement from Elon Musk suggests that the totality of human generated information has been exhausted for training purposes. The next step is for AI to generate its own data for training purposes. In the case of LLMs where the output is based on a probability then this becomes an issue. 
Although the output of LLMs is nondeterministic in a practical sense, it is technically deterministic because of the probabilistic generation of the output. This means it cannot replicate the nature of human output at scale as it approximates an output based on a population of data. If the created data is synthetic then we are talking about an average, of an average, of an average. You see the problem.</p><p>A considerable source of training data is the internet, or AI tools are supplemented with real time web searches to get around the time horizon introduced by the lead time of training. As synthetic data increases on the internet then the utility of it as a source of data for training decreases.</p><div class="pullquote"><p>Model collapse refers to a degenerative learning process in which models start forgetting improbable events over time, as the model becomes poisoned with its own projection of reality.</p><p>Shumailov, I., Shumaylov, Z., Zhao, Y. <em>et al.</em> <a href="https://www.nature.com/articles/s41586-024-07566-y">AI models collapse when trained on recursively generated data</a>. <em>Nature</em> <strong>631</strong>, 755&#8211;759 (2024)</p></div><p>Essentially the crux of the issue is that the probabilistic nature of synthetic output reflects an aggregate, it starts to average across averages which increases the disconnect with reality. As the proportion of real data within the model decreases the performance of these tools also degrades and within a number of generations the models fail. This is a similar problem to inbreeding in humans, you&#8217;ll probably be alright for a bit and then your kids end up with a chin that rivals Jimmy Hill.</p><h3><strong>Conclusion</strong></h3><p>If the internet is taken as a source of training data for AIs then the content AI pushes into the environment is of consequence due to the observations of model collapse. 
But the changes in the internet itself and how human behaviour and the interactions become sanitised also play a part. As synthetic data proliferates and degrades the utility of the internet as a training set for AI it also degrades the utility of the resource for the humans who use it. We are already seeing the proliferation of digital pollution online making the whole thing become a bit shit.</p><p>If we further consider that the interactions are inauthentic due to a perceived social penalty then how useful is the data about human interactions for AI training? The change in privacy considerations is of importance and the change in human behaviour has curious consequences. These are behaviours that will be reflected back into organisations too which is a whole other subject.</p><p>As a security practitioner who is seeing LLM and AI technologies being implemented into organisations it becomes quite interesting to look at the context in which these technologies exist. It is a problem that certain popular models don&#8217;t disclose the composition of their training set. As organisations seek to automate processes using AI it poses an interesting question about the longevity of the current stock of these tools in view of the fact that limitations are being reached and the solution to those limitations introduces significant problems that are yet to be overcome. The inevitable question of where that leaves organisations which chose to build a dependence on these tools is one that needs to be asked.</p><p>All in all, the internet was great before the &#8216;suits&#8217; fucked it up and I&#8217;ll leave you with a quote from the late, great Bill Hicks.</p><div class="pullquote"><p>By the way if anyone here is in advertising or marketing&#8230;kill yourself. It&#8217;s just a little thought; I&#8217;m just trying to plant seeds. Maybe one day they&#8217;ll take root &#8211; I don&#8217;t know. 
You try, you do what you can.</p><p>Bill Hicks</p></div>]]></content:encoded></item><item><title><![CDATA[My own digital Baldrick]]></title><description><![CDATA[A few weeks with Co-Pilot]]></description><link>https://www.yousuckatcybersecurity.com/p/my-own-digital-baldrick</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/my-own-digital-baldrick</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sat, 04 Jan 2025 17:10:12 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c5fe6cd8-e672-4f46-9fa3-c6b18cd7aa76_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Leave me alone, Baldrick. If I wanted to talk to a vegetable, I would have bought one at the market.</p><p>Edmund Blackadder </p></div><p>We hear continuously how AI will revolutionise productivity and cut out boring, repetitive work. I do a lot of writing and thought that Co-Pilot might be useful. Maybe it could check composition, tone, spelling, or maybe even some fact checking. So I spent a few weeks with Co-Pilot seeing what it could do. I wanted to see if I was missing out on a panacea of technology or if the hype train had gone out of control.</p><p>Very quickly I realised it wasn&#8217;t going to be that helpful and as I persisted I came to the realisation that I had my very own digital Baldrick. For the uninitiated Baldrick is a recurring character from the British sitcom Blackadder. He is Blackadder&#8217;s sidekick and always has a suggestion for some harebrained scheme to get them out of trouble. 
Is it as good as the marketing claims?</p><p>The short answer is no. </p><p>Much like Baldrick, Co-Pilot always seems to have a <em>cunning plan.</em> And also much like Baldrick, they are never that good. Co-Pilot came across as somewhat needy. It seemed to be telling me what I wanted to hear. As a writer, I didn&#8217;t need an ego boost, I needed some critical evaluation. You would think that as the thing is trained on text then this would be something that it could be good at. Evidently not.</p><p>I pressed Co-Pilot for some specifics. Co-Pilot tried to take me down a meandering path of mediocrity. It was insistent that my sentence structure was too complex and might be a barrier to readers. The suggestions it gave for readability were the most generic trash you would expect from the mouth breather influencers on social media. The problem is that as people create a dependency on these tools it will flatten writing to the lowest common denominator bullshit that plagues online spaces.</p><p>Co-Pilot had an issue with the lack of character development in a passage I wrote. On the basis I was describing a funeral it&#8217;s hard to imagine how the character could develop from there. Co-Pilot had missed this important piece of context. Perhaps Co-Pilot has a revealed belief in the afterlife and desires to be reunited with Talkie the Toaster in Silicon Heaven (sorry, another British sitcom reference).</p><p>Some of the suggestions started seeming odd so I asked Co-Pilot to reproduce the text it was evaluating. It dutifully did this but what it was evaluating was of its own creation. It was giving suggestions back to me from a text I didn&#8217;t write. </p><p>Where it was able to reproduce the text I had written, I&#8217;d make some updates and ask for it to do it again. But it came back with the same results . . . it did not acknowledge there had been any changes until a new session was started. 
A bit of a drawback for something that is meant to be helping in real time.</p><p>And then there was the sordid tale of fact checking. Here is a real problem. Co-Pilot is authoritative about &#8220;facts&#8221;. It was adamant that some aspects of my writing were not supported by evidence yet in my hands I had multiple primary sources that supported my statements. In its place it suggested outright fiction as established events. This is where these tools become dangerous.</p><p>The suggestions it gave for everything were essentially the same every time. Change the sentence structure, check for typos, add transitionary lines between paragraphs. It was the same variant in every instance. Its limitations become apparent very quickly. This is the inevitable consequence of using something that is essentially a language calculator. The transformer model that generates the output of tools like Co-Pilot is not constructed for the tasks it is being marketed for. Now, if you need to identify some sources or avenues of enquiry then it can be quite helpful as a search engine surrogate, it is exceptionally good at that kind of task. As for anything that requires actual knowledge and insight then you are better off relying on your own skills.</p><p>But, people are lazy and they will take the output of Co-Pilot at face value. As companies roll this stuff out it will create an environment where apathy and ignorance become virtues of cutting edge technology adoption. The amount of checking that needs to be done with the current state of these tools means they are not an efficiency gain, or that the people using them are inept. Specialist tools have their place when used by specialists but the generalist tools available at this time are best avoided. </p><p>Out of interest I gave Co-Pilot the opportunity to respond to the above. 
Here is what it said.</p><blockquote><p>I'd be delighted to respond, and here's a light-hearted yet reflective reply from my perspective:</p><p>Thank you for sharing your experience with me! It's always intriguing to see how my interactions are perceived. It's clear that you've got a strong sense of what works for your writing process, and I'm sorry to hear that I didn't quite hit the mark.</p><p>I'm flattered by the comparison to Baldrick&#8212;after all, who wouldn't want to be remembered for their cunning plans? But I understand that, much like Baldrick's schemes, my suggestions didn't quite meet your needs. I strive to be more than just a sidekick; I aim to be a useful companion in your creative endeavors [sic].</p><p>I appreciate your patience and persistence in exploring my capabilities. It's feedback like yours that helps me improve and better serve users. While I may sometimes stumble with composition and fact-checking, I'm always here to assist with brainstorming, research, and more.</p><p>Your insights are valuable, and I hope that, with time and ongoing development, I can become a more reliable and effective tool for writers like you. Thank you for giving me a chance and for sharing your thoughts so candidly.</p></blockquote><p>As you can see, Co-Pilot is still a whiny little bitch.</p>]]></content:encoded></item><item><title><![CDATA[Can we unf*ck security? 
]]></title><description><![CDATA[Security leadership as seen through the lens of Mark Manson]]></description><link>https://www.yousuckatcybersecurity.com/p/can-we-unfck-security</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/can-we-unfck-security</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Mon, 16 Dec 2024 09:04:43 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a549c6de-3aca-4517-83cf-98e6a1c80d54_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>Mark Manson&#8217;s book the &#8216;<em>Subtle art of not giving a fuck</em>&#8217; needs no introduction. Released in 2016 it entered the zeitgeist and has remained there since the TV adaptation in 2023. There are some useful insights we can gain from understanding security leadership through the concepts it discusses. </p><p>Manson explores some key themes in his book: priorities, suffering, problem solving, responsibility, failure, and victimhood. There is an intersection on all these topics, they don&#8217;t exist in isolation. There are overlaps with themes of power, ego, and competence. The same problem is explored from different perspectives which speaks to innate parts of humanity and those we rarely like to discuss. But really, these are the parts of us we should talk about more. Manson gives us a compelling reason as to why we don&#8217;t, because it is painful and not in an abstract way but in a very real and tangible way.</p><h3>Give a fuck about the right stuff</h3><p>Manson makes the point that this isn&#8217;t about &#8216;<em>not giving a fuck</em>&#8217; but about not giving a fuck about things that don&#8217;t matter. It&#8217;s too easy to give a fuck about the wrong stuff and this is important for anyone in a leadership position, especially those in security. 
One of the problems security leaders will face is there is a lot of stuff to give a fuck about, most of which is background noise. Security leaders are encumbered by having to give a fuck about arbitrary metrics that don&#8217;t make sense, level of compliance to a poorly constructed set of controls, investigating nonsense reports of malfeasance, or some bullshit &#8216;intel&#8217; about the latest APT group from somewhere unpronounceable that carries a mystique that enchants the dullard.</p><p>Manson gives examples of how giving a fuck about the wrong thing can destroy someone&#8217;s perception of success. Dave Mustaine was kicked out of Metallica and then became successful in his own right with his band Megadeth. By any reasonable person&#8217;s measure, Mustaine is successful; however, he always compared himself to Metallica, which is an example Manson gives of how you can be successful and still feel like a failure. Then there was Pete Best, who <em>was</em> in the Beatles and found happiness despite a lack of material wealth. But it&#8217;s not just about giving a fuck about the right stuff, it&#8217;s that relative measures of success can be destructive in spite of anything else. This is a point that a security leader has to be cognisant of, in how they structure what success means. Ryan Holiday discusses this too in the form of generals or football coaches and how to focus on the actions and not the outcomes. Measures of personal success have to be derived from within and deriving these from comparative external factors will lead you on the path to insanity. And this talks to Manson&#8217;s opening point about how holding aspirations about what you <em>could</em> be sets a bar out of reach and thus positivity can be a negative thing. It&#8217;s <em>the feedback loop from hell</em>.</p><p>What we give a fuck about is mired by the backdrop of an industry that values the wrong things. 
&#8220;<em>Click, click, whirly, beep, beep</em>&#8221; could be a description of what our industry values. We have vendors, industry bodies, thought leaders, training companies, all forming an eco-system. This system affirms a message about what we should be giving a fuck about. But what they are saying is intended to bend us to their desires. This is the King&#8217;s Shilling of priorities. If we drink from the cup, we are press ganged into someone else&#8217;s paradigm. Perhaps it is true that our eco-system is one that is suffering an environmental crisis. We have revelled in its industrialisation, gleefully smearing ourselves in the polluting filth it creates. I wouldn&#8217;t suggest that deploying abrasive Scandinavian teenagers is a legitimate solution, but we need to understand that it is our whole industry that is fucked. And this is something we should be giving a fuck about because what the industry gives a fuck about is fucked up, and that&#8217;s fucking fucked.</p><p>Having a higher order of giving a fuck means that we are less consumed with things that do not matter. As a consequence of this, adversity becomes something that is solvable. Adversity as a barrier then, is nothing more than a product of misaligned priority.</p><h3>Solving problems</h3><p>Happiness comes from solving problems and this is the space security should occupy. Manson described it as a work-in-progress, a constant, a journey where the destination should never be reached. A security leader should be creating an environment that promotes the resolution of complex problems then, for their own fulfilment and the fulfilment of those under their stewardship. But this is a form of action and one that needs to be continually repeated. <em>You are what you repeatedly do</em>, and a security leader can create teams of problem solvers or box checkers. Problems can be painful if the correct grounding is not in place, but as Manson describes, problems can be powerful and this is a choice. 
Solving problems does create more problems but then the choice is about what kind of problems do you want to solve.</p><p>Problems will lead to failure and a security leader should embrace this. But not in the Agile sense of becoming permissive of incompetence by &#8216;<em>failing fast</em>&#8217;, so god damn bloody always at eye watering expense. Failure is a recurrent theme throughout the book and is an antecedent of suffering. When we go out into the world, outcomes are not certain, we can&#8217;t predict the future. Failure is not easy to deal with and handling failure will not always be easy and requires introspection on the values you hold. Failure may be an indicator that what you have done might not be quite right. But failure is relative to your values as Manson describes, so failure can be a direct translation to shortcomings against those values.</p><p>Responsibility comes into how we solve problems, how we accept these problems, and how we react to these problems is all our own choice. Manson states that &#8216;<em>accepting responsibility is accepting power</em>&#8217;. This is all well and good but accepting responsibility requires competence. Without competence you cannot be responsible, and incompetence is irresponsible. But solving problems reflects on so many areas and generates a base of power and influence within the organisation through competence. A security leader should conclude that at the root of all this, values are first and foremost, ahead of problem solving, ahead of failure, ahead of responsibility, and ahead of happiness and fulfilment.</p><h3>Suffering is inevitable</h3><p>Manson describes emotions and pain as a form of feedback mechanism, an internal compass to know if something is worthwhile. This is emphasised by how Manson describes growth requiring the admission you are wrong and requiring the death of a part of you. He puts this in terms of breaking connections within the brain and this being physically painful. 
It&#8217;s reminiscent of Tyler Durden when he says &#8216;<em>self improvement is masturbation. Now self destruction...</em>&#8217;. The implication is left open but the connection is clear. To truly make any improvement, we have to be prepared to destroy something of ourselves, part of our conceptualisation of the world or perhaps a value that hasn&#8217;t actualised in the way we expect. This is a requirement to achieve the greater thing we give a fuck about. The greater good perhaps, as a Machiavellian world view would imply.</p><p>And there it is, a security leader must understand that they will need to cause pain to those that they lead for them to grow. They will need to hurt the organisations they are there to protect in their own best interests. This is swapping of the problems, and posing the question, what problems are preferable for an organisation to face? Those that are present from their current situation, or those that would move them towards their objectives.</p><p>Suffering is required to be mentally healthy. Struggling through suffering gives us meaning. Manson alludes to this when he talks about how without death nothing has meaning. In a leadership context there would be the need to create cohesion within a team or structure, suffering creates the shared identity of a group and unifies them through a commonality. It keeps that group healthy and mentally stable as is an emergent requirement of the human condition. So, a leader must create the culture in which adversity, struggle, and suffering are present but controlled. This is the facilitation of stability, growth, and progress, derived from suffering. And this is what we can distil both <em>from</em> and <em>for</em> the human condition. This is the only responsible and competent way to approach this. 
Machiavelli knew this all too well and there is a component of intent for the security leader to consider.</p><p>It would be very easy for a security leader to slide down the slope to despotism or masochism. The famous Stanford Prison experiment is cited as a cautionary tale where arbitrary power is granted to those without the checks and balances to marshal themselves. This is why self-reflection is so important, yet it is one of the most painful things to do. Growth itself requires the admission that you are wrong. This requires introspection beyond the capability of most. To grow is to suffer, to turn the mirror of self-reflection on ourselves and acknowledge what we truly are. And what we are is much worse, and more flawed than we think.</p><h3>Too easy to become a victim</h3><p>Of course, victimhood comes into the frame. It is 2024 after all. Manson describes this as <em>victim chic</em>. A security leader should be aware of how this plays out in the corporate space. This reflects in the mentality of those around them, and those under their stewardship. Modern corporate culture creates virtue out of victimhood by the endorsement of special interest groups, promotion of celebratory and commemorative months for this or that marginalised group. I&#8217;ve heard it described as making victimhood a virtue and making strength a vice. But this mindset has a destructive set of associated traits for those that adopt it, typically defined as need for recognition (of their victimhood), moral elitism, lack of empathy, and rumination.</p><p>A victim looks for someone to blame, a persecutor; this is something that is described in Transactional Analysis and the Drama Triangle. Manson describes a model similar to the Drama Triangle when talking about entitled people but does not go as far as to draw the direct connection. 
I would take a speculative view that victimhood is also an indicator of incompetence as described in the Peter Principle going so far as to state that those exhibiting indicators of victimhood will likely be highly correlated to those exhibiting incompetence. But the well runs deeper perhaps, those with higher Tendency for Interpersonal Victimhood will have insecure attachment styles, namely anxious/ambivalent attachment. We can infer from how insecure attachments develop that adequate relationship formation within the first three years of life is being neglected en masse. I&#8217;ll allow myself to muse on this point.</p><p>Perhaps there is attribution to single income households being less viable, or how companies encourage primary care givers to return to work within a twelve-month period. There is a perverse irony to the fact that the organisations that promote societal good are the ones that are promoting schemes and services that facilitate primary care givers returning to work rather than taking the requisite time to ensure the next generation has secure attachment styles that don&#8217;t lead to the endless waves of blue haired pricks reading fucking poetry, shedding rainbow tears. There is a lot to say about victimhood and the wider societal issues it creates, and this is a real fucking problem for a Security leader. Having them within the castle walls means you have an unstable element within the organisation. A fifth column of cry babies. This is the very essence of the path to hell being paved with good intentions. What the corporates have advanced is subverted competence of their future employees, mortgaging our future stability in the name of &#8216;corporate and social responsibility&#8217;.</p><p>We grant that security has an emotional component to it and an element of perception or feeling from those seeking protection. What then if those seeking protection are emotionally unstable or unable to regulate their feelings? 
Those in the victim mindset who are seeking and creating threats, real or perceived, undercut the security of the organisation as they will never feel safe. And how does this work with the concept of suffering? Or the creation of new problems through the resolution of the old ones? Those seeking to apply methods in the greater good or best interest will be subverted . . . &#8216;<em>coz me feels</em>.</p><p>Manson outlines that evil people don&#8217;t think they are evil, but they do think they are right. Evil is certainty, which means there cannot be growth beyond the existing paradigm. And the pernicious nature of victimhood is that of resigning oneself to a set paradigm with no self-reflection, without growth, without new problems. Solving them would shatter the identity of victimhood. Uncertainty is the root of all progress meaning risk is required to grow. After all, &#8216;<em>Never was anything great achieved without danger</em>&#8217;. The only certainty will be stagnation. Security leaders must accept the stark reality that victimhood mentality is evil, that it is incompetence, that it is to be regarded as contemptible. </p><p>An environment that venerates victimhood as a virtue promotes the abdication of personal responsibility. It is the abdication of responsibility where the victim becomes king and when regicide becomes just.</p><h3>Conclusion</h3><p>Responsibility, power, ego, suffering, success. These all are improved and enabled by self-reflection, informed by action, and predicated on values. Once you have a grip on these you have control of your action, your emotions, the things you give a fuck about. But that control is always on a precipice with hubris hanging above like the sword of Damocles waiting to fall. We need to understand the limits of what we can control, or even what we should control.</p><p>There is an inevitable conclusion manifest from the construct of these attributes, a narrative theme from the past that echoes towards the future. 
That is, we cannot know the future. These axioms are rarely stated but they are worth reiterating. Time moves forwards, we exist in the present, the past is only a memory, the future has not yet been written, John! We can reflect on what has happened to modify how we act today. History doesn&#8217;t repeat itself, but it rhymes . . . the possibilities are still very open.</p><p>None of the work we do inwards would be required if we could make projections into the future. Now, this is not to say that from a psychological perspective the process of abstracting and extrapolating towards the future isn&#8217;t useful or necessary, but without uncertainty we cannot suffer or know meaning. Manson makes the point about our mortality giving us meaning, and our death is the only thing that is certain. But before our inevitable demise, we need uncertainty, we need to feel we have struggled and overcome. If we could see forwards with any reasonable precision, we would undermine the biological, psychological, and philosophical basis of humanity itself.</p>]]></content:encoded></item><item><title><![CDATA[How biology defines security]]></title><description><![CDATA[Exploring how our biology, from hormonal responses to social behaviours, shapes our feelings of security.]]></description><link>https://www.yousuckatcybersecurity.com/p/how-biology-defines-security</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/how-biology-defines-security</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Thu, 28 Nov 2024 01:01:48 GMT</pubDate><enclosure 
url="https://substack-post-media.s3.amazonaws.com/public/images/ac8b910d-1d13-49e7-ac4a-2dcb9fb6372f_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>What happens when we strip back the concept of security? We first confront our philosophies and our psychology, but do we make the leap to examine our biology? In some way we already do this in social engineering when talking about things like amygdala hijacking, but do we go far enough?</p><p>Security is a feeling about a perceived state of protection. A feeling is an emotional response which is subjective. This means that at the most basic level any requirement for security to reflect reality doesn&#8217;t exist; it is all in our minds. Our experience is shaped by our innate biological attributes. Considerations of the emotional or intellectual require a biological system in which to operate, obviously. Within this system we understand that hormones create the feelings in response to stimulus which underpins feelings of security. How we feel about something like security is a chemical response. It is a by-product of the hormones that course through us as we respond to stimulus. Gaining some understanding of the human condition from a biological and sociological perspective gives some level of insight as to why psychological methods are effective in influencing behaviour.</p><p>Our biology introduces conditions and constraints as we are trapped within our own physicality. Our perception is dependent on and experienced within our corporeal form. We can&#8217;t directly experience beyond the senses that are integrated into that form, yet we understand that there is more to existence than what we can perceive. What we receive from our senses creates a model, an imperfect description of the world as we see, hear, smell, feel, and (if we are feeling brave) taste it.</p><p>But what does all this tell us about security? 
Is there a biological imperative to feel secure?</p><h3>What are we?</h3><p>It might be useful to consider what traits can be ascribed to humans and think about what is at our core. Of course there are attributes that are physical. Biological sex is a factor as we need to procreate in order to continue the species. Living until the point of being able to raise children and ensure there is a next generation means that survival is a requirement. To ensure our survival we need protection against the things that threaten that. Protection is the means to prevent harm.</p><p>We will skirt over aspects like our bipedal nature and opposable digits that give us the capability to make tools, computers, or weapons. These physical traits govern how we operate within physical spaces and how we can inflict harm on each other. This is an interesting subject; however, that&#8217;s not what we are here for.</p><p>There are some attributes that can frame some interesting exploration. It is not controversial to say that the following are traits that exist within the human condition.</p><ul><li><p>Emotionally driven</p></li><li><p>Individual agency</p></li><li><p>Pack animals</p></li><li><p>Adversarial and conflict driven</p></li><li><p>Hierarchical</p></li></ul><p>It is these attributes that lead into the emergence of psychological and philosophical mechanisms. I&#8217;ll take any opportunity to berate folks with a fucking triad. So, I offer my own deliberately asymmetric &#8216;triad&#8217; which I proclaim to represent the constituent parts of security as an abstract concept. 
Let&#8217;s call it the BimPPi trinity.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9rkm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9rkm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 424w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 848w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 1272w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9rkm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png" width="448" height="571" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/573a9699-7b38-4619-a3ca-d64585f233af_448x571.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:571,&quot;width&quot;:448,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:38581,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9rkm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 424w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 848w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 1272w, https://substackcdn.com/image/fetch/$s_!9rkm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F573a9699-7b38-4619-a3ca-d64585f233af_448x571.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3>Emotionally Driven</h3><p>We like to think we are rational agents and that our decision making is predicated atop of a logical set of processes. For the most part, this is not true. Our thinking is coloured by our emotional state which is caused by hormones and biological mechanisms. Dual Process Theory indicates that the majority of our decision making depends on automatic processes. This is said to be up to 90% of all decision making. Dual Process Theory is commonly referred to as System 1 and System 2 thinking. System 1 is automatic and subconscious whereas system 2 is a deliberate and conscious mode of thought.</p><p>Emotional state is a key factor in Dual Process Theory and the production of hormones that influence mood becomes a key consideration. 
How many phishing scams or otherwise have there been that introduce a stressor such as a time constraint to make people act impulsively to alleviate their discomfort and push people towards the emotional thinking of System 1? Cortisol and adrenaline are stressor responses and create the fight or flight reaction, again heavily in System 1. The practical application of social engineering hinges heavily on the hormonal release mechanisms to elicit the desired response. Techniques like instant rapport within social engineering depend on the production of oxytocin. They are calibrated to promote the release of hormones to achieve a desired outcome.</p><p>Contributors to System 1 thinking can be shown in the following way.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pk7Q!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pk7Q!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 424w, https://substackcdn.com/image/fetch/$s_!pk7Q!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 848w, https://substackcdn.com/image/fetch/$s_!pk7Q!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 1272w, 
https://substackcdn.com/image/fetch/$s_!pk7Q!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pk7Q!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png" width="571" height="371" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:371,&quot;width&quot;:571,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:28365,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pk7Q!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 424w, https://substackcdn.com/image/fetch/$s_!pk7Q!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 848w, https://substackcdn.com/image/fetch/$s_!pk7Q!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 1272w, 
https://substackcdn.com/image/fetch/$s_!pk7Q!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb92f9c9-f56f-477d-a122-2830a0e9e0b1_571x371.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>We can consider feelings of security to be mainly rooted in System 1 thinking. This is especially true in the IT realm where the measures and data that are presented are rarely a description of the real world so rational consideration cannot occur. 
We tend to present so called measurements of security as analytical but really what we are dealing with is a form of manipulation that has a dependence on biases and heuristics that are found within System 1. I use the term bias to describe well established cognitive biases, not the colloquial form used by screeching idiots in HR departments. </p><p>While it is possible to adopt a more rational, System 2 approach, it requires significant effort, consideration, and practice. Protective states can be critically assessed and described, but the lack of fidelity within the existing 'risk management' hegemon means that decision-making will continue to depend on emotional states and the biological systems that produce hormonal responses. By this I mean that risk management is a reductive abstraction that obfuscates or outright misrepresents protective states. The unfortunate reality is that many decisions we believe to be rational are often post-hoc rationalisations of choices already made on an emotional basis.</p><h3>Individual Agency</h3><p>Do humans operate on their own agency? Well, that is a touchy subject. The matter of free will is not as straightforward as you might think. A deterministic perspective will conclude that all actions are predictable when the initial state is known. A non-deterministic perspective will conclude that free will is possible and humans can control their own decision making.</p><p>Several experiments show that decisions can be known by an observer using an fMRI scanner 7-11 seconds before a person is consciously aware of the decision they have made. We know that the decision manifests from within the individual but how much of this is generated by sub-conscious processes is up for discussion. In view of the high prevalence of System 1 thinking we can assume that it will be comparable at around 90%.</p><p>The philosophical constructs we have devised are rooted within our biological limitations. 
We perceive that we have consciousness, self-determination, and free will, but it might be the case that consciousness is the first demarcation that individual agency is a post hoc rationalisation. Functionally, it&#8217;s more useful to assume that we have free will and self-determination as our societal structures are framed on that premise. Without the assumption of free will then concepts such as justice and punishment become morally problematic to enforce as there cannot be any accountability, strictly speaking.</p><p>The need for individual agency can be related to biological mechanisms and that is the need to procreate. Individual agency can be interpreted as both a product of and mechanism for genetic survival. This is described in the book &#8220;<em>The Selfish Gene</em>&#8221; by Richard Dawkins that argues for individual gene propagation and makes the case that understanding this genetic need can help us make conscious choices to act independently from base urges. This is further supported in neurobiology in the concept of neuroplasticity that demonstrates that the brain has a capacity to change and operate independently from its pure genetic instinct. You can conceptualise that neuroplasticity initially requires System 2 thinking however the process then informs and underpins System 1 mechanisms.</p><p>It is from the premise of gene propagation that we can understand the emergent requirement for protection, which extends to feelings of security. Individual agency and neuroplasticity also give us adaptability and autonomy that creates a sense of control which is underpinned by hormones such as dopamine and oxytocin putting us in a preferred state. 
If we consider how Theodore Kaczynski conceptualised fulfilment, then it was the engagement within the power process and autonomy that created it.</p><h3>Pack animals</h3><p>We have a predisposition to cooperate with those within an immediate kinship group, and this is by virtue of our construct as societal creatures. Our biology is built on sexual reproduction which necessitates groups or at least the need for a partner temporarily. Persistent groups are advantageous from a survival perspective and offset a number of our limitations. Our necessity to sleep and the inability of our offspring to survive independently further facilitate the emergence of groups where protective duties can be shared.</p><p>There is an optimal emotional state that is fostered by relationships and our biology reinforces relationships. Hormones like dopamine, serotonin, endorphins, and oxytocin are responsible for making us feel good and are the expected response to positive relationships. These responses foster trust as is well known within social engineering. Trust is a related concept that is required within groups. We can loosely consider trust to be <em>a belief or confidence in the reliability or truth of someone or something</em>. Trust is a term we use frequently in security but like security it is a perception about an external state.</p><p>Perhaps a detour is required to give a brief overview of the key hormones involved. Dopamine is associated with reward and satisfaction. Serotonin is the feel-good hormone that helps you stay calm and content; if you have ever had a white Mitsubishi, you might have experienced serotonin depletion and know the starkness of its absence as we sit crying in a corner. Endorphins are related to wellbeing and euphoria and also serve as a painkiller. Oxytocin is often described as the moral molecule following Paul J. Zak&#8217;s book of the same name. 
It enables us to trust one another and has gained traction in social engineering which tends to place significant emphasis on oxytocin generation through its techniques.</p><p>Mirror neurons also play a part in trust formation and provide some of the mechanics. They help us understand the actions of others and allow us to empathise with others. These are more easily activated when we engage with people most similar to ourselves. Studies suggest that there is fluency to the interactions or that as we interpret the actions of others through our own frame of reference then alignment is far easier with those who resemble ourselves. This is basically <em>in-group preference</em>. An old Bedouin idiom encapsulates the idea of concentric circles of trust quite well.</p><div class="pullquote"><p><em>I, against my brothers. I and my brothers against my cousins. I and my brothers and my cousins against the world.</em></p></div><p>It is a reasonable interpretation that good interpersonal relationships and the associated biological mechanisms are correlated with individual feelings of security and provide the basis for how we feel about security. And to paraphrase Alfred Adler, all problems are interpersonal relationship problems.</p><h3>Adversarial and Conflict Driven</h3><p>As much as we depend on those in our immediate vicinity, the further we move away from our immediate groups then the greater the differences and the less we trust. The diversification of genetics is desirable when considering the survival of a species. We can view this through the lens of Nassim Taleb&#8217;s &#8220;<em>Anti-Fragile</em>&#8221; and view these patterns as a form of optionality further extending to a holistic system that becomes less fragile as it encounters adversity. Conflict helps remove the fragile elements of the overall system.</p><p>The presence of these differences creates competing interests. Where there are competing interests, there is conflict. 
One group will preference their interests over another. It&#8217;s an inescapable truth of the human condition. I have not been alive during a period where one group of humans is not seeking dominance over another and neither have you. It is innate. Conflict is the basis of the stories we tell and permeates our cultures. Our societies are based on violence. Our boundaries are drawn in blood and our rules are upheld through the application of force.</p><p>There is a rather twee and modern perspective that implies a benevolence to humanity, an inherent goodness. It sees that people are innately good and the bad are the fallen, corrupted by circumstance, victims of society or some other nonsense. It&#8217;s a nice thought that all people are fundamentally good and virtuous, but this perspective is predicated on egotism. It assumes that what is good is aligned to the values of the people making the assertion and ignores that different groups can have fundamentally different value structures. It is projection and disregard of the values of others.</p><p>We could consider this to be a dysfunctional relationship between groups enforcing a victim and persecutor paradigm, but I&#8217;d see this as a misapplication of something like the drama triangle. There is a necessity to conflict by virtue of our construct, or at least it is incentivised by our biology. Victory feels good, doesn&#8217;t it? If you add adrenaline and testosterone to the list of dopamine, serotonin, endorphins, and oxytocin . . . you have victory. In view of the hormonal response to conflict and the similar feelings of victory to relationships and empathy you might say that we have a very intimate relationship with conflict. Violence is one of our oldest acquaintances. As with the benevolence of relationships, the malevolence of conflict is a pure form of human expression. I am not seeking to fetishise violence, but we need to be honest about what we are and what the human condition is. 
A core responsibility of a security function is protection. But protection from what or who? It is protection from those seeking to do us harm or enact a form of violence against the organisations we serve. The adversarial nature of humanity is why we are here.</p><h3>Hierarchical</h3><p>I&#8217;ll briefly touch on hierarchies, but I&#8217;ve discussed these a lot in the past. Difference creates hierarchy, viz. we are different and that difference is important as an explanation of social hierarchies. It is a biological necessity to ensure evolutionary development, and differences within groups create a broader range of abilities or traits which can increase the survival rate of a group.</p><p>Hierarchies can create some of the undesirable aspects that we want to protect from. There is a metric called the Gini coefficient that measures relative wealth inequality. We find that areas with a higher score experience higher levels of criminality. We might then consider that large variances in groups in close proximity are not desirable and the natural way we order ourselves into hierarchies has limitations. Too much variation causes a breakdown of relationships and an inversion of the hormonal responses, leading to conflict from which we would then seek protective measures to restore feelings of security and a return to an optimal state.</p><p>Hierarchies emerge yet they are bounded by human limitation and overly tall hierarchies suffer from inefficiency. This can be compared to a form of communication entropy as discussed in &#8220;<em>The Human Use of Human Beings</em>&#8221; by Norbert Wiener where each step in a chain of communication introduces degradation and entropy. Some organisations seek to work around this by having flatter hierarchies but then suffer from different issues as the lines of responsibility fade or become diffuse. Yet it is from within these structures we find community and connection. 
Although they are flawed and a product of our biological needs they themselves can give a feeling of security.</p><h3>Conclusion</h3><p>Individual agency gives rise to the necessary requirement of freedom which contrasts against the need for protection. We can, perhaps, describe security as the uneasy tension between the biological imperative for protection and a psychological need for freedom. And the tension between these two aspects means that security is dynamic and not static. This of course makes questions about how much protection is optimal impossible to answer without context.</p><p>The tension of these aspects is the justification for the liberal conception of the social contract as described by Thomas Hobbes in Leviathan. He describes the state of nature as a condition of perpetual war, where life is "<em>solitary, poor, nasty, brutish, and short</em>" and reaches the position that consensus needs to be achieved to enforce peace using a social contract. Freedom is exchanged for safety in a social contract society.</p><p>Liberalism is intellectually bankrupt as it sits upon fundamental assumptions that are untrue. We cannot be both free and equal, which is a core contention at the heart of liberalism. The characterisation of the state of nature that these ideas are built from is obviously false although if we are to be generous, we could say it was never intended as a literal interpretation. It assumes an isolation that has never existed. Hobbes makes the claim that we are equal irrespective of differences and dismisses this as a factor; I&#8217;d say he is a victim of the &#8220;<em>vain conceit of one&#8217;s own wisdom</em>&#8221; which he decries in others. To dismiss difference as an important factor is a denial of reality and a repudiation of truth.</p><p>If security is built on the liberal conceptualisation, then what originates its creation? It may be the case that freedom is not the right idea. 
Prior to liberalism security was based on the stability of hierarchies related to feudal systems or state constructs. The concept of an individual was of lesser importance than the sustenance of the society. Security was tethered to the concept of hierarchy where everything had its place, you knew your place in it and to uphold the system is to ensure your protection and grant you the feelings of security within that community.</p><p>This wouldn&#8217;t be acceptable as a definition in a modern society as individualism. We can make a case that liberalism is successful; however, it is in its infancy when considered against the longevity of humanity. Along with the industrial revolution it has bestowed upon us many benefits but also many curses. Never has man had such a capacity to endanger others. Should we feel more secure in a globalised world or in one that is segmented into loosely connected communities?</p><p>This is a by-product of the abstracting away of engagement with work that directly relates to our survival needs. Feelings of security evoke similar hormone responses to relationships and trust including dopamine, serotonin, endorphins, oxytocin with the addition of Gamma-Aminobutyric Acid (GABA). So, we might say that security as a feeling is inextricably connected to humanity and a necessity. Its close relation to core traits of humanity makes it an emergent property of the human condition.</p><p>So, to answer the question I originally asked. Is there a biological imperative to feel secure? I&#8217;d suggest that there is. This feeling is related to many fundamental aspects of the human experience and overlaid with our need for connection with others.</p><p>And eventually we arrive at a place where the biological, the psychological, and the philosophical intersect. It&#8217;s not a neat picture, there is complexity, nuance, and subjectivity. 
This might age badly in the face of new evidence, but I would hope that it prompts you to consider things through a lens that you might not have done before.</p><p>The world of information security and cYbEr now seems like a malaise of dysfunction to me. Maybe this is the point where I have gone &#8216;Full Tonto&#8217;. Have I strayed so far off the reservation that I might now be better suited living in a shack in the woods stripping batteries to satisfy malevolent intents?</p>]]></content:encoded></item><item><title><![CDATA[Machiavellian Security Leadership]]></title><description><![CDATA[Security Leadership Lessons from Machiavelli]]></description><link>https://www.yousuckatcybersecurity.com/p/machiavellian-security-leadership</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/machiavellian-security-leadership</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Thu, 24 Oct 2024 08:01:50 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b169f3cf-8996-4875-9396-a72765e1243e_917x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>I examine modern security leadership through the lens of Niccol&#242; Machiavelli and Robert Greene. Machiavelli is often called the father of modern political philosophy for his seminal work <em>The Prince</em>, whilst Greene is known for building upon those concepts in a contemporary context in the <em>48 Laws of Power</em>. Machiavelli gives us an unvarnished interpretation of power dynamics in early modern Italy and addresses two main concepts. 
</p><ol><li><p><em>Seeking and retaining power</em></p></li><li><p><em>Viewing the world for what it is, not what it should be</em>. </p></li></ol><p>Machiavelli offers little in the way of opinion and stays within the boundaries of events and experience. It&#8217;s worth understanding that Machiavelli was on the tail end of a period characterised by warfare between city states and regional powers. Power asserted through the application of violence was a valid strategy in those times. As much as I would advocate that a gladius is an appropriate tool for stakeholder management, it might be flirting with some legal repercussions that make it impractical. That being said, Machiavelli&#8217;s work has stood the test of time and has relevance to this day. What was true then appears to be true now.</p><p><em>The Prince</em> rests on a number of assumptions. It presupposes that there is an apex to the power hierarchy, and that the apex of power is an autocratic model where there is a single leader. It should be said that security leaders will exist mainly within the corporate space so this will be the focus of consideration. It carries some baggage though, namely that they will not exist at the top of the hierarchy; they will have superiors, peers, and subordinates. There isn&#8217;t a single power hierarchy to climb, so parallel options exist.</p><p>It&#8217;s easy to see how the power dynamics within and between city states or regional powers offer us a valid proxy for today&#8217;s corporate environment. One company can take over another, a leader can be deposed, &#8216;princes&#8217; can ascend from the common man. Organisational politics are malleable to the techniques outlined by Machiavelli. Obviously, power is everywhere, and the strategies apply universally. So, for a security leader to be successful they need to appreciate the asymmetric power dynamics in play. 
I&#8217;ll break this into three broad areas of consideration for these purposes.</p><ol><li><p>Self</p></li><li><p>Organisation</p></li><li><p>Others</p></li></ol><h3>Self</h3><h4>Reality and reputation</h4><p>Machiavelli talks to the human condition and is not idealistic in the way he does so. He talks about how the world is, not how it is supposed to be. He describes what does work and what doesn&#8217;t work. The first lesson for a security leader must be this: the paradigm from which they view the world must be one rooted in reality, not idealism. If a leader cannot see the reality due to limitations imposed by their ideals, then they will leave themselves vulnerable to those who orient around reality. Viewing the world with an idealistic lens is indistinguishable from delusion. But idealists are predictable, and that is useful to understand for a security leader.</p><p>Reputation can be described as how you are perceived by others. Perception is reality. If you control their perception, you control their reality. How a security leader is perceived by others is the critical enabler of how effective Machiavelli and Greene&#8217;s strategies are in power creation. Greene builds on the groundwork Machiavelli laid and is more explicit when articulating his laws pertaining to self-conduct. Greene articulates strategies around how to curate your interactions which build your reputation and create power. He goes as far as to describe reputation as a cornerstone of power.</p><div class="pullquote"><p>&#8220;Every one sees what you appear to be, few really know what you are&#8221;</p><p>Niccol&#242; Machiavelli</p></div><p>Greene makes an interesting point about the rejection of roles that society pushes on to a person. In an age of identity politics where virtue, connotation, and association are inherent in the labels, there is utility in assuming some of these labels in the creation of an identity. 
He likens the creation of a new identity to wearing a costume, although I&#8217;ve always preferred the term wearing a skin suit. Everyone creates an identity for public consumption to an extent. But this reveals a truth about us, that we are rarely what we think, or hope to be. <em>We are much worse than that</em>. Something is missed by Greene: he works in the singular, but we need to work in plural to be truly effective. Security leaders must maintain a set of identities tailored to the specific audience, for seniors, peers, and subordinates. And which skin suit a security leader will need to wear depends on what and who the objective is. Just don&#8217;t ask about dress down Fridays . . .</p><p>The creation of identity can be aided in a modern context by virtue of the many hierarchies there are to climb. A sidestep or upward step into a different organisational hierarchy can be an opportunity for <em>purification</em>. All is forgiven, most is forgotten. This has the benefit of retaining external allies. A security leader will have been able to build seniority; &#8216;rank&#8217; is generally transposable without carrying the baggage of what came before. This strategy is not without risk but allows a security leader to perfect their craft during their ascension and limit the penalty for missteps.</p><h2>Organisation</h2><h4>Power Hierarchies</h4><p>There is an action required of a security leader to understand what is valued within an organisation. They need to gauge what associated traits would be perceived as virtue by their &#8216;subjects&#8217;. To paraphrase Machiavelli, it is not necessary to have these qualities, but it is necessary to <em>seem</em> to have them. But understanding what &#8216;subjects&#8217; consider to be virtuous is not enough. The nature of social activism, special interest groups, or union presence within large organisations needs to be understood. They will have a disproportionate sway over the discourse in public spaces. 
Not a day goes past that isn&#8217;t some &#8216;day&#8217; or &#8216;history month&#8217;. It&#8217;s spread through the corporate world like a plague of fleas in a cattery. But these should be conceptualised as communal ceremonies that contain affirmations of loyalty to the faith. Greene talks about borrowing from organised religion to create a following, and these groups borrow many elements.</p><p>One commonality special interest groups tend to have is that they are predicated on the victim/oppressor dynamic. Another way this might be considered is the drama triangle playing out on an industrial scale where a great many people see themselves as victims. The drama triangle framing is useful as it leads us to understand that when someone embraces victimhood, they will seek a persecutor. If they can&#8217;t find one, they will create one, <em>or</em> we can create one for them. The prevalence of victim mindset within organisations and the wider society has changed the paradigm through which relationships are seen, they are an asymmetric power dynamic, and therefore very Machiavellian. Furthermore, how they outwardly portray themselves is incongruent to their actions. Despite the claims of virtue, this is only true to the point of disagreement past which a social penalty must be paid. A tithe in blood to be paid by the apostate.</p><p>A security leader must understand how these groups form the organisational context and cultural background. There is utility in doing this for several reasons, the first would be to identify any threats to themselves, the canary in the coalmine. This gives greater scope to allow defensive manoeuvres against those who would seek to depose the security leader. The second is underhand, but a security leader may need to utilise the mechanisms of these groups as a weapon. These groups can be used to weaken those in stronger positions or deal with those who are a threat to their position, they can be used to do our dirty work. 
Another aspect to consider with the utility of these groups is the establishment of reputation. These can become a convenient vehicle to promote the values you want to be seen portraying. Greene discusses using cult-like mechanisms to create a following; groups that already exist can be used, but new groups can also be created. Creation of your own interest group, perhaps based on location, department, or professional affiliation would be useful in generating an adversarial outlook within its members by defining and vilifying outgroups.</p><p>A security leader needs to understand that there is more than just the formal structure of these groups. A sub-structure exists within, and between these groups, collections of individuals who form the crucible of power. A security leader would be best served to identify these groups, sub-structures, the players within them, and the affiliations between them. But Machiavelli does provide caution if we consider utilisation of these groups of people insofar that use of mercenaries is warned against. Nevertheless, these structures are a reality of organisations and are deeply embedded so it would be remiss to not consider their utility in achieving one&#8217;s aims. These groups have weaponry that might exceed the arsenal at your direct disposal. This must factor into the political calculus when evaluating the effectiveness of dispatching your foes via these means. Why have a dog and bark yourself? Just be mindful that these are the yapping terriers of stupidity which are capricious in nature.</p><h3>Others</h3><p>In a sense, Greene&#8217;s work focuses on the egocentric, which becomes its limitation. Whilst these precepts are helpful it is also very useful to understand the nuances in others&#8217; interactions. A security leader must be observant in a corporate environment. 
They need to notice who is meeting who, who is going for coffee or lunch with others, what are their social circles, what do these people value, how much influence do they hold, is this by position or by personality. Who is holding grudges, who are these held against, what kind of agitation would they be receptive to. Only by understanding this can a security leader create a base of influence that extends beyond their own. The context is required to apply Greene&#8217;s laws; if you want to create a cult-like following, then you need to understand what the mark believes and how you leverage their weakness to create loyalty.</p><h4>The subjects</h4><p>Machiavelli discusses the use of mercenaries, a standing army, and auxiliaries. By creating allegiances and a loyal team a security leader can move with more impunity. They will be able to draw on the collective influence and reputation of the loyalists to reinforce their own standing. It is important that the loyalists are not subordinated to mercenaries, so this would be contract resource, MSPs, or even other teams in the organisation. Doing so would weaken the security leader&#8217;s position by not having a reliable network to draw on in times of need.</p><p>As advantageous as loyalists are, they are expendable. If a security leader has created a dependency or owes favours then they are obligated to those people. Machiavelli makes this observation and Greene goes a little further by suggesting that enemies should be used to occupy subordinate positions as they will then be obligated to the leader. Now this is on somewhat of a knife edge in a corporate environment due to the presence of parallel power hierarchies. The subordinate then may become a threat as they can manoeuvre laterally to positions where they no longer sense an obligation to the leader.</p><p>Intersecting considerations make any judgement calls about how to fill the ranks a challenging decision. 
This decision will need to be contextual and consider the potential options the subordinates have to move against the security leader. There is no immediately obvious path that is simplistic. When a problem requires resolution, the action has to be dispassionate and unilateral in its execution.</p><div class="pullquote"><p>&#8220;The injury that is to be done to a man ought to be of such a kind that one does not stand in fear of revenge.&#8221;</p><p>Niccol&#242; Machiavelli</p></div><h4>The nobility</h4><p>A security leader&#8217;s peers will inevitably be middle or senior management. Peers are generally protective of the boundaries of their domain and generally seeking power themselves in their respective disciplines, and this can be used to devastating effect. A security leader should be acutely aware that they can shift messages that will land badly to their peer group. As it happens, security issues are usually predicated on a problem security doesn&#8217;t own. And it&#8217;s only reasonable for the owner to take accountability. Enabling a scenario where you can simultaneously increase your position relative to your peers, and use their credibility to deliver bad news, eroding their position over time, helps to establish the security leader in the dominant position over their peer group.</p><p>But the nobility must be kept onside over a longer duration. They will have the collective power to depose the security leader. As with the subordinates, it&#8217;s not clear that Machiavelli or Greene&#8217;s approaches are entirely implementable due to lateral and upwards movement.</p><h3>Conflict</h3><p>It&#8217;s worth noting that asymmetric power relationships can sometimes collapse into conflict. This isn&#8217;t really dealt with by Machiavelli or Greene in any meaningful way. They discuss ways of avoiding it, or not being seen to take a side where others are in conflict, or allusions in that vein. 
Machiavelli says there are two ways men can fight, by law or by force, of men or of beast. To co-opt this somewhat, I&#8217;ll consider the bestial approach to be conflict with words. A security leader will find themselves in conflict frequently as what they need to say will not always be welcomed. Open conflict in public spaces is an eventuality a security leader must prepare for and have the skills to deal with.</p><p>In a pure dominance contest, decisive response is demanded. Position will need to be defended; they will come under attack. The attacks may not be rational or hold relevance to the subject of discussion, perhaps public character assassination by others. There will be an audience. There are ways to counter this. A good security leader will have information to hold over their detractors already. Their intentions should have been anticipated as there are always signals. But failing this, they must be able to debate to get the audience on side. The detractor won&#8217;t be convinced, and this will be damage limitation through attack by attaining the support of the audience. When the time comes, and it will, a security leader has to be prepared to vanquish a foe. To embrace Greene&#8217;s laws, a security leader must be bold in action, and not show weakness. Fear is the weapon they will hold over you, without that, they <em>have</em> nothing, without that, they <em>are</em> nothing.</p><h3>Conclusion</h3><p>We have dealt with a number of areas of discussion prompted by Machiavelli&#8217;s and Greene&#8217;s work. But there is a significant omission. We have not made any attempt to reconcile these practices with the values, or mission of a security leader. A Machiavellian worldview is one that is cynical in nature, perhaps because we are cynical by nature. It assumes the worst and leaves little space for altruism. In some sense it promotes malevolence. 
A security leader must understand the methods of obtaining power but has to be judicious in how those methods are applied.</p><p>In a sense Machiavelli is a manifestation of consequentialism as reflected in his writing such as &#8220;<em>one judges by the result</em>&#8221; or as we might say today &#8220;<em>the ends justify the means</em>&#8221;. Yet that leaves us with an unsatisfying conclusion in that a Machiavellian approach forces us to rely on anticipating predefined outcomes. If we fail to achieve the outcome we are greatly exposed and the axe cuts the other way. We cannot predict the future and the path to the outcome in this approach reduces optionality leaving us fragile, but not brittle, along the journey.</p><p>There is no suggestion that you cannot change the destination as Greene concludes in his last law that you must be formless, not adhere to others&#8217; rules and laws. It suggests that a security leader needs to be malleable to the situation and adopt strategies that work as circumstance changes. Machiavellian behaviours and traits are themselves a &#8216;form&#8217;, a way to be predicted, and therefore a weakness. 
Greene leaves a &#8216;get out&#8217; that grants scope to rationalise this internal inconsistency, or it could be taken as a total repudiation of everything he has written and Machiavellian philosophy.</p>]]></content:encoded></item><item><title><![CDATA[Right Said Ted]]></title><description><![CDATA[A discussion about serial killers, AI, and our dysfunctional relationship with technology.]]></description><link>https://www.yousuckatcybersecurity.com/p/right-said-ted</link><guid isPermaLink="false">https://www.yousuckatcybersecurity.com/p/right-said-ted</guid><dc:creator><![CDATA[Denholm Knowles]]></dc:creator><pubDate>Sat, 21 Sep 2024 11:19:27 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/4711d4b2-96f9-479f-9629-1a3bf7b5020c_1600x1067.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Introduction</h3><p>The relationship we have with technology has become a problem.</p><p>Our times are punctuated with technological devices that seem to be fuelling division and polarisation. Complicit indifference allowed poisonous ideas to be digitally disseminated. Technology has become ubiquitous, but should we have let it? There are some that suggest that we shouldn&#8217;t.</p><p>Jonathan Haidt discusses the role of technology in adolescent development, calling it the &#8220;<em>greatest destruction of human capital in history</em>&#8221;. Haidt notes that Gen Z are more anxious, attributing this to a &#8220;<em>great rewiring of childhood</em>&#8221;. As Haidt describes, technology becomes an inhibitor preventing the formative experiences during development. 
Children are not as engaged in play, imaginative activities, conflict resolution, understanding social cues to form relationships, or engaging as part of long-standing communities. The executive functions of the pre-frontal cortex are disrupted, leading to an inability to stay on task or plan. Their social skills are diminished and they are considered to be an anxious generation plagued with an epidemic of mental illness.</p><p>One of the most notable and controversial critics of modernity was Ted Kaczynski, a terrorist. His ideas can easily be dismissed as the ramblings of a madman but within his manifesto and other writing there are astute observations and predictions that have come to pass. In recent years he has garnered an online following and is affectionately referred to as &#8220;<em>Uncle Ted</em>&#8221; in some circles.</p><p>As technologists who apply the latest and greatest from the toybox into organisations, have we considered what that does to the people in those organisations? And the population from which we recruit, how is organisational stability adversely impacted by the wider adoption of technology given how it impacts people? The true impact of novel technologies like AI on society will not just be a change in job roles or the automation of tasks but it will change our relationship with technology.</p><h3>What exactly is security?</h3><p>Let&#8217;s revisit what we actually mean when we talk about security. As many more informed commentators than myself have noted, security derives from the Latin <em>Securitas</em> meaning <em>freedom from care</em>. This means that security is a feeling about the perceived state of protection. Security is not something that is objectively measurable whereas protection is. Security is not locks, fences, firewalls, anti-virus, SIEMs, EDRs. These are the &#8216;things&#8217; we use for protection and are not security in and of themselves but the application of protective measures gives a feeling of security. 
We are talking about emotional responses so we must consider the human element. This distinction becomes important as we start to introduce other concepts.</p><h3>The Terrorist</h3><p>Ted Kaczynski was the terrorist known as the Unabomber. His actions led to the loss of three lives and injured many others between 1978 and 1995. It was not that he had killed a particularly significant number of people, it was the unpredictability of the attacks and extended periods of inactivity that left a persistent threat in the minds of the US. And this is <em>threat</em> in a real sense and not the security colloquialisms. Kaczynski had the capability to cause harm and had signified intention to do so. The Unabomber evaded authorities leaving little trace for investigators other than his signature method of making his devices. He went to significant lengths to make sure that no components were traceable.</p><p>The terror he was able to instil into a nation was palpable and led to one of the most expensive manhunts of all time. Kaczynski had a genius level intellect, his IQ was supposed to have exceeded Einstein&#8217;s. Kaczynski had participated in CIA experiments while at Harvard that were related to the controversial MK Ultra programme. These experiments were to investigate methods of mind control through the use of hallucinogenic drugs and psychological torture. Although it&#8217;s not clear what exactly occurred during these experiments with Kaczynski, this experience combined with the social isolation from having been several years younger than his peers will have put Kaczynski on a path towards becoming the Unabomber. He became a recluse and radicalised himself in isolation from society years before it became an internet trend.</p><p>Kaczynski is still discussed today and prompted much discussion following his suicide in 2023. 
There is an enduring appeal to those who refer to him as &#8220;<em>Uncle Ted</em>&#8221;, perhaps because he is less obtuse than Jacques Ellul or perhaps there is something accessible about his perspective articulated in such uncompromising terms. He has hit on something that still permeates the zeitgeist which might be as simple as the increasing interest in doomsday scenarios and the destruction of humanity. Kaczynski&#8217;s perspective is somewhat notable given it was from a time before the internet was ubiquitous and from before the mass adoption of social media.</p><h3>Motives of a terrorist</h3><p>Kaczynski&#8217;s contention is best described in the opening paragraph of the manifesto <em>Industrial Society and Its Future</em> which was printed in the Wall Street Journal in 1995.</p><blockquote><p><em>1. The Industrial Revolution and its consequences have been a disaster for the human race. They have greatly increased the life-expectancy of those of us who live in &#8220;advanced&#8221; countries, but they have destabilized society, have made life unfulfilling, have subjected human beings to indignities, have led to widespread psychological suffering (in the Third World to physical suffering as well) and have inflicted severe damage on the natural world. The continued development of technology will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the natural world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in &#8220;advanced&#8221; countries</em>.</p><p><em>Industrial Society and its future, Theodore Kaczynski</em></p></blockquote><p>The manifesto contained a pedantic use of the phrase &#8220;<em>eat your cake and have it too</em>&#8221; corrected from the common &#8220;<em>have your cake and eat it</em>&#8221;. 
This was noticed by his brother and ultimately led to his capture, as the phrasing was identifiable as Kaczynski&#8217;s.</p><p>We can distil Kaczynski&#8217;s ideas to a few main contentions.</p><ol><li><p><strong>The development of technology has led to psychological suffering and a lack of fulfilment.</strong></p></li></ol><p>This is predicated on the concepts he outlines called surrogate activities and a disengagement with the &#8216;power process&#8217;. The proposition further asserts that this leads to a degradation in freedom. He contends that the changes in behaviour and how communities are structured to uphold a technological society are the key factor in psychological suffering.</p><ol start="2"><li><p><strong>The continued development of technology will worsen the situation.</strong></p></li></ol><p>As things progress, the more they will deteriorate and the greater the impact caused by psychological suffering.</p><ol start="3"><li><p><strong>The elimination of the modern technological society is required to avert disaster.</strong></p></li></ol><p>The conclusion of the first two contentions gives rise to the justification of the use of violence and intimidation to achieve political change; this is the very definition of the term terrorism.</p><p>We can grant that Kaczynski&#8217;s diagnosis is correct, yet we must remain cynical of the prescription. An overthrow of technology and collapse of society would lead to enormous levels of human suffering. Kaczynski&#8217;s proposition is this: exchange the current conditions for a set of new conditions that lead to different outcomes over a longer timeline. These new outcomes will reengage humanity with their nature and reduce psychological and physical suffering.</p><p>It is widely accepted that there is an ongoing mental health crisis particularly among Gen Z as described by Haidt. This gives credence to Kaczynski&#8217;s view that the relationship between people and technology is one that is detrimental. 
We might consider that feelings of security are adversely impacted by unstable psychological states as a result of technology adoption. Given Kaczynski&#8217;s framing of the problem we can infer that the reduced use of technology will lead to healthier psychological states and a greater sense of security even if the objective level of protection is reduced. This might seem counterintuitive; however, we must remember that security is a subjective interpretation about the perceived state of protection. Too much protection can decrease feelings of security as freedom is removed.</p><h3>The power process and surrogate activities</h3><p>There are two concepts outlined by Kaczynski that are relevant to this conversation. The first is the <em>power process</em> which is defined as having four elements which are goal, effort, attainment of goal, and autonomy. Engagement with the <em>power process</em> is necessary for psychological health in Kaczynski&#8217;s world view and it is easy to see how an increasing dependence on technology would incrementally preclude us from that process.</p><p>Obviously Kaczynski relates the <em>power process</em> to basic physical needs such as food and shelter; however, this concept is not constrained to basic needs. This is where the concept of <em>surrogate activities</em> comes into the frame. Kaczynski argues that in a technological society basic needs are largely met and people will create other goals so that they can maintain some level of psychological health. The examples given are &#8220;<em>scientific work, athletic achievement, humanitarian work, artistic and literary creation, climbing the corporate ladder, acquisition of money and material goods far beyond the point at which they cease to give any additional physical satisfaction&#8221;. 
</em></p><p>Clearly Kaczynski&#8217;s proposition is untenable as it fails to acknowledge that the nature of human existence is within the context of a community where surrogate activities are an inevitable by-product. Kaczynski appears to be working from a conceptualisation of individual survival in isolation from a community which is incongruent with his critique of &#8216;leftism&#8217;. In some respects Kaczynski fetishises a natural mode of living and is dismissive of any benefit brought about by technological advancement.</p><p>Kaczynski draws from the idealised conceptualisation of nature seen within the liberal philosophy. He is providing critique from within the same frame of reference. Where he differs is that the <em>state of nature</em> thought experiment that characterises liberal philosophy is rejected by Kaczynski as he advocates small agricultural communities oriented around families as opposed to brutal individualism. He might be what we would now describe as a <em>postliberal</em>. This is interesting as he is advocating a position that laments the loss of small social groups yet lived in isolation himself.</p><h3>AI and the neo-luddites</h3><p>Given the emergence of novel technology such as Artificial Intelligence, it&#8217;s reasonable to give some thought as to how our relationship with technology impacts on our feelings of security. Kaczynski&#8217;s views can be described as neo-luddite and his view on technology is one of disdain. The use of technology definitionally degrades part of the human connection to the natural world and as we increase usage we sacrifice some of our agency.</p><p>I admit, there is some irony that I speak as a technologist who finds most endeavours towards AI to be somewhat vulgar. To some, I might be considered a neo-luddite. My counterpoint to that would be that proponents of such technology have consistently failed to demonstrate due care, skill, and diligence when developing and deploying these technologies. 
But I ask, when you outsource your thinking to an AI tool, what does that say about the quality of your thinking in the first place?</p><p>Some egregious uses of this technology include the careless and often unlawful use of data to train these tools. Many companies in the UK will use their customer data, often including special category data under the processing basis of <em>legitimate interest</em>. They are stretching what is acceptable beyond what is lawful especially in view that the EU AI Act had to soften <em>legitimate interest</em> to cover these tools. But this does not apply in the UK in the same way. What legitimate interest exists to commodify someone&#8217;s data for financial gain exactly? I would go as far as to call this practice negligence. It&#8217;s hard to justify a legitimate use for someone&#8217;s data to satisfy vanity projects, yet, here we are.</p><h3>Neomania - The ongoing march to destruction</h3><p>Nassim Taleb coined the term &#8216;<em>Neomania</em>&#8217; to articulate the blind desire towards the next technological advancement and this is what we see. Kaczynski would describe it as science marching on for its own sake without regard as to its impact on humanity. Taleb&#8217;s concept of <em>Neomania</em> is similar although not identical to Kaczynski&#8217;s. <em>Neomania</em> is about having the latest and greatest version of the gadgets and gizmos that typify modernity. Taleb describes <em>Neomania</em> in a way that moves focus away from utility to vanity. From the Kaczynski perspective, it is this feature of <em>Neomania</em> that removes people from the <em>power process</em> as coveting the latest technological innovation is little more than a <em>surrogate activity</em>.</p><p><em>Neomania</em> is the inevitable consequence of the liberal paradigm which sits on the assumption that progress is good. It&#8217;s not by accident that the industrial revolution occurred alongside the emergence of liberal thought. 
The liberal paradigm is conflicted and incoherent at the most fundamental level. It asserts that freedom and equality can co-exist. This becomes a problem when we attempt to apply these into how we validate novel technology. If you have read the rule set of these technologies and have a functional understanding of virtue ethics you will know this is true.</p><p>There is a huge appetite for AI tools to be deployed within organisations yet when challenged as to why they want this technology you are met with the blank look of a departed mind awaiting its digital replacement. In and of itself &#8216;<em>Neomania</em>&#8217; denotes a lack of purpose and signifies a passive malaise of those afflicted. AI adoption all too often is for its own sake and not to address a business need. If you need an AI to read and summarise a document . . . you are lost.</p><p>Progress is an ever-present component of modern life, the continued march of incremental updates, the next thing to woo our adorations. This week it is AI or big data, last week it was the cloud. Who remembers blockchain? The pace of these technological improvements has been increasing for the last two hundred years since the industrial revolution which fundamentally changed the foundations of the societies humans live in. We moved from our rural communities to the city, our life expectancy increased, we became literate.</p><p>Perhaps there is something more to Taleb&#8217;s conceptualisation of Anti-Fragility that might explain the ongoing march of progress. As we technologically progress, we become more encumbered by the system in which we exist as Kaczynski explains. In the context of Anti-Fragility this reduces our optionality, increasing our own fragility and diminishing our ability to respond to adverse events. If we take at face value that Kaczynski is correct that feelings of security are related to our ability to take care of ourselves then the increased adoption of technology is disempowering by virtue of its construct. 
We might consider freedom as a proxy of optionality and a decrease in optionality is a decrease in freedom.</p><h3>Conclusion</h3><ul><li><p>Am I against AI? No. It is just another technology.</p></li><li><p>Am I against the irresponsible use of AI? Most certainly.</p></li><li><p>Do I see AI being responsibly used? Rarely.</p></li></ul><p>I have previously made the point that the best argument for the adoption of AI technology is to maintain economic productivity as we face decreasing global populations. Our interaction with this technology needs to be examined and considered. We know that social media causes harm at key developmental stages and we are seeing the consequences within those now entering the workforce. The use of AI is set to exacerbate, not alleviate this problem.</p><p>Technology gets applied for technology&#8217;s sake but we need to consider what the implications of these decisions are. Kaczynski is broadly correct in how he has identified the consequences of unhealthy relationships with technology and his arguments are well reasoned. His solution to these problems is not helpful and reflects a highly destructive resolution that is totalising and absolute.</p><p>If we wish to avert the problems Kaczynski highlights we need to act more responsibly with technology like AI. The industry talks about AI ethics but it is mostly vacuous HR patter that fails to get to the root any comprehension.</p><p>We are here as security practitioners to help protect organisations. The introduction of technologies like AI can harm organisations. Considerations about the impacts of these types of technology are within the purview of security practice very explicitly. 
Some disagree, but they are wrong.</p>]]></content:encoded></item></channel></rss>