Critical thinking in Security
Introduction
I’ve recently read Pherson and Pherson’s “Critical Thinking for Strategic Intelligence”. They outline the tools, techniques, and skills that form critical thinking. Pherson and Pherson don’t deviate too far from a traditional Business Analysis set of tools, and we can see direct comparators or straight ports; however, they place a different emphasis on the importance of particular areas. Greater emphasis is given to logic and argumentation than in BA practice. As a BA in a previous life I had a natural affinity towards their approach. The model is well formed, but it is not a complete one when placed in the context of a security function. There are gaps in the Pherson and Pherson model, and some areas of note where security practitioners need to exercise judicious application.
One of the key assumptions Pherson and Pherson make is the upward trajectory of the information presentation, i.e. it is being presented to someone more senior than the analyst within the organisational structure. This is a point of note due to the asymmetry of the power relationship. What Pherson and Pherson give is a considered and structured approach for us to build on by refocusing pre-existing analytical techniques. It does everything it needs to, and it does it in the right order.
Critical thinking in security
It is hard to say that critical thinking takes place in any meaningful way within security. Granted, there are some green shoots of insight, but there is a predisposition to rely on hand-outs, playbooks, templates, and frameworks. We do this in part because doing so means that we don’t have to define anything ourselves, and this habituated style of working has built-in repudiation mechanisms. Perhaps these speak to a lack of competence and are a manifestation of the Peter Principle, or maybe it’s something else. This might be Manson’s law of avoidance, perhaps? We have built these structures into our identity as security practitioners, and moving away from that, for better or worse, threatens our identity. Our group identity might be part of the problem. As we saw in Zimbardo’s Stanford Prison Experiment, in-group formation occurs quickly and is reinforced by language and behavioural conformance.
Little of the analysis that Pherson and Pherson discuss is generated within security in my experience. We would not see elements like hypothesis testing or source validation applied in any structured way. At best, this is treated ad hoc and lacks maturity.
By way of example, we throw down anchors to remediate vulnerabilities. Have we ever confirmed the report before remediation activity? Not just checking a version, but someone showing that the systems are in an exposed state. I’ve rarely seen that happen, yet we are comfortable taking down systems the business relies on to transact. We base this on a report from someone we don’t know, using a score calculated on unsound assumptions, from a database that always assumes the most vulnerable configuration. This is not informed decision making; this is the application of fear.
We only need to look superficially into the evolution of security to know things aren’t right. Security orients itself heavily around a single core model, the CIA triad. CVSS is based on this. Without going into depth, we know this comes from a NIST paper in 1977. Think about that for a moment: we conceptualise security in a way that was conceived before the internet was invented and before Doom was released. We don’t live in an expanding universe of knowledge; rather, we are consigned to Hoyle’s steady state. Our structures are some kind of perverse and self-referential appeal to authority, which of course is a logical fallacy.
This all points to a practice that has not considered its own foundational principles and premises. It has no sense of how we should be approaching analysis other than what we glean from change methodologies. This is the current state of critical thinking in security. Security would benefit from the structured approach that Pherson and Pherson propose (with some caveats).
Squaring the circle of Pherson and Pherson’s model
The model is incomplete, although it does a good job in its area of focus. Little emphasis is given to understanding organisational structure and power hierarchies. The model is discussed in the singular and seeks to identify an individual client’s needs. Some of the methods, such as checking calendars, could cross ethical boundaries and could foster the creation of an environment whereby principled people act in unprincipled ways. Could we inadvertently be giving practitioners grounds to operate outside the boundaries of what is acceptable? This reinforces the need to have solid values and mechanisms of self-reflection, lest we become Browning’s ordinary men.
We know from Professor Bob Garratt that organisational structure is important and has a direct lineage to what influence your client has within their organisation. If our aim is to influence, then we must also understand the power hierarchies in play, as these can exist below the surface, as we know from Machiavelli and Robert Greene. But there is a further omission, and that is one of organisational values. Pherson and Pherson discuss depoliticisation; however, we know that analysis is required to support political objectives. Looking to Garratt, we can state that organisations are required to report on ideologically driven issues such as ESG. Political motivators will likely be manifest within the organisational structure in terms of power hierarchies and reflected in the policy documents. I did appreciate the rigour they articulated in sticking to their process and principles by advocating the reformulation of questions.
The question of values does remain unaddressed by Pherson and Pherson. Garratt talks about the board setting the values and emotional context of the organisation. The subjective elements of organisational emotional context are not something that can easily be captured as data points. It is imperative this is understood by the analyst as this will aid in the establishment of relationships with the client and frame their needs to the analyst in an appropriate way.
Pherson and Pherson discuss the use of quantitative methods using probability, confidence levels, and likelihood expressions, but there are dangers in using these in a security context. The FAIR methodology is an extension of the basic idea of impact x probability but is fraught with conceptual errors, making quantitative methods flawed on many fronts. It would be easy to see how some of Pherson and Pherson’s tools could be misused.
Pherson and Pherson discuss how to make analytic arguments, but this is not the basis on which people make decisions. They assume that logic is the tool to influence but don’t extend to discussing emotional response. Garratt notes that directors tend to downrate hard facts, which is a problem if we are relying on analysis as the currency to create our credibility. We know from John Maxwell that emotions can move people to action. Granted, Pherson and Pherson discuss narratives and storytelling derived from Stephen Denning and make some passing allusions to empathy, but the whole endeavour is a one-sided affair oriented around the practitioner. Where Pherson and Pherson discuss influence, it’s typically in the form of quid pro quo; however, this sets a transactional nature to relationships rather than ones built on trust. The tactics outlined don’t fit neatly given the implied asymmetry of the power relationship.
Given the assumption that most executives will not have been through a structured process of critical thinking, we might assume that there would be aspects of intuitive decision making with retrospective rationalisation. Decision making taken outside of a logical process will lean on the credibility and trust of the source. Therefore, managing the trust relationship and calibrating the analysis to be cognisant of the possible emotional responses of the client becomes a critical, but unaddressed, concern.
If I were to describe the main thrust of the Pherson and Pherson argument style, it would be a logician’s approach. The model outlines working through rebuttals and identifying logical fallacies, and even extends to presentation considerations such as the CREATE mnemonic. This is useful for self-reflection; however, care is needed where clients present challenges to the analytic argument. Logician-form argument has its place, but the negotiation form of Chris Voss and the rapport building of Robert Cialdini’s principles of influence would have far more benefit and close the gap in this area of the skill set.
Pherson and Pherson outline critical enablers such as engaged leadership as part of the successful implementation of collaboration, as well as discussing the need for consistent policies. This is the problem with limiting stakeholder considerations to the client and not exploring the wider organisational structure. The critical enablers of the methodology remain unidentified, due to the limitations of the methodology, until the model is applied to itself.
Policies are the political will of the board, as Garratt’s model outlines, and form the boundaries of expected behaviour. Pherson and Pherson acknowledge that clear policy is a critical component of collaboration, as is engaged leadership, but they lack consideration of how to engage that leadership other than by presenting analysis.
The importance of critical thinking
Well, there are many reasons why I think critical analysis would be important in a security function. Pherson and Pherson give a model that requires challenge to assumptions and to source credibility. Security practice as currently applied within the enterprise would broadly relate to operational considerations, change-related activities, and organisational governance. All of these require analysis from the security practice to inform decision making. Where Pherson and Pherson’s model gives practical usefulness is in the sequencing of activities and the structure of how these should be undertaken. The structure and sequence are important, as they create the narrative line of analysis that carries from inception to completion and makes the analysis relatable.
It requires that scope is defined, that assumptions are documented, that information is verified and validated, and that stakeholder attitudes and perspectives are understood. It would allow upfront reflection on the needs of the client rather than arbitrarily applying a checklist. Pherson and Pherson’s model promotes looking beneath the surface and investigating down to the source of the claims being made, to ensure that the perspectives presented are valid.
There are some very salient points made by Pherson and Pherson that must be upheld for effective analysis to occur: clear problem definition (or requirements), conclusions that follow from the analysis, and specificity of criteria. These are all needed for the model to work. The advocacy of engagement and collaboration is of note. There cannot be a security-at-a-distance approach where controls are recommended from afar. The analytical process itself creates the opportunity to form relationships with those the security practice will be working with.
How do we help them?
Once we are able to establish a trust relationship, having a standardised set of tools and methodologies can help decision makers and organisations to increase their rate of learning relative to the pace of change in the external environment, as described by Revans’ axiom. Pherson and Pherson’s model is complementary to Garratt’s concept of the learning board and gives us the tools to realise a grander design.
The learning cycles Garratt defines have a correlation with the intelligence and law enforcement cycles found in critical thinking. Both have decision making at the centre. Monitoring of the external environment is analogous to the intelligence cycle; enforcement is analogous to the operational cycle. So, we can infer that the conceptual base on which information is assessed, presented, and decided upon has a high level of parity despite differing labels. This then means that the analysis we provide (assuming a learning board) can help to create the learning organisation.
How we structure and present information can help give direction to decision makers in the reframing loop. This in turn will help inform the policy direction as a response to external factors. But this extends further. If we grant that intention is a good predictor of behaviour, how we then shape the intention of decision makers will translate to their behaviours and then propagate through the organisation.
The consequences of critical thinking in security
It’s intriguing to think what the consequences of critical thinking would mean for security. If we applied the critical thinking process with the additional components relating to interpersonal relationships, rapport building, and influencing, what would that look like? I suppose we would move from being the ‘no brigade’ to a position where our clients feel that their issues are being heard and understood, and that useful insight is imparted to them. We would be establishing credibility and demonstrating competence. This fundamentally changes what a security function looks like within an organisation. We would be able to use factual information to give insights to the client. But the model would need to be supplemented, as we covered.
What then happens when we apply these tools to ourselves? We will find something we don’t like, and might even end up killing ourselves in a Mark Manson-esque way. A security practice might start focusing on the right problems and solving them. This could lead to an increase in fulfilment for individual practitioners, as there would be resolution to issues, as outlined by Manson.
A benefit of the logical approach is that the method encourages a degree of separation. This in turn removes the personalisation of the argument; it promotes objectivity. As Ryan Holiday would say, don’t be passionate, and exercise restraint. The critical assessment of the analysis and information sources helps in the removal of ego. We might also see security practitioners become less defined by their own ego.
What happens to concepts like CIA, frameworks, or playbooks? Would they stand up to critical thinking? I suspect not. It’s quite clear that a lot of security practice is habituated behaviour that is constrained within the boundaries of what has come before. If we laid out the counter-arguments to the industry-defined foundations, it would be hard to generate rebuttals to them.
If we extend this, what happens to the security practice in the business context when we apply critical thinking? How we are then perceived within the organisational structure would inevitably change. As a competent and credible practice that demonstrates leadership, we will attract the attention of other areas. We may not make moves around the org charts, but that is not the crucible of power if we look back to Robert Greene and Machiavelli. What is important is that we would be ascending competence hierarchies and creating the base of influence.
Conclusion
Critical thinking can be harmonised with other methods employed by a security practice to great effect. It is part of a wider set of skills, and a useful one for providing insight to decision makers that will reinforce their role within the organisation. It is an important part of the wider understanding from previous texts and, although very different in construct to those, is no less important. Even if it were implemented with the gaps outlined, I would still see this as a positive step forward.