This was one of the comments made when I once posted about logical fallacies on LinkedIn. The poster deleted the comment so I couldn’t respond. To spare them the indignity of “listening to the posturing” of which they were complaining . . . I relieved them of the option to interact with me any further. This is one of the problems of picking up random contacts on LinkedIn, you can become easily afflicted by insufferable pillocks.

But . . . I want to talk about logical fallacies.

I am going to double down on the view that every security practitioner must have a working knowledge of logical fallacies how to spot them. I encounter them all the time during the course of my work. I’ve seen it too many times where a slick project manager dismantles the valid positions of a security practitioner just through their higher level of ability in debate. Consider that debate in a work context is where you are trying to gain the support of the observers rather than the person making the counter proposition. Influence is oriented towards changing the mind of the person making the argument which there might be an impossibility.

Logical fallacies tend to manifest most prominently where a decision needs to be made and various people are called upon to inform that decision. I imagine you know exactly the type of thing I’m talking about. In this scenario the security practitioner sounded unsure and couched in their demeanour, the slick project manager was confident and compelling. At no point were the concerns raised by the security practitioner addressed but they were out manoeuvred. A decision was made that led to a suboptimal outcome. Ultimately, decisions are based on emotions, rationalisation is a post-hoc justification of a decision that was already made and this was based on the perceived strength of the arguments being made and in how they were presented.

So, why does this kind of bullshit keep happening?

Well, part of it is weak practitioners who suffer from ‘stay-in-your-lane-ism’ coming from a place of fear. An unwillingness to engage with confidence about matters that are well known but lie beyond the horizon of what is traditionally termed as the domain of security. They shackle themselves to the limitations of what others perceive that they should or shouldn’t be doing.

If we know that our job is understanding the behaviour of people, why do we focus so much on technology? Technology is the easy bit. We’d be better served by understanding how to negotiate, what creates influence, what phycological principles underpin all of this, and how to engage with junk arguments that we are presented with. If security is a ‘people problem’ as we proclaim, why don’t we know how to construct and refute arguments as well as.

I’ll share some examples of shit I have seen consistently for years.

False Dichotomy

A false dichotomy reduces a broad range of options into a binary option. I have seen this technique used to high levels of effectiveness. It is very common. Usually this is where a decision is required but it can also be used to manoeuvre a person into a position where they are forced to agree with a framing that is constructed by the person proposing it. It contains a loaded expectation that there is a choice to be made. A false dichotomy can be constructed in such a way to leverage anchoring bias and the adjustment heuristic which artificially sets a boundary to the discussion and the conversation then follows within the confines that have been set.

The framing of a false dichotomy can be useful to elicit a decision however there are ethical considerations regarding its use. The existence of other options existence must be made clear and some exposition as to why they have been discounted. An interesting quirk is that humans generally show higher levels of satisfaction with a chosen option when there are less options to choose from.

When you identify a false dichotomy there are a couple of ways to approach this. One way is to outright reject both options and put it back to the person making the proposition. Ask “what happens if I do neither?”. This can sometimes lead further discussion around the premise of the options where you will find weakness. It can be helpful to ask about other options that are not presented. Push for details of why these were discounted, on what basis, and what analysis supports this. Often you will expose that the analysis is weak and be able to reclaim the initiative.

Bandwagon fallacy

Christ! I hear some variant of this one almost daily and it’s the one that boils my piss the most. Essentially the claim here is that we do not need to scrutinise something as the heavy lifting has already been done by others. It’s just faulty thinking to conclude that something is good without looking at the information and coming to your own conclusion. There is more than a note of resonance with the principle of influence, social proof.

Walter Lippman wrote “where we all think alike, no one thinks very much” and we can view the aspiration of dependence on the perspectives of others as the aspiration to not think very much ourselves. We could even term this “‘magic quadrant mentality”. There might be valid reasons why some look to this type of argumentation, they might not have the time, the resources, the expertise, or the budget to do things correctly. But the consequence is an uncomfortable one, they are sitting themselves atop of assumptions that could easily get kicked out from under them.

There are snuck premises in these types of statements. It assumes that the external parties being invoked have made an appropriate assessment or have a competent implementation themselves. How would you know that they themselves have given any thought or scrutiny to a proposal and not just adopted what others are doing. Another assumption here is that others have a comparable set of circumstances to yours and are using a solution in a way that you intend to use it. It’s unlikely to be the case. Protection is contextual to your specific set of circumstances. Foregoing an appropriate level of scrutiny in favour of a half-arsed approach is negligence.

These types of fallacies are best countered by asking for evidence. Ask how verification can be obtained of the findings of others. Often in these cases those who are relying on this line of argument know little of the facts and will come apart on scrutiny. Pressing for specifics is generally quite useful but very useful here. How do you know this is protected? How does this apply to how you intend to use it? etc.

Appeal to tradition

This has similar problems to the bandwagon fallacy but also introduces a new dimension. It assumes that the previous approach was good or the old ways are the best. It might be true, but it might not. Circumstances change. The business may have a lower capacity for losses than they previously did, their policies and standards might be different, the regulatory context might have changed, the organisation might be trading in different markets. Essentially the person making the argument is counting on you accepting the assumption that the traditional way of doing things is the best way.

An obvious question to ask is “If it was fine before, what’s the need to change anything?”.

I encounter this a lot when systems or processes are being replaced but in that context the thinking is even more broken. It is used as a bypass for asking critical questions and re-evaluating the way things are done. A realistic scenario might be a new system to replace something that is end of life. Rather than redefine process to work optimally with the new system a number of bespoke elements are built into an off the shelf solution and some hideous bastard of a mess is generally what becomes of that.

Appeal to authority

This is another truly bullshit line of argument. It is an attempt to place an argument above scrutiny because of the person making it or the source from which it originated is considered to be authoritative in some way. They may appeal to their certifications, position, or membership of a group as the authoritative standard. One amusing yet antagonistic way to approach this one is to ask, “if they are an authority on the matter why is their argument so weak?” Remember, you are not required to accept an argument just because of the person making the argument. This type of faulty thinking is especially a problem in security where views are accepted as articles of faith because some certification body proclaims it. I have spoken about my disdain for the lazy thinking frameworks promote before.

Conversely this might be used as a critique of your argument where it is dismissed because you might lack some certification or formal training in a given area. I forget how many times lacking an arbitrary piece of paper had led to being told I’m not permitted an opinion. This is an easy one to deal with, something like “that’s fine, but you haven’t addressed my point” usually handles it. If you happen to work in a milksop environment something like “this seems to be challenging your commitment to inclusion and diverse thought” is always a banger to wheel out when you really want to piss some people off.

I’m offended

This might not be a logical fallacy per se but it is a line of argument I have experienced. It’s more of a thought terminating cliché. Offense is the nebulous world of someone else’s hurt feelings. It’s a rarer occurrence but it does pop up every now and then. There is a pernicious undertone to many of this type of arguments. They depend on using these cliches to kill the conversation. They are exerting the expectation of the social norm to be nice to stop the discussion. These are easily handled. The late, great Christopher Hitchens might have said “I’m still waiting to hear what your point is”, or you can always just say “so what” which is far more humorous.

Sunk cost

This tends to be more of a behavioural problem rather than related to argumentation but is a form of logical fallacy. We continue to do something stupid because we have already spent a lot of money on it. We are too far down the path to turn back. This is about ego preservation rather than doing the right thing.

The cost might not be related to financial spend, it might be that someone has staked their reputation on delivering something or that so much effort has been expended on doing something that has now transpired to be pointless. Where this happens you know you are in the presence of weak leadership.

It is the old adage “throwing good money after bad” but it happens very frequently. You will usually see this where a project has encountered problems and reduces its scope to the point of having no meaningful impact on anything. An expensive project will be concluded, having delivered very little to rapturous applause.

This is one you aren’t going to win with a weak leader that is adamant on doing the wrong thing for the business. It’s best to recognise that criticising the failing initiative will be seen as a criticism of its supporter, it will be taken as a personal attack. The best you can do is minimise your involvement and go do something useful with your time.

Strawman

A strawman is where a critique is made to an argument that wasn’t made. It is a contortion or misrepresentation of what has been said. These might be changing assumptions or features of your statements to make them open to critique. We see this where an asserted benefit of a project or initiative will solve a specific problem or subset of problems. The counter might attack a position which implies that the benefit will solve all the problems mischaracterising the position. This type of fallacy happens a lot especially when someone is attacking something that was to replace it with something new.

One of the more amusing examples I’ve seen comes from agile practitioners. They were vehemently critical of waterfall project methodology making assertions that it was slow, expensive, and didn’t take in to account the needs to the customer. That might be true however what they were levelling criticism at was not waterfall methodology rather an altered derivative that was unique to their organisation. Their argument wasn’t actually with waterfall. Spin on a decade or so and there are some narrow eyebrows being raised at agile failing over and over. Notice how quickly they rely on the argument that “the methodology wasn’t implemented correctly” when faced with critique. It’s comical stuff.

The approach here is to constantly correct and highlight the incorrect elements of the rebuttal. This is the time to get pedantic because “that is not what you said” and “it is not the argument being made”. Get the person back to terms you have specified for your argument and force them to speak to that. And if you really want to be a prick about it you might say “you have completely missed the point”.

Ad Hominem

Oh, these can be fun.

These are rarer as they tend to be high risk in a sanitised corporate environment. Ad hominem is where there is an attack against the person or motives rather the argument. This might be in the form of “you have only been with the company for X amount of time” which does nothing to address a point being made but attempts to subvert it by attacking how long someone has been within the organisation. You will sometimes get “you are only saying that because you are in security” or something of that ilk which is irrelevant to the argument being made. In these situations it can be useful to highlight the critique, “does my role in security detract from the concern?”

Ad hominem can always be entertaining to use yourself. But be cautioned, it can backfire so you need to be able to read the room and use this where you have a sympathetic audience.

Steelman

There is a more gracious but less gratifying way to deal with logical fallacies albeit, far less amusing for those inclined towards over excited exchanges. It is the steelman. A steelman is the practice of presenting the strongest possible version of an opponent's argument, even stronger than they may have articulated themselves.

A steelman is helpful. By considering the most charitable version of a person’s position it can help tease out the strength and weaknesses of an opposing position. This approach also helps in identifying counter arguments to critiques which you might be able to use and will be robust. It requires using critical thinking skills to get to the foundation of an argument by identifying the assumptions and premises on which it is built.

It can help generate credibility and start to form a relationship that has utility. By replaying their position empathy can be elicited by creating an oxytocin response and ultimately building trust. It allows you to label, paraphrase and generate neural resonance. This is all in the realm of social engineering technique which we won’t get into here. This gives another way to approach leveraging those techniques to generate rapport

Conclusion

A great many logical fallacies can be observed in the work place but these are the ones I see regularly. There is a certain style that needs to be employed when approaching these. I see ways to address these as falling into one of two categories.

1. Change the mind of the person

2. Destroy the point

The former is higher effort but will have longevity as you are actively building relationships with people. Techniques like steelman can help create those relationships. It requires skill and understanding of social engineering methods but the outcomes can be highly effective and long lasting.

The latter is reserved for situations where you won’t influence the person making the argument but you need to gain the support of others. Being quick, humorous, and a good speaker help in these situations but there is always a dangerous element to combative approaches.

Irrespective, you should know about logical fallacies so that you are able to identify when someone is using them on you to pull a fast one.