Thursday, January 15, 2015

Groups, Security and Behavior Economics

I'm currently reading a book by behavior economics authors Cass Sunstein and Reid Hastie, Wiser: Getting Beyond Groupthink to Make Groups Smarter. Cass Sunstein is one of the authors of "Nudge", which is seen by many as a seminal work on the idea of "Choice Architecture". All this is related to my currently favorite research topic, Behavior Economics on Information Security.

Wiser is interesting for us because a lot of decisions and processes in security involve groups. There are groups working around risk assessments, deciding about security controls and measures and also doing incident response. The way that groups fail to behave in an optimal manner and how to correct that is thus important to infosec. A good example on this just came up in a recent Twitter exchange.

Richard Bejtlich was talking the use of a "red team" to mitigate the risk of groupthink during an attribution exercise. This is a perfect example of techniques to improve group work being used on security related processes. He followed up on the twitter exchange with a nice post on his blog.

(I understand Zanero's point from a logical point of view; the fact that you can't prove A doesn't necessarily means that B is truth is the universe of possibilities is bigger than A+B. However, I don't think that's the objective of the red team in that context. The red team is there to reduce the trend of the group to rapidly converge to a decision without properly considering the alternatives. This is a decision making aid tool, not a logical argument)

No comments:

Post a Comment