Tuesday 13 November 2012

Thought distortions, or why some of my infosec friends are alcoholics

@dinodaizovi recently quipped that infosec industry is a hybrid of "Mensa and a mental hospital," these are related thoughts.

You all know one or, more likely, many "security consultants" who are telling others that in order to improve security of $system they must do A and B, otherwise imminent failure will occur. Then these consultants go around being upset at their advice not being followed, they perceive the situation as personal failure, end up "burning out"...

Below is a list of cognitive distortions that, according so some theories in psychology, lead to perpetuation of a number of psychological conditions, including depression and alcoholism. I think I've got it from an iPhone app called "MoodKit" (by the way, try it). Have a think - aren't most of these associated with "security consultants," especially the internal consultants, in the eyes of their customers?

Common Thought Distortions

All-or Nothing Thinking 
Seeing people or events in absolute (black-or-white) terms, without recognizing the middle ground (e.g., success/failure; perfect/worthless).
"Without perfect security there is no security"

Blaming 
Blaming yourself or others too much. Focusing on who is to blame for problems rather than what you can do about them.
"These people just do not want to understand the importance of security!"
Catastrophizing 
Blowing things out of proportion, telling yourself that you won’t be able to handle something, or viewing tough situations as if they will never end.
"Ehrmergerd, these people just hate me, I will never be able to do anything to improve security here"
Downplaying Positives 
Minimizing or dismissing positive qualities, achievements, or behaviors by telling yourself that they are unimportant or do not count.
"Well, we got these vulns fixed, but there are soooo many more, probably!"
Emotional Reasoning 
Believing something is true because it “feels” true. Relying too much on your feelings to guide decisions.
"I have a gut feeling the attackers are out to get us!"
Fortune Telling 
Making negative predictions about the future, such as how people will behave or how events will play out.
"The company data will be breached in the most harmful way"
Intolerance of Uncertainty 
Struggling to accept or tolerate things being uncertain or unknown (e.g., repeatedly wondering “what if?” something bad happens).
"What if a firewall is misconfigured? What if there is a new RCE in Struts tomorrow?..."
Labeling 
Describing yourself or others using global, negative labels (e.g., making judgments about one’s character or name calling).
"These lazy developers just do not care!"
Mind Reading 
Jumping to conclusions about another person’s thoughts, feelings, or intentions without checking them out.
"I know they are not interested in fixing this stuff"
Negative Filtering 
Focusing only on the negatives and ignoring the positives in a situation, such that you fail to see the “big picture.”
Ok I give up with examples - the list is getting somewhat repetitive, but you get the drift...
Not Accepting 
Dwelling on an unpleasant situation or wishing things were different, instead of accepting what has happened and finding ways to move forward.

Overgeneralizing 
Drawing sweeping conclusions on the basis of a single incident, such as when we say people or things are “always” or “never” a certain way.

Personalizing 
Telling yourself that events relate to you when they may not.

“Should” and “Must” Statements 
Focusing on how things or people “should” or “must” be. Treating your own standards or preferences as rules that everyone must live by.
Who hasn't done that??? :)
One additional point for thoughts is that the above mindset is occasionally perpetuated by infosec vendors. Send them your therapist's invoice...