Tuesday, December 17, 2013

Neuroscience, Risk and Security

For years I have been a student and practitioner of security – both cyber and physical.  My initial years focused on the “Security 101” elements with a “castle and moat” approach for both physical assets and cyber (i.e., the “walls” were “firewalls”).  Over time, however, I’ve realized that there is more to security than wondering about the bits and bytes or the sizes of chain link fence mesh.  Instead, I’ve begun to recognize more and more that the human element – that is the attacker and defender – needs to be studied and recognized as a key element.


I’ve realized – with some considerable influence from Bruce Schneier in his seminal essay “The Psychology of Security,” and from other thought leaders in the security space such as Kirk Bailey at the University of Washington or Robert Coles at GlaxoSmithKline – that you need to understand what motivates the attacker and what helps the defender recognize new ways and means of defending against the wily aggressor.

In other words, I came to realize that neuroscience should play a key role in helping security professionals understand the attacker’s “brain” so to speak and thus their motivations.

Samad Aidane PMP

Last night I had a fascinating discussion on this very subject with my friend and colleague Mr. Samad Aidane.  Samad and I first met in 2004 or so when I was the information security manager/CISO at the Port of Seattle.  Samad was a newly hired project manager.  Since then we have both expanded our horizons and Samad has evolved his expertise in the realm of neuroscience and project management as well as risk.

Anyway, our conversation tonight revolved around Samad’s new research and focus on the neuroscience behind effective project management and risk.  In fact, Samad has even begun a blog at Neurofrontier.com to expand his and his readers’ awareness of neuroscience and leadership.  I’d like to suggest you take a look at his blog and get a sense of his perspectives on this new science.

A key take-away from my conversation with Samad was that how the brain functions when analyzing risk may be excellent knowledge for security and risk professionals to leverage when dealing with risk analysis decisions.  Similarly, understanding how the brain functions when establishing attack and defense concepts may be very useful to the cyber and physical security defender.  And, of course, if you lean on the concept of “Assumption of Breach”[1] for your enterprise cyber and physical defense, perhaps knowing how the brain functions and reacts could be very useful.

I am excited about the new ideas raised by Samad last evening and I look forward to our next meeting and discussions.  In the meantime, take a moment to look at Samad’s website and review some of his ideas.  You may see a sliver of some new concepts for the security profession to lean on as we try to stop the bad guys!

[1] For my past articles on this subject please go to my article in Asian Power at http://asian-power.com/node/11144 or my article in SearchSecurity at http://searchsecurity.techtarget.com/tip/Assumption-of-breach-How-a-new-mindset-can-help-protect-critical-data