Tame and wicked security behaviour change problems

In the field of cybersecurity, particularly when dealing with behavior change, problems can be categorized as either “tame” or “wicked.” Understanding the distinction between these two types of problems is crucial when developing strategies to improve security behaviors within an organization.

Tame Problems

Tame problems are well-defined issues with clear solutions. They are typically easier to manage because the steps required to solve them are straightforward and the desired outcome is clear. Here are some examples:

  1. Strong Passwords:
    • Problem: Creating and using strong, unique passwords.
    • Solution: Clear guidelines can be provided on password complexity, such as using a combination of letters, numbers, and special characters. Password policies, user prompts, and password strength checkers can enforce these rules. Encouraging the use of password managers is a slightly more complex but still tame solution.
  2. Regular Software Updates:
    • Problem: Ensuring that software is regularly updated, especially for critical security patches.
    • Solution: Users can be prompted to update their software, and automatic update mechanisms can be implemented.
  3. Two-Factor Authentication (2FA):
    • Problem: Enhancing user authentication through additional verification methods.
    • Solution: Implementing 2FA is a bounded, measurable change: the second factor is either enrolled and required, or it is not. The caveat a practitioner will want is that not all second factors are equal. A one-time password (OTP) sent by SMS can be intercepted (SIM swapping) or relayed by a real-time phishing proxy, so an authenticator app generating time-based codes (TOTP) is preferable, and a phishing-resistant method such as FIDO2/WebAuthn security keys is better still where it is available.
  4. Security Awareness Training:
    • Problem: Educating users about potential threats and how to identify them (e.g., phishing).
    • Solution: Training sessions, prompts, and regular assessments can be used to improve user awareness and behavior. The success of these programs can be measured by predefined metrics, such as the percentage of employees passing phishing tests.
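The password item above describes a policy that can be written down and enforced mechanically. The following checker is an added example (not code from the original post): it implements a NIST SP 800-63B style policy of minimum length, context-specific word rejection, repeated and sequential character checks, and a breached-password lookup done the k-anonymity way, where only the first five hex characters of the SHA-1 hash leave the client. The breached-password list and the `range_lookup` function are constructed stand-ins for a real range endpoint such as the HIBP Pwned Passwords API; the threshold constants are assumptions to be tuned per organisation.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Policy constants (assumed values; NIST SP 800-63B requires at least 8 for
# user-chosen secrets, many organisations choose 12 or more). No composition
# rules: length plus breach screening is what the guidance recommends.
MIN_LENGTH = 12
MAX_LENGTH = 128  # allow long passphrases, never silently truncate

# Constructed sample of breached passwords with breach counts, used to simulate
# a k-anonymity range service offline. A real deployment queries the service
# (or a local copy of the corpus) instead of shipping a list like this.
_SAMPLE_BREACHED: Dict[str, int] = {
    "password123": 123456,
    "letmein": 99999,
    "qwerty123456": 4321,
    "Summer2024!": 210,
}


def _sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def _build_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Group breached hashes by their 5-char SHA-1 prefix, as a range service does."""
    index: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = _sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_SAMPLE_BREACHED)


def range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: newline-separated 'SUFFIX:COUNT' lines
    for every known hash sharing the 5-char prefix (constructed, not a real call)."""
    return "\n".join(_RANGE_INDEX.get(prefix.upper(), []))


def breach_count(password: str) -> int:
    """k-anonymity breach check: only the hash prefix is sent; the suffix match
    is done locally, so the full hash (and the password) never leaves the client."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` characters with consecutive code points ('abcd', '1234')."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(password: str, context_words: Tuple[str, ...] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.
    context_words holds things like the username and service name that must not appear."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if re.search(r"(.)\1{3,}", password):
        problems.append("four or more identical characters in a row")
    if _has_sequence(password):
        problems.append("contains a sequential run such as '1234' or 'abcd'")
    n = breach_count(password)
    if n:
        problems.append(f"found {n} times in breach corpus")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "qwerty123456", "correct horse battery staple"):
        print(pw, "->", check_password(pw, ("alice", "acme")) or "accepted")
```

Every rule here is a yes/no test with a fixed definition, which is what makes this a tame problem: the policy can be enforced at enrolment, and its coverage can be measured as the share of accounts whose passwords pass.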

Wicked Problems

Wicked problems are more complex, ambiguous, and difficult to solve. They often involve multiple interdependent factors, making it challenging to define the problem clearly or to identify a single solution. Examples include:

  1. Changing Security Culture:
    • Problem: Cultivating a positive security culture within an organization.
    • Challenges: Security culture involves various factors like adherence to security policies, established norms, and employee attitudes towards security. These variables are not always clearly defined, and it’s difficult to pinpoint when a positive culture has been fully achieved. Additionally, these elements can be interdependent, complicating efforts to effect change.
  2. Eliminating Cognitive Biases in Security Choices:
    • Problem: Overcoming biases like optimism bias, overconfidence, and status quo bias in security-related decision-making.
    • Challenges: These biases affect how individuals perceive risks and make decisions. Since these cognitive processes are often subconscious, they are difficult to address through simple interventions.
  3. Balancing Usability with Security:
    • Problem: Enhancing security without compromising usability and user experience.
    • Challenges: While some aspects of usability and security can be addressed through straightforward solutions, balancing the two in a way that maintains productivity and user engagement can be a wicked problem. The complexity arises from the need to align security measures with the specific needs of the context while ensuring they do not impede users’ routine activities.
  4. Managing Third-Party Risks:
    • Problem: Ensuring that third-party contractors and service providers maintain appropriate security standards.
    • Challenges: Third parties often have their own security practices, which may differ from those of the contracting organization. Managing these relationships effectively involves establishing trust and understanding their security posture, which is not a straightforward task.

Books and References

To explore these concepts further, you might refer to the following:

  • “Wicked Problems, Righteous Solutions: A Catalogue of Modern Software Engineering Paradigms” by Peter DeGrace and Leslie Hulet Stahl: This book, though primarily focused on software engineering, provides a foundational understanding of wicked problems, which can be applied to the context of cybersecurity. The term itself comes from Rittel and Webber’s 1973 paper “Dilemmas in a General Theory of Planning”, which the book builds on.
  • “The Design of Everyday Things” by Don Norman: This book is about design in general rather than security, but its treatment of affordances, feedback, and designing for human error is the standard starting point for usable security: systems in which the secure path is also the easy one.
  • “Security Awareness: Applying Practical Security in Your World” by Mark Ciampa: This book provides a practical approach to implementing security awareness programs, touching on both tame and wicked problems in the process.

These references should provide a solid foundation for understanding and addressing both tame and wicked problems in cybersecurity behaviour change.
