
Sorry. Oh yeah, I make your size now down. No, I won't touch it. So my name is Doug Spindler. I'm one of the organizers for BSides this year. Thank you for attending today. We have Rachel in ner. Rachel, and you're a prolific blogger, right?

No, no, that was somebody else's bio. Sorry, I don't have a blog.

You have... anyway, your presentation is "Why Can't We Have Nice Things", and I want to know: why can't we?

Because we can't resolve conflict.

I see. So you can tell me sit down and listen to your presentation and then I'll have the answer, and I'll join you in 25 minutes. Okay, all right, so go for it. Thank you.

Okay. Hi everybody, my name is Rachel
linger. I've been in information security and risk management for about 12 years, and I'm here to tell you why we can't have nice things. Don't worry too much about notes; there's going to be a handout at the end. We're going to put it at the end there, but I figured if I brought it out early everybody would be reading instead of watching.

The information security field is pretty notorious for having trouble getting along with management, with business, with technology, with each other. There's just a lot of conflict. Is that... no, I don't know what you're into. I mean, in a Rule 34 sense maybe, but no. With all the problems we have, it can
be easy to forget that the opposite of conflict is not harmony. The opposite of conflict is groupthink and dumbass decisions. We don't need less conflict; we need less stupid conflict. Yes.

So a lot of conferences will have this talk, and I'd always go to them and I'd always come away kind of unhappy. There were always two problems. One, it was just stories, anecdotes, and the personal pet peeve of the speaker, and maybe projecting their own issues; it was kind of hard to tell. I mean, do we really not collaborate enough? Do we really lack empathy? There was never any research. The other problem was the answer pretty much always boiled down to "have better social skills." This is true;
it is inarguable. It is also completely inactionable, at least it was for me. If I could have better social skills just from being told, I would not have been going to those talks. I wouldn't have needed to since I was 10, since that's about when I started hearing it.

So I went to school and I got my master's in organizational leadership, also known as remedial office politics. I took a lot of courses on negotiation and dispute resolution and found out for sure what I already knew: I was terrible. We'd have these role plays in class and I wouldn't get a deal even on the really easy ones. My professors were kind of baffled, because the problem
wasn't that I was too aggressive or too passive, and that's the common thing. I would just get really stubborn, and it was really ineffective overall. So I kind of wondered: maybe our whole field does something like that. I didn't know what, but something like it.

And this slide did not come out. Anyway, in the dispute resolution field we talk about conflict resolution styles or negotiation styles. You sort of have one axis that's your degree of assertiveness, how much you care for your own outcome, and another axis that is your degree of cooperativeness, how much you care about the other person's outcome. No one style is better than any other, supposedly. All of them are
useful at different times. Everybody tends to have little different preferences. If you're interested in conflict resolution and negotiation in general, Bargaining for Advantage by Shell is a great book. And again, I've got a handout with notes, references, and it has a test of your style preferences at the end, so you can check it out.

So let's go through the different [laughter] styles.

If you're very assertive and also very cooperative, that's the win-win style; that's collaborating. It's great when you have plenty of time, when the stakes are pretty high, when it's really important to find innovative solutions. It's not as great when you don't have the time, or the stakes just aren't worth that effort,
or the people you're working with are not going to collaborate back.

If you're really assertive but not very cooperative, that's the win-lose style, called the competing style. It's good when it's very important that you get your way and you don't have to work with them again. It's not so good if you still have to work with them later.

If you're kind of middling on both cooperativeness and assertiveness, that's compromising. It's kind of a win-some, lose-some. It's quick, it's easy, it's fair. It's great if you need something that is quick and easy and fair. It is less great if you need innovative solutions. It's also not good if the illusion of
fairness means you give up stuff that's really important, maybe without even realizing it.

If you're neither assertive nor cooperative, you are avoidant. Sometimes being avoidant is a good idea: when the stakes are too low or the risk is too high. It can be a good stalling tactic. Diplomats are supposed to be these great negotiators, but the research actually shows they're really great at avoiding stuff. Of course, sometimes too much avoidance can lead to miscommunication and resentment.

Finally, if you're not assertive but you are cooperative, that's the accommodating style. That's a good idea when the issue at stake isn't important to you but the relationship really is. It can also be a good idea if
you're going to lose anyway and you might as well get points for being gracious. It's a bad idea if you give away all the important stuff right away.

So here was my research question again: how do the conflict resolution style preferences of information security personnel compare with the norms for the US workforce? There are a bunch of tests for this. I used the Thomas-Kilmann Conflict Mode Indicator, which has been in use for about 40 years. It's kind of corporate astrology, but you know, there's a lot of research for it, so you can say it means something. To be honest, I didn't expect to get much in the way of results; most research just doesn't. To my surprise, I did. My sample
of 45 information security professionals were significantly different from the norms for the US workforce.

So what did I find? I found that we were significantly less accommodating than everybody else. The median... I know, right? The median was at the 30th percentile, but the mode, where most of us landed, was at the 16th percentile. I'm sorry, was that 16th or 16th? 16th. You know, that's like you say no just to say no. I call it the "cut off your nose to spite your face" orientation. How many have done this? Yeah, I see some people. Okay.

So what this means is that we have a really short supply of one of the basic tools of negotiation. When everything you have,
when all that you have is a hammer, everything looks like a nail. If you don't have a hammer, nothing looks like a nail. We don't accommodate even when it would be in our best interests, even when it would be a good idea. I don't know why we're like this. It makes some sense: our job involves saying no a lot. I don't know if the field selects for people who do this, or if, you know, we just weed out all the people who don't like it or can't stand working with us. I'm not sure.

Every other style preference was pretty normal. Collaborating was the same as everybody else. Competing, avoiding, and compromising: just the same.
So why do we get told all the time that we need to collaborate more? I thought about it and I've got a theory. One of the ways you signal a willingness to collaborate is by accommodating a little in the beginning. You have to give some to get some. If you don't do that, or let me rephrase that: when I didn't do that, people would not try to collaborate with me, because it's actually stupid to try to collaborate with someone who won't collaborate back. It does not work. So I was basically telling them, "Yeah, don't collaborate with me, ever."

Unfortunately, this is a big problem. Robert Cialdini's book Influence is a really big deal for all the research in psychology and
persuading people, and the number one thing is the law of reciprocity: you do something nice for them, they'll do something nice for you. If we reflexively avoid doing anything for anybody else, if we reflexively avoid accommodating, we don't have one of the basic tools that we need. I'm not saying that we need to become accommodators; obviously we can't. But what I am saying is we could do a lot better with the social influence stuff.

Now, a lot of geeks, or at least I, had a big problem where I, you know, sincerely and stupidly believed that using anything other than my Vulcan logic to persuade people was manipulative and wrong. This is
silly. It's one of the basic ways we convince people to do things that they may not yet understand is in their best interests. Also, the idea that people are or should be purely rational is just not correct, even in the neuroscience. This is a pretty cool book, Descartes' Error by Antonio Damasio. One of the case studies is someone who had a traumatic brain injury, and everything else was perfectly normal. He was reasonably smart, he was, you know, unimpaired, except for having, you know, no emotions. He was purely rational. He was almost completely functional. Besides, would you rather be right or would you rather get things done? Being right and five bucks might get you a cup of
coffee. You know, I found this book really helpful for finally actually learning about office politics.

So what can we actually do? First of all, that book, Influence: the law of reciprocity. Start with concessions. Find something to concede. I'm not saying give away, you know, the security farm. I'm saying look for something you can accommodate people on, and do that. When they tell you to pick your battles, what they don't say is you also need to pick battles to lose. One thing I realized was that if I didn't care about something, I really just didn't care about it. It wasn't that I would never accommodate on anything; sometimes I did, on stuff I just didn't
care about. But I never really framed it as being accommodating, so I never got points for it. So that's something that we need to do: bring the donuts.

And when we do pick the battles that we want to win, we should make sure that they are ones that actually matter. There has been a ton of research over the years about how little a lot of password requirements actually help: complexity, how often you change your passwords, and stuff. It doesn't do that much. So why are we still fighting that? We should stop it.

Another important thing is to understand what we're actually asking. This is a pretty classic paper in information security. It shows that users
are being rational when they ignore security advice. We ask them to spend more time doing some things than any expected benefit they would get. That's totally rational. We have a bad habit of asking users to do stuff that doesn't really benefit them as much. We should feel bad.

My next
suggestion is one of my favorites. Admitting you're wrong is really hard the first few times. It's kind of like pulling out fingernails: why are you making me do this? But it helps, and has some really surprising effects. First of all, you don't have that stupid argument over who's right and who's wrong. People will come to you more, because they know you won't have that stupid argument over who's right and who's wrong. They're more likely to listen to you, because they know that if you're wrong about something you'll concede that. And, you know, this one really surprised me, but if you admit you're wrong early and often and just move on, and there's no argument, people
forget you were wrong in the first place. You start getting a reputation for always being right. This is super cool. You should totally try it.

Another important tactic is to let people save
face. I used to think that allowing people the illusion that they didn't lose badly was manipulative. That was dumb. People will forgive you for winning an argument; they will not forgive you for making them look bad. So stop it. Don't do that. You know, I still have a hard time with this.

Interest-based negotiation is what most people mean when they talk about collaboration. The idea is that you have an interest in, say, passwords being sent encrypted. That interest might come with a position: everybody should use FTPS. But maybe they don't like FTPS. I don't know why someone wouldn't like FTPS, I don't know why someone would care, but there are people that genuinely do not like FTPS. Would IPC or Connect
Direct or something else work for them? Maybe it would. Maybe it would be enough for the security issue; maybe it wouldn't. The point is to explore all those issues and find out the possibilities. This is called expanding the pie. One thing that is important to note is that once you've expanded the pie and created all this extra value, it's really helpful to have somebody who's good at the competitive style along with you, so you get your fair share of all this extra value.

Another problem is that we forget that we are domain experts in a field that's really hard and counterintuitive to others. We can see the patterns instantly. Other people have to think
them through very slowly, and they might still make mistakes. They're not stupid for that; we are equally stupid in their fields. The different types of thinking are discussed in Kahneman's Thinking, Fast and Slow. It's a really cool book. Any security solution that depends on people thinking through rationally, including security people, is not going to scale. It just won't. Gary Klein's The Power of Intuition is a book about how experts really make decisions. He's done the research: they're not using that slow type of thinking, they're using the fast pattern recognition stuff. They're just really good at it. The Power of Intuition helps you develop that ability.

If you want to understand what users are thinking and why they are
doing the things that they're doing, this is a great paper to start with. It compares the behavior of expert and non-expert users in protecting ourselves online. Their behavior is really quite different. The non-expert users... one thing that's worth noting: a lot of what they think they have to do is stuff we were teaching them 10 years ago and insisting on. We actually won. It's just, it's kind of late now, and everything's changed, and the message hasn't gotten out. So we need to do better about that.

I've always been told that you need to make the other person think it's their idea. How do you do that? I had no clue. One way to do that is
called motivational interviewing. It is a counseling technique for eliciting, you know, people's intrinsic motivation for doing stuff that's good for them but really hard, like quitting drugs or doing exercise programs or whatever. It's taken up by a lot of coaches. It is being used by some people in information security; they say it works great for them. It's worth learning about.

And finally, I thought I would talk a little bit about how I got better social skills for real. It wasn't learning any of the tactics that I've been told since I was 10. It wasn't, you know, practice in social skills. I needed to become a different person. I needed to become less reactive and able to
actually pick my response, instead of just sort of, like, do whatever came naturally, which clearly wasn't working. Two things worked for me. One of them was developing an exercise habit. If you like running, run. If you like yoga, do yoga. I like lifting weights, because life really changes when you can deadlift that person who is annoying you, especially if that person is yourself.

You know, another thing that helped was a meditation practice. There's a lot of misconceptions about meditation, and frankly a lot of meditators are kind of annoying. I find this particular book really accessible for skeptical atheist types like me. Both exercise and meditation have helped me to be able to take a step back,
decide what to do, instead of reacting with my usual. I'm a low accommodator; I just say no. It's easy.

So what can I do instead? I can start with some concessions. I can look for some concessions to find. I can bring some donuts. I can make sure I'm really careful about which battles I want to win, and get the points for the ones I want to lose. I can make sure I'm understanding what I'm asking: am I asking to do something that is actually reasonable for them to do? Does it benefit them at all, or does it just make my job easier? We have a problem with that one. I can admit when I'm wrong, or if I'm
really, really sure I'm not, I can ask them to help me understand what they're thinking, help me understand why they think I'm wrong. I can make sure I'm letting them save face. I can try some interest-based negotiation, find out what the interests behind the positions are. I can look for patterns that maybe they're not seeing, so they don't have to. I can learn about what they're really thinking and doing. Or I can try some techniques for motivational interviewing.

So here's the deal. I'd like you all to try this. Next time you're having a conflict and it's not getting fixed and you don't know why, try one of these and see if it helps. Let me
know. I'm on Twitter. You know, tell me how it went, and if it went badly I want to know that too, because then I can stop telling people, you know, "maybe you should try this." Who knows? Any questions? Yeah.

How do you encourage positive feedback loops? How do you encourage positive feedback loops? I have an example... so, okay, that's helpful. We don't want to be a incess says no. So when a person reports, or they say, you know, "Oh, I clicked on this," we don't jump on them. We say, "Oh, thank you for reporting this. We'll take care of it. Please be careful." Don't want to be here a center of we don't... You know, that's just a
matter... I say "just", but actually it's really hard for some organizations. Make sure that everybody knows this is kind of like the admitting you're wrong: it's more important to actually be secure than to look like you were secure. Yeah, question?

Have you been able to tie our propensity for not being accommodating to incentives that are unique to the security industry? In other words, because we're measured to be in a particular way, that's why we're not accommodating?

Like I said, I didn't really research why we were like this. That would be really hard to pick apart. I think the issue is just, it's our job to say no a lot. You know, sometimes we just can't be accommodating, and we
will select for the people who are comfortable with that and weed out the people who aren't, and maybe also select for the people who like working with people who say no all the time, and weed out all the people who cannot stand us. Yeah?

Have you looked at gender stereotypes in this research, or the roles that, you know, gender contributes here?

I did look at gender stereotypes. I actually found that the style preferences for the US workforce were not really there; there was no significant difference between genders. And my sample of 45 was just not big enough for me to have pulled anything out there. Yeah? No? Okay. Yeah, that would be cool. Basically, I
paid for all those tests myself, and so, you know, if anybody here would like to do a grant, that'd be super cool. All right, thank you.