
All right, is this an appropriate distance? Everybody can hear me fine? Perfect. So this is "Free Your Mind: Battling Our Biases." I'm Dade, I'm a staff security engineer. I don't know if my slides moved, so somebody just give me a thumbs up. Perfect. I'm a staff security engineer for a fintech startup and an independent security consultant on the side. I have a background in red team work at companies like Oracle and Intel, which will be a little bit relevant later on, and if you're interested in more about me you can find basically all my links at ZX da. de.

Quick disclaimer: this is not a technical talk. If you're here for the latest buffer overflow in a poorly written C program, this is not the place for you. This is a talk about biases, the unexpected benefits of being a beginner, and changing the way we interact with our colleagues and peers. And now I have to actually look at my slides. Cool, now we are where we're supposed to be.

Before we get started I want to take a brief informal survey. I'm going to ask a couple of questions and I just want you to raise your hand if the question applies to you. Have you recently done something that you later thought was dumb? Have you recently refrained from asking a question because you were afraid people would think you were dumb? Have you recently been annoyed when someone asked a question that you thought they should know the answer to? And have you recently refrained from sharing a piece of information because you assumed that everyone already knew it? It looks like we're all somewhat aware of our own biases at this point, so that's great. I tried to pick some that were more likely to be common in more experienced people, as well as some that people who are more beginners are going to feel.

So I'd like to start off by talking to the beginners in the room, the people who are new to the industry or even just new to their current job. We're going to discuss some common feelings and how they can be associated with various cognitive biases, then we'll chat with the more experienced folks, and we'll end with a technique that I think can help us all battle our biases more easily. We're only going to take a surface look at most of these because I had the audacity to submit this as a 20-minute talk before I started writing it. Hopefully it's enough that if you're interested you can go look them up yourselves. I personally found a lot of value in understanding that several things that I felt and things that I believed were common enough that they not only had names but also had Wikipedia pages.

So I wanted to start with this phrase: always be the dumbest person in the room. I got this advice a lot when I was younger, and I think a lot of business guru type people will still give this advice today. An alternative to this might be: if you're the smartest person in the room, you're in the wrong room. The idea here is that we surround ourselves with people who are better than us and we will get better by proximity, loosely. I speak from experience when I say this works really well if you want to rapidly level up your own abilities, but it's also really exhausting, because you're going to constantly feel like you're behind all your peers. It can work well, though, and we're going to explore a few unfortunate side effects of holding this belief about ourselves.

As a beginner we're not burdened by the curse of knowledge. We know what we know, we probably don't know some of what we know, and we definitely don't know what we don't know. We don't have years or even decades of historical context around any given decision or any given problem. We look at it with completely fresh eyes and think of solutions completely unburdened from the shackles of reality. This can be a superpower if we're in an environment that'll let it flourish, but it can also be a source of a great sense of shame and disappointment if we're in a toxic environment. I mean, if we're the dumbest people in the room, that would imply that we're the least valuable person in that room, and if we're the least valuable person in the room, then asking a question might just be a waste of everyone's time, right? I mean, they have years of experience; surely they've already thought of whatever dumb thing I wanted to ask. If we're the dumbest person in the room, then when someone else says something they must know what they're talking about. Even if we don't understand it, it must be right, right? I mean, they're the authority, aren't they?

But what if everyone feels this way? What if every one of us feels like we're the dumbest person in the room? Then we're all agreeing to whatever happens to be said, regardless of whether it's right or not. We have created a bandwagon effect that just leads to worse decision-making in the long run. I think it's important to remind yourself that you're not alone. If you have a question, there's a good chance that you're not the only person who has that question, or maybe someone else had that question a few weeks ago and they can help answer it for you, which helps you and helps them reinforce what they learned.

If we choose to not ask that question, or to not attempt that new project, or not commit to a project because we think we can't do it, we're engaging in a form of self-handicapping. If we stick to only doing the things we know we're good at and never attempt something that challenges us, that's self-handicapping. Self-handicapping can help preserve our self-esteem in the short term by helping us avoid perceived failures, but it can also hurt our confidence in the long term by preventing us from experiencing meaningful personal growth.

When our minds are free of assumptions about how a system works, how something should work, we're free to be curious and experiment. We're free to ask questions, we're free to try new things, we're free to experience growth and development, but we're also free to be wrong. In fact, we're probably going to be wrong a lot. But being wrong isn't something we should fear. Being wrong helps us change the way we perceive the world, perceive the problems that we're facing, and helps us overcome those problems.

When I was in third grade I did a report on Thomas Edison. I didn't know all the things I know about him today, but to a third grade nerd he did seem like a good subject for a report on a historical figure. One quote, however apocryphal and paraphrased it might be, has stood with me ever since: "I've not failed 10,000 times. I have not failed once. I have succeeded in proving those 10,000 ways will not work." This quote captures an essential reframing of the concept of failure, a reframing of the concept of being wrong. Being wrong doesn't mean that we're not successful. Being wrong is just one stop on our journey to success. It's a great way to reinforce what's right once we eventually figure it out.

There's another concept in psychology called the shared information bias, which basically suggests that a group of people will spend most of its time and energy talking about things that everybody already knows and very little time on the things that only a few people might know. This has some interesting business impacts if we think about it. If you're having a meeting, you want to make sure that the right people are in the room, because you want to make the right decisions; you want to reach some consensus and move the business forward. But in business we don't really get the luxury of just sitting there and discussing the merits and shortcomings of every possible solution before we move forward. It also means that sometimes we're neglecting to make the best informed decisions. Selecting the right people for a meeting is hard and relies on my understanding of what other people know, which is flawed. It leaves out people who might know a great solution but weren't included in the meeting, or maybe they weren't on the email thread.

I don't think there's one clear solution to overcoming this tendency. It's going to be a game of balance, because we can't just entertain every idea that everyone has before we make a decision; we can't invite everyone to every meeting. We could write documents and make them more widely available, but we can't ensure everyone's going to read them, and in fact probably most people won't. So is there still value in writing it if no one ever reads it? If CrowdStrike crashes a Windows server in an airport and no one's around to take a picture of it, did it really happen?

So if you're an individual contributor like me, you are probably more inclined to scoff at the idea of having to write down every proposed decision, the context, the consequences, etc., because the more nuance we understand about a problem, the more we realize that we will basically never stop writing if we try to do that. If you're a project manager, an executive, or someone who just really loves formal process, you're probably very excited by this idea, though, and also very annoyed about people like me who won't follow your process. But we should definitely be thinking about how to overcome, or rather counteract, shared information bias, and if you have tools that you've used to help overcome this, I'd really like to hear about them after the talk.

One amusing thing I realized while writing this talk: shared information bias would suggest that every person in this room already knows all the things that I'm talking about, and that's why they're here, because they wanted to hear more about the things that they already knew about. So to the people who ventured outside their comfort zone to be here, I see you and I appreciate you.

Switching gears, I want to talk to the more experienced folks in the room, those of us who have put 10,000 or 20,000 hours into our craft, those of us who have forgotten how much we know until we're randomly asked one day about some obscure problem and it all comes flooding back to us. As we grow in our field we become more saturated with various biases. Even if we think we aren't biased, or that we experience bias less than our co-workers, that's a bias in itself, called the bias blind spot. We accumulate knowledge over the years, and that knowledge helps us make informed decisions about our work. That accumulated knowledge is why we're so valuable, but it also represents a challenge for us as well. (Well, I'm behind. Okay, this is where I wanted to be... nope. Well, this is where I'm going to be in a minute anyway.)

If we've been in the same environment for most of our careers, whether that's the same job, the same company, or the same role within the industry, we're likely to face the status quo bias, our tendency to prefer that things stay the same because that's what we know. Who here loves Windows Vista, right? That's what I know, that's what we're here for. So ultimately we become burdened by the curse of knowledge, contrary to the beginners who don't have the knowledge we do, and it makes it difficult for us to see the perspectives of people who haven't been popping or patching shells for as long as we have. Even if those perspectives might be better than ours in some regards, we're probably going to have a hard time seeing it because of what our experiences have shown us. We also face confirmation bias: favoring the things that we're familiar with, favoring the things that align with our pre-existing beliefs, and subconsciously leading us away from things that challenge those beliefs. I think several of these biases help steer us towards decision-making that makes it difficult for beginners to be heard. They help steer us towards the same decisions we've always made; they help steer us away from anything that challenges our status as an expert on a topic.

But I think we have to make room for beginners. We have to actively encourage their participation, their confidence to ask questions, their sharing of ideas, their ability to approach problems in new and novel ways. Sometimes we have to let them fail, because if we know their idea won't work and we tell them as much, they might not feel comfortable sharing those ideas with us again. We also have to lead by example. Sometimes, if we know the answer to a question, it can be valuable for us to ask the question anyway. By actively making the decision to ask the questions that we think others might have, we are encouraging a culture where asking those questions doesn't feel so scary or overwhelming for others. We're helping to make sure everyone in the room has the same information and helping make sure that others are more comfortable speaking up when they have questions or concerns.

Our mental models of how systems work are often biased by our experiences and by the knowledge that we already have. In any advanced system, whether that system is comprised of computers, of people, or some combination thereof, it's surprisingly easy for our mental models to quickly become inaccurate. By making a conscious, active effort to free ourselves of the constraints of our own mental models, we can look at things in a new light and find interesting ways to improve them. We can think critically about the things that we otherwise take for granted. But making this effort is difficult. It requires going against every impulse our brain is telling us; it requires challenging ourselves at fundamental levels. But there are exercises we can engage in that help these challenges get easier and encourage us to more easily slip into this divergent way of thinking.

In 2007 Sir Ken Robinson gave a TED Talk that posed the question of whether schools kill creativity or not. In that talk he brings up this idea of divergent thinking, the concept of seeing a lot of ways to interpret a question, which opens up a lot of possible answers to the question. He gives one particular example that I found myself using a lot over the last 10 years or so: how many uses can you think of for a paper clip? Most people come up with like 10 or 15. People in this room are probably a little bit better at that, you know, maybe 40 or 50 uses for a paper clip. But people who are really good at it might come up with 200 uses for a paper clip, because they're going to challenge the very notion of the question. They're going to say, who said the paper clip was a conventional paper clip? What if it was 200 feet tall and made of rubber? Suddenly the uses for the paper clip can expand dramatically just by suspending our preconceived notions around what a paper clip is.

This is, in my opinion, the essence of red teaming. I think red teaming has nothing to do with hacking computers, though that's the way that our industry has hijacked the term. The actual skill that makes someone a valuable red team member is their ability to think divergently, their ability to look at systems and problems and think, what if X wasn't X, what if it was something else?

When I got interviewed for my first red team job, one of the interviews revolved around a scenario in which I was an electrician. In front of me was a light hanging from the ceiling and behind me was a light switch on the wall. The light is currently on. List 10 ways to turn the light off, 10 components of a functioning light, 10 ways to tell if the light is off, and finally 10 ways to prevent someone from being able to turn the light off. This scenario originated from a document titled "Jack of All Trades," which dates back to 2001, created by Pete Herzog. Its stated purpose is to teach security professionals to think outside the box and learn to use their knowledge in different ways. It puts people into scenarios that they're not likely to have a lot of experience in and then requires that they come up with answers based on those scenarios. I think this is a great example of an exercise that helps to develop our divergent thinking skills. It has formed the structure of dozens of scenarios that I've used in the past, tailoring these questions to be more appealing to the audience.

About six years ago I was visiting home and was asked to come speak at the local career tech center about my career in security. I had purple hair then, not quite as many tattoos as I do now, and I showed up in an all black outfit with this really long, extra black hoodie. I looked kind of like I got trapped somewhere between a Hot Topic and The Matrix. I talked to the kids about my experiences in school as well as my experiences doing red team work for a large tech company. I got to demonstrate the perils of plugging in random USB devices, such as the USB Rubber Ducky as well as the USB Killer. To this day I'm very grateful for the generosity of the class teacher who let me destroy an old machine with a USB drive just to show it could be done. I like to think that he also learned about the perils of picking up random flash drives that day.

But I also used the opportunity to give a talk to the students about divergent thinking. I gave them a scenario not unlike the Jack of All Trades electrician scenario, but more tailored to something that might resonate with them. You have a test next Friday (does it say that on the screen? cool), but the new Call of Duty also comes out that day. How do you get out of taking the test? How do you get your friends out of taking the test? How do you get the whole school out of taking the test? I gave the students a few minutes to jot down some answers to themselves and then asked for volunteers to share some of their solutions. The initial answers were kind of boring: I'm going to try to convince the teacher, I'm going to stay home from school, I'm going to convince my parents I'm sick, that sort of thing. And then one student broke the divergent thinking barrier and proposed that he would go around and break all the printers in the school, because if the teacher couldn't print the tests out, then you wouldn't have to take it. That's when the floodgates opened; I think the kids started to feel more comfortable sharing their more creative ideas. One student said he would put raw fish in the HVAC system, crank the heat up, and break the knob off. Brutal, but I appreciated it. Another student said they'd cause a car accident to take out a power pole near the school the morning of the test; if the school had no power, they probably wouldn't have students come in that day. Once the barrier of the conventional was broken, the students probably came up with four or five dozen ways to get out of taking the test, and I've never been so proud.

So I wanted to actually take some ideas. How much time do I have left, like 3 minutes? Three. Does anybody have an idea for how to turn the light off? Ten ways to turn the light off. This one? Okay, 10 ways to prevent someone from... or 10 ways to turn the light off, anybody have an idea?

[Audience: throw a shoe at the light.]

Yes. Somebody said hit the breaker, that's what I like to hear. All right, on the flip side, what about 10 ways to prevent someone from turning off the light? Any good ideas?

[Audience: tie them to a chair.]

Smallpox, that will do it. Frame them for a crime and get them arrested, yes. Create a guard, that's the answer that I would have expected to hear first, which proves that we're at a hacker convention.

So I wanted to give a special thanks before I wrap things up. I just wanted to acknowledge Toby Kenberg, who taught me what it means to be on a red team and routinely encourages me to challenge my own assumptions and ideas. Toby's the one who originally gave me the electrician scenario and showed me the Jack of All Trades questions, and he offered me my first red team job. I'm really proud to consider him a mentor even if we don't really talk as much these days. I also wanted to give a special thanks to Kelly Shortridge, who inspires me and who encouraged the early ideas of this talk, and whose ideas have helped shape my own beliefs around security and challenging the status quo of the industry. Challenging our own mental models plays a key role in her book Security Chaos Engineering, which I highly recommend reading.

So to wrap things up, I hope this is what you take away. As an expert, go out of your way to ask questions that you think others might need to know the answer to, even if you already know the answer. Ask to clarify acronyms; ask to clarify assumptions that people are making. You can lead by example and pave the way to a much more productive and informed team. As a beginner, be curious, be inquisitive, and don't be afraid to be wrong. If someone says something that you think is wrong, ask them to clarify. Don't assume that just because they have 20 years of experience they're automatically right; seek to understand why they believe what they believe. Finally, and most crucially, engage in divergent thinking. Challenge your assumptions, challenge your own beliefs, challenge your own mental models. This is how we become better not only at our jobs but as people. Thank you.

[Applause]

Right on time. Questions, concerns? Does anybody have more creative ways to turn the light off, or tell if the light is off, or whatever? Yeah? Yes, make the PlayStation solar powered. Make it bike powered, so you have to exercise to play Call of Duty.