Why We Can't Have Nice Things: Original Research on Conflict Resolution Styles in Information Security

BSides Las Vegas · 2015 · 25:29 · 18 views · Published 2016-12
About this talk
Rachael Lininger presents original research on how information security professionals approach conflict resolution, comparing their styles to the broader U.S. workforce. The study reveals that security practitioners are significantly less accommodating than average, which limits their negotiation toolkit and creates barriers to collaboration. She argues that acquiring better social influence skills—not just better social skills—is essential for security leaders to drive change and work effectively across organizational boundaries.
Original YouTube description
PG - Why We Can't Have Nice Things: Original Research on Conflict Resolution Styles in Information Security & Risk Management - Rachael Lininger Proving Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript [en]

[Applause] Hey everybody, good evening and welcome. I'm Rachael Lininger. I have about 10 years of experience in information security and risk management. Don't worry about writing down, there's a lot of references in this talk; there will be a handout at the end, you can get them from the purple guy. And I'm here to tell you why we can't have nice things. Out of the field we are pretty notorious for having trouble getting along with business, with management, with technology, with ourselves. There's just a lot of conflict. With all of these problems it can be easy to forget that conflict isn't necessarily bad. The opposite of conflict is not harmony; the opposite of conflict is groupthink and dumbass decisions. We

don't need less conflict; we need less stupid conflict. So I've been going to cons for many years, and pretty much every con will have some version of this talk, or several versions. I was never terribly happy with them. The story for why we had problems was a story I was never sure if it really applied to everybody in the field. Was it really that we weren't empathetic enough, or that we weren't collaborative enough, or was this just a personal pet peeve of the speaker? I didn't know; there was never any data. The other issue I had with these talks was that the answer pretty much always boiled down to "have better social skills." Thanks, great. This

is inarguable but not really very actionable, at least for me. If I could have better social skills just by being told to have better social skills, I wouldn't have kept going to these talks. So instead I went back to school. I got a master's degree in organizational leadership, or as I like to call it, remedial office politics. I took a lot of classes in negotiation and conflict resolution, and I proved what I already knew: I sucked. I wasn't... My professors were kind of baffled. I wasn't too aggressive, I wasn't too passive, I was just really stubborn, and I would end up with no deal even on these really easy class role plays, and

they're like, "Why?" So there was something wrong with it. So I wondered: was something in the way we as a field approach conflict causing our problems? And I did some research. I will get back to the question; first let's lay the groundwork for the research. Oh, it skipped one. There we go. In dispute resolution we frequently talk about negotiation styles. There are a bunch of different ways of approaching conflict. No one way of approaching them is better or worse than any other; the idea is that some are more appropriate to some situations and others to others. The skill comes in choosing the right way to approach a particular conflict. In the literature these styles are

conceptualized along two axes. We've got assertiveness, or how much you care for your own outcome, and cooperativeness, how much you care for the other party's outcome. If you're interested in an overview of conflict resolution, the different styles, and there's even a style test, Bargaining for Advantage by Richard Shell is probably my favorite resource for that. So let's walk through the different styles. If you're both very assertive and very cooperative, you are using the collaborating style. This is the win-win style. If there is a best style, this is the one that people will pick. We often get called out as a field for not being collaborative enough. I do not think that this is the case, and I'll

get to why later. Collaboration is great when you need good working relationships, when you need innovative solutions, and when you have plenty of time to work through it. Collaboration is less good when you don't have the time, the stakes are too low to be worth the effort, or you're dealing with really competitive people who will not collaborate back. If you're very assertive but not very cooperative, that is the competing style. That's the win-lose style. The extreme version of this is Alec Baldwin in Glengarry Glen Ross. If you have not seen that talk, look for it on YouTube, because it is great. Competing gets a bad rap. It's great when you need the results for sure; it's less great when you need to

maintain a good relationship with people. Since most of our work involves maintaining a good relationship with people, we need to be careful when we use collaboration. When you're middling on both assertiveness and cooperativeness, you're using the compromising style. That's the way you win some, you lose some; it seems fair. Compromising is great when you don't have a lot of time, or when you need... or when the stakes are not high enough to be worth the effort of collaboration. It's not so great when this illusion of fairness makes you forget or somehow give away the really important thing. If you're collaborating you're not finding innovative solutions, and whoever starts with the most extreme opening position in the collaboration

will win... compromising. Sorry, I said all the words so many times that they're all the same now. You know, you know the word I mean. It's on top, right? That right? Okay, that's right, yes. Do what I meant you to do, not what they actually tell you to do. So if you're neither assertive nor cooperative, you're avoiding. This can be a good idea: sometimes the risk is too high and you cannot risk losing that thing, whatever it is. Sometimes the stakes are so low that it is not even worth talking about. People think of diplomats as great negotiators; what the literature says is that they're actually often really great avoiders. Sometimes the only winning move is not to play,

but sometimes you have to talk it out, and not negotiating at all can lead to miscommunication and resentment. Finally, if you are not at all assertive and you are very cooperative, you are using the accommodating style. This can be a good idea when the relationship is the most important thing, when this thing that's at hand is just not an important issue to you, when you're wrong. However, sometimes accommodating people can end up giving away the farm before they even know what it is, and if you're dealing with really competitive people it can be a bad idea. So let's look at that research question again: how do the conflict resolution style preferences of information security personnel compare

with the norm of the U.S. workforce? The Thomas-Kilmann Conflict Mode Indicator is a test for negotiation style. It's kind of corporate astrology, but there's about 40 years of research behind it, so it's well-known corporate astrology. It's also normed against the U.S. workforce, so I did not have to find a separate control group. Regardless, I expected to find nothing of any significance whatsoever, because most research does that; you just don't hear about it because it's not important, who cares. However, to my surprise, my sample of information security professionals were special. I found that in general my sample was less accommodating than the norm for the U.S. population. The median was at the 30th percentile; the mode,

where most of us landed, was at the 16th percentile. There were of course some high-accommodating people, but most of us just say no. What does it mean? It means we have a very short supply of one of the basic tools of negotiation. When all you have is a hammer, everything looks like a nail. If you do not have a hammer at all, nothing looks like a nail. We do not use it even when it would be to our advantage to use it. We are just very stubborn, and we end up with no deal a lot. I didn't look into why we were like this; however, it makes sense. Yeah, this is like all my friends. Okay. Our field requires us to say no a

lot. People want to do things that aren't safe on networks and computers. I believe that our field may well select for people who are comfortable saying no over and over and over. It may also weed out the people who are not comfortable saying no, or who just don't like working with people who say no over and over and over. Every other negotiation style was normal: collaboration, competition, compromise, avoidance, all of them were similar to the normal population. Of course different people would have varying degrees; some of us are really skewed one way or the other, but it all came out in the wash, except for accommodation, which is where we were weird. So if my research found that

collaboration was normal, why do we frequently, constantly get called out for not collaborating? My belief is that because we don't accommodate, we never signal a willingness to collaborate. One of the basic ways you signal that willingness is to give a little bit on something, anything. If we don't do that, then people don't realize that we would accommodate, and they're not willing to even try, because that can be dangerous and a waste of time. So what can we do about it? I'm not saying that we need to become accommodators. Let me repeat that: I am NOT saying that we need to become accommodators. What we need to do is be able to better socially

influence people. We need to be able to use all of the tools at our disposal. However, socially influencing people sounds maybe manipulative, maybe a little evil. One of the reasons I am a low accommodator is I had this really strange idea that trying to persuade somebody with anything other than my Vulcan logic was cheating. This is not correct, either scientifically or any other way. Emotion is actually really important to rational decision-making. The details are beyond the scope of this talk, but Descartes' Error by Antonio Damasio goes into the neuroscience in pretty good detail. If you're completely rational, you're also not functional; you can't make up your mind on anything. Besides, would you rather be right or

would you rather get things done? Being right and five bucks will get you a cup of coffee. Maybe; this is Vegas. Joel DeLuca's Political Savvy was how I did actually finally start learning office politics. It's a pretty great overview of how to get things done in an office without actually being evil. Unless you want to be evil, and then, 'cause, you know, go ahead. So what can we actually do to influence people better? Number one is look for concessions to make. We're always told to pick our battles; let's start picking battles to lose. One of the reasons that I realized I was having trouble wasn't that I never actually accommodated things, it's that if I

didn't care, I completely ignored it and gave it away for free. This is stupid. I smartened up, so let's stop doing that. I've seen other people do it. We need to pick which battles to lose. If we can't find any, bring the donuts. It works, and then there's donuts. When we do pick what battles we are trying to lose, we should also pick what battles we try to win. Over time, as the field changes, we have learned that many of our best practices actually do not help at all, and hurt, so we should stop doing that. Do the research to find out if what you are advocating for actually improves the situation. One of my

favorite papers in information security is Cormac Herley's "So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." Everybody should read it. It is about how the advice we give users costs them more in time and effort than any benefit they actually get. It's not saying that security advice is useless; it's just that we need to be a lot more careful on what we insist on. Another thing that works really well is to admit when you're wrong. There's the expected effects from this, and then there's one more surprising effect. As expected, not admitting when you're wrong will backfire really badly when you are found out, and the chances that you are found

out are, you know, really pretty high. It always happens at, like, the worst possible time. If you admit when you're wrong, people are more willing to listen to you, because they know if you have screwed something up you'll say "oh, my bad" and fix the situation. The surprising result: even though admitting you're wrong is really hard, if you just do it and move on, people forget. They completely forget that you were even wrong in the first place. There are people who seem to sincerely believe that I am right all the time. This is really awesome; I highly recommend that state. Another important tactic is to let people save face. Sometimes low accommodators like me will feel that

even the illusion of accommodation is bad: if you give them an inch, they will take a mile. The problem with this is that people will forgive you for winning; they will not forgive you for making them look bad. So stop insisting they look bad if they're wrong about something. Interest-based negotiation is what most people mean when they talk about collaboration. Fisher, Ury and Patton's Getting to Yes is pretty much the seminal work in the field. The idea is that you have interests, which is preventing bad guys from getting into your network, and you have positions, which is that you have, I don't know, a 90 million character password and whatever. Or maybe your interest is that

passwords are encrypted in transit and your position is that they use FTPS to do it. Maybe they don't like FTPS. Maybe you don't care if they use Connect:Direct or SFTP or HTTPS or IPsec or whatever, as long as it's encrypted. All these different possibilities that you can create by working with people's actual interests instead of these ironclad positions, it's called expanding the pie. However, once you've expanded the pie, it does help to have people with competitive skills to help divide it back up, because creating all this extra value and then giving it all to the other party is also not bright. We forget that we are domain experts in a field that is difficult and counterintuitive

for others. We can see patterns at a glance; they can't. They have to think it through laboriously, and they will sometimes get it wrong. Any security solution that requires people to think something through is probably going to fail, because we want them to react correctly all the time. Daniel Kahneman's Thinking, Fast and Slow is about these different types of thought and how they work with people. Gary Klein's Power of Intuition is about how expert decision makers make decisions. Decision science often talks about, you know, how we rationally go through things and weigh the pros and cons. Gary Klein talks about how all his research said no, that's not what happened. They do instant pattern matching

and pick, seemingly by instinct or magic, what's best. And that's because of the hundreds or thousands of hours that they've been learning something. And it's about how do you get better about it, how do you get better at teaching it. I wonder if we need to get better at teaching information security. Anyway, finally, my new favorite paper in information security is "No One Can Hack My Mind: Comparing Expert and Non-Expert Security Practices." It compares expert and non-expert practices for staying safe online. They are very, very different. One of the interesting things I noticed is that all of the non-expert practices are our old requirements. They learned them, they're still doing them, they don't know

why we're yelling at them for it. So let's understand what they're thinking and why they're thinking it, and use that when we try to change. I've been told that it is good to let other people think that they came up with an idea first. I had no clue how to do that. Motivational interviewing is an actual psychological technique to do that. It's intended to elicit the client's inner motivation for change. It's been used by psychologists, it's been taken up by coaches, it's been used by information security practitioners with good results. It's beyond the scope of this talk, but is definitely worth looking into. And finally, I thought I would share how I learned better social skills for real.

The problem wasn't that I didn't really know what to do. I sort of knew; I could just never do it in the moment. In the moment I wanted to say no, so I said no, which is not very socially skilled. Changing that, the most important things for me were a regular exercise habit and a regular meditation practice. Those things allowed me to take a step back, and instead of my reflex "no" I was able to do something else. I could look for concessions to make. I could bring doughnuts if I couldn't find any. I could do research into what the best practice for something actually was. I could look into what it would actually cost

people to do what I was telling them to do as a boat instead of assuming it was free. I could admit when I was wrong about something, or if I couldn't think of anything, I could ask them if I was wrong about something, because they will love to tell you that. I could make sure that I was letting them save face if I was winning on any point. I could try exploring interests instead of hammering on positions. I could remember that I was supposed to see patterns that they didn't necessarily see, and explain the patterns if I needed to. I could learn what they were really thinking and doing, and I could try some stuff from

motivational interviewing. Nothing I'm advocating is harmful, because again, I'm not saying we should accommodate on the important things. But I want you all to try it. Maybe you're not a low accommodator; great, try it anyway. Try it, see how it works, tell me how it works. Complain to me if it goes horribly, horribly wrong, because stories are great. I'm on Twitter. And just try these things, because they are worth trying, and I know a lot of us just don't, because I've been in the field 10 years and I've seen us not do it. Any questions? Yeah.

But sometimes you have to say no, and you have to show data and metrics, because once you show data and metrics it's

hard to argue with that. What are your thoughts on, you know, you can say no 90 times out of 100, but if you have data to back your, you know, "no" with, you will... I mean, it's... nobody can argue with that. And if it's for the better, and if you are making your... if you're taking a customer, you know, perspective, you're making your, you know, customer data more secure, or if it's in the best interest of the company and you back it up with data and metrics, you know, you could always win if you are right and the data backs you up.

Can you help me understand the question?

So what I'm asking is, if I am always right and

if I have the data to back my hypothesis or what I'm saying no about, is that still good or that bad? Like, I can't say no to some...

To be honest, I have never met anyone who is always right. I have never met anyone who has metrics that can convince anyone.

And why is that? If I have data and if I have a metric, and if the metrics strongly point to a direction that the company needs to take, why would someone argue with that?

I have seen many, many bad metrics. Nobody zombie hypothetical perfect spherical metric.

No, no, it's not hypothetical. The assumption is the metrics is correct, because if you can explain how you collected the

metrics, what was your... I mean, it's hard to argue with numbers. But then that's just... I think nobody... but you are saying... you are basically going against the data and saying, the data says that this is good for your customers, but you will not make that decision because your people or not.

There is an entire book that I mentioned in my talk, Descartes' Error, about why this does not actually work with people, with real people in real practice, and that is my data and my metrics for why that question does not help.

Yeah. Well, once in a while you bump into a colleague that honestly believes in Flat Earth or something like...

I can't hear.

Once in a

while you bump into a colleague that believes in the theory of Flat Earth or something like it, like a single-node Hadoop cluster being a good idea. How, like, once you have exhausted any, you know, rational arguments and references to computer science texts and industry practices, if the guy remains unconvinced, how do you handle that?

I say "help me understand," and I keep through "why you're such a [ __ ]" in my inside voice.

You know, seriously, ask them. Ask them to explain it to you, because you don't understand. This is putting the onus on you for not being smart enough. People with that kind of insistence like it when you're not smart enough to understand, and they will explain it to you, and eventually you can get them to explain enough that either you realize they were right in the first place, in which case you admit you're wrong graciously and get magic points, or they start stuttering and they realize "oh [ __ ]", and then you let them save face. Does that answer the question?

So you dropped on us a bunch of different books and a lot of information that was really

awesome, but, you know, I for one have limited bandwidth. Where do I start?

There's a handout that Mr. Purple Leader has. Preparing in advance is helpful. That handout has a lot of starting points that I would recommend.

We all set?

[Applause] nice