Principles vs. Magic

What do economics, evolution, and IT security have in common? They are all complex systems that require a scientific, principles-based approach to understand them.

The Austrian school of economics is a praxeological school of thought: it holds that human action can and should be studied as a science, theorizing about the principles that guide and found the complex system of an economy, and testing the theories in practice. In the application of the Austrian school to economic study, both inductive and deductive reasoning are used to arrive at general principles of action, based on observation of the self and the world around oneself as well as on logical reasoning about causal relationships between motive, action, and emergent properties of the complex system as a whole.

When I write about IT security here at TechRepublic, I tend to tie things in with basic principles of security. I believe that, as with economics, one should take a principles-based approach to security: first identify fundamental principles, then reason from them to arrive at logical conclusions about why things happen the way they do and how to deal with circumstances that affect security. I believe that, given well-founded principles of security and a keen mind, one can achieve a very high rate of accuracy in the conclusions one reaches while reasoning about security.

The alternative is to engage in rote memorization of what other people tell you to do in each individual case and, when faced with unfamiliar circumstances that aren't covered by what you've memorized, to try whatever you've memorized as "best practices" for whatever circumstance you feel like using as your basis, regardless of differing details. Once you've flailed about, trying things the way a computer might be programmed to do so -- pseudorandomly, without applying abstract reasoning to the situation -- you can see how thoroughly your selections have failed you and adjust them to try again, if you survived the previous round.

Without a principles-based approach, your only guidance in making decisions is the set of solutions to other problems that you've already encountered. People who advance the state of the art do so by way of epiphany based on principles, or by rigorous principles-based reasoning; people who eschew a principles-based approach entirely only repeat the actions of those who came before them, by rote, without understanding why those actions worked in the past or why they fail now. Without trying to identify the guiding principles of a field of study or endeavor, your approach to problem solving is akin to what Steve McConnell called Cargo Cult Software Engineering.

The need to identify fundamental principles before one can really begin to understand the workings of a complex system applies equally to IT security, evolution, and economics. Without trying to identify the guiding principles that give rise to the emergent properties of the system, all you can do is make wild guesses or base your reasoning entirely on wishful thinking.

This is why I find it so saddening when someone attacks a principles-based approach to understanding complex systems -- such as the praxeology of the Austrian school of economics, evolutionary theory, or a principles-based approach to IT security. These attacks usually involve deriding the approach as "abstract theory", as if having a theory of the system were a bad thing. Such a statement is, ironically, usually followed closely by statements in support of an alternate theory. The difference is that the alternate theory is one whose "principles" are the product of wishful thinking and confirmation bias rather than of logical reasoning. In terms of being, in essence, theoretical, there is no difference at all.

The Austrian school of economics is one of the most obvious examples of a principles-based approach to understanding a complex system that is often dismissed precisely because it relies on understanding guiding principles. When someone dismisses the Austrian school of economics as "theory", implying that it has no relation to the real world, what that person is actually saying -- whether he or she realizes it or not -- is:

The operation of this complex system is not based on, nor is it governed by, any real principles we can logically identify and use. It is a magical system, operating only by arbitrary rules without underlying principles, that doesn't make any logical sense as a whole.

I, for one, do not subscribe to the notion that complex systems can only be "understood" via statistics interpreted through the lens of confirmation bias, by divining arbitrary rules, or by wishful thinking:

  1. I find the urge some people have to imply a mystical approach to economics by deriding the "theoretical" nature of the Austrian school destructive and anti-intellectual.
  2. I find denials of the applicability of natural evolutionary processes to the real world by categorical statements that amount to claims a complex system like the Earth's biosphere could not have arisen without intelligent micromanagement willfully ignorant.
  3. I also find the urge some people have to assert that all operating systems are created equal (pointing to the relative security levels and popularity of certain operating systems while ignoring all other correlated factors) suboptimal, to say the least. The claim that, simply because one operating system is both much more popular and much more susceptible to security breaches than others, security must be a function of obscurity is a wrong-headed perspective that is fundamentally inimical to good security practice. It may be an appealingly easy conclusion to reach, but it ignores many other factors, such as the principle of security through visibility.

The ultimate point is that an intelligent IT security professional should be able to achieve greater successes by identifying relevant principles of security and deriving appropriate responses to circumstances based on those principles, than by simply observing the most obvious correlations and assuming they imply a strictly causal relationship. Without understanding principles that underlie our respective fields of expertise, we do little more than wave chicken bones over our problems and chant meaningless incantations in the hopes the problems will magically go away.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

59 comments
Deadly Ernest

You said: "The ultimate point is that an intelligent IT security professional should be able to achieve greater successes, by identifying relevant principles of security and deriving appropriate responses to circumstances based on those principles, than by simply observing the most obvious correlations and assuming they imply a strictly causal relationship." I think you should replace the words IT security and security simply with IT in every place, as the principles approach applies to all aspects of IT. One that gets my goat a lot is the non-design of web sites. Way too many web sites today are put together by graphics artists and other whizzer kids (no misspelling, was intended to give a more accurate description) who use drag-and-drop software applications like FrontPage and Dreamweaver to create fancy-looking web pages and web sites without any understanding at all of the underlying code or how the choice of code type will affect the page / site build and performance. They have no idea how to design and build the pages / sites to be more efficient, and no ability to debug the code. They drag and drop things in and let the software create the page / site with JavaScript or XHTML or Java or whatever scripting method is the current flavour. The result is a web page or site that uses a great deal more resources than is needed and is often vulnerable due to all the excess code that can be hijacked. There are similar bad approaches to all other aspects of IT - some affect security and some affect performance, while some affect both.

deepsand

Now, would that we could have all read, comprehend & accept.

ppg

It is not at all clear what Mr. Perrin means by principles. If by principle he means basic (and well tested) physical laws such as quantum theory or Maxwell's equations, most scientists would agree that we are so far from applying them to complex systems like biology, economics or computer security that they provide no practical guidance. Then you have to rely on principles or theories (such as the law of supply and demand in economics) created by observing effects and causes occurring together so often that you can convince yourself they are connected. Once you have developed principles you must continually consider the range of situations for which they apply. When this is done well you can draw conclusions that are not obvious or apply them to new situations. When it is not, people say "it was all very well in theory but not in practice" and, applied to computer security, your system is not as secure as you thought it was.

deepsand

It's been a while since I've seen you here; though, how much of that owes to my own sporadic attendance I cannot say. Are you still having to cope with a dial-up connection?

Tony Hopkinson

Quantum theory doesn't explain many things its proponents think it should; some of what it does say we are unable to apply or even prove. Can't speak for Mr. Perrin, but I took it to mean the sort of person who tries to make the real world fit their theory... Like an analyst who swears by the Vienna development method because its contentions can be 'proved'. Less Cantor, more Gödel, is what we need.

Deadly Ernest

I moved house about twelve months ago by myself, and damn near killed myself in the process - moved too many heavy things. I also had some issues with the diabetes and related problems then too. I've spent most of the last eighteen months up a few hours, in bed several hours. I didn't do much for a while and got out of the habit of checking TR, but feeling a bit better now and getting a bit more active again. Much of what I have done during that time has been writing, and I now have over a dozen books out there, some for sale and some for free. You may want to try this story http://www.asstr.org/~ebywater/Rough_Diamond.html or some others at http://www.asstr.org/~ebywater/ The new house has ADSL - yeah, broadband.

boxfiddler

The interaction between you two. Me learn things.

deepsand

the real universe. And, we're not going to see it, experience it, whilst looking through rose-colored glasses, peering out between blinders, or, worst of all, living behind shuttered windows.

ppg

I really didn't think I would have to justify quantum theory, but have a look at the accuracy of calculations for the hydrogen atom. My point was merely that it is a long way from a hydrogen atom to complex systems involving humans. As I said, supply and demand is a theory that cannot be proven but only validated by observing the real world. I also don't wish to put words in people's mouths, but I interpret Mr. Perrin's posting opposite to the way you do. He said you should begin with the principles and apply them to the real world. I would agree that you should begin with principles or theories rather than whims or biases, but you continuously have to consider whether the principles you have chosen apply in your situation.

deepsand

Realized such only after I unexpectedly fell in love with a young woman who, among other things, remarked as to how remarkable my references to my ex were, in the sense not that I had ever stopped loving her, but that I now readily recalled only the best in that relationship.

Deadly Ernest

spoke of attitudes and behaviours back in 1994 and 1995 when the pain was sufficient to burn holes through armour plate. Things are different today - as the song says: "Time has rewritten every line." It took time, but no matter how much she tries to get a rise out of me, it doesn't work any more - I'm as civil to her as I am to the Tax Office people. I now utilise one of my favourite sayings: "Smile and speak sweetly, it'll aggravate the hell out of the bastards." Fifteen years is a lot of time and its work changes. At the time playing computer games helped me deal with the tension, the anger, and the stress. I wasn't angry about her attitude to me, but very angry about how much she was going about screwing over our son's life so she could lever more money out of me. The false accusations of child abuse got to the point two different judges threatened her with contempt of court if she kept making them after three very thorough investigations by Child Welfare. He didn't need that sort of pressure while only seven and eight years of age. Then a couple of years later she wanted to dope him to the eyeballs with amphetamines claiming he was ADHD - it took a bloody judge to tell her to shove it. Ten years of in and out of court at the drop of a hat when she wanted to change the visitation arrangements because she had a party on or something, before she gave up after he told the court he wanted to live with anyone but her. Those were very turbulent times mate, very turbulent.

santeewelding

You disappoint me. Reach instead into your longer, longer view, which you otherwise articulate here from time to time, and in other published places that you avow.

Deadly Ernest

especially when listening to numbers like Unchained Melody - what helped me a lot in the early stages were DOOM and DOOM 2 and a variant with her image for one of the monsters; I really loved that, just blow her away a few hundred times in the game.

santeewelding

At stage x of a long, long rehabilitation of self. Call it y. It eventually peters out, and becomes of little consequence. By which time you -- or, since I am speaking, I -- may fully love again. Includes even you. That, sir, takes doing.

deepsand

She had the bad habit of refusing to take part in making what should have been joint decisions, perhaps owing to a desire to not have to accept any responsibility should the consequences of such prove less than expected or desired, or simply because it meant that she would not be the dominant party, choosing instead to defer to my judgement, and then totally ignoring her commitment to abide by such. For example, she repeatedly and steadfastly refused to participate in any budgetary considerations, preferring instead that I "do the numbers," and then tell her how much we could afford to spend on what, after which she would always spend more than the budgeted amount, complaining that I'd simply budgeted too little for such!

Deadly Ernest

problem. Your description even hit the mark with my ex, but I was her number two.

deepsand

In fact, she has an unusually large number of former friends and former employers, as well as 2 former husbands prior to me. Never really gave any of that much thought till after she split - thus proving the adage that love is blind - offering only the vague statement that she was "unhappy" as reason. In hindsight, I understand that many of her failed relationships most likely owed to her inability to accept a non-dominant role; being an equal just wasn't enough to satisfy her.

Deadly Ernest

I won't say much about her, but my son, who's now twenty-one and was sent, by the courts, to live with her until he was sixteen (ten years), calls her a super bitch, and that's his own opinion, as I've always gone out of my way not to play the 'that's so and so's fault' game in this, but she did and he saw right through it.

deepsand

your ex was first my ex, do you? :O

deepsand

Once I'd made the final settlement payment, my ex vanished by her own choice. The only reminders have been several creditors contacting me to try to find out where she is/was; told them truthfully that I'd no idea.

Deadly Ernest

removed after that date. Although she still acts like she has me under a full mind control ray.

deepsand

Best have a full body scan done; you just might find something that wasn't there not too long ago. ;)

Deadly Ernest

my wife had one surgically implanted during the wedding. It's gone now.

deepsand

Where can I get one of those?

Deadly Ernest

after I abused him. My new doc is a bit worried about sleep deprivation. lol

deepsand

I've bookmarked them, in my "Things to do on days when I don't feel like being a responsible adult" folder. As for health issues, I can empathize. I'm just now coming out of a period during which a pinched nerve in my neck, coupled with blinding headaches, left me constantly in desperate need of unattainable sleep. I wish you the best in these regards. And, I'm glad to know that you're finally able to enjoy the benefits of broadband; now, to avoid becoming addicted to being always "on." ;)

deepsand

And, bed. Tomorrow's alarm will sound all too early, and the day promises to be long.

deepsand

Nothing more; but, certainly nothing less.

apotheon

Also Known As: a heuristic judgment of validity

boxfiddler

so long as I think it and it leads me to think more and other things. I do like when it fits, though. ;)

deepsand

Alice, Looking Glass, et al.

deepsand

It is the rare case that allows of simple Boolean logic; those damned "excluded middles" keep pushing their noses under the tent.

apotheon

Why leave him alone? I wasn't kidding. I'd love to see discussions get to the point of building truth tables to construct proofs of validity. It'd be a nice departure from the usual in, for instance, arguments about intellectual property law -- where someone will eventually use the tired old argumentum ad hominem fallacy, "You're just a music/software pirate trying to justify stealing!"

santeewelding

Like, playing with his blocks. He can't get into serious trouble that way.

apotheon

Are you going to start building truth tables now?

deepsand

If "correct" TRUE, then "real" TRUE.
If "correct" FALSE, then "real" UNKNOWN.
If "correct" UNKNOWN, then "real" UNKNOWN.

santeewelding

Your presumption is also real. If that, you need to come up with something better than reality to explain either "real" or "presume". I really like to screw with you.

Tony Hopkinson

theory, set them to particular values, case proven. The ones you don't need, deem irrelevant, if the values don't work, massage them until they do.... Reality again is shown to be theoretically true. That's what 'rational' people deal with. Not counting my OS is very secure, because how insecure it is, is a secret, type people.

apotheon

Actually, one could construct a logical proof of the applicability of supply and demand in determining price. Like any proof, it would start with "Given these assumptions. . . ."

Tony Hopkinson

It works when you apply it correctly. It doesn't explain the real world though, just carefully chosen abstract models of it. Hydrogen atom. This is the simple system composed of a proton and electron with quantised energy levels that can be described as a string, a point or a waveform, photons, quarks, gluons... Also according to all our theories observing it changes it, perhaps even creates it... Not simple at all. Quantum mechanics relies on real world measurements in order to be accurate; it's an applied discipline, just as is economics. Decide whether the principles you have chosen apply. Sounds like a good idea, I wonder why more people don't do it.