Principles vs. Magic

What do economics, evolution, and IT security have in common? They are all complex systems that require a scientific, principles based approach to understand them.

The Austrian school of economics is a praxeological school of thought: it holds that human action can and should be studied as a science, theorizing about the principles that guide and found the complex system of an economy, and testing the theories in practice. In the application of the Austrian school to economic study, both inductive and deductive reasoning are used to arrive at general principles of action, based on observation of the self and the world around oneself as well as on logical reasoning about causal relationships between motive, action, and emergent properties of the complex system as a whole.

When I write about IT Security here at TechRepublic, I have a tendency to try to tie things in with basic principles of security. I believe that, as with economics, one should take a principles based approach to security, first identifying fundamental principles, then reasoning from them to arrive at logical conclusions about why things happen the way they do and how to deal with circumstances that affect security. I believe that, given well-founded principles of security and a keen mind, one can achieve a very high rate of accuracy in the conclusions one reaches while reasoning about security.

The alternative is to engage in rote memorization of what other people tell you to do in each individual case and, when faced with unfamiliar circumstances that aren't covered by what you've memorized, to try whatever you've memorized as "best practices" for whatever circumstance you feel like using as your basis, regardless of differing details. Once you've flailed about, trying things the way a computer might be programmed to do so — doing things pseudorandomly, without applying abstract reasoning to the situation — you can see how thoroughly your selections have failed you and adjust them to try again, if you survived the previous round.

Without a principles based approach, your only guidance in making decisions is the set of solutions to other problems that you've already encountered. People who advance the state of the art do so by way of epiphany based on principles, or by rigorous principles based reasoning; people who eschew a principles based approach entirely only repeat the actions of those who came before them, by rote, without understanding why they've worked in the past or why they fail now. Without trying to identify guiding principles of a field of study or endeavor, your approach to problem solving is akin to what Steve McConnell called Cargo Cult Software Engineering.

The need to identify fundamental principles before one can really begin to understand the workings of a complex system applies to IT security, evolution, and economics, equally. Without trying to identify those guiding principles that give rise to the emergent properties of the system, all you can do is either make wild guesses or base your reasoning entirely on wishful thinking.

This is why I find it so saddening when someone attacks a principles based approach to understanding complex systems — such as the praxeology of the Austrian school of economics, evolutionary theory, or a principles based approach to IT security. These attacks usually involve deriding the approach as "abstract theory", as if having a theory of the system is a bad thing. Such a statement is, ironically, usually followed closely by statements in support of an alternate theory. The difference is that the alternate theory is one whose "principles" are the product of wishful thinking and confirmation bias rather than of logical reasoning. In terms of being, in essence, theoretical, there is no difference at all.

The Austrian school of economics is one of the most obvious examples of a principles based approach to understanding a complex system that is often dismissed on the basis of its reliance on understanding guiding principles. When someone dismisses the Austrian school of economics as "theory", implying that it has no relation to the real world, what that person is actually saying — whether he or she realizes it or not — is:

The operation of this complex system is not based on, nor is it governed by, any real principles we can logically identify and use. It is a magical system, operating only by arbitrary rules without underlying principles, that doesn't make any logical sense as a whole.

I, for one, do not subscribe to the notion that complex systems can only be "understood" via statistics interpreted through the lens of confirmation bias, by divining arbitrary rules, or by wishful thinking:

  1. I find the urge some people have to imply a mystical approach to economics by deriding the "theoretical" nature of the Austrian school destructive and anti-intellectual.
  2. I find denials of the applicability of natural evolutionary processes to the real world by categorical statements that amount to claims a complex system like the Earth's biosphere could not have arisen without intelligent micromanagement willfully ignorant.
  3. I also find the urge some people have to assert all operating systems are created equal, pointing out the relative security levels and popularity of certain operating systems and ignoring all other correlated factors, suboptimal to say the least. The claim that, simply because one operating system is both much more popular and much more susceptible to security breaches than others, security must be a function of obscurity is a simply wrong-headed perspective that is fundamentally inimical to good security practice. It may be an appealingly easy conclusion to reach, but it ignores many other factors, such as the principle of security through visibility.

The ultimate point is that an intelligent IT security professional should be able to achieve greater successes by identifying relevant principles of security and deriving appropriate responses to circumstances based on those principles, than by simply observing the most obvious correlations and assuming they imply a strictly causal relationship. Without understanding principles that underlie our respective fields of expertise, we do little more than wave chicken bones over our problems and chant meaningless incantations in the hopes the problems will magically go away.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.