

David Shaw

Gunnar, your infosec blog entries are informative and often thought-provoking. This one triggered my brain's safety pressure relief valve! Your one raindrop is still rippling my ectoplasm.

What a neat, simple way of thinking about the source of frustration experienced by users, business leaders, infosec professionals and tinkers.

It certainly helps to focus thinking about the payback (or lack thereof) we see in projects like some GRC 'automation' implementations (System 2 response paying lip service to System 1 interactions).

I also wonder whether a marker for robust, maturing infosec posture is that any measure introduced that delivers a System 1 outcome should have a System 2 corresponding capability performing analysis on effectiveness, efficiency, relevance.


Hi David,

You nailed the main action item: there has to be some level of integration between System 1 and System 2 activities. Most of the time they are separate, which I think is a major contributing factor to infosec's current state of affairs. It's not that people do not spend money and it's not that people are not working hard, but they are not rowing together.

Jarrod Stenberg

Great insight.

Now if only I can find a way to attach my System 2 design to a small project that doesn't even want to talk to a security guy in the first place. I think I'll just conclude that they don't care or that they are too stupid to get it when they stop inviting me to their meetings.


"System 2 design to a small project that doesn't even want to talk to a security guy in the first place." Says it very well.

When we come in with these uber-long lists of requirements, it feels like we're telling someone to read War and Peace before they can make a grocery list and dash out to the store.


Interesting thought, Gunnar. This also raises the training point again, though, as the purpose of training is to take a type 2 activity and make it a type 1 activity--like a martial art.

Or do you think this doesn't apply?


@DanielMiessler - That's a great example. And if you think about it that way, it should mean that most trainings become way more focused, way more practitioner oriented.

A lot of security training mirrors the security policy; it's a kitchen-sink exercise. "Everyone say 'Least Privilege'" but following your logic, then I am going to carve out the bits that I want to transition to System 1. Then the training is more on the lines of why and how to do this instead of a series of System 2 whats.
