Thursday, July 08, 2010

responsibility? what's that?...

... i don't wanna think about it. we'd be better off without it. </music>

responsibility is a concept that gets bandied around frequently in the security domain. accusations of irresponsibility fly one way, denials and dogmatic ideology fly the other. i wonder, though, if the concept has become so overused that it's become little more than an abstraction.

i suspect we've all been accused of being irresponsible, back when we were teenagers, and that's the first thing that pops into my head when i think about irresponsibility. i think that association between irresponsibility and immaturity is pretty strong and probably a serious driving force in some of the knee-jerk reactions to the claim.

the fact is, though, that it's not really a binary trait. you don't magically stop being irresponsible when you grow up. instead you (hopefully) become less irresponsible when you grow up - but you're always going to be a little irresponsible in one way or another.

part of the growing up process means learning to do things even when (or especially when) you don't want to because those things need to be done. that's part of what it means to be responsible - to be aware of and responsive to one's obligations to those around us, to society at large, etc. before we grow up, however, we don't think as much about consequences, or the big picture, or our obligations. as children we mostly think about ourselves. we begin as thoughtless beings and gradually become aware of more and more. much of our irresponsible childhood behaviour is rooted in this thoughtlessness - if we were aware of how we were affecting others (and not just in an abstract way) we probably would behave differently.

awareness and thoughtfulness, like responsibility, aren't binary traits. no one is perfectly thoughtful or completely aware as adults, so there is still room for those to lead to irresponsible behaviour, even in adults. drunk drivers are generally not aware of how impaired they are, even though they know they're drunk. they don't know how badly their reaction time or judgment has been affected. when we buy certain products we aren't aware of all the things that went into making that product and getting it to us. we aren't aware of the environmental or perhaps social consequences that supporting the industry that produces that product has. there's plenty of room for us, even as adults, to be more responsible than we actually are.

now when i was growing up, my favourite superhero, without a doubt, was spiderman. spiderman, as it turns out, is pretty much the poster boy for responsibility - always obsessing over doing the right thing, always blaming himself and beating himself up over his failures to protect those around him. he's even haunted by an admonition from his late uncle "with great power there must also come great responsibility". i mention this because it seems to me that in the security field we actually have an astounding amount of power. the things we say and do can sometimes affect millions of people - and i don't just mean the security researchers who put entire user populations in harm's way by disclosing new vulnerabilities to the public before they're fixed - even someone like myself who mostly just talks about security can inadvertently put many people in harm's way. it stands to reason, then, that since we have the potential to do so much harm we should be holding ourselves up to a much higher standard of responsibility than the average person. that's easier said than done, however.

if our irresponsible behaviour as adults is still rooted in a lack of awareness of some sort then you can't just say we should be more responsible and expect it to magically come true. having recently been lucky enough to deduce a different sort of lack of awareness in myself i can attest to the fact that if you lack awareness of something you probably won't know it. you won't be aware of it, and if you should become aware of some sort of awareness deficit that doesn't automatically mean you'll also gain the awareness you were lacking. it's like when you finally realize you don't know something - that simply means you've become aware of your own ignorance, the ignorance itself isn't eliminated.

oftentimes we're only aware of the things that directly affect us. we aren't aware of the impact we have on the world because the world doesn't always give us feedback. mike ellison (aka stormbringer, a virus writer from way way back) got that feedback and it changed him profoundly. in the absence of anything like that, however, we're left with what can be the surprisingly difficult task of trying to remain aware of the impact we have on individual people, companies, etc. all over the world. if that's not something that already comes naturally, nor a skill you've managed to develop, then maintaining that awareness (or even the presence of mind to try and maintain that awareness) can be very difficult - and that assumes you're even aware of the need to maintain that awareness.

if you're in security and never experience those peter parker-like moments where you question what you're doing, if you're not exercising restraint even when you don't want to, if you're just going through the motions of your day-to-day life, not thinking about the world and your obligation to the people in it to not cause them harm, then maybe you have actually been irresponsible. maybe you need to work harder to be better than you currently are.


Unknown said...

Great article -- and one that needs wider distribution. In my opinion, the security industry as a whole suffers from this, and not necessarily because it's something they just don't think about. It seems to me that it's much more about attitude and arrogance. People working in security think/believe that all they do helps people and keeps them safe, and that they themselves know better and are thus infallible. I'm not talking about "abuse of power/position", just the pattern of thinking that "I know better than you". Actually, this goes along with just about any specific field of endeavor. I've done it myself -- but as soon as I realize it, I correct whatever damage I've done as best I can.

Thought-provoking articles such as this are few and far between. Well done!