Can experience be a hindrance in making security decisions?

Some interesting insight from the Harvard Business Review’s January 2020 IdeaWatch section:

A study looked at how people react to information which indicates that a decision which they have already made and acted upon was incorrect. In two separate experiments, the findings were similar – when more experienced people were given the negative information, they were more likely to stick to their (now dubious) decision. For example, among cardiologists who had previously used a medical device which was later the subject of an FDA warning, usage of the device dropped by 56% overall, but the more experienced the doctor, the more likely they were to be part of the 44% that continued using the flawed device.

I think that this is something we security folks need to think about. Experience is really valuable in many cases – it gives us a storehouse of knowledge and past results to draw upon when presented with a new problem. However, the security field moves really quickly and sometimes, an issue which looks like something we have encountered in the past can be a totally new threat. Sometimes, the tried and true techniques that we have relied on for years are just not going to cut it.

The researchers suggested that, when dealing with more experienced persons in a problem solving situation, it may be useful to engage them “in perspective-taking exercises to clarify how a less experienced person might understand the situation better.” They also suggested that more experienced personnel may need to be encouraged to seek out and consider information which conflicts with their beliefs to see if their assumptions still hold up.

As an, ahem, “more experienced” security professional, I think it is really important to ensure that everyone on the team feels comfortable proposing hypotheses and solutions when problems arise, whether they are senior or junior. Having a diversity of experience and viewpoints can only lead to more imaginative and comprehensively vetted solutions. Getting opinions from team members who make fewer assumptions about the underlying cause of or solution to a problem can lead a team to a better outcome. Sometimes that means drawing out ideas and opinions from people who may feel uncomfortable challenging the “received wisdom” of their managers.

Most importantly, I believe that it is important to be willing to update one’s beliefs in the face of new information. Experience is an important and valuable resource, but as this research shows, it can also blind us to new and better solutions.

*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by Al Berg.