Note: This is the first part of a two-part series on skepticism in security.

Securosis: A mental disorder characterized by paranoia, cynicism, and the strange compulsion to defend random objects.

For years I’ve been joking about how important cynicism is to be an effective security professional (and analyst). I’ve always considered it a core principle of the security mindset, but recently I’ve been thinking a lot more about skepticism than cynicism.

My dictionary defines a cynic as:

  1. a person who believes that people are motivated purely by self-interest rather than acting for honorable or unselfish reasons: some cynics thought that the controversy was all a publicity stunt.
     * a person who questions whether something will happen or whether it is worthwhile: the cynics were silenced when the factory opened.
  2. (Cynic) a member of a school of ancient Greek philosophers founded by Antisthenes, marked by an ostentatious contempt for ease and pleasure. The movement flourished in the 3rd century BC and revived in the 1st century AD.

Cynicism is all about distrust and disillusionment; and let’s face it, those are pretty important in the security industry. As cynics we always focus on an individual’s (or organization’s) motivation. We can’t afford a trusting nature, since that’s the fastest route to failure in our business. Back in my physical security days I learned the hard way that while I’d love to trust more people, the odds are they would abuse that trust for self-interest, at my expense. Cynicism is the ‘default deny’ of social interaction.

Skepticism, although closely related to cynicism, is less focused on individuals, and more focused on knowledge. My dictionary defines a skeptic as:

  1. a person inclined to question or doubt all accepted opinions.
     * a person who doubts the truth of Christianity and other religions; an atheist or agnostic.
  2. Philosophy: an ancient or modern philosopher who denies the possibility of knowledge, or even rational belief, in some sphere.

But to really define skepticism in modern society, we need to move past the dictionary into current usage. Wikipedia does a nice job with its expanded definition:

  1. an attitude of doubt or a disposition to incredulity either in general or toward a particular object;
  2. the doctrine that true knowledge or knowledge in a particular area is uncertain; or
  3. the method of suspended judgment, systematic doubt, or criticism that is characteristic of skeptics (Merriam-Webster).

Which brings us to the philosophical application of skepticism:

In philosophy, skepticism refers more specifically to any one of several propositions. These include propositions about:

  1. an inquiry,
  2. a method of obtaining knowledge through systematic doubt and continual testing,
  3. the arbitrariness, relativity, or subjectivity of moral values,
  4. the limitations of knowledge,
  5. a method of intellectual caution and suspended judgment.

In other words, cynicism is about how we approach people, while skepticism is about how we approach knowledge. For a security professional, both are important, but I’m realizing it’s becoming ever more essential to challenge our internal beliefs and dogmas, rather than focusing on distrust of individuals. I consider skepticism harder than cynicism, because we are often forced to challenge our own internal beliefs on a regular basis.

In part 2 of this series I’ll talk about the role of skepticism in security.