Improving Your Complexity Value Behaviors

Returning to Warren Weaver and the idea of organized complexity, it is difficult to understate the significance of his differentiation between types of complexity. The security industry today has become very concerned with complexity, but I believe that it may not appreciate how enormous is the size of the wrench that is thrown into the analytical gearbox when a system moves from disorganized to organized complexity. The promise of big data has been touted as being able to find patterns that will allow us to predict system behavior in aggregate, even when we cannot predict the behavior of individual system components. But that assumes disorganized complexity, where everything in the system follows the same rules, which can be determined. When complexity starts organizing itself, you get different rules in different parts of the system, and the distribution of organization may itself be random. That's not a system with a million things behaving individually according to complicated rules. It's a system composed of millions of those systems, all doing their own thing but impacting each other.

It may be possible to analyze that too, but Weaver's point was that we haven't discovered how to do it yet.

HRSPs don't try to discover how to analyze and predict systems of organized complexity. They simply try to find ways to survive and thrive within those systems.

They do this by facing the implications head on. You will never understand exactly why your security systems behave the way that they do. You may understand a technology product pretty well, but people are part of that system too, and once they get involved, all bets are off. You can manage against the complexity, but you will always inevitably be surprised by emergent behavior. Instead of hoping things work the way they predicted, HRSPs spend a great deal of time and effort thinking about the ways they won't.

Improving complexity value behaviors can, paradoxically, be liberating. When you accept that you are not in complete control, you can stop putting so much effort into convincing others that you are. It opens up avenues for collaboration and cooperation that are fruitful and even pleasant, breaking down barriers between the silos of the organization and inviting people to work together to master their complex, surprising environments. People are problem solvers by nature, and people-centric security devotes itself to solving not only the problems that come from specific threats or vulnerabilities, but also the problems that come from the lack of interaction and sharing of information that keeps people locked into risk-inducing behaviors in the first place. Complexity is the most direct link between the Security FORCE Behavioral Model and the Competing Security Cultures Framework, addressing the relationships between human beings that cause complexity to become organized to begin with.