By Uri Biber
The root of all problems, Baron Münchhausen, why “no” fails, and why Buddha was a hacker.
Please, don’t continue reading. Unless you’re willing to give up everything you thought was true about information security awareness, I gently ask you to stop. If the only thing you’re interested in is how to distribute awareness material to the employees of the organisation you belong to, this series is not for you. If you think that you can make people aware of anything by explaining it to them, this series is not for you. If you believe that computer-based training can make anyone aware, please stop; this series is definitely not for you.
Awareness is an experience, not a target. You (think you can) acquire targets, you live an experience. Information security awareness is an experience, not a target. Targets are by nature predefined, finite. True experiences are personal, subjective, multi-layered. True experiences are challenging, life changing, painful, breath-taking, beautiful, unique. Targets give you the illusion of achieving something without taking into consideration the whole picture.
Are you truly willing to change the way your organisation perceives information security? Are you truly willing to let go of old paradigms? Do you really understand what you’re asking for when you say you wish to make people more aware of anything? If you wish for targets, this series is not for you, so please don’t continue, and thank you for reading so far.
If you choose to continue because you realised that what we do right now in order to create a shift in awareness of information security does not work, may I gently remind you that the previous three articles can give you better insight into this article? If you choose to continue, know that I’m here for you, and that I love you for your courage. Thank you.
The mini-bus that took the six kids from the special needs school to two days packed with activities near the sea finally arrived at the parking lot near the school, almost an hour later than expected. As the door opened, one child burst out screaming, shouting, and crying.
That child was my son, Rephael.
When Rephael saw me he ran towards me. I opened my arms, and he just came, hugged my body and cried. I hugged him, held him tight to my body, allowing him to cry his heart out while finding shelter in my presence.
As Rephael was hugging me I saw the other kids get off the bus with big smiles, excited to come back to their beloved parents. “It’s OK”, I told Rephael, “It’s OK”.
After a minute or so the school manager who arranged the trip and was with the kids at the sea came to me. “What happened?” I asked this wonderful woman who has been taking care of Rephael for the last 3 years. “Oh, the ride back was horrible. Since we entered the car Rephael refused to sit quietly. He just said ‘1 2 3 go’ and tried to make us stop. He tried to open the door while we were driving, he was screaming and shouting and it was really, really hard. Other than that everything was ok with him during the trip”. As she was speaking I felt the experience had left a deep trauma not only on Rephael but on her as well. Rephael suddenly stopped hugging me, went to my car, opened the door, went inside and shut me, the school manager and the rest of the world behind him.
Rephael is non-verbal, which sometimes makes his life extremely frustrating. He can say one word (such as the name of his sister, his brother, food items, etc.). He remembers sentences from animation movies (e.g. “Toy Story”) and can say them, yet he seems to be unable to create his own sentences. When he is extremely tired, this inability to express what he wants, why he wants it, or how he wants something can sometimes make him lose the endless smile, laughter and love he radiates. However, there is one word in the universe of words we verbal humans say that Rephael has never been able to accept, and that word is “no”. Even hearing that word creates pain in him: his body goes into a state of shock, he starts to cry, all his tenderness goes into a phase of breaking down. To me it feels he fears the word “no” like most people fear … death.
Most “normal” people look at Rephael and don’t understand it. We consider it “drama”. This is why Rephael experiences so much pain in his interaction with us, the “normal”. Most of us don’t understand this deep pain because we are “no” experts. We are so good at saying “no” that if there were an academic path to “no-ism” we would all be entitled to receive a PhD in it.
What most people don’t know is that we all have autistic traits within us. The reason why our inability to accept a simple “no” is invisible to us (and sometimes to others) is that it is buried under years of societal confinement and behavioural codes that were engraved in us before we were even aware of them. Deep down inside of us we all react to “no” the same way Rephael does; the difference is that we learned to suppress it, to find ways to not re-live that pain, to make it unconscious. We might be experts in saying “no” but almost all of us (me included) are far from being experts when it comes to understanding ourselves, and reality.
If you ask yourself why I wrote about Rephael, remember Nancy Reagan and her “Just say no” approach to drugs. If your approach to information security awareness includes a lot of negative statements such as “do not click on links in an email from unidentified sources” or “do not give away your password”, or even “if we do not implement [information security technology] we will be vulnerable”, what you are doing is igniting an unconscious storm within the person you are communicating with. They might be able to suppress it, but sometimes, like Rephael, the storm will be so strong that they will not be able to resist their body and brain, and it will leave them acting in a way that creates a trauma for them and for the rest of the organisation they are part of.
It might be hard for you to accept the above statements. If so, please know that I feel you. Accepting the fact that we don’t understand ourselves, realising that whatever edition of reality we subscribed to and whatever story we have been told or told ourselves about reality is nothing but a fabrication, is counter-intuitive and against what our mind is telling us.
Our tendency as information security awareness experts is to focus on “the problem”, which is usually summarised with something like “lack of awareness of information security”. This approach, a target-oriented one, is similar to treating a patient who is complaining about severe pain by administering painkillers without identifying the real issue, which could be a fatal disease such as cancer. Sure, a painkiller will suppress the pain, but by not handling the root cause you’re not really helping your patient, you’re actually killing them.
“The root problem of all problems is (the) mind itself…Unless you know the nature of the mind you will not be able to solve any problem (in) your life. …No individual problem exist, mind *is* the problem.” (Osho)
OK, root cause analysis is finished. We can finally start to…. Wait, the mind is the problem? How exactly? I think therefore I am! My mind is the only problem? Not the hackers? Not the NSA? Not the stupid users? Not even my mother?? I’m sorry, it doesn’t make any sense!
“It doesn’t make any sense” means something that is not understood. As long as we don’t understand our mind (which is a sense) we are left with a sense that doesn’t make any sense.
We do try to understand it, at least some of us do. We try to understand the reality around us using our minds, which is why we fail, because our mind has a limited understanding of the system we call reality. Unless we recognise that our mind is a sense, and that it is limited, when we try to solve our problems we act as if we are trying to get ourselves out of the swamp by pulling our hair with our hands. There is only one man in the history of humanity for whom this worked (for him and his horse) – and that’s Baron Münchhausen.
We are lucky that we have an answer to that problem, and we have had it for at least 2500 years.
The Fresh Prince of Kosala
The story of Siddhartha Gautama, whom most people know as Buddha, is fascinating because Buddha was a hacker. The system he was hacking is our perception of reality, or life as we know it. Here are some elements in his story to support this claim:
- Buddha was born into a world that tried to protect him from experiencing a system via various restrictions.
- Buddha discovered that there are some painful elements of the system he cannot escape (four noble truths).
- The internalising of that fact ignited his personal journey to explore the system. Buddha gave up the comfort of the protective world (closed system).
- Buddha realised that the path he is choosing at any given time allows him to experience the system regardless of the previous experiences one had with the system.
- Buddha tried various techniques in order to reach the understanding of the system he was investigating, but he realised that none of them were adequate enough. He started to enhance them.
- Buddha then started to develop his own tools, a new approach, one that he called “the middle way”. This was a state of tuneful harmony, a way in which he was operating in alignment with the system. He theorised that the best way to own a system is not by trying to over-control everything in the system, or to ignore elements in it. Buddha theorised that the best way to own a system is to become an integrated part of the system, to become the system.
- Like all great hackers, he came up with a cool name for his finding (what is known today as state of mindfulness).
- Buddha didn’t only develop a theoretical approach – he experimented with the system by himself, taking upon himself a huge risk and great torment. This experience allowed him to be fully aware of his system, to understand it, to “own it”.
- Buddha didn’t keep his findings to himself but dedicated his life to sharing his knowledge with his community for free. This made him admired by many people in that community (also known as humanity). Buddha is one of the world’s most legendary hackers, and we all owe a deep gratitude to him, even though he lived 26 centuries ago.
What type of a hacker was Buddha? Some people divide hackers into groups: black, white, grey. If you had asked Buddha’s dad, I’m sure he would have told you that his son was a black hacker – he broke rules, he broke the system without approval, and he did it for his own personal gain. However, even his own dad acknowledged at a later stage that his son made the system stronger via his actions. Next time you read about a hacker, ask yourself if you can observe his actions without the judgement which is based on your perception of reality.
Buddha’s findings can provide us with an understanding of why the current perception of reality we hold is mistaken, and why our perception (aka “awareness”) of information security is the root of the suffering we are experiencing in it. The next article in the series will dive into the teachings of Buddha, and what we can learn from them in the way we approach information security as a whole and awareness in particular.
Blessings and love
© All rights reserved 2014