When I started this blog over a decade ago, my understanding of postmodernism arose from my college studies of art history and aesthetics. Like Camille Paglia, I was not a fan of the movement or the result: the soul-crushing commoditization of art. I used the title as a pretentious insider joke to highlight the deplorable state of cybersecurity, a field increasingly driven by disingenuous vendors and practitioners who valued profit over stewardship.
Only now, as I have read more about the movement and learned to appreciate the perspective of one founder, Foucault, do I realize how appropriate the title of this blog is. “The insurrection of subjugated knowledges” is Foucault’s famous quote from Society Must Be Defended, where he spoke about how long-suppressed cultural wisdom is rediscovered, challenging the dominant power structure. Originally, I chose the name as a commentary on the current state of cybersecurity because my work felt repetitive and meaningless, like being on an assembly line. Going to different organizations didn’t seem to matter. More mature, less mature, they always had the same problems, which were rarely technical. The biggest challenge I saw was how security practitioners treated the people within the organizations they claimed to serve. Anyone outside the security team was victim-shamed and blamed for their purported cluelessness, as if they were at fault for failing to make cybersecurity the central locus of their daily work. Security organizations often tyrannized the very people they were meant to serve.
This behavior seemed counterproductive and demeaning, especially as I learned more about Nonviolent Communication and other conflict resolution techniques. I considered that peacebuilding methods might be useful in creating collaboration and alignment between stakeholders. Not many security practitioners seemed interested, but as organizations transitioned to DevOps, which emphasized these attributes, I found some like-minded people.
I also observed similarities with the criminal justice system, in which the predominant punitive, shaming narrative hasn’t been shown to decrease crime or support victims. But an alternative approach, restorative justice, shows promise. Restorative justice is focused on repairing the harm from crime and restoring community, while also upholding the dignity of all parties involved. The set of practices aims to process the shame experienced by stakeholders of crime to effectively rebuild relationships in a community, which reduces recidivism. It has already been successfully expanded to educational settings and I wondered if it could be useful within the field of cybersecurity as well.
The research I found helps support this use case. The security community’s fixation on methods based on Protection Motivation Theory, or fear appeals, hasn’t demonstrated much success. Additionally, the use of shaming, highlighting how users fail in their attempts at implementing security, only seems to alienate the very people whose cooperation we need. What does encourage voluntary security behaviors from members of an organization? Feeling supported in a workplace community, a primary goal of restorative justice.
As the practice of cybersecurity becomes increasingly commodified, but decreasingly constructive, isn’t it time for us to re-evaluate the way we operate within organizations? Will we continue to use shame as a tactic to enforce desired behaviors even though it has been shown to be fruitless and even harmful? Isn’t it time we evolved past our FUD-infused approaches, recognizing that users are our allies?