The happy secret to better work

This TEDx presentation on how happiness leads to success - https://www.ted.com/talks/shawn_achor_the_happy_secret_to_better_work - was 12 minutes well spent. In particular, it advocates being happy in order to achieve success, rather than aiming for success, a goal that always moves once you reach it.

I think this kind of concept has massive ramifications for cyber security, a notoriously pessimistic industry. I mean the industry is understandably "glass half-empty" given the challenges it faces, but that doesn't mean those in the industry can't indulge in a little wilful self-deception, or confidence, to improve their abilities and chances for success.

Of course maybe the solution is to have a process as a goal: "always strive for a better job", with the knowledge that you are kind of always succeeding at that goal if you're always striving.

And, of course, that completely goes against everything you'll read about goal setting, which advocates the "Specific, Measurable, Attainable, Realistic, Timely" approach. Increasingly I think that's suitable for projects, not so much for your personal objectives.

The Utility of War Gaming

This can be found at https://wavellroom.com/2017/11/21/the-utility-of-war-gaming; I'm "cheating" here slightly because I actually discovered this in November last year, but it came up in the Wavell Room's Twitter feed, and as I started reading it, and enthusiastically nodding along, I realised I'd read it before.

Of particular interest is the emphasis on command, and how useful dice are in providing factors you weren't aware of or don't understand. As long as the umpires can explain the effect of the dice, they're just a device, rather than some kind of destiny or fate that decides if you win or lose.

DtSR Episode 302 - InfoSec Superhero Syndrome

This was an episode of the Down The Security Rabbit Hole podcast, which you can download or listen to here: http://podcast.wh1t3rabbit.net/dtsr-episode-302-infosec-superhero-syndrome

I was driving at the time so I didn't take any notes, so all I can say is that this is worth your time. Excellent points on how cyber security people don't scale, and how security practitioners trying to do everything is not only inefficient but leads to burnout. It was just really refreshing to hear something I've been thinking but have not really said: that it's OK to admit that you don't know something, and that actually it's better to do so than try to wing it.

A New Approach to Command Post Training

An interesting article from the Wavell Room, a thoughtful website I discovered thanks to a Peter Apps (https://twitter.com/pete_apps) tweet; you can find this specific article here: https://wavellroom.com/2018/07/10/a-new-approach-to-command-post-training/

The article highlights how unrealistic current Command Post training is for the British Army, and the following points really stuck out for me, in relation to my own interest in wargaming, and my investigations into Incident Response training:

  • The unrealistic environment: it appears that these command posts are much more comfortable than those in the field, whereas you want people to be aware of how those kinds of situations affect their decision-making ability.
  • Lack of friction: a common problem with wargames is modelling all the little things, the miscommunications, the misunderstandings, that just make life harder.
  • Steady injects: as a training exercise designer... as you would as an RPG DM, or as a video game designer... you want the exercise to adapt to the skill level of the players, and push them to become better - a predictable stream of injects at a regular pace won't do this.
  • Train tracks: the term used when a predictable set of injects is used. Understandable as it's easy to create and play, but terrible when you're training people to deal with the unexpected, especially as an adversarial force.
  • Failure: to me one of the main points of a wargame is to have a "safe space" where players can fail; that way they learn what does and doesn't work, and they learn their limits, in a space with no consequences.
  • Playing divisions against each other: I love this idea from the article, because it reminds me of TRIZ's "use the problem as the solution" concept (which I've probably over-simplified). Training exercises suffer because there is no red team to play against, and also they're expensive because you have to run one for every division. So why not have the divisions fight each other, therefore running two exercises for the cost of one?