05 Oct 2007

The Conscious Competence Security Model

A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it and then I forgot but I was reminded of it again when I read this article by Richard Bejtlich.

He in turn is discussing CIO Magazine's Fifth Annual Global State of Information Security which is worth a read especially if you are in the Information Security field.

It was these two quotes that reminded me of the Learning Model -

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
and

As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
This sounds very depressing and sounds like we should just throw in the towel but I think it is more positive then that.

The Conscious Competence Learning Model has many different names and versions but the concept is as follows:

  1. At first you are blissfully unaware of how much you don't know.
  2. Then you start learning and get overwhelmed once you learn just how much you don't know.
  3. Then you learn some more and you struggle along learning all the time.
  4. Then you become a professional and know everything without having to think very much.


My Information Security spin on this is:
  1. At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
  2. Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
  3. You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.
  4. All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.
From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.

My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.

Obviously the size of the company and what sector the company is in would help determine what step they are on. As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.

A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it and then I forgot but I was reminded of it again when I read this article by Richard Bejtlich.

He in turn is discussing CIO Magazine's Fifth Annual Global State of Information Security which is worth a read especially if you are in the Information Security field.

It was these two quotes that reminded me of the Learning Model -

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
and

As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
This sounds very depressing and sounds like we should just throw in the towel but I think it is more positive then that.

The Conscious Competence Learning Model has many different names and versions but the concept is as follows:

  1. At first you are blissfully unaware of how much you don't know.
  2. Then you start learning and get overwhelmed once you learn just how much you don't know.
  3. Then you learn some more and you struggle along learning all the time.
  4. Then you become a professional and know everything without having to think very much.


My Information Security spin on this is:
  1. At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
  2. Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
  3. You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.
  4. All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.
From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.

My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.

Obviously the size of the company and what sector the company is in would help determine what step they are on. As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.