The title of this post is an old medical school adage. It suggests, loosely, that when a doctor learns of symptoms, usually the most common cause of the symptoms is the culprit. The challenge of knowledge and experience is the natural desire to consider extremes, often in the pursuit of diligence. This adage is a simple reminder for doctors that a fever is more likely a cold or flu – and not Hemorrhagic Fever. Philosophers and logicians have a similar saying known as Occam’s (or Ockham’s) razor, named after a 14th-century English logician William of Ockham. In the Latin it is lex parsimoniae: 'entia non sunt multiplicanda praeter necessitatem' but in English we know it as 'All other things being equal, the simplest solution is the best.'
These principles are important to the way we practice information security.
Almost 25 years ago I worked for a husband and wife who ran a software development house in a small town in Oklahoma. It was my first real job with computers and my first real job since I’d gotten out of the Navy. One week I was sent to a training class in Dallas, Texas and while there, the other students in the class started sharing the tech version of ‘war stories.’ One story, from a man who lived and worked in an even smaller town in Alaska, has stuck with me to this day. John (not his real name) was the system administrator, technical support, cable puller, software installer, you name it, for all the government offices in this town in Alaska. John explained he was constantly called by one of the city secretaries complaining she could never access any of the files she was saving. She went on to explain to John that she was following all of his instructions to the letter, the system was giving all the proper indications that the files were being saved, etc.
It is important to remember what computing was like over 25 years ago. The system was using, at best, 5.25″ floppies for storage (do you have any of those lying around?). John was stumped after spending several days and many hours on the phone with this secretary trying to troubleshoot the problem. In the process, he replaced the hardware, installed new software, tested every component of the system he could think of and went over the process with her again. Exasperated, he finally decided to just sit back and watch her work one day. As the day progressed, John was actually impressed with her proficiency. As she completed her tasks for the day, she put a brand new floppy into the drive, successfully saved her work, removed it from the drive, and promptly swiveled around in her chair, rolled the floppy into her typewriter, and banged away at the keys so as to label it. John says when he saw that he laughed so hard he fell out of his chair.
The lessons I learned from this story, which stick with me to this day:
- While it is sometimes fun, in a perverse way, to imagine that the events in our daily professional lives parallel those in the book The Cuckoo’s Egg or the movie Sneakers, when something goes wrong with a system or data or connection that is under one's purview, the vast majority of the time the culprit will be a poorly trained worker, or a well-meaning admin just trying to get their job done,
- When trying to identify and quantify risks to the business, be realistic: focus more on what might actually be threats to the business and spend less effort on uber-hackers, or flying ninja monkeys, or marauding foreign governments, and finally
- Save yourself some time and aggravation by keeping John from Alaska and William of Ockham in mind and “when you hear hoof beats, don’t look for zebras.”