Events in the news, future possibilities, and situations close to home are often presented in black and white terms. But more often than not reality is much more variable. And if we mistakenly accept a black and white view of the world then it becomes much more difficult to respond effectively—because we just don’t see things as clearly as we could.
I came across a good demonstration of this black-and-whiteness today. CESG, which provides information security advice to the UK government, recently switched its advice on passwords from “Your users should change their passwords frequently” to “Your users should not have to change their passwords frequently”. To me, the notable thing about this is that on the one hand the advice flipped, and yet on the other hand the world had not flipped—it has continued changing and evolving almost imperceptibly day by day.
This is a great example of something which is superficially black-and-white, and yet clearly based on a world of gradual change.
CESG’s reasoning for the change is of course perfectly sound, and if you are someone who doesn’t have the time, resources, or inclination to create a robust password policy of your own then this is the advice for you.
However, if you’re someone who has the capability, capacity and inclination to take more control of your own password policy then you’ll probably have been looking at the underlying reasons yourself, and have been making your own judgement on what’s best for your own situation. Those underlying reasons all relate to a complex world. CESG says that for some people the policy change was not unexpected, which implies they know there are people who are making their own judgements, and who will have made those judgements ahead of anything CESG might have announced.
This is an example of taking control. People who want to take control of this aspect of their security policy can do so much more effectively by looking at the nuances.
And so it is with other aspects of our daily and working lives. Problems which are presented as black-and-white “risks” can be understood better if we look for the variability, and see them more broadly as areas of uncertainty. That can help us find better potential solutions. Issues which are presented to us in black and white terms can similarly be handled more effectively if we seek out the details.