Instantiating Complexity with Simplicity and Heterogeneity as Descriptors
How we engage with complexity is shaped by our understanding of its structure, which in turn frames our ability to communicate those challenges simply and effectively. Complexity is quick to reveal itself when moving between the simple and the complex, an observation not lost on application security professionals who create policy documents establishing an organization’s guiding principles. The task of creating effective policies, which seek to generalize security principles from numerous unique instances in an effort to guide and cultivate security-conscious behavior, is a compelling example of the oscillation that simplification attempts to balance and hold in place. John Law, a British sociologist, has written much about how complexity can be sketched. For this piece, I’ll be using his perspective and his conception of simplicity and heterogeneity to examine how they can be used to explore complexity.
Simplicity can be summarized as presenting information in a format that can be easily grasped and manipulated. Practically, this involves limiting the number of elements the reader must contend with. For example, a popular security principle application developers might encounter is one that requires minimizing an application’s attack surface. Although the coding principle “minimize the attack surface” can easily be grasped by a developer reading a policy document, attempting to comprehensively substantiate the principle would fall outside the scope of a high-level policy document. It would not be practical to have a new developer spend hours reading about the technical, economic, and political pressures that led to its inclusion in the policy document. However, for simplification to be effective it must be balanced, which is where Law’s concept of heterogeneity comes into play. [1]

[1] Law, John. 2006. “On Hidden Heterogeneities: Complexity, Formalism, and Aircraft Design.” P. 120 in Complexities: Social Studies of Knowledge Practices, edited by J. Law and A. Mol. Durham, NC: Duke University Press.
The principle “minimize the attack surface” foregrounds the importance of reducing the attack vectors available to an attacker while simultaneously backgrounding a number of equally important considerations. Law defines the oscillation between what is present and what is absent as heterogeneity. The political, economic, technical, and personnel costs that the coding principle backgrounds, costs that will be paid by an organization and its employees when they must contend with security incidents stemming from an application with an unnecessarily large attack surface, are absent from the principle’s wording, yet materially they are very much present. Political and economic costs, not to mention personal costs that could be quantified in reduced sleep, lost family time, and missed birthdays, are absent but concrete, and they will either contribute to the simplification remaining in tension or to its disintegration. Minimizing the attack surface is not only part of a business formula to directly reduce the risk of an application being compromised; it also accounts for a very real material absence, which in our case helps an organization maintain a security-conscious working environment that avoids placing unnecessary strain on its developers by considering security throughout the software development lifecycle. [2]

[2] Law, John. 2006. “On Hidden Heterogeneities: Complexity, Formalism, and Aircraft Design.” Pp. 121-24 in Complexities: Social Studies of Knowledge Practices, edited by J. Law and A. Mol. Durham, NC: Duke University Press.
The strength of a security principle like minimizing an application’s attack surface lies in its ability to maintain the tension of heterogeneity as it oscillates between the present and the absent. Although simplified application security principles rarely include social, economic, or political costs, balancing their absence against what is actually present is crucial to the success of those principles. Law states this clearly: “the stability and form of artifacts should be seen as a function of the interaction of heterogeneous elements as these are shaped and assimilated into a network.” [3] In other words, the strength of a simplification is contingent on the ability of a heterogeneous assemblage to preserve the tension that exists between the differences its elements embody.

[3] Law, John. 2006. “On Hidden Heterogeneities: Complexity, Formalism, and Aircraft Design.” P. 136 in Complexities: Social Studies of Knowledge Practices, edited by J. Law and A. Mol. Durham, NC: Duke University Press.