BYOI (Bring Your Own Identity): 1+1=3

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Buffer 0 Email -- 0 Flares ×

BYOI is a series I’ve decided to create to “talk” about #identitymanagement so it is about #security, #governance, #management and many other aspects of the #IAM realm.

You’re in front of a registration form of a webpage. What you do? Beside the obvious answer, what I am asking is: what your eye will do, what is your reaction to the form? how do you choose the username,password, information to be typed in the form?

There are many studies that analyze our reaction to a situation, UX experts should design interfaces with the intent to help us to use their application in a easier way not reverse. In sociology and psychology this is called “situational method”

The situational method is the one in use by the experimental physiologist and psychologist who prepare situations, introduce the subject into the situation, observe
the behavior reactions, change the situation, and observe the changes in the reactions.


The “Situational method” is applicable to many aspects of our life and, of course, to security or maybe to those aspects of  security that involve access to data or resources but I wonder do we use it in a proficient manner? Have the IT the correct "human resources” to design a map to that help the Business vision to become a strategy and at the very end a successful execution?

I’ve briefly explained the relation between the “Innovation Adoption Curve” and the “Moore’s Law” and how one proceed slower then the other creating a despair of perception that could lead to a lack of security. You can read the post here.

As said in the post I define myself and those who were born before me or in the same years digital immigrants  and with this definition I mean that our approach to technology is blind not because we are not able to understand it but because what we handle everyday is something we saw being invented but we’re still trying to fully understand and  fit in the technology puzzle.

The binary error

Do you remember the first lesson in mathematics of your life or, for those who got children’s, the first lesson (always in mathematics) you have taught to your kids?

let’ say it was something like:

1+1 = 2

Probably it was not exactly a lesson but simply a way to help you/them to learn numbers and the magic behind them. Nothing wrong with it, I mean after all the formula is (seems) correct with just a slight “issue”: it’s a binary formula or better is an Aristotelian  view of the mathematics.

Aristotle was a Greek scholar who is often looked upon as the father of logic, or more precisely binary logic. Binary logic is based on the idea that everything is either A or not-A. It is the logic you are forced to use when you take a true or false test. It’s also the logic computers are based on. Electricity or not-electricity, 1 or 0.

From Fuzzy Logic  –

This is what we learn since the very first day: things are not always black or white but not in logic and mathematics, there everything is explained and got is own place. The digital immigrant still live in a world where computers are full of 1 and 0, where to every action  always follow a reaction ( oh by the way: if action= 1 and reaction =0 you’re again in a binary decision) and even worse the digital immigrants in the late years start to thing that his ways to approach new technology were far from a  binary strategy.

Before explain what is a binary strategy I would like to explain my point of view better:

As said we learned to look at things, in a logical/mathematical way since we were kids and it was an Aristotelian approach. This is not a wrong or right method is just the way we were introduced to the mathematics and later to the logic or to the probabilistic calculation. An example?

Risk Management should follow something like this:

  • identify, characterize threats 
  • assess the vulnerability of critical assets to specific threats
  • determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  • identify ways to reduce those risks
  • prioritize risk reduction measures based on a strategy

Let see the “list” in the specific:

  • identify, characterize threats : binary is a Boolean decision you “think” could be this but not that or both
  • assess the vulnerability of critical assets to specific threats : binary again you simply define the yes/no list of threats
  • determine the risk: binary again  you compile the list of what will happen if the potential threat is true or false.
  • identify ways to reduce those risks: binary decision again is a list full of “if this is true than this is true or false”.
  • prioritize risk reduction measures based on a strategy : it is again a binary decision based on the “true/false” list that makes a threat up in the list or down.

Of course there are some things that are only binary and cannot be changed but this example was to explain how we tend to think in a logical and Aristotelian way.

So the question is what happen when it comes to #security?

The “illogical” security approach

Do you consider yourself a person who pays attention to privacy? If you are in a position where you have to provide a solution to bring data governance to your company I hope so.

Anyway let me doubt of your “security definition” not because your not paying enough attention but because you, like me, are a  digital immigrant and consequently tend to look at things in a binary sequence of events. What does this means?

First example:


Photo by Becky Stern

You have probably a Privacy Filter (a serious one) applied on your laptop so that anybody can cross-read your information while you are reading them on a plane or in a public place but you don’t care what is going on behind/beside you on the same plane if you are using a mobile device to read the same data don’t you?

Not your case? let me refresh you the “Innovation Adoption Curve” definition:

Any new technology or better innovation require a certain time to be fully understood and adopted.



Some of use learn things faster then others and consequently adopt innovation earlier but for the majority of us the time to pay the correct level of  attention to the use of a mobile app or the use we do of the cloud data access has still to come.

So in a binary world the algorithm we learned taught us that :

privacy must be applied to your working device


the device is our laptop/desktop…the mobile is still (just) a phone

After all there were no mobile smartphones 10 years ago neither any kind of “cloud thing” that allow us to access almost everywhere to our corporate data/report so the condition was set to FALSE and still it is in our subconscious.

Let me do a further step we still design ecosystems trying to protect ourselves from external threat but we continue to talk loudly in conference calls while in a public place. Again this is not because of our lack of attention to privacy/security but because we were “programmed” this way since the very early ages of our life.

1+1 =3

Let me take back the first question of this post:

The “Situational method” is applicable to many aspects of our life and, of course, to security or maybe to those aspects of security that involve access to data or resources  but I wonder do we use it in a proficient manner? Have the IT the correct "human resources” to design a map to that help the Business vision to become a strategy and at the very end a successful execution?

The answer is clearly NO until security strategists do not accept the idea that their view of the things are more Aristotelian than what they want to admit. Even more digital immigrants are  binary strategist  by definition and with this last term I mean:

Binary Strategy:The design of a strategy of business that base is roots on hypothesis that can be only true or false

So how we can solve this dilemma? I think that learning to apply the fuzzy quadrant to our way of thinking.

Let’s take the possible value of a simple combination of numbers 0 and  1,  we will find out easily that the possible combination draw a square like the one below.


Following the, so called, traditional logic this square have only four(4) solutions or couple of solution, (0,0),(1,0),(1,1),(0,1) and everything must follow accordingly.

But what if I want to know the value of the black spot at the center of the square, because it is a part of the square itself and so must have a value even if not relay on the perimeter where the values are known.

The black spot in the center is the security strategy, the mobility program adoption, the cloud data access, the data governance deployment you’re trying to achieve and cannot be solved through a  binary strategy.

Security is an #habit and for sure is not simply TRUE or FALSE