BYOI (Bring Your Own Identity) : Are you a single or double loop learner?

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Buffer 0 Email -- 0 Flares ×

BYOI is a series I’ve decided to create to “talk” about #identitymanagement so it is about #security, #governance, #management and many other aspects of the #IAM realm.

A thermostat that automatically turns on the
heat whenever the temperature in a room drops below 68 degrees is a good example of single-loop learning. A thermostat that could ask, ‘‘Why am I set at 68 degrees?’’ and then explore whether or not some other temperature might more economically achieve the goal of heating the room would be engaging in double-loop learning.

Chris Argyris – “Teaching Smart People How to Learn”

In almost every conversation I have on #security, #governance or #identitymanagement I  ended up talking about security habits and how people should learn to behave in a certain way.

That certain way I refer to is to remember that whether you’re using: a company owned device at office or enabled for personal use (COPE), a personal device (BYOD) or any other kind of thing to access/manager corporate data you should always act as “ a responsible father of a family”. In other terms :

  • Avoid sharing corporate data even if you are  thinking that are not “sensitive” if not in a context that require the sharing (aka corporate meetings, context where it is absolutely plausible this kind of sharing,etc…).
  • Electronic Data works as Physical Data (papers): do not take them home (home computer) or read them in public places.
  • Always remember that the guy/girl beside you is a stranger. Do you reckon the mummy suggestion? DO not talk with strangers or at least do not share your company info’s because this will not make of you “the cool one” but the “idiot one”.
  • it is in your interest report suspicious behavior in your company ecosystems (from your BYOD to the office).

Sound simple isn’t it? So I wonder how come that most of the users in the digital ear still not apply those simple rules?

Not convinced yet? Just take the underground train or a plane or sit down in a waiting room of a public places and appear “empathically open to conversation”. For a more clear explanation on how to do that I suggest “The Ultimate Guide to Social Engineering“.

The Master Plan

If I ask to anyone if he act in a responsible way toward the protection of his security and, consequentially, the company he/she work for I am sure I’ll obtain a positive response. But I am, at the same time, confident that the same person could be easily caught in a conversation at the phone where share “info’s” without paying too much attention on who’s around her/she.

One of the paradoxes of human behavior, however, is that the master program people actually use is rarely the one they think they use. Ask people in an interview or questionnaire to articulate the rules they use to govern their actions, and they will give you what I call their ‘‘espoused’’ theory of action. <…>When you observe people’s behavior and try to come up with rules that would make sense of it, you discover a very different theory of action—what I call the individual’s ‘‘theory-in-use.’’ Put simply, people consistently act inconsistently, unaware of the contradiction between their espoused theory and their theory-in-use, between the way theyt hink they are acting and the way they really act.

Chris Argyris – “Teaching Smart People How to Learn”

To summarize what Chris Argyris define as a theory-in-use I created the following image:


Basically the fear of losing something or to not act in a “positive” way lead use in betray our “master plan” and, from time to time, walk in an alternate path.

In other terms make security an habit is not a matter of:  commitment,motivation or any self-convincement that you’re follow the “rules”

The trust and the social login

In today world where we live in a, always more, complex ecosystem where our digital identity is connected to others we have, where our company “me” leverage the  social “me” to simplify the login process and where company/public application make more simply communicate/share information’s what could help us in " make the difference”?

Failure is simply the opportunity to begin again, this time more intelligently.

Henry Ford

or in a more visual way:


What Chris Argyris call a single loop learner is the usual way of thinking where what drive you is the fact that your are not a “fallible” subject or better you did not experienced enough the failure to be able to recognize it or learn from it. Let me apply this to a simple exercise:

The trust questionnaire: (Answers calculate 1 point for yes and  -1 for no)

  • Q1. do you trust social login? in other words do you think that connect a social network with an undeniable reputation (in terms of effort toward make its environment more secure for its users) is it safe enough  to link your corporate ID to it?
  • Q2. Do you think that the since the “protocol” used do not transmit any sensitive information make this “linked process” secure enough to be used?
  • Q3.Do you have more than 5 digital Id? Count corporate ID, social ID’s (like twitter, facebook),public digital ID’s (hotmail,yahoo,gmail,etc…)
  • Q4. do you use a different password not related to the others for every digital ID’s?
  • Q5. do use a complex answer (i.e.: alphanumeric and long word) for the “security question” in the social/public identity profile you use?
  • Q6..Do you change the social/public password accordingly to the corporate password if linked?

The image below represent the answers in a more visual way:


What we learn from this example? that more trust we have less attention we pay to the security implication even if our “Master plan” tell us that we think to be responsible users.

Let me explain better:

Linking a social id to a corporate id do not expose you to a security breach, from a technological point of view but nevertheless become a “link” to it and, consequentially, assume a grower importance in terms of security attention to its management.  Filling a password input field with a (mandatory) secure password is (almost) useless if the security question you choose is “ what is your son/daughter first name” and you reply “meg” . On other hand, what make you so focus and keen to security aspects with your corporate id and so “distracted” with everything else linked to it?

Learning is a curve not an angle

In conclusion, if the trust is a value subjective security should be an objective value related to our practice in implementing its rules and conventions.

As Chris Argyris  observed in his research and experience:

Highly skilled professionals are frequently very good at single-loop learning. After all,they have spent much of their lives acquiring academic credentials, mastering one or a number of intellectual disciplines, and applying those disciplines to solve real-world problems. But ironically, this very fact helps explain why professionals are often so bad at double-loop learning.
Put simply, because many professionals are almost always successful at what they do, they rarely experience failure. And because they have rarely failed, they have never
learned how to learn from failure

Chris Argyris – “Teaching Smart People How to Learn”


Security Habit starts from the assumption that at some point you may incur in a mistake and you’ll fail and this do not make you a less secure individual but a more responsible and security-oriented one.

for more information on Chris Argyris studies :“Teaching Smart People How to Learn”