I had a bad case of the willies recently. Actually, it was a more or less sustained case of the willies. I work in a building that has a lot of glass. Surprisingly for someone who has a Tumblr devoted to tornadoes, volcanoes, and hurricanes, it wasn't inclement weather I worried about. No, it was an active shooter fear: I worried that one of our customers or even just a random want-to-watch-the-world-burn individual would come shoot up the office (I occasionally wonder which of my colleagues is most likely to go postal but I haven't seen anything that bothered me). Our office phones have a floating display of what number to call in an active shooter scenario, so every time I look at my phone (or someone else's) I'm reminded of it. It was getting so bad that I took about any excuse to work from home that I could (the weather certainly helped out there). I talked to a retired military colleague about it who advised planning as a strategy. I've seen all the videos and figured out quickly that in a building of glass running, not hiding, was my best bet, but I still felt apprehensive. Another colleague suggested that I read a couple of books: Gavin de Becker's The Gift of Fear, and Ben Sherwood's The Survivors Club. I initially thought these books were part of the Cybersecurity Canon, but it turns out they aren't, although they are recommended reading for anyone in a security field because of their focus not only on physical security but also threat modeling on a personal level.
I requested them both from the public library. The Gift of Fear (TGOF) arrived first. I was unfamiliar with the author until I saw an article about Jeff Bezos' security investigator and realized he was the author of the book. I have to admit the Bezos background story added some glamour and intrigue so I started reading TGOF eagerly. Here is my cat posing with them:
I will pause here to note that reading TGOF while traveling alone on business to a strange city is not the best idea. There is a huge focus on vulnerable women.
TGOF opens with a harrowing story of a rape and near murder, by someone who had murdered previously. That's an attention-grabbing start. Because of my business trip obligations I couldn't stay up all night reading the book, but it seemed to be the sort of book one wanted to do that with. I picked it up again on the trip back, but, let's be realistic here: my ratio of awake/asleep time on plane flights is 10/90 (this despite numerous viewings of plane crash investigation programs...which I will return to discussing shortly). I ended up having a free weekend shortly after and dug into the book with relish, figuring I'd knock the rest of it out quickly.
...except that I realized I didn't really like the book past the riveting opening.
Several TED-Talkish people (Adam Grant, Daniel Pink, Gretchen Rubin, etc.) recommend that one stop reading a book when one realizes one doesn't like the book. There's no law that says one has to finish a book one starts. Lifehacker even has an article about it: https://lifehacker.com/quit-more-books-1822969347 Normally, I would take their advice; I don't like to fall for the Sunk Cost Fallacy. But, in this case, I didn't want to let my friend down - he seemed to love the book so much - he's recommended it several times, in fact - and I figured I must be being too picky and had to figure out a way to get through the book. I tried again. Nope. De Becker came across to me as a monster ego-beast. Yes, I know he has experience. I don't doubt that. It was just so annoying to keep reading about how much he loved himself and how awesome he was. That's not what I was expecting. I wanted to know how to deal with my fear of active shooters. I started jumping ahead to find the useful parts. There are useful parts, but they are obscured in the self-serving prose.
I began to wonder whether it was just me. As I mentioned in an earlier blog entry I'm sensitive to "trying too hard". I checked out Goodreads, a book review site, to see what others thought. Most of the reviews were very positive. I did, however, find some reviews that echoed my thoughts: "Parts of this book were helpful. But I could SO do without all of his egotistical grandstanding", "blatant self-promotion", "digging out the interesting bits between all the clutter and self-promotion feels like a chore", and "The Gift of Fear is impossibly repetitive. It is disorganized, badly edited, and mainly serves as a pedestal on which Gavin de Becker can place himself for the rest of us to admire." It wasn't just me. It's a style thing. I don't care for his style.
My verdict? TGOF is a famous book and cybersecurity professionals should be familiar with it, so at least read some spoilers. The main message is to trust one's Spidey-senses. I'm someone whose Spidey-senses have saved them in the past, more than once. I'm what is called "disagreeable," to boot, so I'm unlikely to allow a stranger to take advantage of me because that's just not how I'm drawn. Another message, though, is to not manufacture fear, and if one feels fear to figure out why it's there. De Becker thinks that worrying about everything is a waste of energy and many people worry for no reason. Perhaps that's the message my friend was trying to get me to see: in the absence of an actual negative customer situation the likelihood of an active shooter scenario at work is low. Intellectually I know that I'm more likely to die on the commute to and from the office than at the office. This may be another area of disagreement with de Becker who is quite anti-worry. I am a worrier by nature: after reading about a tragic accident involving an overturned cement truck I cannot be around them now. My manner is called Defensive Pessimism and it means that I'm prepared for everything bad to happen and spend a great deal of my life pleasantly surprised. I can't change the way I am and one day my way of being will save the galaxy. I need to spend time after coming up with all the threats prioritizing what to do about the threats, though.
After my less than positive experience with TGOF I was worried (see what I did there? ;-) about The Survivors Club (TSC). But, blog posts need to be written so I picked it up (also I'm on my last renewal of the books so I had to just do it). Defensive Pessimism to the rescue! I was pleasantly surprised! I wanted to stay up all night reading TSC and while I was unable to again (pesky real life obligations) the impulse has sustained. I've determined that I liked Sherwood's style better. He's a journalist so writing is his craft. He knows how to tell a story without getting himself in the way - although his opening story about qualifying for survivor status in an aviation survival training center exercise started ringing the self-serving bells. Mercifully, that part was over quickly and he moved on to others' stories - which are good stories. (I really shouldn't be sleeping on planes, at least during takeoff and landing.)
TSC has three rules for the club: everyone is a survivor, you can't compare your crisis to someone else's, and people are stronger than they realize. The first half of the book is about what it takes to survive and the second half presumes one knows one's survivor type (a new book comes with a code, but I was reading a library book with a code long used - I tried to find a free version of the quiz and all the leads came up dry. Given that the book was popular a decade ago that should not be surprising.) Based on reading the descriptions I'm mostly a Thinker, with a splash of Realist. Adaptability, intelligence, and ingenuity are my top strengths, although Instinct is probably up there, too. (Interestingly, the two books converge when Sherwood is discussing Instinct as a psychological strength: Sherwood invokes TGOF and its discussion of intuition.)
Upon figuring that I'm a Thinker I remembered a wonderful movie from the 1990s called The Edge. It starred Anthony Hopkins and Alec Baldwin. Their plane crashed in the Alaskan wilderness and they had to survive. A bear was chasing them. At one point early in the movie Anthony Hopkins' character is seen reading a survival book. I didn't remember after the movie what the name of the book was (and it seems from this discussion that the book was fictional, anyhow), but I found something similar at a bookstore and carried it with me on every plane flight I took after that. (I do count how many rows until the exits and never take my shoes off.) Here is my cat posing with it, and another book I keep in my post-apocalyptic bag (I believe the proper name is "Ready Bag," but I prefer my more colorful terminology):
After the characters' plane crashes and before the bear starts chasing them there's a scene where Hopkins notes why people die in the wilderness (his book is lost in the plane crash, by the way):
From IMDB:
"You know, I once read an interesting book which said that, uh, most people lost in the wilds, they, they die of shame....Yeah, see, they die of shame. 'What did I do wrong? How could I have gotten myself into this?' And so they sit there and they... die. Because they didn't do the one thing that would save their lives: Thinking."
There is so much of TSC in that one quotation. (Well, for Thinkers, anyhow ;-) If one has time for only one of the books I suggest Sherwood's, because I find more actionable advice with real-world applicability.
We hope that our cybersecurity tasks don't involve thwarting a literal bear but there are metaphorical bears, including a nation-state variety. The concepts in both books apply to security generally and can be applied to cybersecurity specifically. Incidents happen and how one responds to them is likely the same way one responds to bears. Likewise, it's important to listen to one's intuition about threats, particularly in a human factors sense. Check the badge, ask for the ID, don't let someone tailgate in, decline to click on the free lunch email link.
I'm sad to say neither book made the active shooter concerns go away, but I realized they ebb and flow. They're a dull roar right now and other concerns are busy screeching in my ear - like this blog entry ;-)