Give Yourself a Chance to Say “Yes”

In about a week’s time, I will be on a different continent to give a talk on threat modeling, and another co-presented topic with SATCR4K on satellite security.

To some extent, this year’s roll is partially happenstance.

Included in this year’s roll are many more conference talks, co-founding of Threat Modeling Connect’s Singapore chapter and many more friends I have made in the cybersecurity community globally. A few friends even quizzically look at my schedule and give up trying to find a slot to catch up with me. Others tell me I need to take care of myself.

Of course, there are others, especially the younger ones, who ask what they can do to perhaps repeat a fraction of what I do. They wish I could explain to them the magic box. I wish, too.

Perhaps the best answer to give is the saying, “You miss 100% of the shots you don’t take,” by Wayne Gretzky. But the advice should also not be construed as a call to try every single shot possible, simply because there may be an infinite number of shots to take, and there would be only an infinitesimal amount of energy one can put into each shot, which is counter-productive too. Rather, the advice should be interpreted as a call to take some shots, and to try to take them well.

Desirable Difficulty

One learning theory that has proven to be good advice (at least for me) is the theory of desirable difficulty (on an unrelated note, some aspects of LLM hallucinations could be rationalised with this reading, potentially). In practical terms, this involves putting in place progressively harder tasks that require the learner to more actively engage with the material. Let us chart out such a progression to illustrate this point (a reduced version of the SQ3R technique):

  1. Read the material
  2. Recite the material (without looking)
  3. Review the material

These tasks provide a gradual increase in difficulty; everyone can read material when it is presented to them. Thereafter, to test recall, we can get students to recite said material. Examples include providing recall-based quizzes (e.g. do you remember what the syntax is to perform a UDP port scan?), and then a review of the material where you ask questions about the material and more actively engage in it (e.g. how do I know my UDP port scan produces reliable results?).

One can perhaps take this further with higher-order tasks. Examples include writing and teaching the material. Providing output is a much more effortful, but intensive learning exercise. For example, to write a journal article of almost 2,000 words such as this one required at least fifty readings (twenty-six were eventually cited; account for the number of readings that are irrelevant/duplicate/not useful). Naturally, writing is a big level up. But not everyone needs to write 2,000-word articles as a jump. We can write commentary too. Or even discuss such topics with friends. Much less effortful. In fact, I enjoy having juniors bounce ideas off me because they often open up new paradigms that force me to correct a certain set of dogma that could have persisted, sometimes out of bad habit, or sometimes as a consequence of taking some processes for granted and not indulging in the fundamentals enough.

But I thought I would like to mention that conference submissions, to me, are simply an extension. They are simultaneously a teaching experience, and also a highly effective learning one. Want to prove that you are good at your craft? Aim to be able to teach it, especially to someone who has no idea of what you do. But even I don’t consider myself such a master yet.

Even teaching has different strata of achievement. When teaching fellow practitioners, such as at a conference, we are teaching practical skills. For instance, in the subject of threat modelling, we need to use frameworks to provide a more objective method to assess threats. But teaching students who are new to the subject requires us to teach principles. Principles are important in a subject as they provide the necessary grounding for the student to appreciate why the subject is structured the way it is. For instance, the Threat Modeling Manifesto is an example of a principle. The four key questions in the manifesto are as follows:

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?

These questions alone, to a non-practitioner, will not be useful. In fact, one might even critique that teaching principles at the outset could be too daunting. But I take a different view. For someone to be highly effective at their craft, they must understand the core principles of said craft. Teachers do not always have the luxury of being by the side of their learners all the time, so the best service we can give is to impart a certain curiosity of learning, as well as a way of thinking that enables them to answer their curiosity.

But what about young learners who may not understand principles, since they are not cognitively mature yet? This is the highest level of achievement in my view: being able to use the Feynman Technique. Imagine teaching a topic to a 12-year-old. This forces us to confront ourselves to make the material plainly simple. But the true master of craft shows how complex ideas can be simplified, and executed in a way that is almost artistically beautiful.

Habits

But discomfort is scary. Paper rejections are nasty. I am no stranger to them.

LinkedIn isn’t a great place to write about failure in plain, simple terms. But we all do fail, at times.

But to me, filing for conferences and papers is part and parcel of a challenge: do I think I know enough to put together a submission where someone else would benefit? If not, we can just keep honing our craft in smaller settings. Great examples include community meet-ups and smaller conferences (the cybersecurity community is particularly blessed to have conferences such as BSides and OWASP that provide friendly audiences and positive learning environments).

But what one has to be uncompromising about is a relentless habit to keep learning actively and to demonstrate said learning. And that begins by saying “Yes, I will do something outside my comfort zone.”
