Too Much Deference to Blind Compliance

Leadership Moment: Choice isn’t Frozen

There are times when an organization wants to demonstrate bold leadership on an issue, as the Paris Olympic Committee did when it decided to use geothermal cooling systems instead of more effective air conditioners. Unfortunately for the POC, they didn't anticipate the entirely predictable consequence: that many countries would bring their own air conditioning. I suspect that the net effect will be worse than if the POC had provided air conditioning for all athletes; instead, we'll have a larger carbon footprint (shipping A/C, lost economies of scale, and the cost of the now-unused cooling system), while also disadvantaging countries that can't afford to bring in A/C.

The failure is a common one among leaders driving change. Having observed a system (no one brings their own A/C when the host country provides it), they propose changes, and no one asks how participants might change their behavior in response. Compliance is assumed, rather than asking how reasonable actors might adapt to the new system.


One Minute Pro Tip: Threat Model Malicious Compliance

Malicious compliance, if you've never run into it, is when someone complies with the letter of a rule, but in a way that violates its spirit. My personal favorite is people who shred their mail and stuff it into the pre-paid return envelopes that often come with junk mail. It's technically okay, and it intentionally raises the cost for the other party.

Before rolling out a policy change, it's worth identifying how someone affected could maliciously comply: in what way could their actions, while technically in compliance, entirely subvert our goals? Identifying those methods might give us insight into where our change is suboptimal, and will certainly give us signals to watch for when our change isn't universally popular.

June 25, 13:30 IL: Cyberweek Tel Aviv Main Plenary: The Immeasurable Challenges of Risk Measurement

June 25: CISO Series Podcast: How About This? Only Attack the Endpoints We Configured

July 2, IL: Cyber over Breakfast: Nine Truths Your Buyer Needs

July 16, NYC: CISO Dinner with Valence and AIM Security

Aug 5-8: (tentative) Black Hat

September 24: HOU.SEC.CON