Judgement Versus Rules

In recent years, in a variety of contexts, Americans have been favoring rules and rigid criteria systems over systems that require humans to exercise judgement and discretion. This has effects on many industries, including my own: software security.

Zero tolerance systems in middle and high schools seek to take judgement away from school officials and impose rigid, black-and-white rules that have no room for interpretation. One kid was suspended for having a weapon (baseball bat) on the back seat of his car in the school parking lot. He was a star baseball player on the high school baseball team.

“3 strikes and you’re out” laws impose the same thing on criminals. Mandatory sentencing laws impose the same thing by taking discretion out of the hands of judges and requiring them to issue standard sentences. The removal of parole from many sentences for crimes removes the discretion of the parole board from the criminal justice system. There is no longer the possibility that a criminal will be deemed rehabilitated and re-released into society.

You can always find a professional (doctor, lawyer, plumber, electrician) who will contradict or cast doubt on the judgement of another professional. So, insurance companies, hospitals, big companies, etc. all create standard procedures that become a bulwark against malpractice lawsuits. Even when a specific medical or legal situation might not call for a certain procedure, the procedure may be done as a standard precautionary ritual to ward off lawsuits.

In my field, software security, we are starting to do the same thing. We set up piles of checklists, rules, etc. This is a little bit different, simply because there’s nowhere to go but up. Checklists, rules and such make things a bit better, but we all know that they only get you so far. Real security comes from people who can make judgements and can exercise discretion. It comes from people so experienced in doing the thing (development) that they can also consider variations on the thing (the impacts of security techniques, for example) and determine their impact.

My thesis: we need to teach discretion and judgement. We can provide all the tools, rules, and ability to create rules that we want. Until people can learn the judgement side of this process, they are only marginally better off with all the tools and rules than they were without them.

This is a cultural thing, though. Culture is telling our customers to buy things that are measurable. Successful judgement is hard to measure. The “thud factor” of a checklist or the “number of rules” in a tool like Fortify are easy to measure. The more we appear to take the guesswork out of software security by imposing long lists of rules and whatnot, the more people feel happy. There’s a critical disconnect there, though. We have to find a way to remind people of the value of judgement in addition to all these measurable things. We’ve got to convince management that they want their people (managers, developers, QA, etc.) to exercise judgement.