Saturday, April 09, 2011

Transactive Memory Systems: an answer to "groupthink"

In the Information Security community, when pervasive ideas are generally agreed upon, inevitably someone cries "groupthink"(often on this blog!) The criticism is that we have let our opinions form by the pressures of the community and not by critical thinking. For example that "strong passwords increase security" or that "SQL Injection vulnerabilities are preventable." A good sign that the community is dictating the opinions is when the topic requires a special level of expertise to grok. Topics like these breed a desire to reach consensus without the individual members of the group exposing themselves as unknowledgeable or foolish. The problem with the term groupthink is that it is a pejorative term that implies the generally agreed upon idea is wrong, regardless of how the group came to that conclusion.

I propose a different explanation for why communities find uniform consensus across such a large group of people. It's efficient. Thanks to the web, the Information Security community shares one large body of knowledge. Using blogs, Twitter, and online journals, we read the expert opinions of security professionals on hundreds of topics a week. This body of knowledge is a Transactive Memory System. The basic difference between Transactive Memory and groupthink is the generally agreed upon idea is not individually analyzed critically because of the inherent credibility of the person communicating it, not because of group pressure to look smart. Transactive Memory Theory states that there is the knowledge of the individual in the group, as well as their "metamemory" of what topics they, and everyone else in the group, knows. The metamemory allows the group to be smarter and more efficient than the individual. (This is not to be confused with Collective Intelligence, which is better explained by a TNG episode with Borg.)

The key to successful Transactive Memory relies on three components: specialization, coordination, and credibility. Using the Information Security community as an example, we can see how the so-called "thought leaders" in the community fit all three categories.

Specialization may not be something a thought leader pursues intentionally, but there are certain people in the community who are experts in specific topics. If you speak about Cloud, or SIEM, or DNS long enough, people start to identify you as the go-to-guy on that topic.

Coordination is enabled in large part by the Internet. It's what allows a community of thousands to behave like a "group." Another key coordination activity is the conference circuit. Across the world, conferences bring not only the ideas we agree upon, but also the speakers we know. Coordination is the process of learning who knows what in the group, and allows for the division of topics based on peoples strengths. This implies that it may not actually be the intentions of the thought leader that relegate them to one topic of expertise, but rather the community that finds it easier to know them for only one thing, requiring less complex metamemory.

Credibility is the most subjective component. Creditability is the extent to which the group actually believes the thought leader's ideas are correct. This is the critical component for efficiency. Initially the group does not believe the thought leader's credibility is very high. This produces low efficiency for the exchange of ideas because everything must be analyzed more stringently by a larger number of people. The longer the group coordinates, the higher the credibility of the member assigned the topic, and the more people who do not need to repeat the research and can take their word for it.

In our industry, there will always be a higher level of skepticism than most, but in order to be efficient and make progress in the science of IT we must be able to divide the topics. I'm sure you'll find that this is human nature, and we're not all experts on everything. Some people who code are not knowledgeable in penetration testing; people who are experts in forensics may not know a thing about visualization. And yet there are many cases where we're asked to give comment on these subjects that we are not experts in. When saying "I don't know!" isn't an option, it's natural to fall back to the Transactive Memory of the community and call upon someone who does.

In conclusion, we have generally agreed upon ideas not because we suffer from groupthink but because we're in a technical field where it is efficient to trust the specialization of others in the community to communicate their knowledge, while we ourselves focus on our strengths in areas not being effectively covered.

[Edit: Rob Graham's response: "No really, it's groupthink."

No comments: