From the book "You are Solving the Wrong Problem"
Chapter 9: Problem Paradox
Appearances can be deceiving. Throughout my career in software engineering, I have successfully solved complex problems in relatively short periods of time. However, I have also struggled with seemingly simple problems for decades. It is worth mentioning that I have played a key role in designing and launching a new security service at Amazon Web Services (AWS), which posed astronomical challenges both technically and organizationally. Yet, I have battled severe anxiety and depression based on utterly unfounded concerns. If I were to share with you the trivial things that I worried about, you probably wouldn't believe it. Despite these personal struggles, I am grateful for the blessings and wonderful things in my life.
The deceptive nature of problems arises from what we refer to as the Problem-Paradox. Simple problems often hold hidden complexities, while complex problems can be broken down into simpler ones. In this book, we extensively explore this concept, providing insights into when to act swiftly and when to adopt a more deliberate approach. Sometimes, it is effective to approach problems from a top-down perspective, whereas other times, a bottom-up strategy is more suitable. Deconstructing complex problems is an iterative process, and it is crucial not to succumb to impatience. While rapid turnarounds have their merits, when facing profound issues, relying solely on speed often proves inadequate.
Computer security
This is a field which has always mystified me. The basic concepts are really simple. I log in, or authenticate, to a system. I'm only allowed to perform certain functions, and I can only see certain data. How hard can that really be? Yet, cybersecurity is an incredibly complex field with a myriad of challenges.
A cybersecurity concept that appears simple but is actually complex to master and implement effectively is the principle of Least Privilege. On the surface, this principle is straightforward: users should be granted only the permissions they need to perform their job functions, and no more. This concept is critical in minimizing the potential damage from accidents, errors, or unauthorized use of system resources.
However, effectively applying the Least Privilege principle in a real-world setting involves a complex array of challenges:
- Identifying Necessary Privileges: Determining the exact set of privileges each user or process requires can be highly complex, especially in large organizations with diverse roles and evolving job responsibilities.
- Dynamic Environments: In modern IT environments, where services and roles are constantly changing, continuously ensuring that privileges align with current needs is challenging.
- Granular Access Control: Implementing access controls that are granular enough to provide specific privileges, while not overly restricting user productivity, requires sophisticated security systems and policies.
- Balancing Security and Usability: Too few privileges can hinder user productivity and lead to "workarounds" that compromise security. Finding the right balance is often a complex, ongoing process.
- Automation and Auditing: Automating the process of privilege assignment, while ensuring regular audits and adjustments to access rights, involves complex security systems and regular human oversight.
- Compliance and Regulatory Requirements: Aligning Least Privilege policies with various compliance frameworks adds another layer of complexity, as these frameworks often have specific requirements for access controls.
The principle of Least Privilege, while conceptually simple, requires sophisticated understanding and implementation to effectively enhance an organization's security posture.
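The first and fifth challenges above (identifying the privileges actually needed, and auditing grants over time) are usually attacked by comparing what a policy grants with what an identity has actually done. The following is an added example, not code from the book or from AWS: it flattens a constructed IAM-style policy, reads constructed audit events in a CloudTrail-like shape, and reports grants that were never exercised.

```python
"""Least-privilege right-sizing: compare an IAM-style policy with the actions
an identity actually used, and report grants that were never exercised.
Added example, not code from the book or from AWS; policy and log are constructed."""
import fnmatch
import json

# Constructed policy for a hypothetical deployment role (not a real account).
GRANTED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject", "s3:DeleteBucket"]},
    {"Effect": "Allow", "Action": "iam:*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]},
]}

# Constructed audit events in a CloudTrail-like shape; one JSON object per line.
OBSERVED_LOG = """\
{"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject"}
{"eventSource":"logs.amazonaws.com","eventName":"PutLogEvents"}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
"""

def granted_actions(policy: dict) -> list[str]:
    """Flatten Allow statements into action patterns such as 's3:Get*'."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            patterns.extend([act] if isinstance(act, str) else act)
    return patterns

def observed_actions(log_text: str) -> set[str]:
    """Turn each event into a 'service:Action' name, e.g. 's3:GetObject'."""
    used = set()
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        used.add(f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}")
    return used

def unused_grants(policy: dict, used: set[str]) -> list[str]:
    """Granted patterns that matched no observed action ('*' wildcards, case-insensitive
    like IAM action names). These are the candidates for removal."""
    return [p for p in granted_actions(policy)
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for a in used)]

def right_sized_policy(used: set[str]) -> dict:
    """Rebuild the policy from observed usage only: one explicit action per entry."""
    return {"Statement": [{"Effect": "Allow", "Action": sorted(used)}]}
```

Usage-based right-sizing only sees actions exercised during the observation window, so a legitimate but rare action (a yearly key rotation, for instance) can be dropped by mistake; that is the "dynamic environments" challenge showing up in practice, and it is why the output is a review list rather than an automatic change.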
Another principle gaining favor in computer security is Zero Trust. This concept is centered on the belief that organizations should not automatically trust anything, whether it is inside or outside their perimeter. As people increasingly work from home and use their own devices, the idea of a security perimeter has faded away. Thus, organizations must verify everything trying to connect to their systems before granting access. This approach marks a significant shift from traditional security models that operate on the assumption that everything inside an organization's network can be trusted.
The basic idea is "never trust, always verify." This means that no user or device, whether inside or outside the network, is trusted by default. Access to resources is granted on a need-to-know basis and only after the identity has been thoroughly verified, usually through multifactor authentication, and the device's security posture checked. This verification process is not a one-time event but is continuously evaluated.
This is a simple concept, but a challenge to implement. It requires various technologies and principles, including identity and access management (IAM), least privilege access controls, microsegmentation (dividing security perimeters into small zones to maintain separate access for separate parts of the network), and robust monitoring and analytics to detect and respond to threats in real time.
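To make the contrast concrete, here is an added example (not from the book) that places a perimeter-style decision beside a zero-trust one. The request fields, the internal address range and the MFA re-verification window are assumptions chosen for illustration.

```python
"""Perimeter-style vs zero-trust access decisions, evaluated on every request.
Added example, not code from the book; request fields, network range and
thresholds are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
MFA_MAX_AGE_S = 8 * 3600                          # assumed policy: re-verify MFA every 8 hours

@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    identity_verified: bool       # session token validated by the IAM system
    mfa_age_s: Optional[int]      # seconds since last MFA; None if never completed
    device_compliant: bool        # posture check (disk encryption, patch level, ...)
    entitled: bool                # least-privilege check: user may access resource

def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything inside the network perimeter is trusted outright;
    only outside requests are checked."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True
    return req.identity_verified and req.entitled

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: source location grants nothing. Each request
    must pass identity, MFA freshness, device posture and entitlement, so a
    session that was fine an hour ago is re-evaluated now."""
    if not req.identity_verified:
        return False, "identity not verified"
    if req.mfa_age_s is None or req.mfa_age_s > MFA_MAX_AGE_S:
        return False, "MFA missing or stale"
    if not req.device_compliant:
        return False, "device posture failed"
    if not req.entitled:
        return False, "not entitled to resource"
    return True, "allowed"
```

The interesting case is a request from an internal address with stale MFA on a non-compliant device: the perimeter model allows it because of where it comes from, while the zero-trust model denies it and says why, which is also the signal a monitoring system would alert on.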
The Problem Paradox
The outward appearance of simplicity or complexity cannot be trusted.
There is a reason why it is necessary to delve deep and examine the details closely. The illusion of simplicity can deceive us, leading us to underestimate the challenges at hand. Conversely, problems that appear insurmountable can discourage us from even attempting to find a solution, as we perceive them as having no chance of success.
When we think back to our time as students taking tests, we may recall preferences for certain question types: true/false, multiple choice, or essay.
At first glance, true/false questions may seem appealing. The answer is either true or false, resulting in a 50% chance of getting it right. However, many of these questions can be "trick" questions, where a statement may be mostly true but embedded within it is a false element. This renders the entire statement false. Have we considered all aspects of the statement? Ultimately, a seemingly simple test format proves to be more challenging than anticipated.
In contrast, multiple-choice questions offer several explicit choices. A question with four options provides a larger solution space than a true/false question, yet many people find these questions easier to handle. Essays are usually the least favored option, since they demand a deeper understanding of the subject and the ability to convey it clearly. They require considerable effort, although the possibility of partial credit is an advantage of its own.
The true/false construct reflects the Problem Paradox, which can be summarized as follows:
Simple problems conceal complexity, while complex problems break down into simple ones.
This paradox arises when the apparent simplicity of a problem masks its true complexity. Conversely, seemingly overwhelming problems can be simplified through a strategic approach focusing on decomposition.
The Problem Paradox creates an iterative loop. Large problems are broken down into smaller ones, but as we delve deeper into these smaller problems, they can become more complicated. We uncover additional considerations that were previously unknown to us. This iterative nature of the process drives us to continuously reassess and reevaluate our understanding as we uncover new layers of complexity.
There are several dimensions to this phenomenon.
- The Paradox of Choice: True/false questions are simple binary choices, yet, there is hidden complexity within those choices. Likewise, having too many potential solutions can be overwhelming and lead to analysis paralysis.
- The Knowledge Contradiction: As you gain more knowledge about a problem, you might discover additional complexity you didn't know about before. The paradox here is that although you know more, you realize that the gap in your knowledge is bigger than expected. Additionally, the solution may lie within these hidden layers that have now revealed themselves.
- The Time Dimension: Sometimes, the more time you spend trying to solve a problem, the more elusive a solution becomes. Conscious thought may not yield significant results. One might expect more time leads to better solutions, but that isn't always the case. Sometimes, we simply need to walk away and return to the problem at a later time.
In general, we tend to stick to our preconceived notions or surface-level analysis. However, it is crucial to dig deeper to unravel the true problem. We need to become comfortable with the duality of the paradox and not get discouraged on the journey between simplicity and complexity. Simple solutions should not be ruled out for complex problems, as the simplest solution is often the best, all other things being equal.
The Thief at the Store
This question went viral recently on social media and is a great illustration of the Problem Paradox.
A thief steals a $100 bill from the register of a store. He then goes shopping in that same store, and uses that $100 bill to buy $70 worth of goods. The cashier gives him back $30 in change. How much money did the store lose?
Carefully consider what makes this seemingly complex puzzle simple.
Take a moment and see if you can solve the puzzle.
Then continue on to see the answer.
The solution follows, so if you want more time, stop here.
An explanation of the Thief at the Store
The thief stole $100 from the store. He then used the stolen money to buy $70 worth of goods and got $30 in change. This means that the thief now has $70 worth of goods and $30 in cash, and the store has lost $70 worth of goods and $30 in cash.
In other words, the thief has converted the $100 he stole into $70 worth of goods and $30 in cash, and the store has lost $100 in total. It doesn't matter that the thief used the stolen money to buy goods. The store has still lost $100 in total because the thief has taken $70 worth of goods and $30 in cash from the store.
You can also think about it this way. The store lost $100 when it was stolen. After that, everything else was money or value moving back and forth as a part of a normal transaction.
You could technically argue that the store would normally have earned some profit on the sale. Thus, a loss of slightly less than $100 is also an acceptable answer, with the caveat that we don't have enough information to know the store's profit margin.
Now that we understand the symbiotic relationship between simplicity and complexity, we need to become efficient at moving between them. But how do we do that? We tackle that subject next.