One of my favorite security gurus, Bruce Schneier, has an entertaining and yet infuriating article on The Security Mindset in which he tries to explain how security professionals think differently from other engineers.
SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”
Really, we can't help it.
This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work.
It's fun and you should read the whole thing.
But it's also a bit frustrating — because Bruce restricts his discussion to how engineers think. To me, what he is describing is a big part of “thinking like a lawyer”. And when Bruce asks whether this sort of demented worldview, one in which you shake things to see how they break, can be taught, I think, “Hell, yes: I've been doing it for years.”
Most lawyers don't have the math to be a cryptographer or the technical chops to do security analysis of a complex program. But good lawyers — whether transactional or litigation-oriented — do have a “security mindset”: A big part of learning to 'think like a lawyer' is learning again and again how things broke. That equips you to try to build things that won't break (or at least won't break in old ways); it also trains you how to break them.