Richard Thieme's

Islands in the Clickstream

The Cycle of Complacency

In the world of computer security, it's called the cycle of complacency.

A critical incident - the NIMDA virus disrupts networks or a worm takes advantage of unpatched systems to install a trojan horse - raises the level of urgency. Everyone works overtime. A crisis mentality governs the workspace, and for once, everybody pays attention. The trivial concerns of the day before are eclipsed by the need to respond and respond now. Meetings are held to discuss appropriate security and system users actually change their behaviors. They understand that they are involved in a vague kind of cyberwar, one in which malicious mischief, competitive intelligence, and state- and network-supported cyber-reconnaissance are difficult to separate. They distinguish FUD (fear, uncertainty, doubt) from "appropriate paranoia" and act accordingly.

Then the adrenaline rush subsides. The fight-or-flight level of intensity diminishes. New alarms are not followed by attacks. The reconnaissance of critical systems continues at a steady level that reduces it to background noise, "pings" echoing through the network like returns from submarine sonar. Notices of new patches begin to fill in-boxes. Default positions re-set themselves to "routine." People get back to normal. Pretty soon NIMDA and Code Red are blurred by the passage of time and all we remember is how little real damage they did to our way of life.

It's called the cycle of complacency, and in America, we are in it both online and off.

"The sense of urgency attending a critical incident," said Stanley "Stash" Jarocki, a vice-president of Morgan Stanley and the President of the Financial Services - Information Sharing and Analysis Center (FS-ISAC), "has a ninety day half-life. After three months, people forget, you can't get money for security as easily, and those who raise the alarm are accused of crying wolf."

Jarocki ought to know. Years of experience with government and corporate security have given him a good vantage point. The ISACs - financial services, electricity reliability, and telecommunications - are designed to facilitate sharing information between corporate members and NIPC, the National Infrastructure Protection Center of the FBI. But even on the front lines, organizational cultures continually frustrate the best intentions.

Before September 11, my speeches on how technologies have reshaped organizational structures from the workplace up to the level of national and trans-national entities were often heard as if they were scary sci-fi movies, particularly when I talked about the implications of biotechnology and space war. People felt they were watching a movie, and regardless of momentary anxiety, the lights always came up and the audience shuffled toward the exits.

Since September 11, I speak less about the implications of technologies and more about "Making Sense of Uncertainty." The closer one gets to Ground Zero, the more often audiences are on the edges of their seats - because they are living on the edges of their lives, leaning anxiously into the future with an enhanced awareness of what's at stake.

Last week in New York I facilitated a conversation among members of an association who had not met since September 11. The meeting quickly became an opportunity to experience and manage the cold friction of their grief. That group was not in the cycle of complacency because they carried the devastation I had seen at Ground Zero in their hearts.

The next day I returned to the midwest. The person on the next treadmill at a fitness center turned and said, aren't we fortunate to be in Wisconsin where we're safe?

She was not jogging in place, going nowhere, as she seemed, but running at full speed into the cycle of complacency.

We're a long way from grasping what it means to "be alert" in our daily lives the way we look both ways when we cross a busy street. It has not yet percolated through layers of denial that we are living in a war zone.

It is a war zone, however. Honestly, it is, whether the enemy is a terrorist waiting for the signal to take a machine gun from under a winter coat in the mall or a home-grown hate group consolidating plans for spreading smallpox. The names of the haters are not the point. Besides, terror networks are nested, masks wearing masks. The effort to ferret out ultimate intentions and true identities will never be completed. In addition, collusion with those who launder money or profit from illegal drugs blurs the boundaries between hunter and hunted. Anyone who tries to map evil in the human heart gets a headache.

What will it take, I asked an veteran of the intelligence community, for people to get that the world is a war zone, that our lives are lived on the front lines?

"A rising body count," he said. "Nothing else will make the point."

After we talked about the likelihood of nuclear materials being readied for weapons and the incidence of non-standard diseases and the routes the germs might have traveled, I called another friend to discharge my anxiety.

He tried to help by putting things in perspective.

"Are you responsible," he asked, "for the well-being of the whole world?"

I thought long and hard before answering.

If we're talking about "co-dependency" and grandiosity, then the answer is obviously no. But if we're talking about seeing who we really are, seeing that we are cells in a single body with a single consciousness on a planet threatened with death ... then the answer might be different.

How can we use the vulnerability we feel at Ground Zero to short circuit the cycle of complacency and answer that question correctly?

Ground Zero is not a place. Ground Zero is a state of mind into which we are driven when reality like a knife plunges into our false self and drives us into our true Self. In that moment, we know the answer to that question.

So ... are you responsible for the well-being of the whole world?

And if you're not ...

who is?

Islands in the Clickstream is an intermittent column written by Richard Thieme exploring social and cultural dimensions of computer technology and the ultimate concerns of our lives. Comments are welcome.

Richard Thieme is a professional speaker, consultant, and writer focused on the impact of computer technology on individuals and organizations - the human dimensions of technology and work - and "life on the edge." He also directs the Homeland Defense Network (HDN), a non-partisan, non-profit, independent grass-roots effort to create a positive informed response to the threat of terrorism world-wide.

Feel free to pass along columns for personal use, retaining this signature file. If interested in publishing columns online or in print or employing Richard as a professional speaker, retreat leader or consultant, email for details.

To subscribe to Islands in the Clickstream, send email to with the words "subscribe islands" in the body or subject heading of the message. To unsubscribe, email with "unsubscribe islands" in the message. Or subscribe at the web site

Islands in the Clickstream (c) Richard Thieme, 2001. All rights reserved.

ThiemeWorks on the Web: and

ThiemeWorks P. O. Box 170737 Milwaukee WI 53217-8061 414.351.2321