Cognitive disruption card games and agile requirements

A tool for improving existing process

A typical agile process has an action called detailed planning, in which a handful of requirements are thought through, broken down and estimated before being written up into an application lifecycle management system. At the start of the planning meeting, set some time aside (an hour is good) to break old habits and promote fresh thinking.

Cognitive Disruption Poker needs nothing more than a standard 52 card playing card deck. You do not need much, if anything, else apart from a notepad and pen.

A different way to collaborate

Take all the requirements for the iteration and lay them out on the table. The requirements are the starting point for where to look for good hands to play. The idea of the game is to discover and then improve ideas on how to meet those requirements. You can’t play a hand that simply says ‘I agree with the person to my left’; you have to improve or better the idea.

Print out or whiteboard the description of the suits.


* User Experience – How well the users and customers engage with the product
* Platform – The logical nuts and bolts that the product is built on
* Trustworthiness – Application security, safety and reliability
* Commercial – Marketability, return on investment and profitability

If you have lots of willing volunteers to be first, blind deal a card each: the highest goes first as the ‘blind’, and the lowest deals first. Here is an example hand you can join in with.

The requirements are simple enough.

Create a mobile version of DataLists v2 with the following features

* Must allow column by column sorting
* Must have search facility
* Must have column reordering
* Must have export to csv


Biff is in the big blind with 5h4c and starts with
5h = We implement one of those ‘pull down to refresh’ widgets but use it to ‘pull down to sort’
4c = We use the jquery widget framework as the platform to build it on.

Can you play any of the cards available? To play, comment with your hand at the bottom or on LinkedIn etc.

 

Cognitive Disruption Poker

Cognitive Disruption Poker is a simple tool that uses cognitive theory to disrupt biases that hinder great solutions. It turns out that we humans have two distinct decision making paths in our brain. Most of the hard work and processing power is dedicated to the fast, high transaction, automatic system known as system one, which allows us, for example, to play a musical instrument without having to recall and think through each note and beat. Once you’ve learnt the tune, you can play that tune while thinking about other things, even day dreaming. The second decision making path is where decisions are learnt, thought out, rationalised and practised. It is somewhat slower and much lazier than system one, so once we have learned something new it is committed, or hard wired, into system one[1].

A simple example of both systems is easily demonstrated.

  1. What is 2 + 2 = ?
  2. What is 16 x 47 = ?

You see how the answer to 2+2 immediately sprang to mind? It was instinctive, automatic, you are unlikely to have worked out the result by thinking it through. The answer to the harder question is not something you usually find in system one.

Maths is one thing; what about something a bit more complicated, like taste in food? How about the following:

A cheese and jam sandwich
Pretty unpleasant in most people’s minds, a cheese and jam sandwich is not often found in many people’s lunch-boxes. System one found a few patterns to help work out in your mind whether you should like it or not: a cheese sandwich, delicious and savoury, often a main course. A jam sandwich, delicious and sweet, often a childhood treat like cake. Mixing cheese and jam together, probably get told off by mother – fire ‘yuck!’ response. All this happened automatically when you read about someone eating one on Facebook.

When system one learns, it adds a cognitive bias[2] or two to help fit all this information in your skull and generally aid your survival. Studies have revealed as many as 160 cognitive biases from Loss aversion to Availability heuristic. All of these biases help make up who we are and how we behave and without them we would never have survived so long let alone build a civilisation that explores other planets.

Software Development
Developing software solutions is largely a technical exercise, all logical and systematic in its approach to problem solving, so is it immune from cognitive bias? Of course not; you only have to work in the industry for a few days to see cognitive bias everywhere. Anyone who has tried to improve the accuracy of time estimation, or the security of an application, or develop a new user experience will have plenty of experience of cognitive bias. We evolve processes and tools to manage these biases in order to bring order, and most are pretty effective in some way. Some of the tools I particularly like are cognitive disruption games. You may have used them yourself; probably the most familiar one in the software industry is Scrum Poker[3]. We use this tool to help improve our estimating tasks by disrupting ‘availability cascade’. Another one of my favourites is Elevation of Privilege[4], a card game used to disrupt how we think about software security and threat modelling. While I was using Elevation of Privilege I pondered how a tool like this could help improve our product’s User Experience, or for that matter any part of a software product, using a standard card deck and loosely following the rules of one of my favourite recreational games, Texas Hold-em.

Cognitive Disruption Poker

A game built on some existing patterns and designed to engage your brain to purposefully disrupt your cognitive bias. It is easy to learn and play.

You will need

  • A 52 standard card deck of playing cards
  • A notepad
  • A problem to solve

It is ideas you bet
The rules are pretty straightforward; the game mechanic is almost identical to traditional Texas holdem as far as hands go. It’s not money you are betting but ideas/insight/acumen. You win a hand not simply by being dealt the best hand, but by justifying playing that hand with an explanation of your idea or improvement to solve the problem you are tackling. It has to have merit to be a playable hand, and the stronger the hand the more merit it has to have.

For software development the cards are in four suits, each suit sets the overall topic of the idea.


  • User Experience – How well the users and customers engage with the product
  • Platform – The logical nuts and bolts that the product is built on
  • Trustworthiness – Application security, safety and reliability
  • Commercial – Marketability, return on investment and profitability

The cards are ranked from

2 – A simple idea that effects a simple improvement to

Ace – A completely new untried idea that effects significant improvement.

For a great example of this idea of card ranking, download the Elevation of Privilege (EofP) cards, which this game is based on, and have a read through each suit. The ‘ideas’ are all pre-written in a way to get you thinking about software security and are a good guide to understanding card ranking. It would do little harm to download the whole Secure Development Lifecycle Model and carefully read through it to improve your spades – trustworthy hands (as well as improve your own software security).

The ‘hand’ rules are almost the same as Texas holdem: the best two to five cards you can play from the two in your hand and the five on the table. The exceptions to the traditional Texas holdem rules are that straight flushes are valid with 2 or more cards. E.g. is a valid hand. There is only one deal per hand; all five table cards are dealt with the first hand.

Suited Connectors
Suited connectors are important hands in Cognitive Disruption Poker. A suited connector is two or more ideas of the same topic connected to each other. The strongest, and most difficult, hand to play is a royal flush which is five connected and related ideas that are so fantastic they will cause such an improvement or change that it will go down in history, or at least appear on The Register. Be warned, just like traditional hold-em if you get dealt a royal flush and don’t play it you are in danger of giving yourself cognitive dissonance[5], a serious psychological condition[6]. To play well, play suited connectors.

Play order and Blind
Another key principle of the game is that the person left of the dealer has to bet ‘blind’, i.e. has to play their hand or at least try to play their hand. As the dealer and blind rotate clockwise after each hand, this gives everyone at the table an opportunity to participate and share their ideas. This starts off the flow of the hand and the flow of ideas; people are way happier to go second than they are to go first.

It is best learned by playing it. To help understand, here are some hand histories (all names fictitious):

Hand Examples
A team get together to improve an application that displays the latest Billboard 100 data with links to online shops that sell the songs on a referral reward system. How do we get it up the app download charts now that the ‘No 1 when you were 21’ app is beating our hide?

Community Cards: Qs 4s 5c Jd 2h
Dealer: Anthony
Blind: Andrew
Andrew 4c2s
    4c = We use a profiler to help rewrite the findfriends query to speed it up
    5c = While we are in the profiler we rewrite the 3 slowest queries to speed them up
Sarah 6h7h
    6h = We add a progress bar to show off the improved speed
    7h = We make the progress bar speed up towards the end, not slow down
Richard Qc10d: Folds
Anthony AdQd: Folds
Dealer Notes: Neil and Sarah play hands with merit, Sarah wins the hand.

You see how Andrew and Sarah played suited connectors; it is quite natural to think of a few ideas in response to finding a solution. By playing suited connectors the game disrupts the bias to share one idea, then wait and test the response before sharing anything else.

Community Cards: As 9d Ks 4c 7h
Dealer: Sarah
Blind: Richard
Andrew 6c3s: Folds
Sarah Ac2h
    Ac = We should virtualise all the developer environments and allocate dynamic memory and resources in response to complexity of work
    As = We should encrypt all connection heartbeats after the heartache bug
Richard AhJc
    Ah = How about we rename our product to socialsongs and use social graphs to automatically build playlists
    As = We add location information to the security validation and prevent multiple purchases on the same account from locations further than 50 miles apart without further validation
Anthony 4d7c: Folds
Dealer Notes: All hands have merit. Richard’s security idea wins the hand.

Although in this game Aces are actually difficult to play, when you get dealt Aces it is difficult to avoid the urge to have a try. Although the examples are fictional the kudos of successfully playing a strong hand is a positive bias that gives instant reward. Imagine being able to play the strongest hand in Poker, a royal flush.

Community Cards: 3s 10d 8c Jd Kd
Dealer: Richard
Blind: Anthony
Andrew 7c2s: Folds
Sarah 5c5s
    5c = Turning the logging strings to enumerations will increase performance
    5s = Closing unused connections will improve security
Richard KcKhKd
    Kc = We add real time social messaging to the platform using jSocial
    Kh = We all join the network to get things going
    Kd = We put adverts based on the songs discussed in the client
Anthony AdQd
    10d = We offer bonus tokens, collect 20 and get a free t-shirt
    Jd = We use the data we collect to predict number ones and bet on those predictions
    Qd = We set up our own betting shop as we will know number ones ahead of time
    Kd = Having created our own ecosystem we create a digital currency
    Ad = We train some simians to keep the developers supplied while they code
Dealer Notes: Anthony plays a royal flush but is disqualified as live animals are prohibited by H&S. Richard wins the hand with 3 of a kind Kings.

Disruptive Technology
I believe that to create disruptive technology one of the things you have to do is disrupt the cognitive biases that hamper great ideas as well as the biases that have a negative effect on our success. We have all worked on products or projects that didn’t quite meet the agreed expectations, let alone our dreams of doing something amazing. Using a tool like Cognitive Disruption Poker is just a fun way of exploring those ideas and tapping into our amazing brains that may produce something both great and unexpected.

If you play a great hand let me know, and if you are up for a game get in touch and I’ll bring my poker face.

 

References

[1] BBC Horizon on iPlayer
[2] Cognitive Bias on Wikipedia
[3] Scrum Poker
[4] Elevation of Privilege
[5] Cognitive Dissonance the book
[6] Cognitive Dissonance the podcast [ Mature Audiences only, may cause offence ]

© Neil Dixley April 2014

Get The User Experience Right on Password Policy

Two of my current technical passions are security and user experience. Usually these two efforts are driven and delivered by teams with very different visions and passions, and consequently little in the way of collaboration takes place, which, based on my experience today, is much needed.

Password Expiration

This morning I was presented with a regular annoyance from the last millennium. Back when everyone used ‘password’ as their actual password, the only way to get them to change their ways was to expire their passwords. This became a widely accepted best policy, which of course back then it was.

Other sensible policies have since come in, including complexity requirements, which have made easy-to-guess or easy-to-brute-force passwords unusable. The password expiration policy is just a sign that you haven’t made your complexity requirements strong enough to survive a brute force attack. Not only that, you haven’t understood how those attacks work: changing one password for another of the same complexity makes no statistically significant difference to the chances of it being cracked. Consequently all you have done is annoy your user into having to think of, and remember, another password.

How to make a strong password.

The key to making a strong password is thinking of something that is easy for a human to remember but hard for a computer to ‘guess’. One of the best ways to accomplish this is to have two widely disconnected words interspersed with non-alphanumeric characters e.g.

Snorkling$Trombone;)

Because I have a brain that is designed to treat new and unusual things with quite a bit of respect and effort to store, imagining a Trombone snorkeling in a sea of dollar bills with a winking smiley face will create a whole bunch of new neural networks and it will be very difficult to forget. A computer algorithm, however, will take a very long time to iterate enough combinations to ‘guess’ a password like that, and typically won’t even bother to waste resources when there are plenty of easier ones to focus on.

Now that I have made a real effort to invent a super secure password, why would you want to expire it every 6 weeks? If you’re that paranoid, enforce an even tougher complexity.

Being a typical human I get tired of this and discover a strategy that meets all the complexity requirements and satisfies the darn computer’s insistence that I keep changing my password – I add a number to the end.

Snorkling$Trombone;)0

Now I can keep my complex password and simply increase the number until retina scanning becomes everyday technology. Man and Computer both happy.

Trust my phone to spoil the party.

Now that the system has forced me to change my password, I have a bunch of other places I need to go and also change the password to the new secret+number. Probably the most important place is my mobile phone. My mobile has the unusual privilege of accessing a whole bunch of private and work related information as well as being very easy to lose or misplace. Now if someone else gets hold of my phone, changing my password will go a long way to stop them from doing anything that useful. Except my phone presents a user experience that has an unwanted and unexpected effect. Although it hides my password, it allows me to delete just one character, then add another without eliminating the hidden characters, making it very easy to change ********0 to ********1. The UI makes all that effort to invent a complex password worth almost nothing; simply changing the last character from 0-9 will give me a statistically high chance of guessing the password without having to imagine bizarre swimming instruments. It’s obvious when you see it, and would have long since been solved if some of the security folks occasionally went to a UX meeting and vice-versa.
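
The counter-suffix workaround and the one-character edit described above can be caught at the moment of change, when the user has just typed both the current and the new password. The following Python check is an added example, not code from the original post; the function names, the `min_distance` threshold of 4 and every sample password other than the post's own are assumptions constructed for illustration.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def strip_counter(pw: str) -> str:
    """Drop a leading or trailing run of digits (the rotating counter), fold case."""
    return re.sub(r"^\d+|\d+$", "", pw).casefold()

def rotation_verdict(old: str, new: str, min_distance: int = 4) -> str:
    """Classify a password change request.

    Both plaintexts exist only while the change form is being processed;
    stored hashes cannot be compared this way. min_distance is an assumed
    policy value, not a figure from the post.
    """
    if old == new:
        return "reject: unchanged"
    if strip_counter(old) == strip_counter(new):
        return "reject: same base, only counter or case changed"
    d = edit_distance(old.casefold(), new.casefold())
    if d < min_distance:
        return f"reject: only {d} edit(s) from old password"
    return "accept"

# Constructed sample change requests (old, new); the first pair is the post's own.
SAMPLES = [
    ("Snorkling$Trombone;)0", "Snorkling$Trombone;)1"),
    ("Snorkling$Trombone;)9", "Snorkling$Trombone;)10"),
    ("Snorkling$Trombone;)0", "Snorkling$Trombone;(0"),
    ("Snorkling$Trombone;)0", "Gravel%Accordion:D"),
]

def review_samples():
    """Return the verdict for each constructed sample, in order."""
    return [rotation_verdict(old, new) for old, new in SAMPLES]

if __name__ == "__main__":
    for (old, new), verdict in zip(SAMPLES, review_samples()):
        print(f"{old!r} -> {new!r}: {verdict}")
```

A rejection here is only useful if the interface then explains why, which is the same security-meets-UX conversation the post asks for.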