This essay specifically tackles programming, but I would argue the same analysis applies nearly exactly to security and risk management.

There are some great comments, too, so if this interests you at all, go check out the link. One paragraph that especially jumped out at me is this one:

It’s the specificity of a program, the need for exactness when our natural world allows for ambiguity. Natural language did not evolve to specify video games or algorithms. Natural language evolved to allow interaction between thinking beings. Programming languages are about specifying a process to a machine. Dorn’s hypothesis would say that the problem of Commonsense Computing Researchers and John Pane is that what we describe in natural language is necessarily ambiguous, and the process of getting it exactly right for the machine is the hard part.

Now think of the corporate obsession with process. We’re essentially trying to build algorithms which are executed by people rather than computers. So when the process fails, we develop another process to address the failure. Hence, the Big Ball of Duct Tape.

If programming is about being able to hold some portion of the program in your head as a visualization of the system, and most people can’t do it, then what chance do they have of following a process, which was probably designed by someone with exactly the same constraints?

And don’t even get me started about probability…