Schneier on Security
July 1, 2009
Security, Group Size, and the Human Brain
If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with.
Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking" part of the mammalian brain -- volume with the size of primate social groups. By analyzing data from 38 primate genera and extrapolating to the human neocortex size, he predicted a human "mean group size" of roughly 150.
This number appears regularly in human society; it's the estimated size of a Neolithic farming village, the size at which Hittite settlements split, and the basic unit in professional armies from Roman times to the present day. Larger group sizes aren't as stable because their members don't know each other well enough. Instead of thinking of the members as people, we think of them as groups of people. For such groups to function well, they need externally imposed structure, such as name badges.
Of course, badges aren't the only way to determine in-group/out-group status. Other markers include insignia, uniforms, and secret handshakes. They have different security properties and some make more sense than others at different levels of technology, but once a group reaches 150 people, it has to do something.
More generally, there are several layers of natural human group size that increase with a ratio of approximately three: 5, 15, 50, 150, 500, and 1500 -- although, really, the numbers aren't as precise as all that, and groups that are less focused on survival tend to be smaller. The layers relate to both the intensity and intimacy of relationship and the frequency of contact.
The smallest, three to five, is a "clique": the number of people from whom you would seek help in times of severe emotional distress. The twelve to 20 group is the "sympathy group": people with whom you have special ties. After that, 30 to 50 is the typical size of hunter-gatherer overnight camps, generally drawn from the same pool of 150 people. No matter what size company you work for, there are only about 150 people you consider to be "co-workers." (In small companies, Alice and Bob handle accounting. In larger companies, it's the accounting department -- and maybe you know someone there personally.) The 500-person group is the "megaband," and the 1,500-person group is the "tribe." Fifteen hundred is roughly the number of faces we can put names to, and the typical size of a hunter-gatherer society.
These numbers are reflected in military organization throughout history: squads of 10 to 15 organized into platoons of three to four squads, organized into companies of three to four platoons, organized into battalions of three to four companies, organized into regiments of three to four battalions, organized into divisions of two to three regiments, and organized into corps of two to three divisions.
Coherence can become a real problem once organizations get above about 150 in size. So as group sizes grow across these boundaries, they have more externally imposed infrastructure -- and more formalized security systems. In intimate groups, pretty much all security is ad hoc. Companies smaller than 150 don't bother with name badges; companies greater than 500 hire a guard to sit in the lobby and check badges. The military have had centuries of experience with this under rather trying circumstances, but even there the real commitment and bonding invariably occurs at the company level. Above that you need to have rank imposed by discipline.
The whole brain-size comparison might be bunk, and a lot of evolutionary psychologists disagree with it. But certainly security systems become more formalized as groups grow larger and their members less known to each other. When do more formal dispute resolution systems arise: town elders, magistrates, judges? At what size boundary are formal authentication schemes required? Small companies can get by without the internal forms, memos, and procedures that large companies require; at what size does each of these tend to appear? How does punishment formalize as group size increases? And how do all these things affect group coherence? People act differently on social networking sites like Facebook when their list of "friends" grows larger and less intimate. Local merchants sometimes let known regulars run up tabs. I lend books to friends with much less formality than a public library. What examples have you seen?
An edited version of this essay, without links, appeared in the July/August 2009 issue of IEEE Security & Privacy.
Posted on July 1, 2009 at 6:51 AM
I think it was the boss of American Steal who made the comment about teams of more than 100 people do not work.
I guess this makes his point some 70 years later.
Bruce your military knowledge leaves something to be desired, and IEEE doesn't get points for their fact checking ... squads of 10 to 15 organized into PLATOONS of 3-4 squads, organized into companies of three to four PLATOONS, organized into BATTALIONS of three TO FOUR COMPANIES, organized into REGIMENTS OF THREE TO FOUR BATTALIONS, divisions of three regiments, and corps of two to three divisions.
Chuck beat me to it ... :-)
This roughly corresponds to my observations about science fiction conventions. For example, once the attendance at the con goes over about 150, you need a different concom structure. The next break I pegged at 500-750, and the next one 1200-1500. Most formal groupings, have similar structural necessities, it seems.
You have an unterminated italic tag in the last sentence in this post ;)
Forgive my scepticism, but given the ranges around each group size, it's hard to imagine a hierarchical human structure that *wouldn't* fit this model...
I had a history professor talk about how the problem of communism wasn't the theory - after all, from each according to ability, to each according to need, is how most families work - it was that the idea didn't scale. It just doesn't work beyond the size of a kin-group. And I do recall that he placed the number at "around 150."
Please fix the HTML. Thanks. -D
I attended a small prep school. Each of the four classes (frosh, soph, jr, sr.) numbered roughly 225-250 students. Students highly identified with their class. And to this day there are only a few people whose names I don't recall from my class, now thirty years later. Within our class there were many cliques numbering about 20 students each, and obviously team sports were ways that we identified with each other. At the school level, we were full of spirit, surely a tribe.
Bars that attract
Cliquish psychodrama starts mildly at around 50 people, ramps up around 150, and gets into full-scale dismissiveness and infighting over 150.
This was a central theme in Malcolm Gladwell's excellent book, The Tipping Point. It's fascinating that our brain is wired the way it is.
Is there any relation between the size of a functional group and the introversion/extroversion of its members?
How much does daily exposure shift the upper and lower bounds on these groupings? If you regularly interact with fewer people (or with more), your idea of closer or more distant groupings might well change, at least within the boundaries of brain size.
There's a tipping point in corporate structures, for example, where everyone will know everyone else and do one another's jobs up to a certain head count, and then after division into departments or whatever, the number of well-known people becomes much smaller, and some people seem not to know anyone at all.
This definitely varies from person to person. I look at that "matching 1500 faces to names" and think... wow, that's not me. 150 would be a real stretch. More than 10... but not much more.
Now, it seems to me that in some of the better organizations I've seen, there is effort to keep group sizes small, but to avoid sharp group boundaries. So groups are ~10, but individuals are part of at least two groups, allowing a large mesh to form, which increases resiliency (where you aren't just relying on your 9 "friends" to help you, but the 18 friends in two groups, plus the 162 "friends of friends" one hop away). It doesn't help with the authentication issue (you can positively identify some group, maybe 150, but the security implication here is negative authentication - past 150, if someone you don't know claims to be a member, it's harder to call BS with confidence).
Social Science Sirens sing sweet songs...
I have been caught in the call of this song before but eventually you hear the voice of reason, in this thread the voice of sanity is Greg Wilson:
"Forgive my scepticism, but given the ranges around each group size, it's hard to imagine a hierarchical human structure that *wouldn't* fit this model..."
Turns out your insight is that, for some base b, people historically grouped themselves into groups of 10b, 100b, 1000b, ...
Bruce, I like the theme you have started here but it reads like a wiki entry still in need of revision.
"companies greater than 500 hire a guard to sit in the lobby and check badges"
Says who or what? The many assessments I've done would say this is not only false, but painfully false and often a point of contention with management. I have had large companies explain to me that they do not want to give the "wrong impression" to their employees by hiring a guard to check badges....
I noticed a lack of reference to tools and technology. Badges are the only exception. Does technology change the game for the limits? Could a team of 50 with tools perform as a team of 150 without? In other words, can we expand our mean group size with technology (e.g. social network tech) to 300?
"Small companies can get by without the internal forms, memos, and procedures that large companies require; when does what tend to appear? How does punishment formalize as group size increase?"
The company I worked for grew past this size while I was there. A lot of ad hoc solutions have come up to help with communication, training, size limits of our personal directories on the servers, etc. Lots of little things that didn't matter went on to being big problems. A lot of talk and not many solutions have come up before we lost a lot of work and most people got laid off.
Thankfully, we were split into different buildings depending on the type of work we did, and we worked across three shifts. I had at most 12 co-workers that I interacted with daily and another 40 or so I had to keep track of.
I find this interesting. In World of Warcraft, it's easy to keep 10 people together for a "small" raid, but maintaining order with 25 people for a "large" raid is a tremendously large amount of work.
This also relates to the Silicon Valley problem of Death by Success. When a company is growing explosively, it can spend all its time reorganizing for its new, larger size and stop having time to produce.
SF conventions are the first thing I thought of, too. Somewhere in the 1500-2000 person range is where people start complaining that their regional convention is getting too big and impersonal.
(To unpack a bit of fannish jargon Mr. Romm used: concom = convention committee.)
I think Godwin's Law needs a World of Warcraft clause in it.
One sleep-away summer camp/school went from about 80 kids to about 300 kids during the years I was associated with it. The change was fascinating to watch.
With 80 kids, there was one counselor per 12 kids and about one teacher per 10 kids. All counselors, teachers and administrators met in one group. Most communication was informal and oral, what notes and memos there were were just handed out when we happened to see each other.
I watched the organization form and change as the camp grew. It remained one counselor per 12 kids and one teacher per 10 kids but many other things changed. Teachers knew teachers, counselors knew counselors, counselors knew their kids' teachers. But not all teachers knew all counselors any more. Counselor groups now had subgroups with the subgroups meeting daily, the overall group weekly; same for teachers. Teachers and counselors had inboxes for notes and correspondence.
The most annoying change was that the xerox machine was locked down. I guess that the increase in formal communication was too much for the paper budget, so informal use (such as art activities for the kids) was banned.
If you're talking about tribes and hunter-gatherer societies, then presumably those people would only be associating with the same group of (say) 150 people. Surely it's different nowadays, e.g. with work colleagues and college friends in non-overlapping groups. Then throw in the groups for any hobbies you do, e.g. all the people in your cycling club, or the people who support the same football team as you and turn up to watch the matches together. If any one person can only track 150 names, does that mean that you only have 20 slots available for work? Or is it 150 per context?
@John C. Kirk I think it's 150 total, just from personal experience. There's a definite tension when one runs in several disjoint social circles, because one only has so much time.
The implications of the hierarchy of attachment are interesting as well. If I'm part of three groups, but all my close attachments (the clique and sympathy groups) come from two of those groups, I'm less connected to the third, even if most of my casual acquaintances come from that group.
In kin-based larger groups, identity is also tied to family. And recognizing familial traits like facial likeness, hair color, skin tone, voice, etc. is an aid to recognition.
I still notice this when I revisit the town where I went to high school. I'll recognize a face or voice in a chance encounter, ask if that person is related to X from my class, and find out it's a son, daughter, niece, nephew, etc.
I don't think I'm unique, either, because my nieces and nephews (as well as my siblings) get asked similar questions, and it's from someone I knew in my youth, or a relative thereof.
But I have 800 friends on Facebook!!! :/
JC Kirk: If you're talking about tribes and hunter-gatherer societies, then presumably those people would only be associating with the same group of (say) 150 people.
Wrong. Small-scale societies are extensively intertwined. You may be a member of tribe X, but your wife may have grown up in tribe Y, or her parents did. Good odds you've had 3 spouses over your lifetime.
Then your brother's wife's family is from tribe Z.
In "hunter-gatherer" societies people spend a lot of effort in tracking this network of interconnections -- some call it "twining", as in a rope. It's terribly important -- economic exchanges go along these lines, and without intertribal linkages your tribe would stagnate and die.
Additionally, you have to figure out some set of kinship relationships when you meet a "stranger". Since there is no government, if you can't come up with some set of links that connect you -- you suddenly have no reason not to kill the stranger and vice versa.
It's the same set of tools for 100,000 years, just changing context.
Church growth follows similar patterns. Alice Mann of the Alban Institute has written a great deal about this, in particular in the book "Raising the Roof" http://www.alban.org/bookdetails.aspx?id=1004. "Family-oriented" churches get up to about 40 members; "Pastor-oriented" churches get up to about 120-150 (the limit for the number of people the pastor can have a personal relationship with), "Program" churches are >200 or so, and "Mega, Corporate" churches are bigger still. The mentioned book discusses stress in the in-between sizes. How does a church grow when it's too big for a Pastor to keep up with, but too small to staff the committee structure of the Program church?
"for some base b, people historically grouped themselves into groups of 10b, 100b, 1000b, ...
Almost but not quite, powers of ten are really a "most modern" almost metric affair.
Historically you need to think powers and multiples of 12 or 60.
With 12 you get,
12b, 144b, 1528b
Which are closer to the numbers Bruce gives than powers of ten.
Oh and without going into details it's actually almost as easy to count to 24, 60 or 144 on your fingers as it is 10 (and actually a lot more useful to a trader than ten could ever be).
Nice catch. I was trying to write 10 sub b; not 10 * b; the b is supposed to indicate which base we use to interpret 10.
Certainly interesting, and may be related in interesting ways to the power law scaling of social (and other) networks.
However as Greg Wilson points out, the fuzziness of the numbers makes it difficult to draw any definite conclusions.
For example, the smallest unit of military organisation is actually the fire team of 3 or 4, and that's just because any less than 3 can hardly be called an "organisation"; groupings of just two are used for some purposes ("the buddy system".)
The smallest squad size of which I am aware is 8, but note that that is "nominal strength"; in reality it is common for military units to be slightly understrength, and I have often seen squads of 6. I don't know of anyone who has 15 man squads but I do know of up to 14 man ones. Coming down on the other side however there is the "patrol" which is approximately half a platoon, and so ranges from about 12 up to a little over 20. Then the platoon proper ranges from 26 (nominal) up to 50 (nominal.)
Then, like the patrol, before we hit the company we can slip in the "half guard" which is approximately half a company with a typical strength of 50 to 100.
Companies range from 75 to 200 -- nominal.
Battalion sizes vary enormously too, although I should point out that most have more than 4 companies: it's usually 3 or 4 "ordinary" companies (e.g. rifle companies in an infantry battalion) plus additional support elements (usually a combat support company which includes e.g. heavy weapons, and a service support company that provides administrative and logistic services such as transport pool, medical support, etc.)
I could go on but I think the point is clear: military organisation is a hierarchical structure with sufficient flexibility that it can accommodate any number of persons in an organisational unit, which if you think about it, is probably a useful feature in most organisations ("oh no, we have three people too many, whom shall we expel?!")
It is true that the size of groupings grows roughly exponentially with a smallish base, but this is a function of making it practical for the leader at each level to communicate with his subordinate leaders. What is perhaps more interesting here is that the base (generally described above as "three to four") is more usually considered to be 3+1. That is, at each level we combine (about) 3 of the "ordinary" subordinate element with an additional support function that was not required at lower levels. The nature of the "+1" can vary considerably at different levels.
1. Six, by the way, is the absolute minimum group size at which you can maintain 360°, 24 hour / day vigilance whilst still getting a crude approximation of adequate sleep. With fewer than 6, either you have times at which only one person is on guard (in which case there must be unobserved directions of approach, hopefully the least likely ones), or you get so little sleep that after a few days your sentries wouldn't notice a bus load of tourists driving past. Thus if squads drop below 6, you need to re-organise into a platoon that has a smaller number of slightly larger squads.
I agree with John C Kirk's point - if I have a budget of 150 interpersonal relationships, I'm not going to spend all 150 at my workplace.
One problem I see with concluding group size is based on limitations of the human brain is that group coherence must also be a function of how much time you have in a single day.
Interpersonal bonds, whether personal or professional, are gained through shared experiences. The people I consider co-workers are the people I work with the most. Since I only spend 9 hours working per day, the number of people I work with is limited. I only have so many social hours, if I tried to get a huge group of friends during those limited hours, I wouldn't spend enough time with any particular individual to become good friends with anyone.
@peri: "Turns out your insight is that, for some base b, people historically grouped themselves into groups of 10b, 100b, 1000b, ..." "...I was trying to write 10 sub b; not 10 * b; the b is suppose to indicate which base we use to interpret 10."
Did you actually mean to say "integer powers of b"? Because that's how the two above quotes read.
Once I got to 150 girlfriends, I asked each to wear a name tag. Now I don't have any girlfriends.
I have seen the obverse of this: once the organization has grown large enough to break into sub-groups, it's important for every member to be in one of the sub-groups.
I'm involved with a roller derby league. About 130 people. These people are naturally organized into 5 teams of about 20 skaters each, one referee/scorekeeper crew (also about 20 members), and a few people who are not on any of those teams, including myself.
Naturally, the league communication structure is set up to facilitate communication between teams through team captains. The governing committee communicates decisions and solicits input from the members through the captains of the teams and the head referee.
Which means I and people like me are often out of the loop, because we don't fit the structure. Whatever it is gets discussed at the captain's meeting....
Looking again at the military example, the base of the exponentiation -- the factor by which group sizes increase at each level -- has varied with technology, which makes it seem unlikely that it is driven by fundamental features of the human brain.
In modern armies it is about 3 or 4, as discussed previously. But from ancient Roman legions through to the Napoleonic Wars and at least up to the US Civil War, it was closer to a factor of 10 up to somewhere around brigade or division level, when it dropped back to 2 or 3 due to logistical limitations. For example in the classic (Marian) Roman army, including support troops the steps from individual soldiers to entire legions go: 10, 10, 6, 10.7 + 1. Roughly similar patterns are found in the Napoleonic Wars and the US Civil War, although as regiments were based on regional recruitment the numbers were much more variable (e.g. the number of companies in a US Civil War regiment could vary from as few as 4 up to 11 or perhaps more.)
The reason for the change was changing military tactics due to changing technology. Such a small base is used today because modern tactics tend to emphasise wide dispersion and rapid coalescence. This is related to technology in two ways: the destructive power of area effect weapons made dispersion desirable, while radio communications and motor transport made it practicable.
In earlier eras, the slow speed of concentrating forces and lack of area weapons gave a decided advantage to an army marching in the largest formation that logistics could support, so there was less structure below the level of the regionally based regiments.
It is true that we very widely see the existence of units with a strength somewhere on the order of 100 men. However the nominal strength of "company level units" varies by a factor of 3, and units of 150 or more are not the most common. Most "company level" subunits were quite a bit smaller. As the name implies, Marian Roman centuries had ~100 men, but this was because Marius attached the support troops at the lowest level; there were only 80 actual legionaries. In the condottieri model from late Middle Ages to the Renaissance the closest unit to what we call a company today would be the bandiera, which was about 75 strong including support staff. 80 is also a typical strength for companies in the Napoleonic Wars, while in the US Civil War they ranged from 60 up to the mid-80s. In the first half of the twentieth century they tended to grow slightly larger, up to around 110, but the reasons for this were, once again, technological not psychosocial.
Sometime in the seventies, I heard William Gore (Goretex) say that esprit de corps evaporated in his company in groups of over 150. IIRC, he'd hive off units when groups started approaching 150 members.
During my initial HAZOP field training in the early 90's we used 7-3-6 rule.
In level 'A' suits with unknown chemical, fire, RAD and haz threats we deployed, trained and conducted daily ops in groups of 7. In the field we then broke out the 7 into two groups of 3 with a stay back op for rescue, rotation, monitor and com (non-military gov cleanups).
We would be given a maximum of 6 primary objectives (thus 7-3-6).
Our lead instructor was an ex-mil with a big cigar and no fear attitude... he trained brigades that went in to clean up Kuwait, Weyauwega and dozens of other national 'incidents'.
And while we had 100% different personalities and lives, I still train and run teams the same as he taught me.
In business, IT, operations, team sports 7-3-6.
When you increase the numbers, risk grows exponentially.
The difference between ours and military group size was indicative of the lack of human threat to loss ratio...
Toxic drums and fires don't fire back.
I hate doing bases using subs etc because it always causes confusion in a single type face.
And of course it gives rise to the old joke,
Q: Why can't programmers tell the difference between Halloween and Christmas?
A: OCT 31 = DEC 25
"Six, by the way, is the absolute minimum group size at which you can maintain 360°, 24 hour / day vigilance"
Hmm, there is always the exception...
In the British army certain specialist units have the "four man brick" who will do extended operations behind enemy lines.
Likewise Observer/Snipers usually operate in pairs (gunner / spotter) again often for extended periods.
Of interest is "lighthouse keepers": originally (for fiscal reasons) there were just two per light on a six week or more shift. However after a tragic accident which caused the death of a lighthouse keeper and caused his "mate" to go mad whilst waiting for relief, the number of keepers was increased to three.
It is also interesting to note that people who work in very small teams at close quarters for extended periods have certain personality traits that are not that common.
"... squads of 10 to 15 organized into PLATOONS of 3-4 squads, organized into companies of three to four PLATOONS, organized into BATTALIONS of three TO FOUR COMPANIES, organized into REGIMENTS OF THREE TO FOUR BATTALIONS, divisions of three regiments, and corps of two to three divisions. ..."
You've unwittingly proved his point!
Um, "...Larger group sizes aren't as stable because their members don't know each other well enough. Instead of thinking of the members as people, we think of them as groups of people. ..."
We might know a few Joes from Company X over at Y Battalion, but I hardly think we know *all* of 'em.
cheers! I get your point about 150, and yeah, but still ... hee hee!
These relationships are not necessarily transitive -- think the difference between a mailing list and facebook. So "group" is not always the appropriate word.
What Rodger said. Add to that the undifferentiated nature of earlier armies. The 10 companies of a Civil War regiment were, for the most part, functionally the same. The same is true of the Centuries of a Marian legion. Modern militaries almost always have a specialist heavy weapons and possibly support subunit for every three to four regular subunits.
This doesn't necessarily totally invalidate the point. Perhaps earlier armies were able to function at a greater sub-unit multiplier because of simpler structure and the fact that for the most part, everybody fought in line of sight.
> In the British army certain specialist units have the "four man brick" who will do extended operations behind enemy lines.
I don't think this is quite correct. I am aware of the brick -- indeed it is also used also by conventional light infantry in certain terrain -- but I don't believe it often operates independently for extended periods. Of course I have plenty of wiggle room with the vagueness of "extended", but there are widely published instances where two bricks were combined into 8 man sections for deployments of more than several days.
> Likewise Observer/Snipers usually operate in pairs (gunner / spotter) again often for extended periods.
Yes, but they cannot achieve "360°, 24 hour / day vigilance"; they rely almost completely on concealment for security.
"I don't think this is quite correct. I am aware of the brick -- -- but I don't believe it often operates independently for extended periods."
Well amongst specialised units it does, although since the collapse of the CCCP/USSR the need for "stay behind" units for intel and other purposes is diminished; "drop behind" and other units are for similar reasons on the up.
During both Gulf wars they were deployed behind the lines as bricks and the specialist units train on this assumption.
Think of organization in terms of a fractal: Scaling, self similarity, and of course total chaos should you get it wrong.
The generator driving the fractal is the cost-benefit relationship of organization to the problem at hand.
Don't mean to stir-up a hurricane with this brief comment here... :-)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.