The three Foundations of Asimov

A vast sci-fi scene inspired by Isaac Asimov’s Foundation universe: on the left, the First Foundation on Terminus, a sleek futuristic city under a transparent dome, glowing with advanced technology and starships; on the right, the hidden Second Foundation represented by shadowy figures in a vast ancient library on Trantor, surrounded by data streams and subtle psychic energy; in the centre background, Gaia as a living planet, covered in lush forests and oceans, glowing with a soft green consciousness, faint neural patterns connecting all life; the three elements connected by faint lines of light symbolising influence and control.

Hari Seldon’s plan required two foundations. The first would preserve the knowledge of civilisation. The second would quietly ensure that knowledge was applied to the right ends, by people who understood how minds actually work under pressure. Neither alone was sufficient. The first without the second produces an encyclopaedia nobody uses correctly. The second without the first produces manipulation without substance.

The work collected here is organised around the same distinction, with a third option that neither Seldon nor most security teams spend much time thinking about.

The first foundation is the technical and knowledge layer: tools, frameworks, documented practice, the accumulated understanding of how attacks work and how defences are built. It is necessary. It is also, by itself, insufficient for the reasons that have been known since at least the 1970s and rediscovered approximately every five years.

The second foundation is the organisational and psychological layer: how people actually behave under pressure, how communication breaks down in exactly the ways Satir identified decades ago, how organisations resist change for systemic reasons that have nothing to do with competence or intention. This is the layer that makes the first layer work or fail.

The third option, Gaia, is the uncomfortable question about whether external control is the right model at all. In security terms: what would it look like if the organisation had genuinely internalised security as a shared practice, rather than having it imposed from outside by a function whose job is to correct behaviour?

Seldon himself would note that the plan is only as good as the initial assumptions. This section is partly about the assumptions.