The three domains of problem solving
PSL splits effective problem-solving leadership into three dimensions that are always present and always interacting. Most security work addresses only the first.
Rational
Facts, data, analysis, models, tooling, root cause analysis. This is the dimension most engineers identify as the whole job. It is necessary. It is rarely sufficient.
When a vulnerability exists and the technical fix is clear, the rational layer is satisfied. The problem is that most security failures do not stop there.
Emotional
Motivation, fear, trust, ego, communication, conflict, psychological safety. How people feel about the problem, about each other, and about the consequences of acting.
A developer who fears that reporting a security issue will delay their release will not report it. An ops team that is overwhelmed will convert shortcuts into policy. A security team that is experienced as a blocker will be routed around, efficiently. These are not attitude problems. They are emotional constraints operating on the system, and they determine whether technically correct solutions get implemented.
The typical red team observation that never makes it into the report is: everyone knew. Nobody wanted to be the one to say it.
Political
Influence, authority, incentives, organisational constraints, hidden agendas, and the question of who benefits and who loses from any given change.
This is the graveyard of good security work. Findings classified as accepted risk are often not about risk appetite. They are about the cost of fixing something landing on a team that does not benefit from it being fixed. Shadow IT protected by powerful stakeholders, budget ownership split in ways that guarantee no single team can act, security recommendations that conflict with the KPIs that drive bonuses: these are political conditions, and they decide whether anything changes.
Why all three matter
Most failed problem solving over-indexes on the rational dimension while the real blockage sits in the other two. Weinberg’s formulation is direct: if you are stuck, you are probably solving the wrong part of the problem.
The implication for security is that a technically brilliant report is not the output. The output is change. Change requires that all three dimensions are addressed, and that the people doing the work can see all three clearly enough to know where the actual obstruction is.