The InfoSec Marshmallow

April 23, 2018  |  Bob Covello

I was listening to the Jordan Harbinger podcast the other day.  If you are a student of social dynamics, listening to this podcast is the best way to spend at least one hour of your week.  The producer of the show mentioned how a particular person was the type who “definitely ate the marshmallow”.  This made me chuckle.

If you are unfamiliar with the reference to the marshmallow experiment, it is based on a delayed gratification test conducted back in the 1970s at Stanford University.  It was designed to see if children who exercised delayed gratification would end up (many years later) performing better on aptitude tests, as well as achieving other positive life outcomes.  The test was a bit complicated, and many follow-up tests have been conducted over the years along the same lines.  The reason it has become known as “The Marshmallow Test” is due to a more recent version of the test showing how some children reacted to the experiment.

Each child was given a marshmallow on a plate and was told that they could eat the marshmallow now, or wait until the researcher returned, at which time they would be rewarded with two marshmallows. A hidden video camera recorded the reactions of the children as they waited alone in the room with the marshmallow. The most popular version of that experiment can be viewed in this 3-minute video, sure to bring a smile to even the most hardened InfoSec curmudgeon.

When thinking of that video, I wonder how some of us in the InfoSec community would have fared if we were subjects of that experiment.  Given the various InfoSec personality types, here are some comical thoughts about how we would perform.

The Hacker - This personality type would figure out a way to eat only the inside of the marshmallow, leaving the psychologist with a seemingly untouched specimen on the plate, thus getting the reward of the second marshmallow.

The Security Researcher – This type would poke the marshmallow numerous times to see if there were any weaknesses to exploit.  Once a weakness was found, the researcher would seek a bug bounty to get more marshmallows.

The Pen Tester – Similar to the security researcher, the pen tester would seek out the weaknesses; the difference in ultimate goal is that the pen tester would aim to pop the shell of the marshmallow to gain full access.  The Pen Tester personality type would also be sure to have a “get out of jail free” card in case the intrusion is detected.

The Cyber Forensics Investigator – This person would note the current state of the marshmallow, tag it, bag it, and take it (and the reward marshmallow) home for further “examination”.

The Red Team member – This person would take bites from the marshmallow, waiting to get caught.

The Blue Team member – Guardian of the marshmallow!

The Security Auditor – This type would ask the psychologist for evidence about the reward marshmallow in order to achieve a “level of comfort” that the experiment is following the correct control protocols.

The Security Policy-maker – Marshmallow Policy: All marshmallows MUST be observed and not eaten until the experiment is concluded.

The Social Engineer – Of course, this personality type would convince the psychologist to watch the marshmallow while the social engineer holds and munches on the full bag of remaining marshmallows.

I hope I have captured the essence of how we InfoSec folks would have performed if we were in the position of the marshmallow test subjects.  I know that there are a few InfoSec functions that I have omitted, such as the CISO, the Security admin, and the Incident responder, but I leave those to you to observe on your own.  Here’s hoping that you gain new insights into the various InfoSec personality types.  In the meantime, go enjoy a well-deserved marshmallow.

Tags: infosec
