Chaotic actor: Understanding Anonymous and ourselves

18.05.2011

IT security has tried to differentiate 'good guys' from 'bad guys' with the mantles of White Hats (fighting for good) and Black Hats (fighting for evil). While this nomenclature was marginally useful in changing the tone, conveying that not all 'hackers' and 'researchers' were bad, it was never this simple. Like most things, the world is full of shades of gray. With increased escalation in the number, sophistication and type of APTs coming to light, these over-simplistic categorizations simply are not supportive enough of informed risk modeling and prioritization. Many of us struggle to come to grips with how to categorize groups like Anonymous, where to draw our bright lines as security vendors, or how to conduct ourselves as researchers in the industry. Confronted by such examples, the White Hat-Black Hat model is not sufficiently MECE (mutually exclusive, comprehensively exhaustive), and so we offer another way to look at the issue. I hope to drive more fruitful discussion, fewer snap judgements, next-order questions and, as a consequence, more optimal outcomes.

When confronted by current events, it has been interesting to watch the debates over groups like WikiLeaks or the decentralized hacker group known as Anonymous. Many security professionals and citizens at large are conflicted. The over-simplistic notions of good and bad don't seem complete enough. Regardless of good or evil, the group was instinctually different from other actors, in that it was more chaotic. Dusting off the old alignment charts from Advanced Dungeons & Dragons (AD&D) proved to be an apt and useful device for the dialogue. If we introduce the additional continuum of "those seeking order" (Lawful) through "those seeking disorder" (Chaotic), the conversation advances. We can then see the fuller three-by-three Punnett square with which to discuss the various actors in the field of IT security.