We remember things that stand out in the crowd. But different doesnāt necessarily mean itās important.
This is a draft chapter from my new book; Security Gems: Using Behavioural Economics to Improve Cybersecurity (working title).
Subscribe to read new chapters as I write them.
š Standing out is not such a badĀ thing
To āstand out like a sore thumbā implies that something is noticed because it is very different from the things around it.
Iām often guilty of being the sore thumb. Dressed in shorts mid-winter, whilst those around are being warmed by five layers of clothing.
One of the factors behinds EasyJetās success, arguably the pioneer of the low-cost flight, was to stick out like a sore thumb. The companies early advertising consisted of little more than the airlineās telephone booking number painted in bright orange on the side of its aircraft.
āHave you heard of that orange airline?ā, people would ask.
Have you ever highlighted information in a book? Then you too have used this effect to your advantage.
Psychologists have studied why our attention is usually captured by salient, novel, surprising, or distinctive stimuli. Probably using highlighter during their research.
Product designers understand our fascination with things that stand out and will spend hours perfecting the size, colour and shape of something to grab your attention, directing you on the path they want you to take.
Good products guide users to the important features and functions by making them stand out.
The big red flashing bell indicating a security alert should be distinctive, drawing attention and making it very clear that it needs to be looked at.
š Information overload can make standing out difficult
Being able to draw attention to something in the age of information overload is vital.
An email received from a friend or family member sticks out amid a sea of unfamiliar names.
A letter where the address is handwritten stands out, allowing me to easily filter boring correspondence from correspondence I will enjoy reading.
āYOUāVE WON A PRIZEā
āYOUR ACCOUNT HAS BEEN COMPROMISEDā
These email subject lines have a similar effect.
Not only is someone shouting at you, theyāre also warning you of a potentially serious event that arouses a sense of urgency.
Itās not your everyday (or hourly); āSally has liked your photos taken in 2003 on Facebookā email. Itās serious.
In phishing school [2], youāll find classes titled: How to grab a victims attention.
Successfully grabbing the attention of someone browsing their inbox is the first part of a successful campaign. You should expect the attackers to have aced that class.
š Not standing out can be disastrous
Digging deeper into the email inbox, or not as the case may be, itās clear our brains werenāt designed to deal with mountains of spam.
So called alert fatigue highlights this weakness. People stop noticing alerts, emails, texts, and [INSERT LATEST COOL MESSAGING SERVICE HERE] because there are simply too many.
People become desensitised to similar things being shown to them every day.
I once sat with a client who somewhat proudly proclaimed the āAlertsā folder in his inbox stood at 10,000 unread emails. That was nothing he assured me, his colleagues folder clocked closer to six digits!
You donāt want to foster this culture.
When my fire alarm sounds, my heart rate accelerates as adrenaline is pumped into my blood stream. The noise that stands out. Itās important. It immediately draws all my attention. Yes, even from an oh so cute cat video.
Security alerting needs to have the same effect. To point you to real fires. To prioritise what is most important. Missing critical alerts, emails, texts, or warnings of actual fires does not typically end well.
š The art of deception
The ability to recognise and remember things that stand out has long proved advantageous to our species.
As hunter gatherers being able to determine something that stood out was vital in finding food and avoiding becoming food.
Evolution has long realised standing out is a disadvantage.
Chameleons.
The Artic Hare is another great example of the evolutionary importance of blending in.
In the winter their bright white coats hide them from predators amongst a backdrop of snow. In spring, the hareās colours change to blue-gray in approximation of local rocks and vegetation.
Humans are no different.
Go to a club on a Saturday night and watch the herds of men and women dressed head to toe in clubbing uniforms.
During my college years flannel shirts were the āin-thingā. One night I bumped into 3 other guys, who all had a great taste in fashion I will add, all wearing the same shirt.
Militaries around the world understand the importance of camouflage. Soldiers donāt want to stand out. Itās a matter of life and death on the battlefield.
Neither do criminals.
Actors know downloading terabytes of data in a short period of time will stand out. Instead they slowly exfiltrate data over months patterns donāt stand out.
Malware is designed to act like a user, disguising itself as a normal process on an endpoint.
Yet so much of cyber security is focused on identifying the anomalies.
Sure, anomalies are important. Itās why so many vendors consistently demo that there product proudly detected ā3 failed logons, from 3 different locations, in 3 seconds, for 1 accountā.
However, the things that stick out, in a world where the bad guys are doing everything they can to stay anonymous, are only part of the story.
š Breaking camouflage
In the early days of map making it took a lot of time to produce a map.
Companies had to hire someone to go out and walk every street.
Needless to say, plagiarism plagued the pre-computerised map making industry.
In the 1930ās, General Drafting, a map making company, came up with an ingenious idea. In their map of New York State they included a copyright trap; a fictitious place, Agloe [3].
Fast forward a few years and the company spotted Agloe detailed on a map produced by one of their fiercest competitors, Rand McNally.
Such was the problem, Agloe continued to appear on a number of maps up until the 1990s. I can imagine the disappointed faces of day-trippers, and the ensuing arguments about wrong turns.
These traps have come to be affectionately known as Mountweazels [4]: a bogus entry deliberately inserted in a reference work. Prizes for anyone who spots the one in this book.
Like Mountweazels, honeypots are similar traps used in computer networks.
A honeypot mimics a system that may be attractive to an attacker, but would only ever be accessed by someone snooping around.
Like a motion activated light illuminates intruders attracted by the shiny objects in your house, honeypots illuminates attackers attracted by the shiny potential they offer.
š SecurityĀ Gems
If you want people to remember something, make it stand out.
- Make the right path clear: If you want a user to take action in a certain way, guide them by making the route stand out.
- Beware of normal: itās easy to remember things that stand out, but distinctiveness is not the only attribute you should be worried about.
- Donāt focus on anomalies: entice those operating covertly into the open. Break their camouflage.
- Donāt make yourself obvious: Remember, attackers are drawn to things that stand out.
- Communicate effectively: Make important communications and events distinctive in a way that makes sense. Remove the bullshit.
- Think about methods of communication: Sending important alert to mobile phone might make them stand out over email alone.
[1] Salience, Attention, and Attribution: Top of the Head Phenomena (Taylor & Fiske, 1978)
[2] Completely fictitious.
[3] Agloe, New York (Wikipedia)
[4] Fictitious entry (Wikipedia)
Security Gems: Using Behavioural Economics to Improve Cybersecurity
This post is a draft chapter from my new book. Pardon the typos.
Subscribe to read new chapters as I write them.
