American View: Why Do Our Brains Trick Us into Subverting Critical Security Controls?


One of the most important lessons I teach new hires and interns is that we’re all influenced by our cognitive biases … More than we’d like to admit, and far more than we recognize. This negatively affects our work as security professionals. Attributing bad behaviour to wilful disobedience is counterproductive to influencing positive culture change. Many – if not most – users aren’t defying security protocols out of deliberate spite; often, they’re acting appropriately for a situation that doesn’t exist. That is to say, their unconscious biases might have led them to misunderstand what’s happening, and their response is perfectly logical given what they (wrongly) think is happening.

This is a hard lesson to swallow. I’ve noticed that many new university grads entering the workforce come with bizarrely skewed mental models of how adults act in the office. Between TV dramas and highly abstracted college classes, these kids hit the cube farm expecting inhuman levels of motivation, professionalism, selflessness, and obedience. That is to say, they assume that humans will act more like automatons than flawed, confused, distracted people. That’s always my first lesson: we must deal with people as they really are, not as we wish them to be.

Of course, that epiphany requires us to explore the concept of cognitive biases and heuristics so my students can come to terms with just how badly these influences affect our everyday functioning. This is one of my all-time favourite blocks in my curriculum. I pull heavily from David McRaney’s books since (as far as I’m concerned) no one explains it better. [1]

This block of instruction often foretells how well the new folks will do on the job. I don’t have comprehensive data to prove my suspicions, but the limited anecdotal data I do have suggests that the young folks that “get” it are far more likely to vault ahead of their peers since they’re starting their careers with a practical and nuanced view of individual and collective behaviour. That’s a life skill that never loses its value.

The one constant to business life is that you’ll always be working with other people … like it or not.

That said, it’s also a life skill that requires constant reinforcement. It’s embarrassingly easy to get comfortable with your own brain and start to believe – falsely! – that you’re a perfectly rational, unfettered thinker. That’s why I’ve embraced everyday reminders to stay humble. This week gave me a great reminder that I’m still smirking over.

In my last American View column, I mentioned that my wife recently suffered a near-fatal cardiac episode. She’s doing much better – thankfully! – but still can’t do much for herself while she recovers. This last Saturday, she announced out of the blue that she was famished and sent me down to the shops to bring her back a hoity-toity sandwich – ASAP! I did as I was asked. I placed her order online, in my name, pre-paid with a credit card, and jumped in the car.

I reached the restaurant right as her order was ready. A cook had just placed her takeout bag in the “pre-ordered” cubby rack as I walked in. Excellent timing, except … as I went to walk out with her order, a manager stopped me and asked me to prove that I was authorized to take the bag I’d just taken.

“What’s your name?” he asked.

“Keil,” I said.

“What’s the name on the order?” he asked.

“The same. ‘Keil.’ See here?” and I pointed to the name printed on the top of the receipt.

“Delivery drivers aren’t supposed to use their own names on orders,” the manager lectured me.

It wasn’t quite this confrontational, but I could tell the manager thought he was dressing me down.

I blinked, then got what he was on about. I thanked the manager and took off before I caused a scene laughing at him.

Looking at it from the manager’s perspective, an under-dressed and scruffy-looking middle-aged man had entered his restaurant with an order printout in hand and gone straight to the takeaway rack. This manager’s typical clients were middle class women. A fellow looking like me could – in the manager’s experience – only be a gig economy delivery driver (e.g., DoorDash, Favor, et al).

Given how I normally dress, I understood the man’s implicit bias. If not acted on by an outside force (i.e., my wife’s glaring disapproval), I’ll dress every day like a common labourer in a dark-coloured, heavy-duty T-shirt, heavyweight cowboy jeans, and scuffed work boots. It’s a plain, comfortable, and practical ensemble that ignores fashion entirely in favour of pragmatism. It’s a habit I embraced when I joined the Army at 17. I grew accustomed to the feel of practical work clothing before I entered university. When I left the military, I adopted the nearest civilian equivalent … one that looks appropriate for a blue-collar lifestyle. I go for the generic everyman look and quite happily blend into the background as someone unimportant.

Thus, the hoity-toity salad-monger took one look at me, came to a perfectly logical (if slightly bigoted) assessment of why I was in his establishment, and treated me “appropriately” given his calculation of my social station. I could have set the man straight but that wouldn’t have benefitted either of us. Dallying to challenge the man’s judgment would have delayed getting my ill wife her lunch and would have put the manager’s back up. People rarely appreciate being publicly corrected for having acted like a classist jackwagon.

I found the encounter harmless and funny. Of course, if I hadn’t been a white male in this situation the outcome could’ve been much worse. Despite the contrived howls of pretend outrage from the reactionary community, America is still a bigoted country. Texas often doubles down on standard American racism, sexism, and religious intolerance with its unique flavour of homespun classism. These biases exist. They’re not always punitive or violent; some casual manifestations of implicit bias in Texas are limited to mild hostility or condescension. People just aren’t as friendly as our state’s tourist bureau would have you believe.

To be fair, you’ll likely have a great time … provided you look like this when you visit.

This matters, I teach my students, because manifestations of these biases happen in the workplace all the time. People don’t stop being biased just because they came to work. The subtle biases that we unconsciously hold towards others infiltrate our thinking in the workforce just like they do with strangers in the public square. These silent “weighting factors” affect how we interpret our co-workers’ and vendors’ motivations, competence, trustworthiness, and even truthfulness. Our willingness to cooperate with others is influenced by how our brains judge them even though our corporate “values” claim that ours is a “culture of trust” (or however it’s spun on your company’s motivational breakroom posters).

As an aside, we also tend to unconsciously favour people that we feel “belong” to our office community and disfavour outsiders (i.e., in-group favouritism bias) even if “outside” means “outside our team or department” within the same organisation. In short, it’s normal for workers to misjudge – and, therefore, foul up – their professional relations with their co-workers without realising it. We’re often the victims of our counterproductive biases.

Getting interns and new hires to grok this concept (i.e., we have met the enemy and he is us) can be darned difficult. No one enjoys admitting that they’re prejudiced, even a little bit. That said, wrapping your head around the idea that your unconscious mind might be working against you is the crucial first step towards taking control of your flawed perceptions. Once you understand what your brain is doing, you can recognize and correct for it. You can challenge your reactions and make more rational, more responsible decisions … thereby making yourself a more effective team player.

That, in turn, pays huge dividends for the savvy security professional. Once we understand how cognitive biases can sabotage rational thought, we can change our messaging, policies, and process designs to pre-emptively mitigate likely biased thinking and opportunities for misunderstanding. We can strive to get ahead of the problem (pun intended) while also adopting a more nuanced opinion of people who violate our standards without wilful malice. People are complicated. The best way to protect our wildly weird and wonderful co-workers is to meet them more than halfway.

[1] I have bought more of David’s books as Christmas presents for friends, family, and students than any other gift. I’ve also bought unnecessary duplicate copies of You Are Not So Smart and You Are Now Less Dumb for myself just because I enjoy them so much.

Keil Hubert


POC is Keil Hubert, keil.hubert@gmail.com. Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021
