October is Cybersecurity Awareness Month. As such, American companies are inundating their workers with security training, advice, and entertainment in the hopes of promoting compliance, improving processes, and discouraging unsafe behaviour. It’s a noble endeavour, and one that I fully support. As a human risk specialist, my entire year revolves around October the way a mall Santa’s year revolves around late November through mid-December. Even my wife’s company got in on the CAM action this year, surprising both of us. She called me from work last Friday to report she’d been assigned five new short courses about scam detection … This was a huge improvement over her corporate training’s tendency to assign novel-length blocks like the multi-hour marathon course she’d been assigned on sexual harassment.
I love to see it. Heck, I love to teach it. The carnival-like atmosphere that Americans have come to expect from CAM creates the optimal environment for positive and joyful learning. We get more “bang for our buck” when we teach people who truly want to hear our message. CAM is our playground; the work we deliver before Halloween will pay strong dividends throughout the following year.
That said, I’m concerned by how much focus gets placed on process, policy, and technology every October at the expense of the most vulnerable component of every security programme: the human condition. I get why this element is so often shied away from; it’s much easier and less controversial to discuss the technical design of a phishing attack than it is to discuss the complicated and messy elements of a person’s life that subtly and unconsciously influence self-destructive behaviour. Plus, it’s exponentially more difficult to craft a multiple-choice question about someone’s convoluted inner life for an end-of-module quiz.
I was reminded of this conundrum Friday night after the rest of my family retired for the evening. I picked up a book at random from a stack of old Georges Simenon novels that I’d inherited from my father’s library after he died. Simenon was one of my father’s favourite authors. He’d started collecting reprints towards the end but seems to have never re-read them based on their near perfect condition. I’ve gone through eight books from the “Simenon stack” this year. Based on my experiences to-date, I assumed I’d get another interesting mystery.
Instead, the book I’d picked up was Simenon’s novella The Venice Train from 1961. It’s not a mystery; it’s more of a character study. The book’s protagonist — Monsieur Justin Calmar — is a mild-mannered salaryman returning home early from an awkward family vacation in Italy. Calmar’s an awkward, ill-at-ease fellow trapped in a passionless marriage. He can barely afford to keep his wife and children at the minimum expected standard of living and despises both his inability to improve and their pity. Calmar has secure employment, but it’s a role that gives him neither meaning nor any opportunity for upward mobility. Worse, it was his only option after his intended career (teaching literature) imploded. Calmar’s boorish friend in the office used to be his wife’s lover, making every social encounter cringeworthy. Calmar loathes his condescending and disapproving in-laws, all the more so because his wife and children insist on spending every weekend at his wife’s family’s home. He can’t escape his frustrations at work, at home, or on holiday and sees no way out.
All this in mind, our protagonist is a difficult character to like, but an easy character to empathize with. On the one hand, he’s a young father trying to be a good provider for his family and a good partner for his spouse. He’s struggling to find meaning and fulfilment in a world that offers neither to the working class. He’s stuck, both literally and figuratively; he’s frustrated with his lot but feels powerless to escape the life he passively settled for.
Monsieur Calmar’s encounter on the train from Venice — which I won’t spoil here — is a study in inexorable self-destruction. It’s a case study in what happens when a “normal” person gets embroiled in events they’re completely unprepared for. Specifically, it’s a meticulously chronicled record of how a man rationalizes making poor decisions based on blatantly flawed (but understandable) logic, that culminates in a preventable tragedy. Regularly throughout my time with the story, I had to put the book down and mull over what Simenon wanted to say through his characters. Why was M. Calmar so keen to overlook or ignore better options? I wondered if it was a late 1950s examination of destructive gender roles, toxic masculinity, and corrosive social pressures. It certainly seemed like it.
By the end of the story, it’s clear that Calmar’s tale is an Oedipal tragedy: every decision the protagonist makes — botches, really — unalterably leads to his downfall. The reader can follow the character from his thoughts on the first page of the story to the last line of the last paragraph and track the trajectory as it plays out, decision by decision. It’s equally appropriate to condemn the protagonist for engineering his own downfall and to empathize with him for being tragically bereft of wisdom. As I said in the beginning, it’s a character study, not a mystery.
That, then, is something I feel we’re missing from Cybersecurity Awareness Month: that is, a nuanced understanding of the human condition. It’s all well and good for a security boffin to write policies and enforce standards, but those grand plans for thwarting bad behaviour tend to always be written with a comical misunderstanding of human nature. Real people are not the Fungible Labour Units that MBAs and HR planners wish we were. Real people aren’t interchangeable commodities; we’re messy, conflicted, confused, and perpetually stressed out. Sure, we have more in common with one another than we’d like to admit, but we’re each the dysfunctional product of our past mistakes.
As such, managing people is far more of an art than an engineering problem. Yes, there assuredly is great value to be realized through automating away risky activities. That said, building and maintaining an effective security culture requires understanding people, not architecting away the human factor. Leaders and security practitioners need to understand people ... why they think the way they do. It means having empathy, sure, but also a nuanced perspective on the lenses, cultural biases, and pressures that influence how people rationalize their seemingly inexplicable decisions. It means engaging with people “where they are,” so to speak, rather than designing systems and protocols based on how we wish people were.
All that said, I think there’s great potential in teaching security principles, behaviour, and consequences through functional stories like The Venice Train. Since most HR shops won’t allow anyone to discuss real-world security incidents, studying fiction allows us to exhume, dissect, and analyse the destructive behaviours that lead to preventable incidents without triggering blowback from real miscreants. In fact, it might be the only safe way to study destructive thinking without stigmatizing any co-workers. It’s like performing an autopsy save that there’s no next-of-kin to object (or sue!).
Trouble is, I’m not sure how to go about this sort of literary analysis in the workplace. I’ve never met a corporate leader who was willing to consider deconstructing fiction as a technique for improving IRL corporate culture. Still, I think there’s something worth pursuing here. I just need to figure out how to pull it off. The potential improvements in decision-making and process design will likely outweigh the awkwardness and novelty of the approach.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543