Slow Down and Frown Your Way to Cybersecurity

There is a moment in the movie The Pursuit of Happyness where Chris Gardner (played by Will Smith) is making a phone call as part of his job as an unpaid intern for a financial institution. Or rather, a lot of phone calls. We find out that to make himself more efficient, Gardner never hangs the phone up between calls. He spends six hours at a time making phone calls and doesn’t drink water to save time going to the bathroom. As we watch him outworking his competition, something amazing happens. He is smiling. He smiles the whole time he is on the call.

In college, I got a similar internship as a financial advisor with a national firm. They had a training program, in which we learned about both financial investing and basic sales techniques. A big part of getting started is making a lot of phone calls. To prepare us for this, there was coaching, memorizing scripts, and role playing. The most fundamental advice, however, was to stand up and smile. That advice is the most difficult to accept, since you’re facing so much rejection—I still don’t understand how Gardner could keep smiling like that.

Because you’re on the phone, your potential future clients can’t read your body language, which limits the emotional connection you can make with them.  Nevertheless, standing and smiling projects your energy through your voice, and it also allows for a more natural conversation style—it puts less pressure on your diaphragm so you can speak more clearly.  It turns out that, even if you’re faking a smile, it still works.

Slow down and frown

This same advice is still being given today to telemarketers, call center help desks, and receptionists everywhere. But, curiously, there can also be some benefits from frowning—and here’s a little catchphrase that can help change the way we teach people to be more cybersecure: slow down and use your frown.

When a person smiles, endorphins and serotonin are released into the body, which, in turn, results in relaxation. But when someone frowns, the signals sent to the brain suggest that the environment has become unsafe (emotionally or physically) and increased vigilance is in order. In one study, subjects who were asked to hold a pen between their teeth to simulate a smile while watching a cartoon perceived the cartoon as funnier than their frowning counterparts.  The difference, it turns out, is that the brain doesn’t distinguish between happiness and safety or sadness and vulnerability.  When a person is sad, or even just pretending to be sad, researchers have found that their vigilance actually increases.

Spotting the red flags

When we train people about phishing, for instance, we show them the red flags to look for. But knowing what those red flags are and spotting them are two different things. What’s missing is the person actively looking for those red flags in the first place. In fact, when someone’s mind is engaged in an activity such as reading the content of an email or thinking about a response, their ability to successfully identify a red flag is diminished—sometimes almost to zero.

In a study designed to help protect cyclists, researchers in the UK had drivers watch a short video in which they were asked to count how many times one of two teams passed a basketball. At the end of the video every subject guessed correctly: 13. This was a simple activity that their minds could easily accomplish. But the subjects were then asked: “Did you notice the moonwalking bear?” When the researchers replayed the video, the subjects were shocked to see a man in a bear costume performing breakdancing moves while the basketball teams moved around him.

The bear is like the cyclist on the road before a distracted driver, or, in cybersecurity terms, it’s the phishing email red flag that gets lost while someone is focusing on other, more important tasks.

Reducing distractions

There is another technique that can dramatically increase focus: reducing distraction. Cal Newport, in his book “Deep Work,” describes a 2008 study at the University of Michigan, in which subjects were given a complex task to accomplish. Before the task, one group of subjects was sent out and required to navigate a busy downtown city environment, dodging cars and other pedestrians. The second group was sent on a walk through a quiet nature trail where they could let their subconscious consider the problem without distractions. The group that took the nature walk and gave themselves the time to focus outperformed the distracted city walkers in solving the puzzle by up to 20%.

So, it’s clear that eliminating distractions in your office not only increases productivity, as Newport suggests, but can also help make your enterprise more secure. I recommend combining these two pieces of advice to help prevent social engineering attacks, such as phishing. If possible, separate the tasks of reading email and responding to email to help eliminate distractions. And try to frown while perusing email. (When you respond you can start smiling again... if you want.)

Care should also be taken to avoid an environment in which a false sense of urgency is attached to normal tasks. Consider, for example, a CEO who demands that everything be given to him immediately and without question. When an HR person receives an urgent email demanding the whole payroll list from such a CEO, vigilance will be abandoned, and the result will be an immediate response that skips the normal vetting process for sharing sensitive information.

This scenario generally describes what has become known as “CEO fraud,” and the FBI has estimated the cost to businesses to have been more than $2 billion in 2016—an enormous sum, to be sure.

But there might be a lot less fraud if we simply slow down and use our frown. You’ll be smiling later.