When I was in college, I worked in loss prevention at JC Penney. I took the job very seriously with my $5.45/hr wage as I walked around the store in plain clothes pretending to be a customer but watching everyone else.
One day, I watched a woman in the baby clothing section grab a stack of clothes from the shelf, stuff them under her shirt, and walk out the door. As I approached her car, she was emptying the clothes into the back seat. I walked her back into the store and we waited for the police to arrive in the security office.
As I began filling out some required paperwork, she pleaded that she had done nothing wrong. She told me she had brought the clothes with her to return and decided not to. I started to wonder, could she be telling the truth? Did I miss something? She sounded so sincere… Was I wrong?
I Can’t Believe My Eyes!
My inner self was trying to rationalize that I was mistaken in what it just saw through my own eyes — that this woman was telling the truth and my eyes were the liars! I snapped out of second-guessing what I just watched happen and handed her over to the police.
Over the course of a short career in law enforcement and throughout depositions and negotiations as an attorney, this would not be the last time that my inner self would default to truth in the face of contradicting objective facts.
The Weakest Link and Truth-Default
The tired axiom that people are the weakest link in securing our data points to users as gullible or ignorant as a convenient excuse. However, the human failures point to much deeper roots in psychology. No matter how well-trained users are, we are hardwired to believe other people by default.
In Talking to Strangers, Malcolm Gladwell examined the case of the decorated Queen of Cuba, Ana Montes. She worked her way up to become a senior analyst at the US Defense Intelligence Agency and the resident expert on Cuba, all the while delivering classified information to the Cuban Intelligence Service.
Her deceit was spectacular. However, when she was cornered during an interrogation, several warning signs that she was a spy were not further pressed upon by the DIA counterintelligence officer because he rationalized her responses and defaulted to truth. As a result, her treason continued for years.
Here is a counterintelligence DIA officer (with years of specialized training and experience in catching spies and liars) who chose to reconcile incriminating evidence and behavior with a story that doesn’t add up. He simply rationalized the lies because we all default to truth.
Why?
Why do we default to truth?
According to Dr. Timothy Levine, operating on a truth-default basis “enables efficient communication and cooperation, and the presumption of honesty typically leads to correct belief states because most communication is honest most of the time.” Believing people is efficient! The downside, of course, is that we humans are particularly vulnerable to the occasional deceit.
The simple truth, Levine argues, is that lie detection does not–cannot–work the way we expect it to work. In the movies, the brilliant detective confronts the subject and catches him, right then and there, in a lie. But in real life, accumulating the amount of evidence necessary to overwhelm our doubts takes time.
Malcom Gladwell, Talking to Strangers
Social Engineering
As much as we train corporate IT systems users and the average consumer, people will invariably remain the weak link in the chain if we don’t provide compensating controls. Even the best and brightest are susceptible to deceit from the skilled social engineer.
In his book, Ghost in the Wires, notorious hacker and phone phreaker Kevin Mitnick walks us through his years of escapades as he wreaked havoc on Pacific Bell’s phone networks, among other companies and systems. He did so by understanding how the system worked and the technical and administrative controls put in place to specifically prevent him from gaining access.
In one exchange, Mitnick called a Pacific Bell switching center and encountered Bruce, a tech he had previously duped. Mitnick wanted to trace a phone number with Bruce’s help. While Bruce didn’t recognize Mitnick’s voice, he had been stung by social engineers before and requested a callback number. Unfortunately for Bruce, Mitnick was prepared with a Pacific Bell internal number that he had previously patched to his cell phone.
Now, how are we protect access to data with effective cybersecurity measures at scale when a skilled social engineer engages an employee or officer? How do we guard against a Kevin Mitnick?
I don’t think we can beat all of them – certainly not the Mitnicks of the world.
Compensating Controls for Being Human
We’re all susceptible to being deceived – from second-guessing our own eyes to trying to help out a remote technician who needs to fix a problem. However, better training and awareness can help limit the losses by people — and stronger technical and administrative controls can further mitigate the failures of people who naturally default to truth.
While people may never develop a skillset to intuitively detect deception (we are nearly universally terrible at detecting deception), social engineering awareness training coupled with appropriate technical and administrative controls can help us recognize situations that are prompting unauthorized data access attempts. Moreover, those data security measures and systems need to compensate for humanity’s truth-default bias and our inability to effectively detect deception. We can’t continue to blame people for being human.
References:
- Talking to Strangers by Malcolm Gladwell
- Ghost in the Wires by Kevin Mitnick
- Levine, Timothy. (2014). Truth-Default Theory (TDT): A Theory of Human Deception and Deception Detection. Journal of Language and Social Psychology. 33. 378-392. 10.1177/0261927X14535916. https://www.researchgate.net/publication/273593306_Truth-Default_Theory_TDT_A_Theory_of_Human_Deception_and_Deception_Detection
- DePaulo, B.M. and Pfeifer, R.L. (1986), On‐the‐Job Experience and Skill at Detecting Deception. Journal of Applied Social Psychology, 16: 249-267. https://doi.org/10.1111/j.1559-1816.1986.tb01138.x
Leave a Reply