I’m still not quite done with the topic of how to convince organizations to work on improving security, a topic that I started after visiting the Security Roundtable at the UKOUG Tech 2014. This is part 3 of the blogpost series of selling security by hacking influence (or part 5 of the “How can we sell security? series”) and I’ve gone rather deep down the rabbit hole for this one.
Ah yes, authority. It’s the one thing we don’t have, do we? If we had that, we’d require to start security improvements where necessary immediately.
But what do we actually mean with authority? Authority can be the person in power, or a very respected person, or an expert. Right off the bat, I’m going to say that if you are warning about security issues, within your organization, you are the expert. But what if they don’t listen to you regardless of that? What if they don’t feel that you are the authority?
You would think that certain expertise should make the difference for management to come to a decision about security and many other things, but it’s only part of the equation. Because there are other things at play. One of those things is social status.
Working in IT, you might assume (depending on your upbringing and the industry you work in) that social status is not very relevant, but in fact it is everywhere. And one job where you really need to know about this, is in acting.
It might surprise you that I’ve been following acting lessons since August last year. It’s true and I am going continue the course in the next half year. What I’ve learned is that everyone, including me, is very able to play high status roles: kings, dominant parents, mob bosses, people who generally won’t budge. I’m not saying it gives high quality theatre, but it’s apparently in almost all of us.
Playing only high status roles gives uninteresting theatre, because – and an audience feels this – it does not reflect reality. In reality there seems to be some kind of pecking order, but it’s much more subtler. And good actors know about this and know how to play roles with a slightly higher or lower status: people with scars, with trauma’s.
Why am I writing this on a technical blog like this? For one thing, because social status isn’t fixed. You can game it. Hackers sometimes do game it when using social engineering. They might call a helpdesk, impersonating a manager higher up, asking in a dominating voice for a new password or extra privileges. And this works. People will go far under “authority pressure”. Read about the Millgram experiment to find out how far they are willing to go.
There lots of ways that people automatically gain social status: titles, clothes and cars for example. But your body language, the things you say and how and many others are also used to convey status. LessWrong.com has an interesting list of “social status hacks” from The Improv Wiki. Take a look at a couple of their high status behaviours:
- When walking, assuming other people will get out of your path.
- Making eye contact.
- Interrupting before you know what you are going to say.
- Speaking with certainty.
- Giving or withholding permissions.
Important for a perceived expert, by the way, is effortlessness. Telling is the list of ways to lower someone else’s status. Some might be familiar to you:
- Contradict them.
- Correct them.
- Give unsolicited advice.
- Disregard their advice. (ah, so that’s where that’s from)
Interesting, right? Now let’s look at ways to lower your status:
- Feeling like you need permission. (We (still) don’t have enough mandate, so…)
- Dancing around your words when your message will displease someone.
- Explaining yourself.
- Anxious behaviour, fidgeting.
- Trying too hard.
So what to do with all this knowledge? Shall we adopt a high status tomorrow? You can try, but it’s likely you will run in some problems. As my teacher of the acting lessons told me, acting isn’t the same as real life. You can act high status on stage because you have the freedom to do so. There is no penalty to be inconsistent with your former status.
Once you give away status, you won’t get it back that easily. Unless you are really high status from now on and don’t really care what other people think of you. The best thing is to act high status in new circumstances and with people you don’t know right away and be consistent about it. And even then you might feel like a fraud.
The best takeaway probably is that besides knowledge and expertise, there’s also social status and knowledge and expertise might lose out in your organization. Being right and having the right arguments might only get you so far. So when defending your arguments, try to imagine you are your favourite high status hero (a fictional character, an inspiring person or a politician you admire). Bring your arguments confident, with conviction, gracefully and act like what you want is actually already a done deal. You might surprise yourself.
Of all the principles of influence I find scarcity the least applicable to improving security. I don’t find how limiting numbers, or limited time could help persuade management, unless it has something to do with limited time bargains for security software or something. Or certain threat: “If you don’t approve the security project I’ve planned within two weeks, I’m gone!” I would not recommend doing that, unless you’ve got somewhere better to go maybe. It usually is better to go somewhere else for positive reasons, is all I’m going to say about that.
If you found the last three blogposts a bit too manipulative for your tastes, then you might like the next blogpost(s?) where we will approach security issues a bit more maturely. I’m planning to write how the book “Switch” by Dan and Chip Heath might apply to security improvements.