If you confuse them, you lose them.

I was watching a wonderful webcast by Marie Forleo.  It was part of her “Copy Cure” course, and if you are unfamiliar with Marie and her work, take the time to explore some of her wisdom.  Her webcasts are gems, particularly if you work in the consulting space.

During the webcast she mentioned a phrase that should be at the top of mind for every InfoSec professional: If you confuse them, you lose them.

Think about the last meeting you had, or the last message you wrote.  Was it truly as clear as it could be for its intended audience?

Think of the following example:

An executive received the following E-Mail –

[Image: screenshot of the voice-message e-mail (evoicemessage-record)]

Take a moment and think about how you would respond to the executive who sends this message to you and asks “Is this real, or a scam?”

Most of us InfoSec professionals would probably chuckle that the executive doesn’t immediately recognize this as a scam, but that is the first failing of our approach.

When I see this, I assume that the exec recognizes that something is not quite right and is sending it to the subject matter experts for advice.  This is certainly preferable to the person simply clicking the link and then making the frantic “Oops, I messed up” phone call, or, worse, never reporting the mistake to anyone in the hope that no one notices.

Here is where we InfoSec professionals often make the mistake that creates the confuse-and-lose problem.

Would you simply reply: “It’s a scam, delete it”? That certainly gets the message across, and it allows you to move on with your day, but does it help the exec?  Does it teach anything, or does it add to the confusion, leaving the person no richer than when they contacted you?

Think of when you go to the dentist because of a pain, and the dentist responds with “It’s nothing”.  Do you feel any better knowing that the pain will not progress into the full agony stage, or would you like to know more?  Just as I would ask my dentist “How do you know it’s nothing?”, the executive to whom you just said “It’s a scam, delete it” will probably have the same question: How do you know it’s a scam?

Imagine, however, if you sent the following response:

Mr. Exec:

This is what is known as a credential-theft scam. If you followed that link and filled in the information, your username and password would have been stolen.

The phone number is a non-working number, and the link points to a .do domain (the country-code domain of the Dominican Republic), not a Microsoft site.

Please delete it.

Thanks for checking with us.

Here is a sample of the fake site:

[Image: screenshot of the fake login page (secure-gateway)]
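The two checks in that reply (is the link really under a Microsoft domain, and what country does its top-level domain belong to) can be turned into a small triage helper that writes the plain-language explanation for you. This is an added example, not code from the original post; the trusted-domain list, the country table and the sample e-mail are constructed for illustration.

```python
"""Explain, in plain language, why a link in a suspicious e-mail does not
belong to the brand it imitates. Added example; lists below are illustrative."""
import re
from urllib.parse import urlparse

# Assumption: domains the organisation treats as genuinely Microsoft-operated.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "live.com", "microsoftonline.com")

# Small subset of country-code top-level domains, mapped to country names.
CCTLD_COUNTRY = {"do": "Dominican Republic", "ru": "Russia", "br": "Brazil"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one.
    'microsoft.com.evil.do' ends with 'microsoft.com' as text but not as a
    label boundary, so it is correctly rejected."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def explain_link(url):
    """Return (is_suspicious, explanation) for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if is_trusted(host):
        return False, f"{host} is a trusted Microsoft domain."
    tld = host.rsplit(".", 1)[-1]
    country = CCTLD_COUNTRY.get(tld)
    where = f"a .{tld} domain (registered in {country})" if country else f"a .{tld} domain"
    return True, f"The link goes to {host}, {where}, which is not a Microsoft site."

def triage_email(body):
    """Collect an explanation for every suspicious link in an e-mail body."""
    findings = []
    for url in URL_RE.findall(body):
        suspicious, why = explain_link(url)
        if suspicious:
            findings.append(why)
    return findings

# Constructed sample resembling the voice-message lure described in the post;
# the second link shows the common trick of putting the real brand in a subdomain.
SAMPLE_EMAIL = """You have a new voice message.
Listen here: http://secure-gateway.example.do/voicemail/login
Or sign in: https://microsoft.com.secure-gateway.example.do/
Questions? Call 555-0100."""

if __name__ == "__main__":
    for line in triage_email(SAMPLE_EMAIL):
        print(line)
```

The output is the kind of sentence you can paste straight into the reply to the executive; the phone-number check in the original reply still needs a human (or a directory lookup) and is deliberately left out.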

In this hyper-sensitive cybersecurity environment, even the busiest executive will appreciate the explanation and enjoy a better understanding of what we do to protect the company.  This eliminates the confusion, and it also provides a real-world example of the lessons we teach in the security awareness campaigns that are required by many companies.

Wouldn’t it be great to know that you are providing the valuable service of not only protecting your organization, but also communicating in a way that reduces confusion and eases the perceived pain of cybersecurity?  Instead of the phrase “If you confuse them, you lose them”, perhaps we can turn it around to “If you teach them, you reach them”.
