What can Snoopy teach us about security?
28 January 2019 |
Good security depends on people responding properly to a wide range of cyber threats. To train people effectively, you first need some nuanced understanding about how and why people react strangely – or don’t react – to sudden treats. For that, we need to consider the curious case of the famous dog who penned an atrocious novel.
One of the most famous and beloved entries in Charles Schultz’s Peanuts comic strip was a parody of awful, florid fiction writing. Schultz’s character Snoopy, in his persona as “the World Famous Author,” starts typing a novel with the phrase “It was a dark and stormy night” (as an homage to Washington Irving’s use of the phrase in his 1809 book A History of New York). In later strips, Snoopy “develops” his novel with increasingly-flamboyant, attention-grabbing non sequiturs. Snoopy’s novel’s opening paragraph  eventually became “It was a dark and stormy night. Suddenly, a shot rang out! A door slammed. The maid screamed.”
This seemed like grand writing when I was a little kid. Later, older me came to understand that Schultz had been gently lampooning what he considered to be awful prose writing habits. The “World Famous Writer” strips were parody, leveraging a common trope familiar to Schultz’s fans. It was solid comedy writing; I just didn’t get the references.
It still works as a setup: Snoopy’s opening paragraph has just enough content to effectively construct a scene in the reader’s mind: it has a place (a structure with doors), a time (night), scene conditions (dark and stormy), an event (echoing gunfire), and reactions (slamming doors, screaming maid). It isn’t good writing, but it is minimally sufficient for guiding the reader’s imagination. It also raises the important question of why the maid screamed instead of doing something that might have been more pragmatic.
Trust a security professional to focus on an obscure aspect of a story and disappear down a rabbit hole (so to speak). The thing is, the story-within-a-story that Schultz wrote in that series of Peanuts comics caught my attention as a kid. Young me tried to find the meaning in the story. Why did the maid scream? Who slammed a door? Why?
“Surely,” eight-year-old me argued, “you’d prioritize taking cover stealthily over slamming a door and, thereby, drawing the shooter’s attention your way.” (not an exact quote)
When I asked my father those questions, he explained the concept of media tropes. When he was growing up, everyone listened to radio drama. Since the audience couldn’t see a scene, radio actors relied on common sound effects to provoke the desired emotional reaction. Having a character scream in response to a narrated event prompted the listener to feel fear for the character and to picture that character in danger. This helped the story achieve verisimilitude, which helped the audience grow more invested in the story.
When Schultz wrote Snoopy’s text, he wasn’t just making up nonsense phrases; he was applying commonly understood mass media tropes. Sure, screaming wasn’t (and still isn’t) an effective reaction to sudden gunfire; Schultz wasn’t suggesting that it was. Instead, he was showing how a bad author (Snoopy) mis-used radio-specific emotional manipulation cues in a printed work to show that Snoopy – for all his charms – wasn’t a particularly good prose writer.
In the real world, people typically react to unexpected danger in one of two ways. Most people don’t react to threats at all. This can be because they can’t believe that it’s happening, can’t handle the enormity of it, or simply don’t know what to do about it. Often, people will freeze or wait for the threat to resolve itself. This is due to a natural (and often counterproductive) cognitive defence mechanism called “Normalcy Bias,” where people become abnormally calm and pretend that everything is normal during a crisis. 
On the other hand, some people react immediately to sudden threats based on their training, drilled responses, and practiced reactions. Often, this latter group will respond to the sudden threat entirely on learned behaviour patterns before they rationally consider the threat itself. Research shows that proper, trained reactions are more likely to save a person in a crisis than unpractised academic knowledge. Professions involving considerable danger (like soldiers and police officers) often pre-emptively train people how to immediately react to specific stimuli according to best practices.
You prioritise training based on probability and severity. That’s why I invested about three times the effort teaching my squaddies first aid skills than I did teaching tactical movement. Statistically, they were far more likely to encounter a severe car wreck driving to or from the office than they were to stumble onto a conventional battlefield.
As an example: I was chatting with a former Army buddy over the holidays. He shared a story about how he and his writing partner had instinctively responded to a New Year’s firework blast. The pair had been at home on 31st December, working on a script, when a loud blast went off outside their window. Both writers mistook the explosion for gunfire; each reacted instinctively. The ex-squaddie immediately fell prone and low-crawled to a window to pinpoint the shooter’s location and orientation. The ex-Federal agent immediately leapt to her feet, placed her back against the nearest wall, and scanned the entrances for an advancing threat. When they realized the “gunshot” was a firecracker, each made fun of the other for having reacted “incorrectly.”
Yet, they didn’t act incorrectly. Each responded exactly as they’d been trained to by their respective prior organizations. The soldier had been trained to immediately take cover from incoming rifle fire. Since drywall is concealment (not cover), his best option was to get as low to the ground as possible and then orient himself to the enemy’s position and line-of-advance. The law enforcement agent had been taught to eliminate threats coming from behind first, then scan likely avenues of approach for either advancing criminals or fleeing civilians. His focus was on dodging heavy small arms fire; her focus was on controlling a small crime scene. Both reacted appropriately … given how their respective former trainers had conceptualized the “risk” presented by sudden gunfire.
As Security Awareness professionals, we need to understand that people’s immediate reaction to sudden threats is controlled by their trained instincts. When something unexpected happens and there is no authority figure around to give instructions, people will either freeze or act before they think.
It’s our role as security professionals to train our people to internalize best practices. We present a stimulus and then drill our users on performing the optimal response. We keep training these learned reactions until our training overwrites and replaces any previously-learned responses. Most importantly, our goal is to craft and inculcate responses that people can swiftly perform without having to stop and apply complex rational analysis.
Immediate action drills need to be as simple as “move the sparking wires apart” or “cut the power” … If you demand that users perform mathematical calculations on the voltage first before determining which of several specialised actions to take, you’re setting them up for failure.
We need to take care not to mock those people whose existing trained reactions are different from the reactions that we want. Everyone comes from somewhere else. If a different employer previously drilled a specific reaction into its people, that doesn’t make that reaction wrong. The trained reaction was likely optimal for the previous employer’s environment based on their own rational risk-modelling. If a new user’s trained reactions are suboptimal for our environment, it’s our job to first understand the current reaction so we can then deliberately and effectively retrain the reaction to one that’s right for our organization.
Ultimately, this is what separates Security Awareness content from cartoonists’, fiction writers’ and actors’ content. It’s okay if we make our work amusing, however, humour can only ever be a means to an end. Our “creative output” must focus on optimizing users’ behaviour to best protect themselves and our organisation. World Famous Writer Snoopy can write bombastic and confusing schlock. We cannot. We must be clear and results-oriented. The objective of our writing is to condition our users to recognize and instantly respond to high-risk threats.
 As highlighted in Schultz’s 1971 book Snoopy and “It Was a Dark and Stormy Night.”
 I’ve written about this behaviour before. My original 2013 column Cowboys in the Cubicles is no longer online, but that column eventually became the core idea that led to my annotated collection Office Cowboys: Cautionary Tales from the Cubicle Frontier.
Latest posts by Keil Hubert (see all)
- Why “old” skills still have practical value for cyber security - 22nd July 2019
- Want to improve your security? Understand the cognitive bias behind decision-making - 1st July 2019
- A guide to phishing emails and how they work - 10th June 2019
- Cyber security through storytelling: which approach will motivate your users? - 13th May 2019
- A practical guide to busting the “perfect security” myth - 7th May 2019