You have received an alert from cyber intelligence. A terrible and enormous cyberattack is approaching. You must ensure the protection of 600 positions within your organization. You don’t have much time, so you must decide on the implementation of one of two potential security programs, but the decision must be taken now!
- If you choose program A, you will be able to protect 200 positions.
- If you choose program B, there is a 1/3 chance to protect the 600 positions and a 2/3 chance of not protecting anyone.
An important number of people surveyed usually choose the 1st option: they would rather protect 200 positions with certainty than risk and not protecting anyone.
Let’s see a new cybersecurity scenario. You face the same issue, so you need to protect the same 600 positions. You can choose between the following two new programs:
- If you choose program A’, 400 positions will be compromised.
- If you choose program B’, there is a 1/3 chance of not compromising any position, and a 2/3 chance to compromise the 600 positions.
Read carefully this second scenario. Did you notice that is the same as the first one? Considering that they were successively presented, you may have noticed it. Both A and A’ consequences are the same. This also applies for the B and B’ ones. Nevertheless, for this second scenario most people tend to choose program B’ (perhaps even you did it). This example highlights how powerful Frames are: the context of the choice impacts the choice made.
When you catch reality with your smartphone, is the resulting photo objective? The simple fact of taking such photo from one position or another will make your audience to perceive just the “reality window” that you decided to show. This window, or “frame”, does not necessarily distort reality, but it organizes such reality in a biased manner. People watching reality through your frame will perceive a different image than if they watch reality through another frame: same reality, two different ways to perceive the world.
Just as a photo can show different versions of the “objective reality out there”, we regularly use “mental frames” to mentally represent reality. The fact of choosing, consciously or unconsciously, these frames will strongly govern our decisions. Indeed, frames build the reality that you perceive.
Frames can be created in several different ways when formulating cybersecurity decisions:
- Choice positivity (income) or negativity (loss)
- The order followed to present the choices
- The context within choices are presented
- The type of language (semantics) used to formulate the choices
- Additional information included or left out when formulating the choices
Let’s see them individually.
Choice positivity (income) or negativity (loss)
This effect was deeply described along the last entry: You are less rational than you think when you take decisions under uncertain conditions. The conclusions can be summarized as follows:
If the choice is framed as an income, people will tend to avoid risk and to seek sure profits, even if they are low. However, by framing the choice as a loss, people would rather risk a high loss than lose with certainty, even if such certain loss is low.
The two scenarios proposed at the beginning constitute an example of the frame we are talking about. Anyway, we see continuously similar examples in our everyday life. How would you advertise a firewall?
- It provides protection aainst 99,9 % of the attacks
- Only 0,1 % of the attacks are succeeful
It is clear that the first ad will have a higher success than the second one, even though both frames provide exactly the same information (known as “pure frames”). Just the focus is different. Therefore, in this case there is not a “right” frame. Both are equally valid, although their effects on the choice made can be predicted.
Which sentence would you choose to convince the Board to invest in your Security Plan?
- With the new Security Plan, we will save 350,000 € next year
- With the new Security Plan, we will avoid a loss of 350,000 € next year
Taking into account how we are, the second sentence is more likely to get the approval.
The order followed to present the choices
Did you never ask yourself, over an event for example, if it was better to be the first or the last to give your talk? Sometimes, information presented at the beginning has a greater influence: the priming effect. Nevertheless, information presented at last has often a higher impact: the recency effect.
For instance, imagine that you must hire a security manager. The first candidate is described in their psychological record as: Intelligent, Hard-working, Impulsive, Critical, Stubborn and Jealous. How would you define this candidate? It is more than likely that your interpretation of the last adjectives will be conditioned by the two first ones, Intelligent and Hard-working. At least initially, they are positive characteristics that will make your first impression positive. They set up a filter that will positively sift through the remaining adjectives. For instance, you may interpret Stubborn in a positive manner, meaning that the candidate is a determined person who does not stop when facing difficulties.
However, imagine that you had read the adjectives in the following order: Jealous, Stubborn, Critical, Impulsive, Hard-working, Intelligent. In such a case, even if they are the same adjectives, the reverse order would probably have made a bad impression of the candidate, since the two first adjectives, Jealous and Stubborn, are considered as negative. Therefore, the resulting mental filters would be negative, as well as your interpretation of the subsequent adjectives. For instance, in this case you would probably have added “as a mule” to Stubborn. How different can be the interpretation because of the order!
Thus, if you are describing a potential solution to a client or your boss, consider that the order followed to present information will determine their feelings towards such information. If you start presenting the positive elements, you will be setting up a positive initial frame, so they will be more permissive regarding the further negative aspects. And the other way around: start presenting the negative elements and you will be setting up a negative frame that will make them see the remaining elements under a negative light.
The context within choices are presented
Imagine the following scenario: you have been invited to dinner by a wine-fanatic friend, but you are not keen on wines. Anyway, you want to buy one. When you go shopping you have three choices: the first wine costs 1.50 €; the second one 9.50 €, and the third one 23.50 €. Which one would you buy? If you are like most people, you will choose the second option. We tend to avoid extremes. This is the technique used when someone wants to palm something off on you: they frame it between extremes.
So, imagine now that you need your boss to approve a security budget of 1 M€ for next year. How would you increase the probabilities of approval?
- You present three potential budgets: 500 K€, 1 M€ and 2 M€
- You present three potential budgets: 250 K€, 500 K€ and 1 M€
Without a doubt, the first option will be more successful. Avoid extremes. And, if you only have one option to present, make up two more options and place them on either side of your proposal.
The type of language (semantics) used to formulate the choices
You can announce your girlfriend’s pregnancy in two ways:
- Mum! My girlfriend is pregnant!
- Mum! You are going to be a granma!
The mental frame chosen to transfer your message can determine your audience’s emotional reaction: you can say the same thing but framing it in different ways, thereby raising opposed feelings.
We continuously see it with politics. It’s not the same to discuss about “gay marriage” than about “marriage freedom”. In Spain, politicians talk about “adjustments” (ajustes) instead of using “cuts” (recortes) and, within the European Union framework, they rather use “relief measures” (medidas de estabilidad) than “rescue mesures” (medidas de rescate). Within the framework of war, the term “collateral damages” (daños colaterales) is used instead of “killing of civilians” (matanza de civiles).
Following the same line, “bombardment” (bombardeo) is called “reactive defence attack” (ataque de defensa reactiva). These frames seek the activation of strong emotions such as hatred, anxiety, fear or euphoria.
Now, think about your work. When you are talking about a firewall, there is a big difference when defining it as:
- An essential protection layer
- A basic survival mechanism
The second option will arouse the strongest response. Consider that, when framing, you are selecting and highlighting particular aspects of the events or matters concerned, as well as setting relations between them in order to promote a particular interpretation, assessment or solution.
Additional information included or left out when formulating the choices
On July 2013 an Alvia high-speed train had a terrible accident near to Santiago de Compostela. In your opinion, do the following sentences provide the same information about the engine driver’s behavior at the moment of the accident?
- The engine driver was on the phone
- The engine driver was answering a call from a RENFE controller
In the second case, the additional information drastically changes your view about the engine driver’s performance. So, adding or leaving out information can completely bias your decision. Imagine the following scenario:
You are the security manager of a multinational company with more than 100,000 workers. A malware is spreading through the workers’ computers, causing damages. Most infections occurred in a unit with 5,000 workers from the same country, although such malware has touched other unities in different countries as well, but in a subsidiary manner. The Board has approved a Budget for you to stop the infection, so you have two options:
- Plan A will save 1,000 computers from the first unit having 5,000 workers from the same country, where most infections occurred, that is, you will save 1/5 computers, 20% of the computers of that country, the most affected by the malware.
- Plan B will save 2,000 computers, but from the whole organization, that is 100,000 workers, in other words: you will save 1/50 computers, 2% of the computers.
What would you do? Which plan do you think is the best? Please, take a decision before reading on.
Consider now the same scenario, but framed as follows:
- Plan A will save 1,000 computers
- Plan B will save 2,000 computers
What would you do now?
When the first version of this scenario is presented, most people choose plan A, which would allow to save 20% of those being most at risk. Nevertheless, when the second frame is formulated, they have a light bulb moment and then opt for Plan B. In such a case, leaving out information (the percentages) make surveyed people’s minds up regarding the right option.
Therefore, the “right” option can sometimes be reached by adding or leaving out information. Be careful when framing choices, because the choice made will depend on the frame chosen.
Your choice will depend on how information is presented
As you can see, we are not as free as we would like to be. We don’t assess options with full objectivity, evaluating the potential impacts and probabilities and optimizing the functions of the expected value. Not at all. Our decisions are conditioned by the kind of information available, by how such information is verbally formulated as well as by its context and its order.
We are victims of our own biases and heuristics. Next time you must make an important choice on security, take a moment to analyse the context of the choices. This may lead you to take better decisions.
Gonzalo Álvarez Marañón
Innovation and Labs (ElevenPaths)
