Letter from the CISO, Vol 4 Issue 12
WashU Community:
Any tool can be used for good or evil
My motto for the past ten years has been “keeping information security simple”. I understand that most people tune out or fall asleep within seconds of hearing about information security unless it is highly understandable and emotionally resonant.
A recent article in Perry Carpenter’s Deceptive Minds LinkedIn column, entitled “Too Easy to Be True: The Fluency Trap and the Lie That Slides Right Past You”, surprised me. It highlights that the same simple approach is often used by scammers and con artists!
While people with a deep understanding of how things work – whether in investing, relationships, romance, or society – try to explain that things are often complicated, scammers tell you that their magic snake oil is the only thing you need to solve all your problems.
Cognitive Processing Fluency…
According to Carpenter’s article, “cognitive fluency” or “fluency bias” is our tendency to more quickly believe things that require less cognitive energy and are simpler and easier to understand.
This is true in many aspects of our lives, as described in Daniel M. Oppenheimer’s 2008 paper “The secret life of fluency” in Trends in Cognitive Sciences.
You might have some friends or family members who are gullible. They fall for simple falsehoods all the time. If you are more comfortable with complexity, can figure out complicated ideas, and can follow difficult trains of thought, you might be frustrated with the cognitive shortcuts people are willing to take.
You might even be the gullible person, falling for harmless pranks and being victimized by scammers.
It’s not (entirely) your fault. We evolved to make decisions quickly and easily. Unfortunately, when something seems familiar and easy to understand, it feels safe and accurate. But when something is complex, contradicts prior beliefs, or seems strange, alarms go off. Warnings ring in your head, even if the thing is demonstrably true.
Hackers and scammers use familiarity and comfort to lure us into complacency and away from the truths that can protect us. They can even condition us to believe something false simply by repeating it over and over. Once it becomes familiar, it starts to seem safe and correct.
How bad can it be?
If you’d like to hear some depressing stories of people who fell for scams – some of which required significant effort over long periods of time – I recommend The Economist’s podcast series Scam Inc. Its true stories of defrauded people and upended lives are heartrending. But Scam Inc. really brings home that it can happen to anyone and shows how hard it is to recognize what is happening to you when you’re in the middle of a cognitively fluent scam.
What can you do?
According to Mr. Carpenter, the fix is to “Disrupt the Ease”:
- “Slow down when something feels too easy. That ease is the bait.
- Question clarity. Ask yourself: Is it true, or is it just clean and confident?
- Normalize effort. Truth often requires work. That’s not a flaw — it’s a signal.
- Look past the packaging. A screenshot is not a source. A document is not evidence. A polished video is not proof.
- Teach fluency bias. The more people know the trick, the less likely it is to work.” (I’m doing this now!)
This is a nice way of building on my usual advice to be “vigilant, skeptical, and a little bit paranoid.”
As I said at the beginning, keeping InfoSec simple has been important to me for a long time, which is why this column usually focuses on just one or two things everyone should do to improve their information security. When I have to depart from that approach, I fall back on keeping InfoSec understandable, relying on short checklists such as my Cyber Security Buddy checklist.
If you need help with any of these ideas, please contact your colleagues in the Office of Information Security.
Thank you for reading my column and for being part of the university’s InfoSec team.
Good luck and be careful out there!
-Chris Shull, CISO