Failure Dynamics
Failure dynamics sounds fancy, but there's only so much academic theory I can squeeze out of a HND in Art & Design — so please set your expectations accordingly.
'What is failure dynamics?' Seems a good place to start. We've established it's something I've made up (as far as I know, I was busy drawing bowls of fruit and naked people), but it's also a literal term. To me it is simply the relationships and dynamics linked to a moment of human failure.
Failure as a concept is actually quite interesting. In some respects every second of our lives is packed with opportunities for things to go successfully, and conversely for things to also fail. Some are biological processes beyond our control, and some are cognitive. In some ways it's fun that both throwing a crisp packet towards a waste-basket and describing the benefits of quantum cryptography are equals where success and failure are concerned.
Even if you're the only one who witnesses it, you can't escape how hard you will or won't be on yourself during a moment of failure — and with infinite ways to fail, because hey that's life, I hope you are never too hard on yourself.
Annoyingly, failure is not just a solo sport, and it's expected of us to share our failures with others. And many of us quite rightly hate this aspect of failure, and will actively avoid situations where there's a chance of it arising; the dynamics can be perceived to be that brutal.
Approaching failure from a cyber-threat perspective, to be successful, scammers need us to fail. Specifically, to fail to realise we are being scammed, and it needn't be forever, just until it's too late will suffice.
To be tricked by a scammer also feeds a pot of feelings we have towards them. They have chosen to deceive us; they are the authors of the situation which brought our failure about. In establishing negative feelings towards them, there is a them vs us, a good vs bad, and our distaste can be shared, too.
I'm sure some reading this will have anticipated which cart I'm wrestling this failure dynamics horse towards — that's right! Phishing simulations. It's common to hear an argument for stronger flavours of phish being necessary, because it's 'authentic', it's a more accurate representation of what a scammer would do. It has to be done, because that makes it 100% identical to a real phish — and one assumes that match includes creating the same threat outlook/behaviour modification.
But, and this is just my non-expert opinion — do feel free to assess it differently — I don't see how we can ever state confidently a phishing simulation is identical to a genuine phish. And that's because the hierarchy and relationships involved in a simulation's failure dynamics are different from those of a genuine phish.
A user in a simulated environment is hardwired to channel all the blame for the failure situation right back at their employer. So it's not surprising that when you also stir in a pay-increase, things get a little spicy.
But can you make failure dynamics work better in a security training environment? Yes would be my answer to that. Any 'entity' can be created as the target for the dynamics in question; a punchbag, or proxy. Move towards gamification, or just plain old adding something vaguely interesting into it, and it's almost endless how far it could be taken.
So to bring my ramble to a close — keep an eye out for failure situations you create or step into. And especially keep an eye out for pockets of resentment; a byproduct of the dynamics of failures thrust upon you. Right, I'm off to draw some pineapples.