The Pyramid of Fear
This short essay is about communication strategies for working with people in our modern society. It addresses the effiency, intrusiveness, and experienced fear by employing each strategy. I figure this might be mostly relevant for introverted people like myself. (Originally published on my linkedin profile in 2017)
The Background
The last couple of years I have been an assistant teacher and, later, the course responsible for teaching InfoSec risk assessments (ISRA) to first-year InfoSec bachelor students at NTNU Gjøvik, Norway. The course was such that the students got divided into large teams and each got a real case to audit. The cases varied from assessments of an application to whole departments, physical locations, and even big development projects. At the end of the project, the students had to present their findings to decision-makers and hand in the final report. To solve the case, the groups needed to perform a risk assessment according to a particular methodology and collect the data they needed. Because without any data, there really can not be a proper risk assessment. Penetration tests were off limits due to the obvious risks of letting 40 eager students attack our networks. So, the rules of engagement limited the audit teams to traditional methods of data collection, such as interviews, questionnaires, sampling, observations, and physical security tests. All of these approaches have their merits, but for ISRA purposes, we have found interviews with system owners, experts, and users has by far the greatest utility. However, getting to the point of actually having performed an interview is not always so easy.
The Challenge
There are many challenges with conducting an ISRA, but communication is perhaps the greatest of them, especially for many IT-students. When I talk about communication, I mean doing stuff that is uncomfortable, for example, contacting someone you do not know to schedule an interview. Believe it or not, many students (I have mostly observed students, but I would say it is a fair guess that this spans wider) really do not wish to contact someone they do not know. So, they choose to send an harmless e-mail, which is a nice and non-intrusive approach but also too easily ignored. Consider someone receiving 50 or 100 e-mails every day; the inquiry will be just one out of many. Another benefit of e-mails is that the e-mail can be as long as you want, and one can even add ISRA-related questions in them. However, when the students have waited say, two weeks, without any response, they start to get worried; should they send a reminder and risk waiting another two weeks? After all, the groups have a time budget to manage, so, what is the next step?
You guessed it, the SMS or direct message service, a bit more intrusive than the E-mail, but still impersonal enough to (i) avoid talking, (ii) have plenty of time to formulate the request, and (iii) be comfortably in the green zone.
Although we spent a lot of time teaching ISRA methods, these are mostly theory and the students can learn them on their own. The real challenge was to get the groups to realize that telephone calls are vastly more efficient than the less intrusive approaches, AND nudging them actually to make the call.
Enter the hierarchy of efficiency, intrusiveness, and fear.
The pyramid contains the different communication options. On the left side, you see the efficiency of the communication strategy, which can be measured in, for example, time spent, room for misinterpretations, or room for persuasion. The right side shows the experienced intrusiveness of the interview subject, or victim if you will. And the fear meter shows how much fear the student or auditor feels, and must overcome when employing each of the communication strategies.
An example: I needed students to join me for a presentation on practical risk assessments. So, I started at the top of the pyramid with e-mail. E-mail is too easily ignored, and big surprise did not work. So, I moved down the pyramid and employed Facebook as a direct message service. Also, Facebook uses the socially awkward «message seen at time»-feature which makes it harder to ignore messages and I got one of my co-presenters. I skipped the telephone call and went all the way down to the bottom of the pyramid to recruit my other co-presenter because direct contact with voice is by far the most efficient communication form. SMS and Telephone calls can be ignored and postponed, but someone talking to you face-to-face is a lot harder to ignore. And also more intrusive.
Getting the students to jump from the blue zone to the yellow and red zone was the issue we emphasized most during the lectures and supervision. In our information and technology-based society, I think that perhaps the hierarchy of fear reaches well beyond conducting ISRAs, but I leave the relevance up to you to decide.
