
The F*CK Strategy

Do you like fried chicken? A year ago or so, KFC was featured in almost
every news outlet in the UK: they ran out of chicken for an entire
weekend. A horror story for a food chain with 900 restaurants in the
country. They were the target of enormous criticism. What did KFC do to
address this uncomfortable position?

KFC UK worked together with its advertising agency to plan how to handle
the public relations turmoil. An apology followed, but not a dry one. A
straightforward tweak to its brand, along with a written apology, was a
splendid move. Check it out:

KFC advertisement. Source: https://www.campaignlive.co.uk/article/kfc-says-were-sorry-chicken-shortage-blunt-newspaper-ad/1457868

Figure 1. KFC advertisement at the time.

The company signaled to the public that they had screwed things up. The
apology was an open, heartfelt expression of the contradiction (“a
chicken restaurant without chicken is not ideal”). It was also an
acknowledgment of how hard it was to maneuver the episode (“It’s been
a hell of a week”). Brilliant! What came next was a demonstration of
turning a problem into a solution. People loved the response by KFC.
Take a look at this video:

Yeah, the agency and KFC won an award for this.

The pratfall effect

In the 1960s, psychologist Elliot Aronson coined the term pratfall
effect, describing some of his research findings. “The pratfall effect
is a phenomenon where people who are perceived as competent, are
perceived as more likable or attractive when they commit a blunder.”

Aronson ran an experiment recording an actor while pretending to be
answering quizzes. In one condition, after “solving” the questionnaires
(92% right, on purpose), the actor pretended to spill a cup of coffee
over himself. In the other condition, there was nothing clumsy. The
recordings were played to a large sample of students who rated afterward
how likable the participant was. The clumsy one was rated better.

Pratfall advertising. Source: https://www.abccopywriting.com/2018/11/16/imperfection-sells-pratfall-effect

Figure 2. Avis advertising using the pratfall effect.

We don’t have to wait for our own clumsiness or simulate something like
it to put the pratfall effect into practice. Volkswagen (VW), Avis,
Stella Artois, and other brands have used it in advertising campaigns.
Let’s talk about a VW case. The VW Beetle was successful thanks to the
sharp copywriting pointing to some (apparently) discouraging aspects of
the car model. “Ugly,” “slow,” “noisy,” “expensive” are words you would
have seen in one of the ads in those glorious years for the Beetle.
Thanks to adman and writer Richard Shotton, I came across this funny VW
ad: “Think small,” featuring the supposedly not-that-right size of the
vehicle. Counterintuitive. That’s the complexity of the human mind.

Volkswagen Pin. Source: https://co.pinterest.com/pin/407505466254003581

Figure 3. Volkswagen advertising.

VW used these weaknesses to their advantage – they implied that the
Beetle looked bizarre because their focus was on engineering
excellence, not superficial looks.
—Shotton

Epic failures and honesty

Have you ever had an epic cybersecurity failure? I bet you have.
Fluid Attacks has also been there
(I know because I was responsible for one).
The “FCK” story and, more broadly,
the pratfall effect tell us something valuable about handling incidents
and signaling who we are.

Back in 2014,
one of our customers angrily called us
because of a security incident
provoked presumably by one of our pentesters.
He performed a denial of service attack on one workstation,
and it appeared to have collapsed a middle network security device,
leaving large corporate systems offline
for around 45 minutes.
You read that right:
a pentesting company
hired to make IT more secure,
causing mission-critical systems to be out of service
(a contradiction).
We met immediately with the manager who hired us.
We asked him to tell us about the incident;
the losses seemed financially significant.
It was an awkward, tense 30-minute meeting.
Our colleague admitted his mistake,
and we had nothing more to do than offer a sincere apology
and come back with a proposal to compensate for the outage.
The project was halted.

A few days later, my boss met with the customer, who agreed to resume
the project and our compensation proposal. We then reflected on this
incident. The words of our CEO at the time still resonate in my mind:
“responsibility before profits.” Today, that customer continues to trust
Fluid Attacks.

We shouldn’t be afraid of being honest when a (possibly huge) error
has been made. Customers value companies that are perceived as close to
them. Everybody knows that, as humans, we make mistakes; so do companies
or brands. Admitting blunders and weaknesses is concrete proof of honesty
and, consequently, makes other claims more believable.

If you are ever responsible for a security breach, tell your company
quickly. Accept your responsibility and bet on the pratfall effect. Many
companies that feared a lousy reaction to their business errors have
followed this path and succeeded.

Failures and not-so-good outcomes from handling strategy

I’ve been a learner at DataCamp for almost three years. This company
provides online training in data science in a bunch of technologies
(Python, R, SQL, and others). A couple of days ago, I got to know over
Twitter about a scandal concerning that company. The CEO was involved in
sexual harassment of an instructor in 2017. The data science community,
in support of the victim, started a “boycott” this April. In
short, dozens of instructors started telling people not to take their
courses on DataCamp and to use other available resources. The reason?
DataCamp management tried to hide or diminish the incident as people
demanded transparency and accountability for the issue long ago. On
April 24th, a very late communication from the company’s board announced
that the CEO was stepping down from his position indefinitely. I bet if
the strategy had been different, all this could have been avoided.
DataCamp is a big worldwide player in the e-learning market, and it
failed to embrace the pratfall effect. I would say that their “rational”
approach led to disastrous public relations handling, eroding their trust.

We’re not flawless, but we do our best

As we saw in this post, being open and confronting our flaws could have
massive returns. We wanted to share with you another perspective on
human nature related to our day-to-day mission in cybersecurity. No
individual and no organization is fully protected against security
breaches. We must understand that fact, and we should prepare the best
we can to avoid those breaches. We, at Fluid Attacks, try the best we
can to instill that premise in our employees. We also share with our
customers that we are not flawless and that sh*t happens from time to
time.

We invite you to check our services if you still don’t know about them.
We offer Continuous Hacking, a
service that provides a constant review of your source code and
applications, looking for vulnerabilities (allowing the development team
to focus only on the development), as well as the tracking of the found
weaknesses. The service leverages our Attack Resistance Management
platform (ARM). ARM is a critical component of our value proposition.
We know ARM is not yet a front-runner. We don’t know whether
we are the number one or the second, but we work hard
to make it better for you.


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/fck-strategy/
