
HITB Keynote

I recently keynoted at Hack in the Box 2012 Amsterdam. My topic was "Getting ahead of the Security Poverty Line", and the talk is below:



After giving the talk, I think I want to explore more about the set point theory of risk tolerance, and how to social engineer risk perception. Updated versions of this talk will appear at the ISSA conference in October, and at Security Zone in December.

How much capacity do you really have?

I recently bought a Nissan Leaf, and I'm going to share the joys and travails of driving one.

We were going to head out blueberry picking today. Our destination was 34 miles away, and the Leaf claimed it had 80 miles of charge available. "Perfect!" I thought - I could exercise it at its full range, and trickle charge enough overnight to get to work tomorrow, where I can fully charge it.

The first five miles of our trip was uphill on an interstate. By the end of that, the Leaf claimed we had 47 miles of charge left. We turned around, went home, and switched to the Sienna for our blueberry picking adventure.

What happened here? Two things: route selection, and mileage variability. The route selection on the Leaf isn't what I'm used to: on my prior vehicles (Toyota/Lexus), when selecting a route, it would display several options. The Nissan interface didn't, although I'm sure it is there somewhere (something to go look for!). So I had selected the "long but fast route," which added 7 miles, but saved 3 minutes at normal driving speed.

Which leads to mileage variability: 80 mile range is really some number of kilowatt-hours; and different driving has different miles-per-kilowatt-hour efficiency. "Optimal" driving is at 38 mph; the "long but fast route" involved speeds that are at least 50% higher, with a concomitant reduction in efficiency. While 80 miles didn't assume optimal driving, it probably didn't expect such high speed driving.

Feature desire: If you put in a route, and the expected fuel efficiency for normal driving on that route won't get you home on your existing charge, give a warning. This probably requires some better GIS integration, but shouldn't be out of the realm of possibility.
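To make the "miles are really kilowatt-hours" point concrete, here is a small route-aware range check, added as an illustration and not code from this post or from Nissan. The pack size (20 kWh usable), the speed-to-efficiency curve (flat up to 38 mph, then a linear penalty), the vehicle mass and the route shapes are all constructed assumptions; only the 38 mph figure and the 34-mile and 7-mile distances come from the text above. It computes the energy an out-and-back trip needs, warns when the charge will not cover it, and shows why a dashboard that projects range from recent driving can drop from "80 miles" to the mid-40s after a few fast uphill miles.

```python
"""Route-aware range check for a battery EV, as a worked example.

All numbers below are constructed assumptions for illustration: the usable
pack size, the speed/efficiency curve, the vehicle mass and the route shapes
are not Nissan's figures and not measurements from the post.
"""
from dataclasses import dataclass
from typing import List, Tuple

USABLE_KWH = 20.0            # assumption: usable pack energy when "full"
BASE_EFF_MI_PER_KWH = 4.0    # assumption: 80 mi nominal range / 20 kWh
OPTIMAL_MPH = 38.0           # the post's quoted "optimal" speed
EFF_LOSS_PER_MPH = 0.05      # assumption: mi/kWh lost per mph above optimal
MIN_EFF_MI_PER_KWH = 1.0     # assumption: floor so the model never divides by zero
VEHICLE_MASS_KG = 1500.0     # assumption: rough mass of a small EV
METERS_PER_MILE = 1609.34
JOULES_PER_KWH = 3.6e6
G = 9.81


@dataclass(frozen=True)
class Segment:
    """One stretch of road driven at roughly constant speed and grade."""
    miles: float
    speed_mph: float
    grade_pct: float = 0.0   # positive = uphill, negative = downhill


def efficiency(speed_mph: float) -> float:
    """Assumed miles-per-kWh curve: flat up to OPTIMAL_MPH, then a linear loss."""
    over = max(0.0, speed_mph - OPTIMAL_MPH)
    return max(MIN_EFF_MI_PER_KWH, BASE_EFF_MI_PER_KWH - EFF_LOSS_PER_MPH * over)


def segment_kwh(seg: Segment) -> float:
    """Energy for one segment: speed-dependent rolling cost plus climbing cost.

    Descents earn no credit (regen is ignored), so the estimate is conservative.
    """
    rolling = seg.miles / efficiency(seg.speed_mph)
    rise_m = seg.miles * METERS_PER_MILE * seg.grade_pct / 100.0
    climb = max(0.0, VEHICLE_MASS_KG * G * rise_m / JOULES_PER_KWH)
    return rolling + climb


def route_kwh(route: List[Segment]) -> float:
    """Total energy for a list of segments driven in order."""
    return sum(segment_kwh(s) for s in route)


def return_leg(route: List[Segment]) -> List[Segment]:
    """The same road driven back: reversed order, grades flipped."""
    return [Segment(s.miles, s.speed_mph, -s.grade_pct) for s in reversed(route)]


def nominal_range_miles(charge_kwh: float) -> float:
    """What a dashboard shows when it multiplies charge by the nominal efficiency."""
    return charge_kwh * BASE_EFF_MI_PER_KWH


def projected_range_miles(charge_kwh: float, recent_speed_mph: float) -> float:
    """Range projected from recent driving efficiency instead of the nominal figure."""
    return charge_kwh * efficiency(recent_speed_mph)


def check_round_trip(route: List[Segment], charge_kwh: float) -> Tuple[float, bool]:
    """Return (kWh needed to go out and back, whether the current charge covers it)."""
    needed = route_kwh(route) + route_kwh(return_leg(route))
    return needed, needed <= charge_kwh


# Constructed routes: 34 miles direct at the optimal speed, versus the "long but
# fast" option that adds 7 miles and runs at interstate speed. The first five
# miles climb a 3% grade in both cases (grade is an assumption).
SLOW_ROUTE = [Segment(5.0, 38.0, 3.0), Segment(29.0, 38.0, 0.0)]
FAST_ROUTE = [Segment(5.0, 65.0, 3.0), Segment(36.0, 65.0, 0.0)]


if __name__ == "__main__":
    for name, route in (("slow", SLOW_ROUTE), ("fast", FAST_ROUTE)):
        needed, ok = check_round_trip(route, USABLE_KWH)
        print(f"{name}: round trip needs {needed:.1f} kWh of {USABLE_KWH:.0f}; "
              f"{'ok' if ok else 'WARNING: will not get you home'}")
    after_climb = USABLE_KWH - segment_kwh(FAST_ROUTE[0])
    print(f"after the first 5 fast uphill miles: nominal "
          f"{nominal_range_miles(after_climb):.0f} mi, projected from recent "
          f"driving {projected_range_miles(after_climb, 65.0):.0f} mi")
```

Under these assumptions the direct route at 38 mph needs about 18 kWh out and back, so a full 20 kWh pack covers it with little margin, while the fast route needs roughly 32 kWh and should trigger the warning before you leave the driveway. The last two lines show the two kinds of range display: multiplying the remaining charge by the nominal figure still reads close to 68 miles after the climb, but projecting from the efficiency of the last five miles reads about 45, which is the kind of drop the post describes.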

Social Engineering Judo

(or, how good customer service and getting scammed can look alike)

On a business trip a few years ago, I found myself without a hotel room (the hotel at which Egencia asserted I had a reservation claimed to know nothing about me). I made a new reservation at a Marriott hotel, and then called to check in, since I had to head off to a customer event, and wouldn't get to the hotel until around midnight (and didn't want a repeat of having no hotel room). The desk clerk informed me that I couldn't check in yet, but she assured me that yes, I'd have a room, and it was horrible that the other hotel had left me without a room. And yes, it would have a king size bed.

When I arrived, it turned out they'd upgraded me to a penthouse suite for the night. Good customer service, right? (Yes, of course, but now I have to argue the downside.) The clerk didn't actually know if I'd had a problem earlier, so really, she let me socially engineer her (honestly, it wasn't intentional). I've been in the hospitality industry myself, and it's really hard to tell the difference between a customer with a problem whose day you can improve, and a con artist just looking to get by.

One hotel I've worked for had the policy that you could never comp the meal or room a guest was complaining about (because too many people would complain just to see if they could have a free meal), but for folks with issues, you'd comp their next stay, or a meal the next night. This usually made guests happy, and con artists only got fifty percent off (until we discovered the "guest" that hadn't paid for their last ten stays by exercising this policy).

The trick here is to empower your customer service folks -- your front line against con artists and social engineers -- to have enough flexibility to make customers happy, while reducing how much they can cost you. A room upgrade has almost no marginal cost for a midnight check-in; but a free meal is a bit more expensive.

Since drafting this post, I've noticed what seems to be a disturbing trend in the hospitality industry: very few organizations can answer the question, "how will you reduce the likelihood of this happening again?" Instead, they focus merely on, "how can I make you stop complaining?" That's the best case, but it's only a first step.