How the ‘cocktail party effect’ leaves us vulnerable to attack – and what the cyber security industry might be able to do about it
With Christmas fast approaching, many of us will soon be attending our annual Christmas parties.
At such parties, it’s impractical for all guests to join a single conversation. So instead, we break into groups of twos, threes and fours to discuss whatever it is we end up discussing. The result is dozens of simultaneous conversations – and a great deal of background noise.
And yet, just about every guest will effortlessly tune out every single conversation bar the one they’re actually involved in. We’ll disregard everything others in earshot are saying or shouting and stay ruthlessly focused on one train of thought.
It’s a phenomenon known, tellingly, as the cocktail party effect. And it’s most likely responsible for thousands of security breaches every year.
Did you see the gorilla?
Researchers first began to study the cocktail party effect by playing people two simultaneous auditory messages (one into each ear). The test – which has been repeated countless times since – shows people have no problem whatsoever focusing on just one of the messages. But in doing so, they’re largely unable to focus on the second.
When concentrating on one thing, it seems as though we’re wired to disregard most other ‘irrelevant’ stimuli entirely. And not just auditory stimuli, either.
In one famous experiment, Christopher Chabris and Daniel Simons asked subjects to watch a clip of people playing basketball and tally the number of passes made. Shortly after the clip begins, someone wearing a gorilla suit walks into the middle of the shot, beats their chest and walks back out of frame. About 50% of the time, subjects fail to notice the gorilla.
Cocktails at work
Consider the cocktail party effect in the context of a busy office.
By definition, people at work have tasks to complete. Typically, tasks need to be completed within a certain time frame. And when working away on a report, proposal or presentation, our attention is usually consumed by the task in hand.
So there we are, working away when up pops an alert warning us of an outdated security certificate, or prompting us to stop what we’re doing and install security updates. The prompt is text heavy and is all that stands in the way of us getting on with the task at hand. Conveniently, there’s an option to ignore the remainder without affording it any attention.
Given we find it so difficult to focus on multiple things without breaking our stride, what are the chances we’re going to even process – let alone read – a security alert?
What are the chances we’re going to drop what we’re doing to install a security update?
Thanks to the cocktail party effect, we’re far more likely to override alerts without thinking than we are to sit up, drink in what’s happening and make a reasoned decision in response.
Naturally, the habit leads to security problems.
Overcoming the cocktail party effect
The cocktail party effect appears to be wired into our DNA. Look around the room at any Christmas party this year. It’s a safe bet no-one will be paying attention to two simultaneous conversations.
So how might we overcome the effect in the workplace to ensure people adhere to security warnings, even when focusing their attention elsewhere?
Research has proved it’s possible to divert focused attention elsewhere so long as a stimulus is deemed of particularly high importance. As a common example, even when engrossed in one conversation, we’re usually able to pick up on someone nearby mentioning something like our names.
Perhaps overcoming the problem of focused attention in the workplace, then, is going to require people affording cyber security a fresh level of importance. And making that happen is going to require our industry to change its approach.
At present, the cyber security industry is primarily concerned with increasing people’s knowledge. To overcome problems like the cocktail party effect, we need to go beyond the current focus on knowledge and start addressing the way people think and feel about cyber security.
CybSafe and governmental research suggests people aren’t currently that engaged with the topic of cyber security. Instead, they’re more likely to be apathetic, skeptical, indifferent, and/or fearful of the subject.
By shifting people’s perspectives – which begins with actually measuring people’s perspectives – we may be able to convince people to break their stride and adhere to cyber security best practices. There’s undoubtedly still a long way to go.
But the sooner we start doing it, the more attacks we can stop.