The ethics of making it real
Drills and exercises can help prepare people and organizations for the unexpected, but the choices of how to do so may involve tough trade-offs with ethical concerns
I once had the misfortune of experiencing two fire alarms in the same day. The first one was in the middle of the afternoon, at the office of my then employer in West London. As so often when this happens, the rain was pouring down, and many of us got soaked hurrying from the emergency exit to the assembly point in the car park across the road. Later, I made my way to the Isle of Wight for a client meeting the next day. I was about to get ready for bed when the fire alarm in the small Cowes hotel resounded, and the guests, in various states of dress and undress, proceeded to a corner of the car park — not the most pleasant of places on a cold December night.
In both cases it was a genuine, but false, alarm — at least that is what we were told. I always wondered, though. We have probably all had our share of planned fire drills, in which we are told upfront when they will take place — invariably noon, 2pm, or some other conveniently precise whole hour, and never at, say, 3:42pm.
To this day, whenever I hear a fire alarm, I automatically check the time. If it ends on “:00”, I worry a lot less that it might be the real thing — not at all, to be honest. And this relaxed attitude seems to be widely shared during such exercises: nobody appears remotely in a hurry to leave the building. True, the instructions advise us to proceed calmly in case of a fire, but I am not sure they mean the kind of leisurely stroll down the emergency stairs that is typical for fire drills.
So, might devious facilities managers perhaps deliberately engineer ‘malfunctions’ at unexpected times, so they can get a more accurate view of how the building’s occupants would behave in more realistic circumstances? In fact, it is doubtful whether even that would make much difference — most such false alarms tend to be little different from the pre-announced fire drills: the assumption is that it is not a real emergency. No, a facilities manager who genuinely wants to find out how evacuation happens when there is a real fire should come up with a much more realistic scenario. It should not just take place at an awkward time, but there should also be no doubt that it was real — perhaps helped by a small quantity of pyrotechnics.
One summer, long ago, I was out camping with a bunch of other 14-year-olds in the wilderness of Belgium’s Far East. We’d had our dinner and, as dusk was slipping into the darkness of night, we were enjoying the sketches each group had prepared to perform around the campfire. Suddenly, one of the leaders emerged all flustered: one of us, while carrying two full jerrycans of drinking water, had slipped on the narrow path on the way back from the spring that supplied our camp. Apparently, he had suffered a serious leg fracture.
You probably guessed that it was all faked, but to us there was no doubt at the time that it was all too real. We hastily organized ourselves, improvised a stretcher, and set out to search for our unfortunate friend. In the darkness, all that was needed to give it the necessary tinge of realism was a torn pair of old jeans and the content of a bottle of ketchup (it was only afterwards that we realized there had been a strange scent near the ‘accident’ site).
But was deceiving us in that way an ethical thing to do for the camp leaders — and wouldn’t the same question arise if a daring facilities manager staged a fake but realistically scary fire? It is not an easy question: the ethics of a choice, its purpose and the circumstances all play a role. It is a genuinely tough trade-off.
Fighting deception with deception
Perhaps the dilemma is less stark if the purpose of an intervention involving misleading people, and hence debatable ethics, is precisely aimed at combating the criminal use of fakery? GoDaddy is one of the world’s largest web hosting companies, managing well over 70 million domains for more than 20 million customers. In 2019, it suffered an embarrassing security breach, in which the accounts of around 28,000 service users were compromised. Understandably, such a company wants to protect itself against such attacks.
Phishing, a form of computer crime in which the perpetrators approach individuals posing as someone legitimate to try and obtain sensitive data, is not just used to steal money or people’s identities, but also to break into corporate systems. For companies like GoDaddy, it is important to ensure that employees are capable of spotting such attempts, and don’t get taken in.
In December of last year, several hundred of GoDaddy’s staff received an email from the address Happyholidays@Godaddy.com, promising them a one-time $650 Holiday bonus. All they had to do was click a link to select their location and provide some other details. About 500 of them received another email a few days later, from GoDaddy’s chief security officer, to inform them that they had failed a phishing test.
It is not uncommon for companies to conduct such exercises to test their staff’s susceptibility to phishing. This one plainly sought to activate people’s emotions: in a period where many are experiencing financial hardship, the prospect of a bonus is very appealing. Was it, as some say, cruel and indeed unethical to do so? Or should such an exercise, to be effective, be as realistic as possible and use the same kind of ingenious, sophisticated social engineering techniques criminals use to weaken their targets’ sceptical tendencies?
If the benevolent producers of the test email were able to come up with this kind of cynical deceit, actual scammers can surely do the same thing. But does that justify the undoubted hurt it caused the employees who fell for it? Even if the company does not blame (let alone punish) the employees who were caught out, there may be instrumental considerations to take into account as well. How might this exercise affect employees’ attitude towards their employer? Might they become more suspicious and less trusting about all communications from the company?
Formulating a strategy to counteract a real threat of deception does not seem to make handling the ethical concerns involved any easier. Simplistic thinking, especially when decisions have an ethical dimension, is appealing. The allure of both a pure consequentialist perspective, in which “the end justifies the means”, and a pure deontological one, in which moral rules are not negotiable, is unmistakeable. But the former would effectively dismiss any ethical concerns, and the latter would do likewise with any beneficial outcomes.
In the real world of greyscales, both matter. As decision-makers, we cannot escape having to make a judgement call by hiding behind oversimplified principles. But also as observers and potential critics, we should be conscious of the difficulty that inheres in making such trade-offs, before we feel justified outrage.
Originally published at http://koenfucius.wordpress.com on January 22, 2021.