Almost every coffee drinker on the go is familiar with the coffee cup sleeve: the seemingly ubiquitous piece of cardboard that slides over a paper coffee cup. Simple in its design, the cardboard sleeve has seamlessly blended into the coffee drinking experience. It is more important than it might seem.
While meditating over my grande Café Americano the other day, it struck me the possible lessons a paper cup could teach us about human behavior, economics, and cybersecurity.
Prior to the advent of the cardboard sleeve, as the book Green to Gold describes, the majority of coffee drinkers would protect their hands from burning by asking for a second paper cup. It was an obvious solution to an obvious discomfort. The problem, both for the environment and for Starbucks’ operating margins, was that two paper cups per drink was conspicuously wasteful. Multiple cups per customer increased operating expenses, increased demand on forestry resources, and exacerbated waste disposal issues (think landfill). Considering Starbucks serves an estimated 3 billion drinks in disposable cups every year in the United States alone, a two-cup-per-customer habit introduces non-trivial consequences.
Starbucks’ first attempt at tackling the issue was to design a new coffee cup – one with a built-in insulating layer to keep hands and fingers cool while holding a hot cup of coffee. The cup cost a bit more per unit, but it contained more recycled content than the original paper cup, was less expensive overall than two paper cups, and would eliminate the two-cup habit amongst coffee drinkers. In short, the new cup was a great, innovative solution that addressed both economic and environmental concerns.
Except customers still asked for two cups.
In fact, despite all the benefits of the new cup design, Starbucks estimated that if just 10 percent of customers still requested two cups (which was highly likely given known behavior patterns), the new coffee cup would have a LARGER negative environmental impact than the status quo; that is, the re-designed coffee cup delivered a worse outcome than the original paper cup. Faced with an overwhelmingly undesirable outcome, Starbucks eventually adopted the cardboard sleeve, which uses 40 percent less paper and is less expensive than a full second cup, but simulates the effect of the two-cup habit.
According to Sue Mecklenburg, Starbucks’ VP of Business Practices, “expecting customers to make the right environmental choice often leads to disappointment.” Starbucks’ presumption was that people cared about the environment, and that given an innovative way to protect the environment, customers would adjust their behaviors accordingly. But the presumption was misplaced.
In general, people do care about the environment, but they tend to care about themselves more.
This isn’t selfishness, just self-interest. Habits, such as overeating, exercising, or the two-cup habit, are something that we do almost unconsciously because habits are so much a part of who we are. And who we are, expressed as habits, is important to us. As Charles Sanders Peirce, a noted philosopher, logician, and scientist observed, “human identity is an ongoing social formation resulting in habits of mind.” Put another way: we are our habits. This is why, in part, giving up habits feels so difficult: we are literally trying to give up a part of our identity. As such, accounting for habits (and thus self-interest) is an imperative for making progress on any social concern, whether the concern is the environment or cybersecurity.
I believe Ms. Mecklenburg’s observation is directly relevant to cybersecurity: expecting people to make the right security choices will lead to disappointment. And disappointment seems as ubiquitous in cybersecurity as cardboard coffee sleeves are to coffee drinkers. Our industry is rife with curmudgeons. Mike McConnell’s Senate testimony in February 2010 highlights some of this grumpy sentiment: It will take a catastrophe.
I argue the current approach to cybersecurity simply requires far too much from coffee drinkers, errr, I mean users. We demand large changes in habit from individuals and corporations alike (for their own benefit, we assert) while failing to recognize and adjust for force of habit. In fact, cybersecurity guidance is oftentimes in direct conflict with personal and corporate habits. For instance, “stop clicking on stuff” is a constant refrain from security professionals, as Facebook’s guidance demonstrates (as do others). Facebook might as well have said, “don’t ask for two cups.” It would have been about as relevant and effective. Clicking is a habit, if only because interactions on the Internet are designed that way.
If changes of habit would not happen for a mere coffee cup, as Starbucks learned, the demands of cybersecurity are most likely doomed to continual failure no matter how thunderous and repetitive our warnings. Expecting customers to make the “right” choices simply leads to disappointment… if habit remains ignored.
So here are some possible lessons we can learn from a paper cup:
Don’t Fight Your Customer.
Starbucks chose to avoid fighting its customers, estimating that more than 10% were likely to still ask for a second cup even if a second cup was no longer needed. Instead of trying to “re-educate” 100 million+ customers through pervasive “awareness programs” about the impact their behaviors were having on the environment, Starbucks adjusted its approach to account for force of habit, and in so doing, enhanced its bottom line and improved the company’s social impact.
In contrast, the focus of cybersecurity is primarily on hackers, which is a necessity. But little to nothing is invested in actually understanding customers’ habits or behaviors. This is an unfortunate and damaging omission that explains in large part why the current approach to cybersecurity remains so unsuccessful. Cybersecurity keeps demanding of customers that which customers are unwilling to provide: abstaining from self-interest.
Hackers are not our customers. Everybody else is. Yet cybersecurity insists on fighting a two-front battle. One against hackers, the other against customers’ self-interest. No business wins by fighting its customers. It is simply bad for business.
As much as we might need to think like (and combat) hackers out of necessity, we need to think like business people more. We have a duty to confront cyberattackers – that is no doubt part of our job – but it is not the key element. The part about stopping hackers does not override or circumvent the other part: our duty to our customers and their relentless self-interest.
De-emphasize Technology
Starbucks spent a lot of time and money re-designing its eco-friendly coffee cup only to abandon it. And for good reason: it was a failure. The attempt at brilliant innovation was a noble one…but a simple cardboard sleeve was more practical. Innovation isn’t always the answer. Starbucks had to let go of the “big thing” and aim for something more pragmatic.
In cybersecurity, no failure is truly abandoned (it's just re-branded). Cybersecurity might have to let go of the "big things" we hold on to so tightly that just won’t work no matter how much awareness, training, technology, or dollars we invest. The search for “game changing” technology in cybersecurity also comes to mind (think “coffee cup re-design”).
We might just have to figure out how to let customers do what they want to do, but in a smarter way with stuff we already have that isn’t nearly as sexy as a Next Generation Widget. We also might have to look for, and create, solutions that synchronize with (or at least simulate) customers’ habits.
Be Effective, Not Right
The third lesson is tightly bound to the second. For Starbucks, the “right thing to do” was focusing on environmental impact by redesigning the coffee cup…to pursue an innovative solution to combat conspicuous wastefulness. But looking at the newly designed coffee cup through an economic lens, and taking into account known customer behavior, the “right” solution was suboptimal. Cybersecurity has yet to learn this lesson.
The “right things to do” in cybersecurity are legion: Deploy firewalls. Deploy anti-virus. Enforce password policies, don’t click on stuff…implement awareness programs, deep and frequent auditing, continuous monitoring, and so on. But so far, effectiveness in cybersecurity remains elusive. There is no such thing as perfect security, of course, but it is clear that cybersecurity as envisioned and practiced today has widely missed the mark. The “right thing to do” can be a dangerous distraction. Cybersecurity needs to deeply reconsider the balance of right versus effective.
Be Eager, Not Insulted
Starbucks was not insulted when customers failed to adopt an innovative coffee cup, nor were Starbucks’ executives angry at customers. Starbucks’ executives might have been disappointed, but never angry…certainly not the kind of righteous indignation some cybersecurity practitioners seem to demonstrate towards customers. Terms such as ID10T, PEBCAK, PICNIC, and “stupid users,” common in the technical and security industry, hardly reflect customer respect.
I feel cybersecurity has a disproportionately high number of curmudgeons. A curmudgeon is just another term for describing a person full of indignation at some act regarded as a personal injury or insult. My advice: Let it go. This is business.
So often I hear cybersecurity practitioners lament that they are not considered equals by their fellow executives. Probably for good reason. If you want a seat at the executive table, deliver executive value. Here’s a hint: penetration testing and security assessments aren’t it, no matter how much they might be festooned with words like “risk.” If our efforts do not save our customers time or money, if we do not streamline their interactions, customers will resist and our perceived value will be diluted accordingly. Be eager to adjust to the customer. This is our business.
Compromise Aggressively
Some environmentalists argue that the cardboard coffee sleeve still produces an enormous amount of waste and is an overall failure. This might be true to a degree. But the cardboard sleeve was, in effect, a successful compromise between the sometimes contradictory forces of economics, human behavior, and environmental concern. Sometimes these forces align, sometimes not, which means compromise is essential to move the ball forward.
Unfortunately, the drive to “get some teeth” for cybersecurity practices through regulatory regimes and legislative mandates has made compromise difficult; practitioners’ hands are oftentimes tied by ridiculously expensive and highly suspect prescriptions. In simpler terms, coffee drinkers are still demanding two cups even though we keep yelling that the rules specifically state to take only one. This is grounds for an ugly and unproductive relationship with our customers. So compromise aggressively. Figure out how to quickly say “yes” to customer self-interest and go from there.
In the end, the potential for nonlinearity and erratic interactions in human endeavors exposes the overly simplistic assumptions we often make about habits and real outcomes. Starbucks serves as a helpful example. Perhaps you too might contemplate this over your next cup of coffee.
Talking about Starbucks makes me want a "double venti macchiato"; unfortunately there is no Starbucks close by in Costa Rica.
When I was a network administrator, dealing with viruses could be a pain for our users (customers, clients, etc.) and for us. You find out quickly that no matter how much you try to train and help them to stay clean and secure, they will inevitably click on an email that says they won ten thousand dollars.
Our happy compromise: install better gateway security and stop the viruses before the computers can even get them (mostly), and just make sure their computers and virus software are up to date through group policy.
So we are getting what we want (to be more secure) and the users are okay because they can click on anything they want, because we have already scanned it.
Nothing is 100 percent, but this saved on support calls and damage to file servers.
Posted by: Jim Gaudet | August 05, 2010 at 05:13 AM