Do you like fried chicken? A year ago or so, KFC was featured in almost every news outlet in the UK: they ran out of chicken for an entire weekend. A horror story for a food chain with 900 restaurants in the country. They were the target of enormous criticism. What did KFC do to address this uncomfortable position?
KFC UK worked together with its advertising agency to plan how to handle the public relations turmoil. An apology arose, but not a dry one. A straightforward tweak using its brand along with a written apology was a splendid move. Check it out:
Figure 1. KFC advertisement at the time.
The company signaled to the public that they screwed things up. The apology was an open, heartfelt expression about contradiction ("a chicken restaurant without chicken is not ideal"). Also, an acknowledgment about how hard it was to maneuver the episode ("It’s been a hell of a week"). Brilliant! What came next was the demonstration of turning a problem into a solution. People loved the response by KFC. Take a look at this video:
Yeah, the agency and KFC won an award for this.
The pratfall effect
In the 1960s, psychologist Elliot Aronson coined the term pratfall effect describing some of his research findings. "The pratfall effect is a phenomenon where people who are perceived as competent, are perceived as more likable or attractive when they commit a blunder."
Aronson ran an experiment recording an actor while pretending to be answering quizzes. In one condition, after "solving" the questionnaires (92% right, on purpose), the actor pretended to spill a cup of coffee over himself. In the other condition, there was nothing clumsy. The recordings were played to a large sample of students who rated afterward how likable the participant was. The clumsy one was rated better.
Figure 2. Avis advertising using the pratfall effect.
We don’t have to wait for our clumsiness or simulate something of the like to put the pratfall effect into practice. Volkswagen (VW), Avis, Stella Artois, and other brands have used it on advertising campaigns. Let’s talk about a VW case. The VW Beetle was successful thanks to the sharp copywriting pointing to some (apparently) discouraging aspects of the car model. "Ugly," "slow," "noisy," "expensive" are words you would have seen in one of the ads in those glorious years for the Beetle. Thanks to adman and writer Richard Shotton, I came across this funny VW ad: "Think small," featuring the supposedly not-that-right size of the vehicle. Counterintuitive. That’s the complexity of the human mind.
Figure 3. Volkswagen advertising.
VW used these weaknesses to their advantage – they implied that the Beetle looked bizarre because their focus was on engineering excellence, not superficial looks. —Shotton
Epic failures and honesty
Have you ever had an epic cybersecurity failure? I bet you have.
Fluid Attacks has also been there
(I know because I was responsible for one).
The "FCK" story and, more broadly,
the pratfall effect tells us something valuable about handling incidents
and signaling who we are.
Back in 2014, one of our customers angrily called us because of a security incident provoked presumably by one of our pentesters. He performed a denial of service attack on one workstation, and it appeared to have collapsed a middle network security device, leaving large corporate systems offline for around 45 minutes. You read that right: a pentesting company hired to make IT more secure, causing mission-critical systems to be out of service (a contradiction). We met immediately with the manager who hired us. We asked him to tell us about the incident; the losses seemed financially significant. It was an awkward, tense 30-minute meeting. Our colleague admitted his mistake, and we had nothing more to do than offer a sincere apology and come back with a proposal to compensate for the outage. The project was halted.
A few days later, my boss met with the customer, who agreed to resume
the project and our compensation proposal. We then reflected on this
incident. The words of our CEO at the time still resonate in my mind:
"responsibility before profits." Today, that customer continues to trust
We shouldn’t be afraid about being honest when a possibly (huge) error was made. Customers value companies that are perceived close to them. Everybody knows that as humans, we make mistakes, so do companies or brands. Admitting blunders and weaknesses is concrete proof of honesty and, consequently, makes other claims more believable.
If you are ever responsible for a security breach, tell your company quickly. Accept your responsibility, bet on the pratfall effect. Many companies have feared a lousy reaction from business errors following this path but have succeeded.
Failures and not-so-good outcomes from handling strategy
I’ve been a learner at Datacamp for almost three years. This company provides online training in data science in a bunch of technologies (Python, R, SQL, and others). A couple of days ago, I got to know over Twitter about a scandal concerning that company. The CEO was involved in sexual harassment to an instructor in 2017. The data science community, in support of the victim, started a "boycott" this April (example). In short, dozens of instructors started telling people not to take their courses on Datacamp and to use other available resources. The reason? Datacamp management tried to hide or diminish the incident as people demanded transparency and accountability for the issue long ago. On April 24th, a very late communication from the company’s board announced that the CEO was stepping from his position indefinitely. I bet if the strategy was different, all this could have been avoided. Datacamp is a big worldwide player in the e-learning market, and it failed to embrace the pratfall effect. I would say that their "rational" approach led to disastrous public relations handling, eroding their trust.
We’re not flawless, but we do our best
As we saw in this post, being open and confront our flaws could have
massive returns. We wanted to share with you another perspective of
human nature related to our day-to-day mission in cybersecurity. No
individual and no organization is fully protected against security
breaches. We must understand that fact, and we should prepare the best
we can to avoid those breaches. We, at
Fluid Attacks, try the best we
can to infuse that premise among our employees. We also share with our
customers that we are not flawless and that sh*t happens from time to
We invite you to check our services if you still don’t know about them. We offer Continuous Hacking, a service that provides a constant review of your source code and applications, looking for vulnerabilities (allowing the development team to focus only on the development), as well as the tracking of the found weaknesses. The service leverages our Attack Resistance Management platform (ARM). ARM is a critical component of our value proposition. We know ARM is not yet a front-runner. We don’t know whether we are the number one or the second, but we work hard to make it better for you.
Recommended blog posts
You might be interested in the following related posts.
Definition, implementation, importance and alternatives
Keep tabs on this proposal from the Biden-Harris Admin
Vulnerability scanning and pentesting for a safer web
Definitions, classifications and pros and cons
Is your security testing covering the right risks?
How this process works and what benefits come with it
Get an overview of vulnerability assessment
Benefits of continuous over point-in-time pentesting