Superbloom

One of the highlights of HybridConf 2016 was hearing writer Stevyn Colgan talk about his time as a police officer at London’s Scotland Yard. He entertained the audience of UX designers and front-end developers with stories from his book, Why Did the Policeman Cross the Road?. As someone who is concerned about the state of policing (in line with recent protests in the United States), I did not expect to be impressed, but Colgan’s design-thinking approach to crime prevention took me by surprise.

Design Thinking + Policing

Colgan was a founding member of the Problem Solving Unit, which operated differently from the rest of Scotland Yard. Instead of solving crimes, they made it their duty to prevent them. Colgan didn’t use dystopic tools to identify future criminals. Rather, his team borrowed techniques from cognitive science, marketing, urban planning, and other fields to consider the influence of environmental factors. It is this holistic approach - contemplating physical, technical, and social systems - that makes him a design thinker.

Colgan shared many stories about his 30 years with the police force, and a few of them were particularly relevant to the security crowd. Information security is about keeping unauthorized people from accessing sensitive content, so in a sense, infosec overlaps with law enforcement in its commitment to crime prevention. Instead of only taking a classic defensive-security stance, borrow from Colgan’s Problem Solving Unit and find inspiration by thinking like a creative cop. Here are a few pieces of advice from Colgan’s stories:

  • Make your stuff less attractive - Something as simple as covering a motorcycle decreases the likelihood that it will be stolen. The added friction of needing to uncover the motorcycle will redirect thieves to other more-accessible targets nearby.

A covered motorcycle is less attractive to thieves than uncovered motorcycles nearby (from Stevyn Colgan’s Hybrid Conf talk)

  • Identify the weakness - In many enclaves, trash collection happens on a set day. Residents wheel their garbage bins to the curb and bring them back after they’ve been emptied. In Colgan’s city, the only distinguishing factor across these bins is the owner’s house number scrawled on the side. Uncollected bins signal that people aren’t home; with one glance, thieves can deduce which houses would make the best targets for daytime break-ins.

Garbage bins are identical except for the house number written on the side (from Stevyn Colgan’s Hybrid Conf talk)

  • Constantly adapt your techniques - In the 1990s, London was a center for raves. While these gatherings were a mainstay of cultural life for many people during that era, the police considered them to be dangerous because of illegal drug use, sexual assaults, and overcrowding in the case of fire. Before the internet, people relied on posters to learn when and where raves would be held. The Problem Solving Unit made it difficult for promoters to attach posters by adding diagonal braces to walls, which meant that fewer people learned of the raves. Inclement weather played a role, too. The posters were easily damaged when it was wet or windy because they were posted on uneven surfaces.

Diagonal bracing made it more difficult for promoters to attach posters to the wall wall (from Stevyn Colgan’s Hybrid Conf talk)

Implications for infosec

Colgan’s stories of social engineering drew on observations of human behavior and environmental signals, and the Problem Solving Unit’s successes and can be applied to infosec UX. Key takeaways include:

  • Basic precautions are good enough for most people - Withstanding a targeted attack by a powerful adversary is difficult, but deflecting crime is easier. Just as covering your motorcycle redirects attention, simple deterrents can save your data from harm.

  • Look with fresh eyes - Identical garbage bins are unremarkable features in many landscapes because they’re so common. Thinking like a designer means looking past the surface and seeing what can be tweaked. Removing bin numbers - the superficial solution - would have been a complex and impractical response, but nudging people to change their behavior worked just as well.

  • Consider the entire user journey - Rather than focusing only on undesirable behavior at raves, Colgan mapped the entire user journey from the very moment that people learn of a rave. By looking for the starting point, Colgan’s team came up with the clever solution to use “cancelled” stickers.

I was surprised to find a police officer at a design conference, but Colgan’s stories demonstrate that a design mindset always has a place, and technical problems don’t always need technical solutions. Colgan’s solutions may have been in plain sight, but they were elegant. Instead of signaling a lack of originality, tactics like the “cancelled” stickers are markers of success.

Sometimes, the best adjustments are so trivial that we overlook or discount them. When crafting new technologies, what simple solutions have been sitting in front of you, waiting to be discovered?