Philosophy

The F*CK strategy: The pratfall effect application on business

Julian Arango

Engagement Manager

Updated

Apr 11, 2025

5 min

Do you like fried chicken? In February 2018, KFC was featured in almost every news outlet in the UK: They ran out of chicken for an entire weekend. This was a horror story for a food chain with around 900 restaurants in the country, and they were the target of enormous criticism. What did KFC do to address this uncomfortable position?

KFC UK worked together with its advertising agency to plan how to handle the public relations turmoil. The result was an apology, but not a dry one. A straightforward tweak using its brand, along with a written apology, was a splendid move. Check it out:

KFC advertisement at the time.

The company signaled to the public that they screwed things up. The apology was an open, heartfelt expression of contradiction: "A chicken restaurant without any chicken. It's not ideal." Also, an acknowledgment of how hard it was to maneuver the episode: "It's been a hell of a week." Brilliant! What came next was the demonstration of having turned a problem into a solution. People loved the response by KFC. Take a look at this video:

Yeah, the agency and KFC won an award for this.

The pratfall effect

In the 1960s, psychologist Elliot Aronson coined the term pratfall effect, describing some of his research findings. "The pratfall effect is a phenomenon where people who are perceived as competent, are perceived as more likable or attractive when they commit a blunder."

Aronson ran an experiment recording an actor while pretending to be answering quizzes. In one condition, after "solving" the questionnaires (92% right, on purpose), the actor pretended to spill a cup of coffee over himself. In the other condition, there was nothing clumsy. The recordings were played to a large sample of students who rated afterward how likable the participant was. Interestingly, the clumsy one was rated better.

Avis advertising using the pratfall effect.

We don't have to wait for our own clumsiness, or simulate it, to put the pratfall effect into practice. Volkswagen (VW), Avis, Stella Artois, and other brands have used it in advertising campaigns. Let's talk about a VW case. The VW Beetle was successful thanks to sharp copywriting that pointed to some (apparently) discouraging aspects of the car model. "Ugly," "slow," "noisy," and "expensive" are words you would have seen in one of the ads in those glorious years for the Beetle. Thanks to adman and writer Richard Shotton, I came across this funny VW ad: "Think small," featuring the supposedly not-that-right size of the vehicle. Counterintuitive. That's the complexity of the human mind.

Volkswagen advertising.

VW used these weaknesses to their advantage – they implied that the Beetle looked bizarre because their focus was on engineering excellence, not superficial looks. —Shotton

Epic failures and honesty

Have you ever had an epic cybersecurity failure? I bet you have. Fluid Attacks has also been there (I know because I was partially responsible for one). The "FCK" story and, more broadly, the pratfall effect tell us something valuable about handling incidents and signaling who we are.

Back in 2014, one of our customers angrily called us because of a security incident presumably provoked by one of our pentesters. He performed a denial-of-service attack on one workstation, and it appeared to have collapsed an intermediate network security device, leaving large corporate systems offline for around 45 minutes.

You read that right: An AppSec company hired to make IT more secure causes one of its clients' mission-critical systems to be out of service (a contradiction). We met immediately with the manager who hired us. We asked him to tell us about the incident; the losses seemed financially significant. It was an awkward, tense 30-minute meeting. Our colleague admitted his mistake, and we had nothing more to do than offer a sincere apology and come back with a proposal to compensate for the outage. The project was halted.

A few days later, my boss met with the customer, who agreed to resume the project and accepted our compensation proposal. We then reflected on this incident. The words of our CEO at the time still resonate in my mind: "Responsibility before profits." Today, that customer continues to trust Fluid Attacks.

Something similar, but more of a public nature, can be seen in what happened to the company Zoom Communications with its platform amid the COVID-19 pandemic. When Zoom faced a spate of security vulnerabilities in 2020, its initial surge in popularity quickly turned into a crisis. Numerous security and privacy issues were discovered, including "Zoombombing" (uninvited participants disrupting meetings), data routing failures, and misleading claims about its encryption.

Recognizing that the digital realm also responds favorably to authenticity, CEO Eric S. Yuan did not deflect blame. Instead, he issued public apologies, acknowledging the company's shortcomings. This wasn't just damage control but a form of digital pratfall. By openly admitting its flaws, Zoom humanized itself, transitioning from an untouchable tech giant to a company grappling with real-world challenges. This transparency, demonstrated through their commitment to a 90-day feature freeze to prioritize security, showed a level of responsibility that resonated with users.

We shouldn't be afraid to be honest when a possible (huge) error is made. Customers value companies that are perceived as close to them. Everybody knows that humans make mistakes, and so do companies or brands. Admitting blunders and weaknesses is concrete proof of honesty and, consequently, makes other claims more believable.

If you are ever responsible for a security breach, tell your company quickly. Accept your responsibility, and bet on the pratfall effect. Many companies that feared a bad reaction to their business errors have followed this path and succeeded.

Example of an avoidable failure

I was a learner at DataCamp for around three years. This company provides online data science training in many technologies (Python, R, SQL, and others). In 2019, I got to know about a scandal concerning that company. The CEO was involved in the sexual harassment of an instructor in 2017. The data science community, in support of the victim, started a "boycott." In short, dozens of instructors started telling people not to take their courses on DataCamp and to use other available resources. The reason? DataCamp management tried to hide or diminish the incident while people had long been demanding transparency and accountability for the issue.

On April 24th, 2019, a very late communication from the company's board announced that the CEO was stepping down from his position indefinitely. I bet that if the strategy had been different, all this could have been avoided. DataCamp is a big worldwide player in the e-learning market, and it failed to embrace the pratfall effect. I would say that their "rational" approach led to disastrous public relations handling, eroding trust in them.

We're not flawless, but we do our best

As we saw in this post, being open and confronting our flaws can have massive returns. We wanted to share with you another perspective on human nature related to our day-to-day mission in cybersecurity. No individual and no organization is fully protected against security breaches. We must understand that fact and prepare the best we can to avoid those issues. At Fluid Attacks, we do the best we can to instill that premise in our employees. We also share with our customers that we are not flawless and that sh*t happens from time to time.

We invite you to check out our Continuous Hacking solution if you don't know it yet (start a 21-day free trial). It evaluates your applications throughout the SDLC using automated tools and experts, constantly reports their security vulnerabilities, and helps you prioritize and remediate them. Our vulnerability management platform is a critical component of our value proposition. We know that this platform is not yet a front-runner. We know we are not number one or number two in AppSec solutions, but what we are sure of is that we are working hard to improve our portfolio for your cybersecurity day by day.

Tags:

cybersecurity

company

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

© 2025 Fluid Attacks. We hack your software.
