Greetings to my fellow explorers into all things associated with the “Human Condition” in this time and space. Our subject for today is the psychological trait called “Normalcy Bias.” This is a phenomenon in which people have a tendency to underestimate the likelihood or impact of a disaster or crisis. You might think of it as a “deer in headlights” circumstance. The deer, while standing in the middle of a road, sees an oncoming car’s headlights. However, it remains motionless until the car hits it, having never understood the approaching threat.
This bias is often dealt with by individuals (and, accordingly, by larger groups of individuals) in one of two primary ways: preemptive engagement or cautionary delay. Each mode of response has advantages and flaws. So, lets take a look at a couple of real-world situations.
For our first scenario, we need to jump into our “Way Back Machine”; destination time: December, 1998. Location: a corporate headquarters for a group of mid-sized television stations. The subject being discussed? The upcoming potential problems associated with what was being called “Y2K.” While we focus on this on location, please keep in mind that similar talks were taking place in various venues around the globe.
The problem was that a large number of older computers, when built, had not been expected to still be in use by the time the year (as tracked inside their internal clocks) rolled over from 1999 to 2000. Many systems only tracked the last two digits of the year. So, if software used math based on the calendar date of two different days, the result could not be one hundred percent assured to be accurate.
For example, if you wanted to pay an employee $100.00 per day from 12-01-1998 to 01-01-1999, a program might say, “If ending year minus beginning year is equal to one, add the days from the first date to the end of the year and the days from the beginning of the last date to the end date of the last year, for a total of days involved.”
Using the last two digits of the years would give us 99-98=1. So, from December 1 to December 31 would be thirty-one days inclusive. And, from January 1 to only January 1 would be one day. Add those two, and get a result of thirty-two days.
But, with that same pattern, what happens if the final date is 01-01-2000?
To start, 00-99=-99. Therefore, the answer is NOT equal to one. So, the process we followed with our first set of numbers would never be executed because the test failed. The software might crash. Worse yet, it might still run, but with incorrect results.
If our program was being used to compute paychecks, this situation would be potentially expensive, and absolutely annoying. If the program was used to control traffic lights, or operates a machine that automatically administers medicines in a hospital, the error could cause the loss of lives and/or the destruction of property. Costs of that nature would be too high to be acceptable!
So, the task given to the intrepid Information Technology folks at our example headquarters (as it was also being done at thousands of other businesses all around the planet) was to investigate, test and where required, fix all computer systems so as to be safe from failure before New Year’s Day 2000.
It was a rather monumental tasking, to be sure. As the new year was rung in around the world, the actual number of Y2K failures was amazingly small. The investment of time, money and effort by thousands upon thousands of people prevented the potential disaster of computer failures in essential systems.
However, in the days and weeks following, the general public started to imagine that the whole Y2K event was just a giant ball of pointless worry. Nothing happened. We just wasted time and money. Y2K eventually became the target of jokes and TV skits, and then silently faded from the collective memory.
So, as we return to today, we can see that preemptive engagement has as its strongest advantage the ability to have the maximum amount of time wherein to respond to the posed threat or crisis. And with that extra time comes the ability to apply the greatest amount of resources to the problem.
The disadvantages include lowered recognition of accomplishment and an increased likelihood of Normalcy Bias in future situations.
Next, let’s look at cautionary delay. We only need to go back a few weeks. Destination time: June, 2024. Location: a corporate headquarters for a “Software-As-A-Service” (SaaS) called CDK Global. It provides all-inclusive software for new and used automobile dealerships all across North America.
Sometime in early June, insider information believes that a phishing hack email was received and opened at CDK Global. It contained a link to a hidden downloader. (For those not familiar with the term phishing, it is using fake website and email forms to fool people into acting on instructions that appear to be from valid companies. This allows an unfriendly group access to otherwise secure areas.)
Someone apparently violated security protocols, and clicked the link. This caused a bad program (identified as BlackSuit) to load into the computer. BlackSuit is a type of invasive program known as a “Cluster Bomb.” It is called this because it actually contained not just one, but SEVEN different hacking programs. Each of these layers of programs would unfold in the target computer and open and install the next layer. Some layers would harvest any personal information in the target computer and send that info out to collection servers in Eastern Europe. Some layers would explore in-house networks, looking for new targets. The final layer would encrypt everything on the target computer, leaving it locked up. Only by entering the unlock code would the data on the target computer be accessible. The hackers would then offer the password for a ransom.
As you might have guessed, when the SaaS Server was locked, ALL the dealerships that used that server to buy, sell, trade, repair, ship, finance and inventory their cars and trucks were out of business until the server came back on line.
So, at first go, they just loaded a backup from an earlier time. But, apparently, the BlackSuit had been silently waiting for a long enough time so as to be on the backups. Oops!
They went even further back. No good. BlackSuit ended up being in all the backups!
So, CDK Global had no choice other than to pay the multi-million dollar ransom. It seems to have worked, and, as of July, 2024, CDK Global is repairing and reopening for business.
Now, one might be wondering how “cautionary delay” had ANY advantage in this event? Well, at the beginning, proceeding with caution would have bought the maximum available time to investigate the situation. This would also provide the biggest opportunity to consider different options as a response.
But, as we saw, it is also the largest potential for things to go from bad to horrible in the quickest time. In the case of CDK Global, inside information leads us to believe things went from, “I think we have a problem” to “We are SO dead!” in just a few hours.
CDK Global had a secure network. It used secure VPN (Virtual Private Network) connections to its clients. By normal hacking vectors, it SHOULD have been untouchable.
But, as I have often taught students over the years, the weakest link in any computer/networking security system is ALWAYS the humans that are using it.
This was proven truth in this event, as the hack entered by email, with just one person opening the poison link. And, I can promise you, this person had been taught by the company to never click on email links, no matter how safe they look.
Normalcy Bias told that person, “It’s probably just a quick message from someone I know, so it’s OK to click the link they sent me.” Millions of dollars in damages were to follow.
So, as we near the end of our study on Normalcy Bias, we’ve seen that both approaches have positive and negative points to be considered in a crisis situation. Each situation will be unique; each response will need to be customized to fit the particular characteristics in that event.
However, a piece of wisdom given to me many years ago has proven to be very applicable to these circumstances:
“In a high pressure situation, it is far better to quickly respond, even if it isn’t the best response, than to find the best plan after it has become too late to matter.”
In the world we live in today, things can go from peace to war, from feast to famine in mere moments. Knowing that Normalcy Bias is just a part of being human can give you an advantage when dealing with the unexpected. Give yourself time before something happens to imagine various events, and how you might best address those events. You don’t even need to plan on WHAT you will do, so much as planning HOW you will do it. Just a little preparation can mean you won’t be the deer in the headlights.
Peace be unto you.
