Category: Security

Deception: Verbal Behaviour

This is the final of three posts for improving front end capacity to prevent and detect predatory physical access and programs access attacks to critical infrastructure facilitated by bogus documents. The potential of security and front line employees face-to-face with would-be attackers is often underutilized. Hereafter this article refers to security and front line employees screening for access to privileges, benefits or services as agents. The training and skills development resources to vest in these agents is contingent upon the threat and potential outcome from a security compromise.

Agents at the point-of-contact are the primary (in the first instance) information gatherers for organizations.  It is the point of intersection between the predator and the organization where they have least control over the ruse, and they know it. Risk in this context is a feeling. Automated registration systems are more efficient if the critical infrastructure is willing to accept the additional risks. Science is pretty clear that the farther away humans are from face-to-face transactions, the easier it is cognitively and thus, the more they cheat.

Quick Review

Agents are dependent on identification and other documents to make business decisions about people the don’t personally know.  Visual (nonverbal) information is processed through the prism of emotions. This automatic/experiential information processing system deep in the brain alerts conscious awareness of things to be attracted to, things to avoid, and things that are novel. Verbal information is processed in a different region of the brain. Beyond the scope of this post, the two information processing systems are connected by a neurotransmitter pathway of neurons and they influence each other depending on the circumstances in the outside environment.

It is reported from meta studies that the best results in deception management are from a combination of nonverbal and verbal red flag cues. Consequently, improving capacity to detect attacks begins with agents establishing a verbal/nonverbal behaviour baseline in order to observe the behavior of others reacting to agent authority. There is a caveat: Sometimes a nonverbal reaction is not a nonverbal response to a question, or other action. It can be a response to something else that was triggered in long-term memory.

Information Gathering by Agents

How information is gathered at the point-of-contact has implications on data collection accuracy, down the road at getting to the truth if agent concerns are escalated for more in-depth review, and in the most egregious cases to its suitability in civil and criminal proceedings.

The agent’s role is different from that of the public police. Police interviewing and interrogation skills training sometimes mission creeps into private sector interviewing training. Person’s of interest interviewed by police do not have to disclose information they feel will cause them harm. Therefore investigators are trained to develop rapport at the front end of the interview.

Agents are in a different, more advantageous situation. The person they are gathering information from wants something and cannot obtain it, without providing the agent all information the agent needs to make their decision. The agent’s role is more consistent with how the likes of psychiatrists and social workers gather information in a process for assessing the reliability of declarations and statements made to them.

The open-ended question

The tool of every professional information gatherer is the open ended question. It forces an interviewee into a editing process. They must choose what to say, and what not to say. Language leaks. Verbal red flags manifest in the structure of language the interviewee uses as they fabricate a story, avoid disclosing something, or even in specific words used to define the relationship they have with the documents they present. For example, there is a difference in relationship between “my’ document and “the” document. The real question is why is the relationship distant? Is it because it isn’t their document, or are they upset about it for some reason?

In everyday conversation with folks we listen to content – what was said. When language is ambiguous or there is information missing from the story, we cognitively fill in the blanks. Agents can’t afford to do this. Agents listen to context in responses to their questions – how things are said. They cannot make excuses for an interviewee when there is ambiguous or missing language.

Very Important Rule for Agents

There is nothing worse for business than false negatives – accusations about reliability that are unfounded.  Beliefs can be scary things. If someone believes their job is to root out deception, they will find it where it isn’t. If someone believes one particular group is more predatory than another, they will find problems with that group they won’t with other groups and that are unfounded. Bias will keep them from digging deep for clarification.

Here is a nugget:  Because the interviewee must provide all information the agent expects, the agent should begin every interview with total belief in what the person is telling them. The interviewee’s reality, whether they can be truthful or must be deceptive in order to get that which they seek, will show up in the structure of the language and words they use, and in nonverbal behaviour if there is mounting cognitive stress. 

A mindful infusion of science. A well thought out skills development implementation plan combined with practical escalation protocols for more in depth review. Doing this inside a learning culture. All of these things can improve physical and financial security at critical infrastructure. We can prevent more attacks before the occur, and increase the certainty of catching some predators the act. We can reduce the number of poor judgments which result in loss of reputation, trust and sometimes financial costs from torts where judgments have been egregious.


Deception: Nonverbal Behaviour

Risk appetite at Critical Infrastructure depends on the the level of threat and anticipated outcome of a security compromise. The outcome was catastrophic from terrorist boarding airplanes in Boston [2001] and crashing them into the World Trade Center, the Pentagon and a field in Pennsylvania.

There was a lot of political noise post-911. What to do about terrorists boarding aircraft using fraudulently obtained identification cards?

The Congressional Reaction 

The political response, in lieu of seemingly impossible logistics of a National ID Card, was to tweak the security requirements for State issuing of driver’s licences and identification cards with REAL ID.  A post implementing review of REAL ID was undertaken by the U.S. General Accounting Office. The first audit results were published under title, Counterfeit Identification Raises Homeland Security Concerns [2003]. Another study published in 2009 reviewed the progress of individual states in complying with the REAL ID regulations.


The outcome is not all that promising for security. Desk audits found a general inability to detect deception with counterfeit and forged documents presented to security and immigration at airports and at Departments of Motor Vehicles (DMV) across the U.S. State compliance with REAL ID is not consistently applied across each State.

The reality, when someone presents a Certificate of Birth, of which there are 7,000 plus issuers in the US, at a DMV service outlet as proof of status, it is a genesis document for a variety of other means of identification. With a birth registration system designed for the conditions of 1907, no provisions were made to include a biometrics directly linked to the birth record. It remains the same to this day. Secondly, out-of-state deaths are not correlated with in-state births.

So, what is left?

Outside increasing the effort to commit personation and identity fraud, and which is beyond the reach of those depending on these documents, what is left is to increase certainty of catching predators in the act. They are at their most vulnerable while presenting fraudulently acquired, forged, and loaned/stolen genuine documents at the point-of-service to complete their ruse.

Ability to identify red flag indicators of deception is a learned and honed skill.  People higher on the emotional intelligence scale have a better chance of success in maintaining focus over longer periods of time, and better equipped to pick up on the emotions of others.

Back to Affective Realism

The previous post, “Affective Realism“, poured the footings for deception risk mitigation. This metaphor high-lights the most fundamental building block of deception management.

This post posits nonverbal behaviour as a component of assessing the reliability of statements and declarations made at the point-of-service in the deception management game. Assessing nonverbal behaviour can be complicated and fraught with variability. It refers to communication distinct from speech. It is taken generally to include facial and eye expressions, hand and arm gestures, postures, positions, use of space between individuals and objects, and various movements of the body, legs and feet.

Nonverbal behaviour communication can be generated deliberately, the behaviours can be culturally nuanced, and they can be triggered my emotions from below levels of conscious awareness.

The complexity here is that the emotionally triggered nonverbal behaviour can be for something totally unrelated to a request or question posed.

Context is Everything

Nonverbal behaviour must be interpreted contextually: “Depending on or relating to the circumstances that form the setting, in this case, for a security screening event.”  And as learned in the last post, nonverbal behaviour is interpreted through the prism of emotions, as well as beliefs and biases. One can see that is not a precise, nor absolute science. It is fraught with variability.

This does not mean throwing nonverbal behaviour out. It for certain means assessing with humility. When something appears to be aberrant, or out-of-sequence, it is mistake to jump to a conclusion that there is deception. It is something to potentially action with followup questions at the point-of-service or, optionally, to escalate for more in-depth review.

What’s Next?

Meta studies of the research resulted in no single nonverbal or verbal clue as a reliable indicator of deception. The probability of detection increases when clusters of indicators are present (DePaulo ‘et al’, 2003; Masip, ‘et al’ 2005; Vrij 2006; Sporer & Schwandt, 2006,2007).

A future post scans verbal behaviour.

Affective Realism

“We do not passively detect information in the world and then react to it — we construct perceptions of the world as the architects of our own experience.”

Researchers on affective realism are arriving at a consensus that, at any  given moment, emotional state influences perception of information received through sensory channels, with the exception of smell which has it’s own channel.

These early findings have broad, real-world implications that extend from everyday social interactions, to situations with more severe consequences such as:

  • When judges or jury members have to evaluate whether a defendant is remorseful;
  • During police time-sensitive judgment to discharge a firearm in environmentally negative conditions; or
  • When front line employees are making judgments about people they don’t know, who are presenting documents for access to critical infrastructure, to board airplanes, and in other similar circumstances.

Being competent at interpreting what is behind the curtain in the behaviour of others is complicated. There is no absolute. There are many factors to consider and to scientifically research, which will undoubtedly lead to new discoveries.

Heath Care Systems: Outside-the-System Predatory Fraud Controls (3 of 3)

This is the last in this three part series on the financial harms posed by misuse, abuse and predation. The last post explored inside-the-system threats. This post explores outside-the-system threats.

Predation is a different cup of tea than reducing threats posed by trusted billing agents being careless with resources or cheating a little bit. Although outside-the-system attacks may involve corrupted trusted billing agents, this is not representative of the billing agent  community at large.

With automated billing systems, it isn’t what’s known about predatory attacks that is important. It what isn’t known. Tragically, much of the storytelling about healthcare systems’ fraud is sourced from attitudinal surveys. The interesting thing about this, the more this story is told, these attitudes begin to define “reality.”

Committees’ of the United States Congress picked up on health care fraud hyperbole during the Clinton administration; when exploring fraud in America’s healthcare systems. Experts were quoting a ten percent (10%) loss from predation. The Committees response: No one really knows. It was never scientifically quantified. And, there is no evidence that the threat of investigation and prosecution is a stand-alone deterrent to fraud. It is little wonder risk managers and business decision makers balk at putting additional resources towards “countering fraud”, much to the angst of those struggling to control it.

The question then becomes how do you quantity efforts  to counter predatory fraud in order to determine what works and what doesn’t work?

Work has been done in this regard in a different domain. There is evidence from the problem-oriented policing service delivery model that applying situational crime prevention works; when it engages non-police stakeholders partnering in identifying and tackling root causes of crime. Traditionally this has been more the domain of uniform division in policing than in the investigations divisions. Efforts to introduce this harms reduction model to criminal fraud investigations teams servicing the health care sector fell short.

This model views “law enforcement” as one intervention strategy to be applied with other interventions (three to five) to remove crime attractors. Mastery comes in isolating recurring outlier patterns and hot spots for which projects can be undertaken and completed in six to nine months. The targeted activity is quantified going in, and outcomes measured for effectiveness in reducing harms. From it will grow a body of best practices leading to a situational health care fraud matrix. The short of the long; learning from doing.

Malcolm Sparrow J.F. Kennedy School of Government, Harvard]  proposed this problem solving model in his book,  “A License to Steal: How fraud bleeds American’s health care system.” As an educator of and practitioner of problem-oriented policing, Gregory Saville o/a SafeGrowth vouches for its effectiveness in reducing crime harms. Regrettably, the fraud investigations culture in the health care sector appears to be slow on the uptake.

In summary, from our research of privacy acts and case law defining how information may shared and used between insurers, and between insurers with police, there are no legal barriers to becoming more inter-agency cooperative in reducing predatory financial harms when following the procedures outline in our laws, only mindset barriers.

Health Care Systems: Inside-the-System Billing Abuse Controls (2 of 3)

This is the second of a three part series of articles addressing misuse, abuse and predatory practices causing financial harms to health care systems.

This post explores inside-the-system financial harms.  The third in this series will review “outside-the-system” harms.

The reference to “systems” is important.  Becoming effective and controlling financial harms will require a system dynamics and systems thinking approach. This is the world of nonlinearity and developing anti-abuse/misuse and predation of systems learning cultures.  The tools for mitigating these two different types of harms are not that same; while and at same time cannot be considered separately. The stuff of complex systems thinking requires deep understanding the relationship between parts.

Efficient delivery of health care is built on trust that diagnosing physicians/practitioners and other services providers, here-to-after referred to as trusted billing agents, will do the right thing. It is hard to imagine this system working in any other way. This requires faith in an effective cooperation model.

Reciprocal cooperation (altruism) models are complex and chaotic. Cheating is everywhere in nature. Administrators must expect trusted billing agents to cheat a little bit. They should expect cheating to increase if trusted billing agents believe their peers are cheating. When people are reminded of their morality close to the time of a temptation, cheating is shown to goe down. The message from behavioral biologists; there is no such thing as “free will” in resisting cheating temptations, and no-more-so than when trust and resilience are depleted.

If not handled well, controls administrators can do more harm than good. Negative business  relationships provide rationalizations (excuses) when trusted billing agents are tempted to do bad things. Secondly, when offended cooperation decreases in reducing other types of misuse and abuse, both inside the system (corruption, fraud and workplace sabotage), and from outside the system (beneficiary abuse, enterprise medical crime networks, regional gang activity such as accident benefits and bodily injury claims, and at the top of the predatory food chain – transnational organized crime).

In the late 1970s, Robert Alexrod’s now famous game theory tournaments researched cooperation models. This came out of initial insights learned from playing out Prisoner’s Dilemma. The “tit for tat’ reciprocal cooperation model that emerged was evidenced by behavioral biologists and ethologists observing animals in their natural environments. The ultimate game theory model today is generous (forgiving) tit for tat’. It wins out every time in reciprocal cooperation, game theory modelling.

Perhaps there are lessons to be learned from nature on how to develop cooperative relationships with trusted billing agents.

Health Care Systems: Misuse, Abuse & Predatory Fraud Controls (1 of 3)

Health care is an integral part of a nation’s critical infrastructure (CI). It is the largest public cash dispensing sector in the United States and Canadian economies. Ten times that of defense. Health care services delivery is an extraordinarily complex system. Within this context, conversation on misuse, abuse and predation (fraud) controls must be broken down into smaller ecosystems to make sense of the issues and to deploy effective counter measures.

Definition: Ecosystems are, “living organisms in conjunction with nonliving components of their environment interacting with the system.”  

This is the first of three blog posts addressing human cheating and predatory practices causing financial harms to health care systems.

The United States spends in excess of 17.3% of GDP on health care. It is a complicated vertical system of public and private sector plans. People falling between the cracks end up uninsured. The result can be physically, emotionally and financially  catastrophic for families.

Far and way, the United States has the most expensive per capita health care spending in the world. In his book, “A License to steal: How Fraud Bleeds America’s Health Care System”, Harvard University’s Malcolm K. Sparrow explored health care delivery system’s defenses against predatory attacks and made recommendations on fraud specific controls that are for most part ignored.

Canada spends in excess of 10.53 % of GDP on health care benefits and services. The Canadian system is more horizontal; with basic care for everyone meeting status and residency requirements. It is topped up by private plans for unregulated services, Some costs are also absorbed by the property and casualty insurance industry in the case of injury related accidents. Although Sparrow’s work was introduced at a conference held by former Canadian Health Care Anti-Fraud Association, it pretty much goes unheeded by the health care industry’s replacement, the Canadian Life and Health Insurance Association.

Increasingly larger portions of provincial budgets is fueling subtle deregulation of formerly paid for public services in Canada. In Chronic Condition; What Canada’s Health Care System Needs to Be Dragged Into the 21st Century”, Jeffrey Simpson explores the options with a growing problem the Canadian system faces; including cuts to “nonessential” services, tax increases, various types of privatization, and finding savings within health care itself.

The next post in this series explores inside-the-system financial harms and controls. The third in this series looks out outside-the-system financial harms and controls. The distinction between these two types of harms and controls is too often poorly defined.

The Complexity of Uniform Policing

Risk assessment for critical infrastructure assumes uniform police will run at catastrophic and violence events everyone else is running away from. Often they must make time-sensitive judgments on personal and public safety in high anxiety environments.

At the same time, the public and the courts expect uniform police , as primary sensory and verbal information gatherers, to make every judgment and decision rationally and impartially. All this happens in an environment that is often a perfect storm – dealing with their own emotions, while having to deal with the motions of others.

Intuition and time-sensitive judgments draw on prior emotions-laden experiences. The intensity (valence) and influence of these experiences in policing ranges from highly negative to highly positive, which accumulate over a career. In the worst case scenario with highly negative experiences, people end up with Post Traumatic Stress Disorder.

More thought is required on whether uniform police should be recruited for their emotional intelligence (EI) aptitude. More should be known and practiced on what in-service self-awareness and resiliency maintenance training is needed to  mitigate unintended consequences from environments and situational circumstances employers put uniform police in.

About Tranzform-security

This inaugural post introduces tranzform-security. We believe in a dynamic approach to security practice at critical infrastructure (CI). We draws from science in order to extend the boundaries on how we mostly think about security.

Critical infrastructures are ‘complex systems’. The human threats posed to CI manifest in two subcategories. Exogenous [outside the system] threats include acts of terror and other crime attacks by predators. Endogenous [inside the system] threats include technical vulnerabilities arising from human error, occupational fraud, internal theft, corruption, workplace sabotage and workplace violence.

About Complex Systems

“All complex systems, whether they are biological ecosystems like the human body, natural ecosystems like a rain forest, social ecosystems like an open-air market, or socio-technical ecosystems like the global financial system, or the Internet are deeply interlinked. Individual units within these ecosystems are interdependent, each doing its part and relying on the other units to do their part as well. This is neither rare nor difficult, and complex ecosystems abound.  

Bruce Schneier, Liars and Outliers (2012)

Transformative Security Practice

“Transformative security practice”  (TSP) is new language for defining transformation of security as  ‘learning cultures’ (Senge, Peter. ‘The Fifth Discipline: The art and practice of the learning organization’. 1994).

A security learning culture is generative. It is a shift of mindset from ‘business as usual’ to one of wonder, discovery and continuous improvement. It is a new way to think about how organizations perceive and practice security. It is adaptive, putting technology in the hands of the right people, doing the right things, at the right time.

TSP challenges security to move beyond the limitations imposed by reductionist, cause and effect, thinking about solutions. It embraces chaos the comes with humanity. It applies ‘system’s thinking‘ to explore the inter-relatedness between parts in the organization, and how changes to these parts influence the whole.

With TSP, we learn how to motivate employees in playing a vital role in security as primary over technology. We recognize the influence and impact of beliefs, mental models, heuristics bias (mental shortcuts) and affect (emotions) on security.

A Generative Approach to Security

Security is dealing with new realities including acts of terror, transnational enterprise crime, and a post-industrial age uncertainty that is increasing stress and anxiety predicted in 1970 (Toffler, A.  Future Shock).

TSP takes a behavioral and prevention science approach to security. In factors both the feelings of security and the reality of security. It draws on science from multiple disciplines including psychology, neuroscience, social physics, behavioral economics and behavioral biology.

TSP promotes deep cycle learning. It encourages lateral thinking to resolve security problems. It centers around five disciplines for creating a security learning culture :

  1. personal mastery
  2. mental models
  3. shared vision
  4. team learning and
  5. systems thinking delivered in practitioner-based, problem-solving ways.