Editor’s Note: Appearances
"There may be times and places where it is a good idea to talk back to a military officer, but Germany in 1906 isn’t one of them.” So begins Tim Harford’s recounting of “The Captain of Kopenick,” a well-known tale about fraudster Wilhelm Voigt. In the episode “The Rogue Dressed as a Captain” from his podcast Cautionary Tales, the author and columnist for the Financial Times discusses how the human brain tends to trust the appearance of authority, and that once a person embarks on a path, it is difficult to change course.
Voigt impersonated a captain and convinced two squads of German soldiers to board a train, ride from Berlin to the town of Kopenick, and arrest the town’s mayor. During the arrest, Voigt seized the town’s funds—the equivalent of $250,000—on suspicion of fraud. The soldiers took the mayor to jail while Voigt changed into civilian clothes and escaped with the money.
The details of this story are revealing, says Harford. Voight approached the squad leader dressed in an officer’s uniform and asked where he was going. The leader naturally answered this innocent question. Voigt then asked the squad to follow him, on orders from “the highest level.” What was the harm in marching down the street, especially if ordered to by senior officials? By the time Voigt encountered the second squad of soldiers, he had a squad following him already, so the second squad naturally fell in line.
When the soldiers forced their way into the town hall, they might have had second thoughts, notes Harford, but by then it would have been difficult to challenge the situation. It had gone too far.
Diana Concannon and Michael Center recount a similar anecdote in their article, “Security in Context,” in this month’s issue. An expensive, well-planned security program at a Tokyo facility was thwarted by a color printer, a fake badge, and a very convincing red team member. The penetration tester told building staff that he had flown in from the United States for an emergency audit at the insistence of the CEO.
Similar to the squads’ response to Voigt’s tactics, the staff on duty defaulted to an appearance of authority, and let the tester into the building.
Concannon and Center contend that understanding this tendency—along with culture, organizational values, and politics—can help improve a company’s security posture. They call this contextual intelligence and assert that it can be taught at all levels of the organization.
At the time of Voigt’s exploits, Harford notes, the story was used to poke fun at the German people—they “were suckers for a shouty man in a uniform.” Harford says this is unfair. We all fall for superficial things. We trust tall people more than short people. We trust people in lab coats, even if they tell us they aren’t doctors.
Appearances matter. But so does context. If security professionals can train employees to overcome their biases, they can shift the thinking of the entire organization.