In risk management, sometimes the medium is the message.

Assume that you were a credit officer at a bank in the 1970s.  You come to work, and you sift through the 50 credit applications on your desk.

You notice that while 20 of the applications are made in difference names, identities, addresses and so on… you notice that they are all made with the same pen and penmanship.

Would that not trigger an alarm in your mind?

In Morse code, every operator is taught the same exact alphabet of signals.  For example, the signal for SOS during an emergency in Morse code is . . .   – – –   . . .

Three dots, followed by three lines, followed by three dots.

If you give 100 operators the task to transmit this simple code, do you think they will all do it the “same” exact way?


Each person, will do it slightly differently, and some operators will develop over time their own style of typing – which is called a “fist”.

In war, this fist can provide intelligence about who is the person who is transmitting the code, more so than the actual signal.  In the US Civil War, after the enemy captured one of the posts – they asked their Morse operator to signal to the other posts that “everything is OK, and they can come out now…”

The idea was to ambush the soldiers as they would not expect their enemy to be there.

However, the Morse operator, who communicated with those captured posts, sensed that the fist of this message is NOT the usual tempo in which his counterpart usually signals…

By sending a few more messages that included words that had very distinct fist of his counterpart, the Morse operator concluded that it is NOT a friendly message.

It saved their lives.

In the reference section below you are also read about a famous WWII use of fists and how it helped the allied forces track army movements across Europe.

In the 21st century, the Internet is filled with signals.  We should look for the fists in the signals, to allow us to decipher friend from foe.  For example, keyboard dynamics are used to measure the cadence of typing, to help discern if this is the expected user or not.  These methods are not fool proof and if anything they add false-positives and false-negatives.

This notion is important as when you operate a website, you may have phishers lure the user name and passwords of your customers.  Then, from one computer they will login to many accounts… it is akin to having the same pen and penmanship on different credit applications.

If you adopt the “old school” thinking into the 21st century and beyond technology, you will find the methods of the criminals.

Most law-enforcement personnel are geared towards catching the bad guys, catching WHO did it.  Risk managers care less about who, and care most about HOW they did it – the method.  Once the method is revealed, then measures and controls can be put in place to stop any criminal.

Click here for Chapter 6



The Medium is the Message

Keyboard Dynamics

Leave a Reply

Your email address will not be published. Required fields are marked *