Cybersecurity, Film Noir, and Child Exploitation Just Don’t Mix

Milena Radzikowska, PhD
6 min readOct 27, 2021

--

This article makes reference to child abuse. Italic text or text between quotation marks indicates copy pulled directly from the Proofpoint training module.

From Eve’s catastrophic snack fail to thousands of Americans chanting “lock her up”, there’s a long tradition of woman as scapegoat.* Mother and Whore persist as both tropes and stereotypes. They, and the sub-categories of women-types contained within, are convenient shortcuts, bypassing complex social concerns and redirecting fault as needed.

Most professional areas continue to be dominated by men (particularly at the levels of policy and decision-making). While there are frustrating efforts to challenge and remove gender-based stereotypes, the tech sector has been particularly persistent in vilifying or dumbing-down women and positioning men as the stereotypical protector and knowledge keeper.

Enter Proofpoint’s Cybersecurity Awareness Training

In 2020 my employer — Mount Royal University (located in Calgary, Alberta, Canada) — mandated hundreds of staff, faculty, and (I assume) administrators to complete mandatory cybersecurity training through Proofpoint’s online learning module. I will be honest: it took me until nearly the last day to start the module, fresh coffee pot in hand.

Narrator: So, you’re here to help. Well, better late than never. It wasn’t always like this. Going back in my mind, it felt just like the cops and robbers from TV. Yeah. There was still crime. But at least back then you could put a face to their name. Now they just hide behind technology. I had the perfect life, the dream but, then again, dreams have a habit of ending abruptly.

The design of this particular Proofpoint module is a Film Noir-esque animation containing video and audio components: a disillusioned and weathered detective introduces us to a rain-soaked city overrun with crime.

Narrator: This city never ceases to amaze me. It makes me sick to my stomach. You’re not going to believe the case that just came. This one could be a bumpy ride.

On a late Thursday afternoon Angela Smith, a busy single mother, is fighting her way through the cold and dark city streets. We’re told that she had seen the reports of soaring crime levels and, following some trusted reviews on Brainbook (clearly a spoof of Facebook), Angela heads to a brick-and-mortar shop for products to secure her home.

Narrator: The owner was calm, confident, reassuring. Angela purchased door locks, a security alarm. And, on the advice of the shop owner, a smart security camera.

The narrator emphasizes how patiently the male owner explains key security practices to a naive Angela who, subsequently, fails to put some of them into practice.

She heads home, “clutching” her purchases.

Narrator: Knowing it was to be a safe sanctuary from here on out for her and her daughter, Katie.

I’ll skip you past the training components where we learn about secure passwords and two-factor authentication, to the story’s apex: Angela reuses an old password “and became(s) an unwilling accomplice to this case.”

Predator: What’s your name? I just want to be your best friend, Katie.

Narrator: I can’t watch that anymore. I can’t help but think what if that had been my daughter? How much more do we have to teach people before they’ll stop and take notice.

It sounds ridiculous. But that disgusting person hacked into the one thing that Angela thought would make her home safe. Unknowingly, her actions throughout were a huge part of causing that to happen. Angela didn’t think about the dangers of reusing her password. She didn’t foresee that Brainbook would have a data breach exposing her password, how could she? And, regardless, she shouldn’t have reused the same password, especially not for something as important as a security camera in her own home.

Her actions throughout were a huge part of causing that to happen.

The module presents us with a single mother, scared of her crime-infested city, who installs a security camera on the advice of a security expert but, by not following the instructions, is described as an “accomplice” to a crime perpetrated against her child.

She carries the blame. Not the makers of the tech she purchased. Not the CEOs or developers of the social media platform that created systems notorious for data leaks and security breaches. Not the male shop owner who advised her to purchase the camera. Not even the male predator who hacked into her daughter’s camera and computer.

And, let’s be clear: Proofpoint is alluding to a crime against a child that makes a cop “sick to [his] stomach.”

Screenshot from Proofpoint’s Cybersecurity Awareness Training mandated by Mount Royal University in 2021.

There’s no way to avoid this story once you’re into it — even though I selected the correct answers to all interactive components, nonetheless, I was walked through Angela’s “small but catastrophic mistakes” and the subsequent crime (including the young girl’s voice as she interacted with the predator).

While the introductory text acknowledges that the module’s episode is “not a completely accurate re-enactment of a real story” (they “cut out the boring stuff’’), it also tells us that the narrative is “inspired by real events that impacted real people.” The module is both not real and not entirely fictional, focusing on the impact of lax cyber security on “the employer and the employee” while exhibiting a total lack of awareness of violent crime’s life-long impact on the lives of its victims. “Elements of the story may have been exaggerated for dramatic effect” (we are not pre-warned as to those element’s specifics), and the result is further harm to those who have actually been victims of such crimes.

Screenshot from Proofpoint’s Cybersecurity Awareness Training mandated by Mount Royal University in 2021.

Let’s talk about Proofpoint

Proofpoint has more than 3,600 employees: 86% of its senior leadership is male and I would be shocked if that number was any lower for its development team. They pride themselves for serving more than half of Fortune 100 companies, some top global banks, retailers, pharmaceutical companies, and research universities. Thousands of people are likely associated with Proofpoint, though likely not all of them were subjected to this particular training module. In 2020, Proofpoint generated more than $1 billion in revenue.

And they blamed a mother for her child’s molestation.

Image taken from Proofpoint’s website.

It’s true that I’m basing my analysis (and, honestly, condemnation) on the first six minutes of one (and only one) module mandated by my employer, from the suite of training tools offered by Proofpoint.

But think about this — it took less than three minutes to encounter content that has, at the time of writing, resulted in four months of emails between our union and senior administration, incomplete cyber security training, and a formal complaint. Before this issue is resolved or dismissed (or at least the part of the complaint process that I initiated), a dozen people would have to reallocate dozens of working hours across at least three organizations to deal with it.

The blame and accountability for that falls directly on Proofpoint’s shoulders.

This article was co-authored by Dr. Milena Radzikowska, Professor of Information Design, and Dr. D. Scharie Tavcer, Associate Professor in the Department of Economics, Justice, and Policy Studies, Mount Royal University. Dr. Radzikowska has co-authored over 75 publications in design, including two currently available books (and three forthcoming). She is an expert and researcher in the areas of interface and interaction design. Dr. Tavcer’s sought-after expertise is in Canadian criminal justice, violence against women, sexual violence, and occupational stress injuries in justice workers. She has co-authored over 40 publications including two books (with multiple editions), and two more forthcoming.

--

--