I just finished the book "Influence: Science and Practice" by Dr. Robert Cialdini. Dr. Cialdini is considered by many to be one of the leading experts in influence, or what our community calls "Social Engineering". This is a powerful book, as you not only learn the techniques that cyber attackers can use against your organization, but it can also help you create a more effective security awareness program. What makes this book so valuable is that not only is it backed by extensive academic research, but it's written in a fun and easy to understand way. Dr. Cialdini identifies six principles of influence, which he calls "Weapons of Influence". What makes these principles so powerful is that they are automatic: they change our behavior without us even realizing what is happening. After reading this book I began to realize just how many times I've been suckered by slick salespeople. I highlight each of the six 'weapons' below from a security perspective and how they can relate to our world of awareness.
Reciprocation: The idea is very simple: if you give a person something, they feel compelled to return the favor, even if they do not like you. Potentially even more powerful is the 'reject-then-retreat' tactic, where a person asks for something extreme, then compromises and asks for something less difficult or of less value. Because they compromised, we feel compelled to return the favor and agree. The idea of reciprocation has been key to developing society, and as a result it is ingrained into how we interact with others. If you want to socially engineer someone, give them something (or give up something) first. The best defense against this? Understand that when someone is using reciprocity as a tactic to exploit you, you can receive their gift and return the favor by NOT doing what they want and exploiting them.
Commitment and Consistency: The idea here is that people want to appear consistent. Attitudes or behaviors that seem erratic are perceived as negative in most cultures. As such, when people commit to a certain belief or value, they want to remain consistent with that image. What struck me in this section is the power of getting someone to commit to something in writing. Time and time again Dr. Cialdini demonstrates how countries, companies and salespeople use this tactic to influence people. I thought one great way we could apply this to awareness is to get people to commit, publicly and/or in writing, to what they feel is important about cyber security and why.
Social Proof: The idea here is that we judge what behavior is correct by watching what others are doing, especially others who are similar to us. This tactic is most effective when we are in a new environment (think new employee) or when we are unsure what is going on. Dr. Cialdini tells the fascinating story of how and why someone who falls ill on the streets of a city is often ignored, while in a small town, or among a small number of people, that same person would be helped. It's not because city people are bad and small communities are good (both want to help); it's that in large groups people may assume someone has already taken care of the situation, or may not even be sure there is an emergency. When they see others not doing anything, this just reinforces the behavior of not doing anything, a vicious cycle. Perhaps this is why in large organizations security issues can go ignored: employees simply believe someone else has already taken care of the problem, and they see no one else acting on it. If you have a culture of people not following rules (especially management), then through social proof everyone else will continue to exhibit the same bad behaviors. This is why a secure culture plays such an important role in long-term behavior change.
Liking: Nothing shocking here: we tend to respond better to someone or something we like. If you want someone to do something, get them to like you. What is interesting are the different elements that play into liking, key elements like similarity, compliments, cooperation to achieve the same goal, and association (think fans and sports teams). What is most interesting is not Dr. Cialdini's detailed treatment of these, but his advice on how to say NO when they are used against you. Specifically, when these tactics are used against you, do not try to eliminate the tactics, but understand how they are being used against you and remove how you feel about the person from the decision. This may also help explain why some security awareness programs fail. People may simply not like the program or the security people leading it. Perhaps they have been told NO by security too many times. Security professionals can also come off as aloof or arrogant with employees. Long story short, perhaps put someone in charge of your awareness program whom employees actually like.
Authority: We are more likely to follow the orders of someone we perceive to be in a position of authority. The classic research in this area is the Milgram study. In this study a student was told by a person in a position of authority to apply increasingly powerful electric shocks to a research participant when they got a question wrong. Researchers were stunned at just how far students took this, applying almost lethal shocks (the students did not know the shocks were simulated). We have been trained since childhood to follow the orders of people in authority (doctors, policemen, etc.), and this behavior can be used by others to their advantage. For the world of awareness, this is one reason why you can have greater impact by having senior executives communicate your security awareness message.
Scarcity: The scarcer something is, the more we desire it. Even more interesting, if that scarcity is the result of demand by others, the desire to have it is even stronger. If you find yourself emotionally wanting something more than you need it because it is difficult to obtain, be careful, as this weapon of influence may be in the process of being used against you.
If you are involved in social engineering, or in defending against it, take a moment to read this book. Don't have time to read a book? Grab the audio version on your smartphone, and the next time you find yourself on a long drive, fire it up.