The persuasion and security awareness experiment: reducing the success of social engineering attacks
Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., obtaining access via persuasion) in an office environment. In particular, we study the effect of authority during a ‘social engineering’ attack.

Methods: Thirty-one different ‘offenders’ visited the offices of 118 employees and, on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with the request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials.

Results: A total of 37.0% of the employees who were exposed to the intervention surrendered their keys, while 62.5% of those who were not exposed to it handed them over. The intervention had a significant effect on compliance, but authority did not.

Conclusions: Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.
Keywords: Authority, Awareness, Credentials, Experiment, Intervention, Persuasion, Social engineering
The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS). This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.