
Journal of Experimental Criminology, Volume 11, Issue 1, pp 97–115

The persuasion and security awareness experiment: reducing the success of social engineering attacks

  • Jan-Willem H. Bullée
  • Lorena Montoya
  • Wolter Pieters
  • Marianne Junger
  • Pieter H. Hartel

Abstract

Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., the obtaining of access via persuasion) in an office environment. In particular, we study the effect of authority during a ‘social engineering’ attack.

Methods: Thirty-one different ‘offenders’ visited the offices of 118 employees and, on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials.

Results: A total of 37.0 % of the employees who were exposed to the intervention surrendered their keys, while 62.5 % of those who were not exposed to it handed them over. The intervention has a significant effect on compliance, but the same was not the case for authority.

Conclusions: Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.

Keywords

Authority, Awareness, Credentials, Experiment, Intervention, Persuasion, Social engineering

Notes

Acknowledgments

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS). This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.


Copyright information

© Springer Science+Business Media Dordrecht 2015

Authors and Affiliations

  • Jan-Willem H. Bullée (1)
  • Lorena Montoya (1)
  • Wolter Pieters (1)
  • Marianne Junger (2)
  • Pieter H. Hartel (1)

  1. Services, Cyber-security, and Safety Group (SCS), Faculty of EEMCS, University of Twente, Enschede, The Netherlands
  2. Industrial Engineering and Business Information Systems (IEBIS), Faculty of Management and Governance, University of Twente, Enschede, The Netherlands
