Abstract
Objectives The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., the obtaining of access via persuasion) in an office environment. In particular, we study the effect of authority during a ‘social engineering’ attack. Methods Thirty-one different ‘offenders’ visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results A total of 37.0 % of the employees who were exposed to the intervention surrendered their keys while 62.5 % of those who were not exposed to it handed them over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Ajzen, I. (1988). Attitudes, personality, and behavior (Mapping social psychology series). Dorsey Press.
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. doi:10.1016/0749-5978(91)90020-T.
Anderson, R. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems: Wiley.
Asch, S.E. (1951). Effects of group pressure upon the modification and distortion of judgments In H. Guetzkow (Ed.), Groups, Leadership, and Men (pp. 177–190). Pittsburgh, PA: Carnegie Press.
Bandura, A. (1986). Social foundations of thought and action (First Printing). Prentice Hall.
Barlow, J. (1998). Knowledge in patients with rheumatoid arthritis: a longer-term follow-up of a randomized controlled study of patient education leaflets. Rheumatology, 37(4), 373–376. doi:10.1093/rheumatology/37.4.373.
Bickman, L. (1974). The social power of a uniform1. Journal of Applied Social Psychology, 4(1), 47–61. doi:10.1111/j.1559-1816.1974.tb02599.x.
Blass, T. (1999). The milgram paradigm after 35 years: some things we now know about obedience to authority1. Journal of Applied Social Psychology, 29(5), 955–978. doi:10.1111/j.1559-1816.1999.tb00134.x.
Burger, J.M. (2009). Replicating Milgram: would people still obey today? The American Psychologist, 64, 1–11. doi:10.1037/a0010932.
Carlson, K.A. (2011). The impact of humor on memory: is the humor effect about humor? Humor - International Journal of Humor Research, 24(1). doi:10.1515/humr.2011.002.
Carré, P.C., Roche, N., Neukirch, F., Radeau, T., Perez, T., Terrioux, P., Ostinelli, J., Pouchain, D., Huchon, G. (2008). The effect of an information leaflet upon knowledge and awareness of COPD in potential sufferers. Respiration, 76(1), 53–60. doi:10.1159/000115947.
Cialdini, R.B. (2009). Influence. HarperCollins.
Cornish, D.B., & Clarke, R.V. (2003). Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention. Crime Prevention Studies, 16, 41–96.
Craik, F., & Blankstein, K. (1975). Psychophysiology and human memory. In R. (Ed.), In Psychophysiology (pp. 388–417).Wiley: London
Cross, J. (2011). Social engineering is often overlooked. Retrieved 23-October-2013, from http://www.immense.net/social-engineering-planning/.
Doob, A.N., & Gross, A.E. (1968). Status of frustrator as an inhibitor of Horn-Honking responses. The Journal of Social Psychology, 76(2), 213–218. doi:10.1080/00224545.1968.9933615.
Ershoff, D.H., Mullen, P.D., Quinn, V.P. (1989). A randomized trial of a serialized self-help smoking cessation program for pregnant women in an HMO. American Journal of Public Health, 79(2), 182–187. doi:10.2105/AJPH.79.2.182.
Ferguson, A.J. (2005). Fostering e-mail security awareness: the west point Carronade. EDUCASE Quart, 1, 54–57.
Festinger, L. (1957). A theory of cognitive dissonance. Stanford University Press.
Flight, I., Wilson, C., McGillivray, J. (2012). Turning intention into behaviour: the effect of providing cues to action on participation rates for colorectal cancer screening. Colorectal Cancer-From Prevention to Patient Care. Shanghai: InTech.
Ghaderi, F., Adl, A., Ranjbar, Z. (2013). Effect of a leaflet given to parents on knowledge of tooth avulsion. European Journal of Paediatric Dentistry : Official Journal of European Academy of Paediatric Dentistry, 14(1), 13–6.
Gisquet-Verrier, P., & Riccio, D.C. (2012). Memory reactivation effects independent of reconsolidation. Learning & memory (Cold Spring Harbor, N.Y.), 19(9), 401–9. doi:10.1101/lm.026054.112.
Glanz, K., Rimer, B.K., National Cancer Institute, U. (1997). Theory at a glance: a guide for health promotion practice. U.S. Department of Health and Human Services, Public Health Service, National Institutes of Health, National Cancer Institute.
Greenspan, S. (2008). Annals of gullibility: why we get duped and how to avoid it. Praeger.
Grewal, D., & Kavanoor, S. (1997). Comparative versus noncomparative advertising: a meta-analysis. Journal of Marketing, 61(4), 1. doi:10.2307/1252083.
Gulas, C.S., & Weinberger, M.G. (2006). Humor in advertising: a comprehensive analysis. M.E. Sharpe, Incorporated.
Hadnagy, C., & Wilson, P. (2010). Social engineering: the art of human hacking: Wiley.
Harris, P., Middleton, W., Joiner, R. (2000). The typical student as an in-group member: eliminating optimistic bias by reducing social distance. European Journal of Social Psychology, 30(2), 235–253. doi:10.1002/(SICI)1099-0992.
Hart, A.R., Barone, T.L., Gay, S.P., Inglis, A., Griffin, L., Tallon, C.A., Mayberry, J.F. (1997). The effect on compliance of a health education leaflet in colorectal cancer screening in general practice in central England. Journal of Epidemiology & Community Health, 51(2), 187–191. doi:10.1136/jech.51.2.187.
Hawkey, G.M., & Hawkey, C.J. (1989). Effect of information leaflets on knowledge in patients with gastrointestinal diseases. Gut, 30(11), 1641–1646. doi:10.1136/gut.30.11.1641.
Hight, S.D. (2005). The importance of a security, education, training and awareness program. Retrieved 23-Oktober-2013, from http://www.infosecwriters.com/text_resources/pdf/SETA_SHight.pdf.
Hofstede, G., Hofstede, G.J., Minkov, M. (2010). Cultures and organizations: software of the mind, 3rd Edn. McGraw-Hill.
Humphris, G.M., Duncalf, M., Holt, D. , Field, E. (1999). The experimental evaluation of an oral cancer information leaflet. Oral Oncology, 35(6), 575–582. 10.1016/S1368-8375(99)00040-8.
Humphris, G.M., Ireland, R.S., Field, E.A. (2001). Randomised trial of the psychological effect of information about oral cancer in primary care settings. Oral Oncology, 37(7), 548–552. doi:10.1016/S1368-8375(01)00017-3.
Krawczyk, A., Lau, E., Perez, S., Delisle, V., Amsel, R., Rosberger, Z. (2012). How to inform: comparing written and video education interventions to increase human papillomavirus knowledge and vaccination intentions in young adults. Journal of American College Health : J of ACH, 60(4), 316–22. doi:10.1080/07448481.2011.615355.
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L.F., Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1–31. doi:10.1145/1754393.1754396.
Lancaster, T., & Stead, L.F. (2005). Cochrane Database of Systematic Reviews, 3(3), CD001118. doi:10.1002/14651858.CD001118.
Lefkowitz, M., Blake, R.R., Mouton, J.S. (1955). Status factors in pedestrian violation of traffic signals. The Journal of Abnormal and Social Psychology, 51(3), 704–706. doi:10.1037/h0042000.
Lien, N.H. (2001). Elaboration likelihood model in consumer research: a review. Proceedings of the National Science Council, 11(4), 301–310.
Mann, I. (2008). Hacking the human: social engineering techniques and security countermeasures. Gower.
Milgram, S. (1963). Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378. doi:10.1037/h0040525.
Milgram, S. (1974). Obedience to authority: an experimental view. Harper & Row.
Mitnick, K.D., & Simon, W.L. (2002). The art of deception: controlling the human element of security. Wiley.
Mitnick, K.D., Simon, W. L. , Wozniak, S. (2011). Ghost in the wires: my adventures as the world’s most wanted hacker. Little, Brown.
Packer, D.J. (2008). Identifying systematic disobedience in milgram’s obedience experiments: a meta-analytic review. Perspectives on Psychological Science, 3(4), 301–304. doi:10.1111/j.1745-6924.2008.00080.x.
Pallant, J. (2010). SPSS Survival Manual: a step by step guide to data analysis using SPSS. McGraw-Hill Education.
Petty, R.E., & Cacioppo, J.T. (1981). Attitudes and Persuasion–classic and contemporary approaches. W.C. Brown Company Publishers.
Petty, R.E., & Cacioppo, J.T. (1984). Source factors and the elaboration likelihood model of persuasion. Advances in Consumer Research, 11(1), 668–672.
Petty, R.E., & Cacioppo, J.T. (1986). The elaboration likelihood model of persuasion. In Communication and Persuasion, (pp. 1–24): Springer.
Robb, K.A., Miles, A. , Campbell, J., Evans, P., Wardle, J. (2006). Can cancer risk information raise awareness without increasing anxiety? A randomized trial. Preventive Medicine, 43(3), 187–190. doi:10.1016/j.ypmed.2006.04.015.
Rogers, R.W. (1975). A protection motivation theory of fear appeals and attitude change1. The Journal of Psychology, 91(1), 93–114. doi:10.1080/00223980.1975.9915803.
Rosenstock, I.M. (1974). Historical origins of the health belief model. Health Education & Behavior, 2(4), 328–335. doi:10.1177/109019817400200403.
Rouse, M. (2006). Definition social engineering. TechTarget. Retrieved 23-Oktober-2013, from http://www.searchsecurity.techtarget.com/definition/social-engineering.
Schellevis, J. (2011). Grote Amerikaanse bedrijven vatbaar voor social engineering. Retrieved 03- January-2014, from http://tweakers.net/nieuws/77755/grote-amerikaanse-bedrijven-vatbaar-voor-social-engineering.html.
Schmidt, S.R. (1994). Effects of humor on sentence memory. Journal of Experimental Psychology: Learning, Memory, and Cognition, 20(4), 953.
Schneier, B. (2005). Flaw in Winkhaus blue chip lock. Retrieved 12-November-2013, from https://www.schneier.com/blog/archives/2005/03/flaw_in_winkhau.html.
Shim, S.M., Seo, S.H., Lee, Y., Moon, G.I., Kim, M.S., Park, J.H. (2011). Consumers’ knowledge and safety perceptions of food additives: evaluation on the effectiveness of transmitting information on preservatives. Food Control, 22(7), 1054–1060. doi:10.1016/j.foodcont.2011.01.001.
Stubbings, S., Robb, K., Waller, J., Ramirez, A., Austoker, J., Macleod, U. (2000). Development of a measurement tool to assess public awareness of cancer. British Journal of Cancer, 101(S2), S13–S17. doi:10.1038/sj.bjc.6605385.
The Federal Bureau of Investigation (2013). Internet Social Networking Risks (Vol. 2013) (No. 4 October). U.S. Department of Justice. Retrieved 23- October-2013, from doi:http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks.
Weinstein, N.D. (1980). Unrealistic optimism about future life events. Journal of personality and social psychology, 39(5), 806. doi:10.1037/0022-3514.39.5.806.
Acknowledgments
The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS). This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bullée, JW.H., Montoya, L., Pieters, W. et al. The persuasion and security awareness experiment: reducing the success of social engineering attacks. J Exp Criminol 11, 97–115 (2015). https://doi.org/10.1007/s11292-014-9222-7
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11292-014-9222-7