The persuasion and security awareness experiment: reducing the success of social engineering attacks

Abstract

Objectives

The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., obtaining access through persuasion) in an office environment. In particular, we study the effect of authority during a ‘social engineering’ attack.

Methods

Thirty-one different ‘offenders’ visited the offices of 118 employees and, on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with the request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials.

Results

A total of 37.0 % of the employees who were exposed to the intervention surrendered their keys, while 62.5 % of those who were not exposed to it handed them over. The intervention had a significant effect on compliance, but the same was not the case for authority.

Conclusions

Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.
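The abstract reports the outcome of the intervention arm against the control arm as two compliance rates and a significance verdict. The script below is an added example, not code from the paper, showing how such a field experiment is evaluated as a 2×2 contingency table (compliance rate per arm, absolute risk reduction, odds ratio, and a Pearson chi-square test computed in pure Python). The cell counts are constructed: they are chosen so that the rates come out at exactly 37.0 % and 62.5 % for 118 employees, because the paper's real group sizes are not given on this page. The same routine would apply to the authority manipulation, for which no counts are reported here either.

```python
"""Evaluate a security-awareness field experiment as a 2x2 contingency table.

Added example, not code from the paper. The cell counts are CONSTRUCTED: they
are chosen so the compliance rates equal the abstract's reported 37.0 % (with
intervention) and 62.5 % (without) for 118 employees in total; the paper's real
group sizes are not given on this page.
"""
import math

# Outcome of each scripted visit: did the employee hand over the office key?
OBSERVED = {
    "intervention": {"complied": 20, "refused": 34},   # 20/54 = 37.0 %
    "control":      {"complied": 40, "refused": 24},   # 40/64 = 62.5 %
}


def compliance_rate(cells):
    """Share of a group that surrendered the key."""
    total = cells["complied"] + cells["refused"]
    return cells["complied"] / total


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square (df = 1, no continuity correction) for the table
    [[a, b], [c, d]]. The p-value uses the df = 1 survival function
    P(X > x) = erfc(sqrt(x / 2)), so no SciPy is needed."""
    n = a + b + c + d
    denominator = (a + b) * (c + d) * (a + c) * (b + d)
    if denominator == 0:
        raise ValueError("a row or column of the table is empty")
    statistic = n * (a * d - b * c) ** 2 / denominator
    p_value = math.erfc(math.sqrt(statistic / 2))
    return statistic, p_value


def odds_ratio(a, b, c, d):
    """Odds of complying in the treated group relative to the control group."""
    return (a / b) / (c / d)


def evaluate(table, alpha=0.05):
    """Summarise the intervention effect; returns a dict of the key figures."""
    t, ctl = table["intervention"], table["control"]
    a, b, c, d = t["complied"], t["refused"], ctl["complied"], ctl["refused"]
    statistic, p_value = chi_square_2x2(a, b, c, d)
    return {
        "rate_intervention": compliance_rate(t),
        "rate_control": compliance_rate(ctl),
        "absolute_risk_reduction": compliance_rate(ctl) - compliance_rate(t),
        "odds_ratio": odds_ratio(a, b, c, d),
        "chi_square": statistic,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    for key, value in evaluate(OBSERVED).items():
        if isinstance(value, float):
            print(f"{key:>24}: {value:.4f}")
        else:
            print(f"{key:>24}: {value}")
```

With the constructed counts the chi-square statistic is about 7.6 (p below 0.01), an odds ratio of roughly 0.35, and an absolute reduction of 25.5 percentage points, which is the shape of result the abstract describes for the intervention; a factor that does not move the rates (as reported for authority) would give a statistic near zero and a p-value near one.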

Acknowledgments

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS). This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.

Corresponding author

Correspondence to Jan-Willem H. Bullée.

Cite this article

Bullée, JW.H., Montoya, L., Pieters, W. et al. The persuasion and security awareness experiment: reducing the success of social engineering attacks. J Exp Criminol 11, 97–115 (2015). https://doi.org/10.1007/s11292-014-9222-7

Keywords

  • Authority
  • Awareness
  • Credentials
  • Experiment
  • Intervention
  • Persuasion
  • Social engineering