Does Your Personality Make You Vulnerable to Social Engineering 2?

There’s a popular joke, “I feel sorry for people with no personalities because I’ve been blessed with multiple ones.” Well, when it comes to Social Engineering, having no personality would be great and having multiple would be disastrous. Fortunately, there’s no one without a personality, and having multiple personalities is considered a disorder. We all have personalities, and this affects us in diverse ways, especially as it concerns social engineering.

What is Social Engineering? It is the practice of manipulating someone to get sensitive information, the use of weaknesses in people to access private or sensitive data. Typically, it entails manipulating the psychological or emotional state of humans with the aim of getting confidential information. In effect, social engineering uses humans to bypass security controls. Since humans are the primary targets and the attack is psychologically based, personality traits become important, as they can aid or forestall a social engineering attack.

As numerous security professionals have recognized, people are the weak link in security, and since how people act in different situations depends on their personality, understanding personality becomes important. Something else equally important to understand is how psychological ploys are used in social engineering, which is how cybercriminals can trick users or persuade them to take actions that are not in their best interest. It is at this point we begin.

Principles of Persuasion

Social engineers rely on psychological triggers to get their targets to act, and researchers have noted that these triggers depend on persuasion and deception. Cialdini’s six persuasion principles are well recognized as the benchmark for understanding persuasion, and we will look to them before we delve into the relationship between persuasion and personality traits. What follows is a brief explanation of the six principles.

Authority

People are conditioned to respond to an authority figure or do a great deal for someone they think is in a position of authority. Compliance is easier to obtain when it is perceived that the requestor is in a position of authority, as people usually follow an expert or someone higher than them in an organization or society. Common authority figures are doctors, law enforcement, clergy, lawyers, and bankers. An example of how criminals use authority is the CEO fraud. In this fraud, criminals impersonate the CEO or financial head of an organization either through email or a phone call and get an employee (in the accounts department) to wire money to a fraudulent account.

Social Proof

People are more likely to conceive of a behavior as normal, and to engage in that behavior, if there is a belief that others are doing the same thing. That is, we are more likely to engage in an activity if we are convinced that others are doing so or approve of it. As Cialdini says, “we view a behavior as more correct in a given situation to the degree that we see others performing it”. Fraudsters have used this principle to entice people into Ponzi schemes through mass appeal, celebrity endorsements and word of mouth advertising. Implicit in this principle is that we tend to have higher trust levels for those with whom we share similar opinions.

Scarcity

As items or opportunities become difficult to come by, they are perceived to be more valuable. Such an outlook can be used to influence an individual into acting. An example of this scarcity would be an investment scammer telling you he has only three more slots available for an opportunity that would earn you a ton of money.

Commitment and Consistency

As humans we value commitment and consistency. No one admires someone who says one thing and does another. As such, people tend to adapt their self-image to commitments they believe they have made, particularly when those commitments are written down, recorded, or verbally made. Fraudsters exploit this trait by getting people to make an initial commitment. They know that once someone has made a commitment, they are more likely to abide by it, since they would not want to be seen as inconsistent. An example of this can be found in romance scams. The fraudster asks the victim for a “favor” that is insignificant or would not cost the victim much. Once the victim performs this initial act, the fraudster then sets up a scenario that requires the victim to do something more significant or costly, knowing that the victim would comply out of wanting to continue acting in a consistent manner.

Likability

It is said that “People like people who like them.” This is often the case, as we are more open to people whom we like because at our core we want to cultivate and maintain social relationships. Another aspect of this is that we like those who are similar to us: those with similar interests, hobbies, dispositions, or backgrounds. Fraudsters try to leverage this, which is why they always appear friendly and agreeable. In addition, they often try to find and emphasize points they can use to establish similarity, such as being from the same tribe, having visited similar places or having the same hobbies.

Reciprocity

This uses the tendency to feel obligated to repay someone for something done. People are more likely to respond positively to a request when they feel a sense of obligation or indebtedness towards a requestor because of favors or acts done in the past. Fraudsters exploit this trait by offering targets favors or performing acts of kindness, causing people to feel obliged to return the kindness. For example, an investment scammer might invite you to attend an “investment seminar” where the first fifty people would get free gifts. Such gifts are to make you more likely to invest your money out of a sense of obligation.

Having covered our bases concerning Persuasion, let us now turn to personality before considering the connection between the two.

Five Factors Model (FFM)

The American Psychological Association defines personality as “the enduring characteristics and behavior that comprise a person’s unique adjustment to life, including major traits, interests, drives, values, self-concept, abilities, and emotional patterns.” While they note that various theories explain personality in diverse ways, they remark that all theories “agree that personality helps determine behavior.” This last point bears directly on our subject matter, for if psychological triggers can be used in a way that plays on someone’s personality, then their behavior can be affected to some extent. So which theory gives us the best insight concerning personality? There are several good candidates, but a strong contender is what is known as the Five Factors Model or the Big Five personality traits. Dr Edwin van Thiel of 123test company lists and explains the five factors as follows:

  • Openness
  • Conscientiousness
  • Extraversion
  • Agreeableness
  • Neuroticism

or OCEAN:

  • Openness – People who like to learn new things and enjoy new experiences usually score high in openness. Openness includes personality traits like being insightful and imaginative and having a wide variety of interests.
  • Conscientiousness – People that have a high degree of conscientiousness are reliable and prompt. Personality traits include being organized, methodical, thorough as well as following standards.
  • Extraversion – Extraverts get their energy from interacting with others, while introverts get their energy from within themselves. Extraversion includes the personality traits of being energetic, excitement seeking, talkative, and assertive.
  • Agreeableness – These individuals are friendly, cooperative, and compassionate. People with low agreeableness may be more distant. Personality traits include being kind, affectionate, and sympathetic.
  • Neuroticism – Neuroticism is also sometimes called Emotional Stability. This dimension relates to one’s emotional stability and degree of negative emotions. People that score high on neuroticism often experience negative emotions, pessimism, anxiety, and emotional instability.

The Five Factors and Persuasion

Having seen that personality can be understood under these five factors, and knowing that social engineering attacks often use the six principles of persuasion, the question before us is: can the two be correlated in such a way that we gain insights to prevent social engineering attacks? The answer is yes. Uebelacker and Quiel show this in their Social Engineering Personality Framework [1]. Here are their insights.

Conscientiousness – As already stated above, individuals with a high degree of conscientiousness are organized and thorough. Such individuals are also noted for following rules without question. They are likely to be victims of social engineering attacks that use authority, reciprocity, and commitment-consistency (that is, commitment as regards rules). For instance, a phishing email written in a detailed and professional manner impersonating someone in a position of authority is going to get a conscientious target to comply. But if there are security policies in the organization regarding the actions the conscientious target is being asked to take, then they will comply with those policies instead of the email.

Extraversion – Since extraverted individuals are sociable, they will be vulnerable to attacks that use social aspects such as liking or social proof. Also, their energetic and excitement-seeking nature will make them open to attacks using the scarcity principle, as getting something scarce often feels exciting. However, such individuals will be less vulnerable to attacks using commitment and consistency techniques, as their value for consistency is low.

Agreeableness – Since such individuals are friendly and cooperative, they are vulnerable to influence principles that have to do with the opinions of others, such as authority, reciprocity, liking and social proof.

Openness – Since such individuals are open to new experiences, it follows that they would be quite digitally astute and security conscious as their open nature would not be an obstacle but rather an incentive to attend training and get knowledge. But such individuals would be vulnerable to attacks using the scarcity principle as this tends to limit their options, which is something they are not accustomed to.

Neuroticism – Since neurotic individuals are anxious, they often act with more caution, reducing their susceptibility to digital social engineering attacks. Also, since these individuals are overly pessimistic, they assume the worst, thereby making it difficult for them to fall prey to influence techniques.

Practical Applications

As Sun Tzu, the great Chinese military strategist, wrote in his classic work The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” The “know the enemy” here would be the principles of persuasion explained above, and the “know yourself” would be knowing where your personality falls within the five-factor model. To ascertain this, you can take the test here. Everyone will have traits which fall within all five factors, but one will be dominant. Your next step should be to check the principles of persuasion that are the Achilles’ heel of your dominant trait. Here’s a graphical representation to help.

From Uebelacker and Quiel’s Social Engineering Personality Framework

For instance, let’s say your highest score is openness; then you should be very wary when considering offers that have to do with scarcity. You should also consider other factors in which your score is in the middle range. These can have effects as well, although they should not be given a higher priority than the factor with the highest score.

In conclusion, you should keep in mind that when it comes to security and preventing social engineering attacks, there is no silver bullet. Take this as another piece of protection that you can add to your armor. Internalize the principles of persuasion, take the five-factor test, see where your vulnerabilities lie and be prepared.

References

  1. S. Uebelacker and S. Quiel, “The Social Engineering Personality Framework,” 2014 Workshop on Socio-Technical Aspects in Security and Trust, Vienna, Austria, 2014, pp. 24-30, doi: 10.1109/STAST.2014.12
