Cybersecurity: Social Engineering and Influence Techniques


Cybersecurity and Social Engineering

The implementation of social engineering tactics assists organizations in collecting different types of intelligence and devising methods of protecting crucial information. The concept of social engineering refers to the process of directing human behavior through social influence tactics in order to achieve a desired behavior. Social engineering strategies can be used as an ethical method of protecting information and computer networks, as an unethical way to gain access to information and networks, or even as a measure of offensive or defensive cybersecurity during instances of cyberwar. When compared with technical approaches to protecting information and networks or gaining unauthorized access to them, social engineering tactics may be less reliable and predictable due to their dependency upon the accuracy of human behavior. In order to develop an effective social engineering strategy, cybersecurity experts should be aware of the complexities of human behavior and the various possibilities of using psychological influence to achieve their goals.

According to many cybersecurity analysts, humans are the weakest link in the process of information security. Despite the efficiency of technical controls like firewalls, anti-virus and anti-malware programs, intrusion detection and prevention systems, supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs) and other software and hardware used as methods of technical control, all of these require a level of human competency in order to monitor and adjust the technology to align with an organization’s technical goals. Humans are responsible for maintaining the security of information and networks. They can execute specific measures within an organization’s technical requirements, or they can cause a negative effect by bypassing or not fully implementing the technical strategy that is meant to enhance security controls.

Using influence to direct human behavior represents a proven strategy for executing and maintaining social engineering tactics. According to Professor Robert Cialdini, cybersecurity experts can use six common forms of influence in order to control human behavior that will lead to the successful operation of technical controls: reciprocity, commitment and consistency, social proof, authority, liking and scarcity. It is important to note that these proven principles can lead to the successful execution of cybersecurity policies and procedures, but can also be used by state and non-state actors looking to conduct various forms of cyberattacks in order to carry out espionage, control critical infrastructure, direct currency, or take down networks at corporations and governments to halt business practices, communication and military operations.   

Reciprocity, the first influence principle, concerns the use of relationships between individuals at businesses and governments that involve the exchange of goods and services. Cybersecurity experts and hackers could use this principle to convince someone at another organization to divulge confidential information because that person feels a sense of repaying a debt within their professional relationship. Commitment and consistency refers to an individual’s high likelihood of sharing information as part of a commitment to an ongoing course of action. Throughout this process the individual becomes increasingly confident in the organization’s policies and procedures and becomes more likely to share confidential information. The principle of social proof describes the ability to influence the behavior of particular individuals by surrounding them with other people who already have a familiarity with the company and its goals. Over time the individual will gain more confidence in the organization and behave in ways similar to the other members of the group. Authority, one of the most frequently used influence principles, can direct human behavior when people holding a title within an organization, such as supervisor, manager or executive, request information or a specific task from their subordinates, who are extremely likely to complete these requests by a deadline. Liking, as an influence principle, concerns the probability that an individual will share information or complete tasks because they know and appreciate the person requesting the information. The scarcity principle motivates individuals to carry out certain behaviors due to the possibility of missing the opportunity to meet a deadline or carry out a task requested by authority figures, whether because of a limitation in time, a lack of resources, or the opportunity to gain some level of exclusive access to the organization’s assets.

After cybersecurity professionals determine the social engineering strategy and implementation of influence techniques, they can use phishing, baiting and other measures in order to acquire the intelligence necessary to gain access to a competitor’s network, critical infrastructure and other technical resources. Influence techniques can also be used in ethical ways that motivate individuals to conduct cybersecurity measures in an efficient manner.
