A deep dive into human vulnerability

A little vulnerability can be a good thing. We hear this said in social psychology, but can it be true for social engineering? In social engineering, more often than not, being vulnerable can be dangerous. The Merriam-Webster dictionary defines vulnerable as “capable of being harmed physically or emotionally”.


By that definition, every human being qualifies. Now that’s a bold statement. I can already hear the objections: “Not me, I’m smarter than that.” I can understand that thought. In my industry, there’s a popular slogan, “There’s no patch for human stupidity.”

At first it may seem comical, but ego aside, the longer I dwell on this statement, the more it bothers me. When we think of social engineering, we focus on phishing emails, vishing via malicious phone calls, SMiShing via SMS, or identity theft via social media or in person. If the slogan were true, it would mean that only stupid individuals fall for these attacks.

The reality is that I’ve worked with so many great thinkers and seen them get attacked, so how can that be true?

Is Nobody Really Vulnerable?

Over a decade ago I wrote the world’s first framework for social engineering, analyzing how psychology and practice can be combined to manipulate people into “taking actions that are not in their best interests”. This framework grew into five books over the next 10 years, all focused on how to understand human decision-making and how malicious people could exploit it.

It might almost seem like the person who invented and wrote the framework around these things could never be fooled, right?

Unfortunately, I was recently the victim of a trust attack that damaged my business, my nonprofit, and my reputation. But it was also one of the greatest lessons of my life.

I thought that instead of focusing on the details, which could be the basis of future articles, I could talk about some of the scientific data that can help you, and show where I was vulnerable.

The Halo effect

In the early 20th century, psychologist Edward Thorndike conducted a survey of industrial workers, asking employers to rate workers on their personal qualities. What he discovered was fascinating: those who were considered beautiful were also considered more intelligent, despite the absence of any evidence of their intellectual capacity. In other words, if you have beauty, we will assume that you also have intelligence. This led to the concept of the halo effect.

Of course, in reality, our appearance has little to do with our intelligence, but the halo effect causes us to perceive the people we find attractive as more honest, more competent, and more trustworthy.

In my case, I let the halo effect create a pattern of trust that shouldn’t have existed. This ultimately led me to make decisions that created serious vulnerabilities.

The optimism bias

Have you ever had a situation where something was too good to be true, but despite the overwhelming evidence you should run for the hills, you say, “Well, this won’t happen to me”?

The optimism bias made me ignore the warning signs; I was so excited about what was to come that I missed what was happening. Now mix that in with the halo effect, and I was left at the mercy of a very devious amygdala to make some very bad decisions.

The Ostrich Effect

The Ostrich Effect sounds funny, but it is not so funny if it has made you vulnerable. When our rational mind ignores the hard facts, essentially burying our heads in the sand because we don’t want to see what’s painful, that’s the ostrich effect.

In my case there were blatant signs that I was being lied to, flashing neon signs that I was being taken advantage of, and serious warnings in 150-point bold, bright red font with arrows pointing at them, but all were ignored. Like an ostrich, I buried my head, not wanting to believe that the truth had already been decided.


Like most, I spent a lot of time blaming myself for failing. And therein lies the first lesson, and perhaps the most crucial. I am human. Yes, I am a professional social engineer who has spent over ten years studying human behavior and decision making. But despite that, I am human. And being human, I am susceptible to bias.

But for me, it wasn’t just a lesson in how to feel better. I wanted to understand what we can learn from this and how we can defend against it next time.

I’m not just going to say “control your biases”, because that simplistic statement has no substance. Instead, here’s a three-step process to help you defend yourself against potential bias.

  1. Wisdom in a multitude of advisers. Having trusted partners, friends and family members with whom you can talk openly about a relationship that concerns you, especially if they are not involved in it, can help you steer clear of a potential vulnerability.
  2. Keep emotions under control. As with all social engineering attacks, when you’re feeling overly emotional, it’s a great time to take a step back and make sure you’re not letting bias take over.
  3. Critical thinking. This one is harder, but practicing challenging yourself before you’re in a situation that requires it can build good habits to help you avoid vulnerability.

All in all, there’s no way to 100% guarantee that you won’t be vulnerable no matter how knowledgeable or skilled you are. In fact, sometimes we need to be vulnerable to best protect our vulnerabilities. In other words, we must recognize that all human beings have flaws and we are no exception, but as we become more self-aware, we reduce the risk of our vulnerabilities being exploited.

I am living proof. And in our time when so many are looking to feed on our vulnerability, these tips may just help you stay safe.
