A PSYCHOLOGICAL AND LEGISLATIVE PERSPECTIVE ON SOCIAL ENGINEERING

CHAPTER 3 A PSYCHOLOGICAL AND LEGISLATIVE PERSPECTIVE ON SOCIAL ENGINEERING

“The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.” Dr. Sagarin, Social psychologist (Mitnick & Simon, 2002: 221).

3.1 INTRODUCTION

Social engineering crosses the boundaries of various disciplines. Its roots stem from the criminological and computer science disciplines (vide chapter 2). It also draws on psychological perspectives and touches on issues of legislation. The aim of the current study is to explore, describe, explain and analyse social engineering attacks by means of multi-inter-transdisciplinary (MIT) analysis. For this reason, these disciplines need to be explored through their relation to social engineering and its associated facets. In order to do this, the psychological and legislative perspectives on social engineering will be discussed.

SOCIAL PSYCHOLOGY CONSIDERATIONS IN SOCIAL ENGINEERING

Social engineering is inherently psychological in nature, as it relies on manipulation and exploitation of the human element to be successful (Frangopoulos, 2007: 82). Thus, a need arises to explore the psychology behind social engineering attacks. Social engineering specifically incorporates aspects of social psychology, as humans and their social surroundings play a pivotal role in its methods of operation. Frangopoulos (2007: 82) further argues that effective social engineering results depend on human vulnerabilities, because technical hacking methods alone would not be able to achieve the same results. The following section seeks to identify the methods and techniques used in social engineering attacks based on a social psychology perspective.

Background and origin of social psychology

Aspects of social psychology have most likely been considered, discussed and questioned for as long as humans could think about each other and their social contexts. However, the scientific study of social psychology only commenced by the end of the nineteenth century (Kassin, Fein & Markus, 2014: 12). Early findings indicate that researchers such as Triplett and Ringelmann emerged as some of the first scholars interested in social psychology, for they explored how the presence of others influences an individual’s performance. However, the discipline only started to develop structure once social psychology textbooks were written between 1908 and 1924. The field of social psychology started to develop rapidly when the world sought explanations for the violence of war and possible resolutions to it. Accompanying this rapid growth were questions about the ethics involved in research practices, the validity of research findings and the generalisations made from research conclusions (Berscheid, 1992; Cartwright, 1979; Goethals, 2003; Kassin et al, 2014).
At present, social psychology assists in deciphering many societal problems such as racism, environmental pollution, Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/Aids) and crime. In this way, social psychology can lead to the advancement of a theoretical model upon which intervention can be based (Buunk & Van Vugt, 2008: 4).

Defining social psychology

Kassin et al (2014: 6) define social psychology as the scientific study, inclusive of methodical observation, narrative and measurement, of how individuals think, feel and behave in a social context. Furthermore, these thoughts, feelings and behaviours are studied in terms of their conceivable influence by the authentic, fictional or implied presence of other human beings (Stroebe, Hewstone & Jonas, 2008: 5). For instance, an individual needs only to imagine receiving positive or negative reactions from an authoritative figure for those reactions to influence that individual’s self-esteem and confidence. Smith, Mackie and Claypool (2015: 3) state that social psychology is a science which focuses on the effects that social and cognitive processes have on the individual. Social psychology fixes its attention on the psychology of the individual, who inhabits a social context in that their thoughts, feelings and behaviours either concern other people or are influenced by other people (Kassin et al, 2014: 7).
Criminal activity should be perceived as a process, as opposed to an event or action. This process is often embedded in earlier experiences. Thus, the inherent nature of psychology focuses on individuals by investigating the latent process of cognitive, emotional and interpersonal facets of the criminal process (Canter, 2013: np). The psychology of crime can consequently provide insight into a wide range of criminal activity (Canter, 2013: np; Walters, 2012: 8; Webber, 2010: 6). Crime does not occur in a vacuum and thus needs to be investigated holistically.
In order to explore social engineering’s correlation to social psychology and criminological principles, the following aspects need to be discussed: the significance of trust in social engineering; the art of persuasion; and compliance mechanisms used in social engineering attacks.

The significance of trust in social engineering

The social engineer’s principal objective is to cultivate enough trust to successfully carry out an attack (Mann, 2008: 88). Human beings have a natural tendency to trust others. This element of trust is classically illustrated by the Milgram experiment conducted in 1961 (cf. Milgram, 1963: 371), in which Milgram set out to showcase the conflict between obedience to authority and personal conscience; it also highlights individuals’ natural inclination to trust. There were two roles in the experiment – the teacher and the learner. Milgram ensured that one of his associates would always be the learner, unbeknown to the participants. The teacher was told to ask the learner a series of questions and to administer an electric shock every time the learner answered incorrectly, increasing the degree of shock each time. The results of the experiment indicated that all of the participants continued to 300 volts while 65 per cent (two-thirds) of the participants continued to the highest level of 450 volts (Milgram, 1963: 371). Naturally, the teacher trusted the instructions from the researcher enough to carry out the electric shocks. Similarly, social engineers attempt to exploit the human tendency to trust and follow what people say.

Table of Contents
LIST OF ABBREVIATIONS
CHAPTER 1 PROBLEM STATEMENT AND OVERVIEW OF THE STUDY
1.1 INTRODUCTION AND PROBLEM STATEMENT
1.2 SOCIAL ENGINEERING IN PERSPECTIVE
1.3 RATIONALE OF THE STUDY
1.4 RESEARCH AIM AND OBJECTIVES
1.5 RESEARCH QUESTIONS
1.6 KEY THEORETICAL CONCEPTS
1.7 OUTLINE OF THE DISSERTATION
1.8 CONCLUSION
CHAPTER 2 FUNDAMENTAL PERSPECTIVES ON SOCIAL ENGINEERING
2.1 INTRODUCTION
2.2 INFORMATION SECURITY CULTURE
2.3 CONCEPTUALISATION OF SOCIAL ENGINEERING
2.4 SOCIAL ENGINEERING THREATS
2.5 THE WEAKEST LINKS IN INFORMATION SECURITY
2.6 THE PERPETRATORS
2.7 SOCIAL ENGINEERING ATTACKS
2.8 THE IMPACT OF SOCIAL ENGINEERING ATTACKS
2.9 CONCLUSION
CHAPTER 3 A PSYCHOLOGICAL AND LEGISLATIVE PERSPECTIVE ON SOCIAL ENGINEERING
3.1 INTRODUCTION
3.2 SOCIAL PSYCHOLOGY CONSIDERATIONS IN SOCIAL ENGINEERING
3.3 SOUTH AFRICAN LEGISLATION
3.4 CONCLUSION
CHAPTER 4 SOCIAL ENGINEERING AND CRIMINOLOGICAL THEORISING
4.1 INTRODUCTION
4.2 DEDUCTIVE AND INDUCTIVE REASONING
4.3 CLASSICAL CRIMINOLOGY
4.5 THE POSITIVIST SCHOOL
4.6 CONCLUSION
CHAPTER 5 RESEARCH METHODOLOGY AND DESIGN
5.1 INTRODUCTION
5.2 PHILOSOPHICAL PERSPECTIVES
5.3 RESEARCH METHODOLOGY
5.4 RESEARCH PROCEDURES
5.5 DATA COLLECTION
5.6 DATA ANALYSIS AND INTERPRETATION
5.7 PILOT STUDY
5.8 VALIDITY, RELIABILITY AND ACCURACY OF COLLECTED INFORMATION
5.9 ETHICAL CONSIDERATIONS
5.10 CONCLUSION
CHAPTER 6 ANALYSIS AND INTERPRETATION OF DATA: A SUBJECT MATTER EXPERT AND BUSINESS PERSPECTIVE
6.1 INTRODUCTION
PART I: A SUBJECT MATTER EXPERT PERSPECTIVE
6.2 ANALYSIS AND INTERPRETATION OF SEMI-STRUCTURED ONE-ON-ONE
PART II: A BUSINESS PERSPECTIVE
6.3 ANALYSIS AND INTERPRETATION OF GROUP-ADMINISTERED QUESTIONNAIRES
SECTION A
6.4 BIOGRAPHICAL DATA
SECTION B
6.5 EMPLOYMENT DETAILS
SECTION C
6.6 GENERAL USE OF COMMUNICATION THROUGH TECHNOLOGY
SECTION D
6.7 ACCESS TO AND VERIFICATION OF PERSONAL INFORMATION
SECTION E
6.8 ACCESS CONTROL
SECTION F
6.9 SOCIAL ENGINEERING
SECTION G
6.10 LEGISLATION RELATED TO INFORMATION SECURITY
SECTION H
6.11 IMPACT ON INFORMATION SECURITY AWARENESS (Annexure F question 3)
6.12 CONCLUSION
CHAPTER 7 ANALYSIS AND INTERPRETATION OF DATA: AN INDIVIDUAL PERSPECTIVE
7.1 INTRODUCTION
7.2 ANALYSIS AND INTERPRETATION OF SELF-ADMINISTERED QUESTIONNAIRES
SECTION A
7.3 BIOGRAPHICAL DATA (Annexure I questions 1, 2, 3, and 4)
SECTION B
7.4 EMPLOYMENT DETAIL
SECTION C
7.5 GENERAL USE OF COMMUNICATION THROUGH TECHNOLOGY
SECTION D
7.6 IDENTIFICATION AND AUTHENTICATION
SECTION E
7.7 ACCESS CONTROL
SECTION F
7.8 SOCIAL ENGINEERING
SECTION G
7.9 LEGISLATION RELATED TO INFORMATION SECURITY
SECTION H
7.10 IMPACT ON INFORMATION SECURITY AWARENESS (N = 96) (Annexure I question 38)
7.11 CONCLUSION
CHAPTER 8 ACHIEVEMENT OF AIM AND OBJECTIVES, RECOMMENDATIONS AND CONCLUSION
8.1 INTRODUCTION MULTI-INTER-TRANSDISCIPLINARY (MIT) SOCIAL ENGINEERING PROTECTION MODEL
8.2 ACHIEVEMENT OF AIMS AND OBJECTIVES OF THE STUDY
8.3 LIMITATIONS OF THE STUDY
8.4 RECOMMENDATIONS FOR PREVENTION OF AND RESPONSE TO SOCIAL ENGINEERING ATTACKS
8.5 Recommendations for businesses
8.6 RECOMMENDATIONS FOR FURTHER RESEARCH
8.7 CONCLUSION
LIST OF REFERENCES

The human element in information security: An analysis of social engineering attacks in the greater Tshwane area of Gauteng, South Africa