InfoSec 2016: Dr Jessica Barker explains why social engineering works

Dr Jessica Barker took to the stage at InfoSecurity Europe 2016 to explain why social engineering works and what we can do to reduce its effectiveness.

Dr Jessica Barker at InfoSecurity Europe 2016

Dr Jessica Barker took to the stage at InfoSecurity Europe 2016 to explain why social engineering works and what we can do to stop it from doing so.

A private consultant with a background in sociology, she says that, “Tech has changed and introduced new attack vectors, however the attacks are still the same.”

She told the story of Francis Lowell, the American businessman who, rather patriotically, thought the US should be producing its own wool. He travelled to the UK and befriended mill owners in Lancashire, who took him on tours around their mills while he pretended to be ‘ill’.

So why do these attacks work? According to Dr Barker, human nature plays a crucial part: the feeling that you are indebted to someone, and reciprocity, the sense of obligation to give something back. Social norms come into play a great deal as well.

According to Dr Barker, people behave very rashly when offered free stuff; she cited research in which 48 percent of people gave away their login details to financial accounts for a free bar of chocolate. A lot of this is down to “human naivety”.

Naivety is a key player in social engineering as well. Pandora's box is the classic example, and its modern-day equivalent, the “click here for a free iPod” ad, seems to be exceedingly successful, according to Dr Barker.

Finally, Dr Barker says social engineering is very easy when it comes to those who are over-confident and narcissistic. “They want everyone to know what they are doing, and believe they are too big to fall.” These types of people tend to show off on social media, and because of this Dr Barker says “narcissism is rising as quickly as obesity.”

So how can we solve this? Dr Barker quoted Dr Langer, who has researched mindfulness at length: “If you don't know you're there, you're not there.” This, she says, is the problem with cyber-security.

When you're thinking with your impulsive ‘Homer Simpson’ brain, the ‘see doughnut, eat doughnut’ mode, how can you make a sound decision about who should be getting your bank account number and sort code?

Dr Barker says we need to train our brains to be more adept at using heuristic techniques: any approach to problem solving, learning or discovery that employs a practical method which is not guaranteed to be optimal or perfect, but is sufficient for the immediate goal.

“Don't try and tell people what to do, try and change their behaviour,” says Dr Barker.