Social-Engineer Newsletter – Vol 05 Issue 63

 


Dec 2014

In This Issue

  • Thin Slice Judgements
  • Social-Engineer News
  • Upcoming classes

THE NEWS


As a member of the newsletter you have the option to OPT-IN for special offers.  You can click here to do that.


 

Check out the schedule of upcoming training on Social-Engineer.com

All classes below are Advanced Practical Social Engineering or APSE

REGISTER NOW!

2015 Schedule Now Released

Feb 23-27, 2015 APSE – Orlando, FL

May 18-22, 2015 APSE – Bristol, UK

Oct 5-9, 2015 APSE – Columbia, MD

We are limiting the number of attendees in each class, so it is first come, first served.

  • 5 days of ground breaking training
  • The Advanced Practical Social Engineering Course guide
  • Special tools to enhance your SE practice
  • A chance to take the first ever Social Engineering Pentesting Certification
  • Homework each night and one instructor led engagement
  • Lots more

If you want to ensure your spot on the list, register now. Classes are filling up fast and early!


Do you like FREE Stuff?

How about the first chapter of BOTH of Chris Hadnagy’s best-selling books: Social Engineering: The Art of Human Hacking & Unmasking the Social Engineer: The Human Side of Security?

If you do, you can register to get the first chapter completely free. Just go over to http://www.social-engineer.com to download now!

 


To contribute your ideas or writing send an email to contribute@social-engineer.org 


 Special Thanks and Notices:

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.

A Special Thanks to:

Ace Hackware for their support in very cool schwag and hacker tools

The EFF for supporting freedom of Speech

Check out Robin Dreeke’s amazing book called “It’s Not All About Me”, packed with the top 10 techniques for building rapport fast. It is an awesome book!


The Social Engineering Infographic has been released and is making waves.

Chris Hadnagy’s new book is out and available: Unmasking The Social Engineer: The Human Side of Security is an effort that took over 2 years to write with help from Dr. Paul Ekman and Paul Kelly.

Check it out and order today!



Agreement on thin slices of personality (not pizza)

You know when you meet someone briefly for the first time and you walk away with a general impression of what you think their personality is like? That type of situation has a name in psychological research: judgments of thin slice behavior. A fair amount of research has been done on thin slice judgments and, as social engineers will not be surprised to find out, they tend to be fairly accurate. Ambady and Rosenthal (1992) found judgments based on thin slices of behavior to be accurate about 70% of the time, which, to put that in context, is just slightly less accurate than a trained professional using a polygraph (Faigman, Fienberg & Stern, 2003). Thin slices of behavior are generally considered to be observations under 5 minutes, but statistics say that judgments based on less than 30 seconds of observation are just as reliable as those made from 4-5 minute observations (Ambady & Rosenthal, 1992). Recent research took a look at what influences group consensus in thin slice personality judgments, and there are some interesting findings applicable to social engineering (Pretsch, Heckmann, Flunger & Schmitt, 2014).

 

The study examined several different variables when it comes to group consensus of thin slice judgments: influence of stereotypes, having agreed-upon definitions for personality traits (called shared meaning), influence of accountability, and amount of information given about the person. While there was a lot more to the study, we are just going to focus on the stuff relevant to SEs. Some psychologists believe it’s important to study group consensus because it demonstrates that basic perceptions of a personality trait have meaning on a global scale and they can apply those agreed-upon definitions to personality questionnaires. SEs, on the other hand, care about group consensus because we can apply it to the principles of influence such as social proof and liking.

 

Set-up to Stereotypes

Let me describe the basic set-up of the experiment so you can better understand how to apply what they found. The participants being studied were “judges” who were randomly divided into groups, each of which was assigned some combination of:

 

1) watching either a six-second or a 60-second video clip of a person being interviewed.

2) having either high public accountability (had to justify their answers to others) or low.

3) being given either definitions for the personality traits to judge or no definitions.

          

SEs will frequently play on perceived stereotypes because it just plain works. A man is more likely to get the door for a woman carrying a heavy box than he is for another man. Sexist? Maybe, but if it means that he uses his key card and lets the female SE through the door then it’s a tactic worth using. Social engineering is not for the politically correct.

 

Let’s start with what they found about stereotype-consensus. The study found that the judges who were assigned to groups with high public accountability also had high measures of stereotype consensus (86%). In addition, these same groups had lower target-driven consensus, which means they paid less attention to the actual behavior of the target. Essentially, this means that if the individuals within a group were informed they would be publicly accountable for their judgments, they were more likely to look for stereotypical behaviors and focus on those in order to conform with what they expected the rest of the group to say. In addition, the study found that higher accountability decreased group consensus on the personality traits of Openness and Agreeableness as found in the Big Five personality dimensions. This meant the individuals in a group had a harder time labelling someone with these traits if they knew they would be questioned on it later.

 

What can an SE do with this knowledge? If you are engaging a group of targets in a situation where you know the targets will be publicly accountable for their judgments, play to the stereotype to increase group consensus of their judgment of your personality. You can also apply the findings to understand that as accountability for the group goes up, you will have to work a bit harder to convey traits like being open and agreeable. Another possible way to utilize the findings would be to increase the pressure to follow the crowd in situations where you want the group to buy the stereotype you are presenting. This might have some great applications for SEs who work as part of a team and can turn up the pressure to conform within a group.

 

Understanding does not equal agreement

Another interesting result of the study had to do with manipulating the variable of shared meaning (list of definitions for personality traits). The researchers hypothesized that increasing shared meaning would help increase group consensus. They found the opposite to be true. As shared meaning increased, group consensus generally went down, especially for personality traits such as Extraversion. The researchers agreed that this was likely a result of two factors. First, thin slice judgments are meant to be just a bit mindless, and making people use higher cognitive functions (like applying prescribed visual cues and definitions to a judgment made) was counter-productive to group consensus. Too much information meant too much thinking, which led to too many different answers.

 

Second, the researchers postulated that perhaps the judges were too confused by the differences between what they thought something meant and the definition given for them to properly apply what they learned. This has some interesting implications for those of you who are responsible for your organization’s security awareness program. If you are giving your people a set list of traits to look for in a phishing, vishing, or impersonation attack, you also need to give them enough opportunities to practice what they are learning in order to get consistent results; otherwise, you might get a dizzying array of reactions and responses to what you thought was a clearly defined policy.

 

One last finding from the study can be applied to security screenings, if that’s your thing. The study found that in order for the group to have consensus on correctly identifying traits that were considered neurotic (i.e. worry, moodiness, loneliness, or being easily frustrated), the longer time frame of 60 seconds was needed. Granted, that’s not a huge chunk of time, but it does make a difference. Also, to increase good group consensus on a job candidate during interviews, it is helpful to decrease public accountability while still having individuals held privately accountable, and also to allow the individuals to practice (or talk through) any shared definitions being used before they are utilized for judgments.

 

First impressions matter

We make judgments about others and may even make decisions based on those judgments. As social engineers, we can capitalize on basic psychological principles that govern how people are influenced individually or as a group, even if we only have a brief amount of time with our targets. We hope this newsletter got you thinking about new ways to engage targets in a group setting and also how to protect them from the criminals who would exploit them.

Written by Tamara Kaufman

 

References

 

Ambady, N., & Rosenthal, R. (1992). Thin slices of expressive behavior as predictors of interpersonal consequences: A meta-analysis. Psychological Bulletin, 111(2), 256-274. doi: http://dx.doi.org/10.1037/0033-2909.111.2.256

 

Faigman, D. L., Fienberg, S. E., & Stern, P. C. (2003). The limits of the polygraph. Issues in Science and Technology, 20(1), 40-46. Retrieved from http://search.proquest.com/docview/195916772?accountid=8289

Pretsch, J., Heckmann, N., Flunger, B., & Schmitt, M. (2014). Agree or disagree? Influences on consensus in personality judgments. European Journal of Psychological Assessment, 30(1), 31-39. doi: http://dx.doi.org/10.1027/1015-5759/a000165

As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.


 
