What are the principles of social engineering?

According to recent research, 35% of enterprises reported an increase in cyberattacks this year, and social engineering tops the list of the most frequent attack types, surpassing Advanced Persistent Threat (APT) and ransomware attacks (State of Cybersecurity 2021, Part 2: Threat Landscape, Security Operations, and Cybersecurity Maturity, 2021). It is therefore imperative to study social engineering techniques and spread awareness about them. Social engineering attacks keep changing as new technologies develop; however, the fundamental principles of influence behind them remain the same. This paper studies those principles of influence by comparing the methodology of two reputed books: "Social Engineering: The Science of Human Hacking," 2nd Edition by Christopher Hadnagy, and "Learn Social Engineering" by Dr. Erdal Ozkaya.

Christopher and Erdal are renowned authors in the domain of information security. Christopher is the founder and CEO of Social-Engineer LLC, created the world's first social engineering framework, and currently hosts a podcast based on social engineering. He is a well-known author who has written five books on social engineering (Social-Engineer, LLC, 2021). On the other hand, Dr. Erdal is an award-winning author, speaker, and cybersecurity advisor who has received 8 MVP (Most Valuable Professional) awards from Microsoft. He is an active participant in major conferences related to Information Security (Microsoft MVP Award, n.d.).

Christopher credits his social engineering literacy to Dr. Robert Cialdini's book "Influence: The Psychology of Persuasion" (William Morrow and Co., 1984). Cialdini presented six principles of influence: Reciprocity, Commitment/Consistency, Social Proof, Authority, Liking, and Scarcity. In "Social Engineering: The Science of Human Hacking," 2nd edition, Christopher expands these six ideas into eight principles: Reciprocity, Obligation, Concession, Scarcity, Authority, Consistency and Commitment, Liking, and Social Proof. The book is a bestseller on Amazon.ca and ranked #9 in the Computer Security category (Social Engineering: The Science of Human Hacking: Hadnagy, Christopher: 9781119433385: Books - Amazon.Ca, 2018).

Dr. Erdal has discussed Influence and Persuasion briefly in his book "Learn Social Engineering." He considers persuasion a critical aspect of social engineering. Influence and persuasion are techniques to persuade individuals and organizations to act or think in a certain way. In one of the book's chapters, "Influence tactics," he defined the techniques used to influence people, which are Reciprocity, Obligation, Concession, Scarcity, Authority (Legal authority, Organizational authority, Social authority), Consistency and Commitment, Liking, and Social Proof (Ozkaya, 2018). The book is a best seller on Amazon.com and ranks #390 in Computer Network Security (Learn Social Engineering: Learn the Art of Human Hacking with an Internationally Renowned Expert: Ozkaya, Dr. Erdal: 9781788837927: Amazon.Com: Books, 2018).

According to Christopher, the first principle of influence is Reciprocity, which aims to build rapport. When we genuinely give something to others, they tend to return the favor by doing something similar or of greater value. Dr. Erdal gives a similar definition in his book and explains the human psychology of giving and taking. Showing gratitude is an example of Reciprocity used by politicians, employers, and even pharmaceutical companies, who give away free items initially in order to gain more trust from people.

Christopher explains how social engineers apply the principle of Obligation by engineering social situations that make a target feel obligated to behave in a certain way. For instance, not holding the door for someone carrying boxes or other luggage is considered impolite, and social engineers take advantage of this habit. Dr. Erdal describes obligation as a circumstance in which a target feels compelled to act on the basis of moral, legal, contractual, professional, or religious duty. This method is used against customer service representatives, who are obligated to assist customers in any way possible.

Christopher defines the third principle of influence as Concession and illustrates it with an example from his own experience of how a caller convinced him to donate to a charity for stray dogs. The caller knew that the author loves animals and first requested $250, which the author declined because of the hefty figure. The caller then asked for $25, and the author conceded. According to Dr. Erdal, Concession is an acknowledgment or acceptance used in the same way as Reciprocation; the difference is that in Concession the target receives an initial request first. He further explains that humans are conditioned to repay a favor whenever someone does something nice for them.

Scarcity can be applied to the time, knowledge, or even goods that a social engineer offers. Scarcity increases the perceived worth of what you have and persuades the target to make decisions based on that value. This is the Principle of Scarcity, according to Christopher. Dr. Erdal describes scarcity as what is produced when items and opportunities are difficult to come by, which makes them more appealing. Scarcity is likely the marketing team's most regularly used tool: keywords like "limited deal," "1-day sale," and "clearance sale" are frequently used to emphasize limited availability. Social engineers send scarcity-themed emails to their intended recipients to persuade them to click on a link as soon as they see it.

The fifth principle of influence is Authority. According to Christopher, when someone in a position of power and authority makes a statement, others take it more seriously; this trait is used to manipulate a target into obeying commands. As per Dr. Erdal, the principle of authority is the power principle of influence, where people follow the orders of individuals they believe to be in a position of power over them. Just as lawyers show respect for the judge and jury in court, employees in organizations follow the orders of their superiors, and the police are respected by the public on the streets. When authority is projected toward an individual or group via emails or fake websites, they are likely to be trapped by it.

The sixth principle of influence is Consistency and Commitment. As per Christopher, consistency is a sign of confidence and strength, and people want their actions to align with their values. According to the principle of commitment, humans have a strong need to be perceived as consistent; as a result, once we have made a public promise to something or someone, we are considerably more likely to follow through on it. Dr. Erdal likewise describes consistency as a highly desirable human attribute in which people prefer to behave the same way they did before in the same situation. The human brain prefers consistency because it does not have to reprocess information when performing a familiar task. A social engineer can use commitment and consistency to bind a target to a bad course of action, in which the target feels forced to accept increasingly significant responsibilities.

Christopher discusses the seventh principle of influence: Liking. He explains that people like other people who are like them and enjoy being around those who share their interests; for a skilled social engineer, liking is a powerful principle that can practically and symbolically open many doors. Dr. Erdal shares a similar opinion, explaining that most people enjoy being liked and reciprocate by favoring those who like them. Salespeople understand that a buyer is more likely to buy from someone they like, and that if they show liking toward a customer, the customer will like them in return, creating a favorable sales environment. To gain a target's trust, social engineers portray themselves agreeably and try to make the target like them.

Finally, for the eighth principle, Social Proof, Christopher observes that people often do not want to be the first to do something; however, he found that employing social proof can help people decide on actions they are unsure about. Dr. Erdal shares an interesting example for this principle: in one experiment, a group of people was instructed to look up at the sky in the middle of a city. The outcome was a success. Passers-by began staring into space, curious about what was being observed, and those who saw others doing this did the same, causing significant traffic jams as people stood in the middle of the road staring at the sky while others watched from their cars. This was a demonstration of the strength of social proof.
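As an added illustration from a defender's side (not code from either book), the following script scores a message for language cues associated with the eight principles discussed above, so that awareness trainers or mail-triage tooling can flag messages that stack several persuasion levers at once. The cue phrases and the two sample messages are constructed for this example; the phrase lists are illustrative, not a vetted vocabulary.

```python
import re
from collections import Counter

# Constructed cue phrases, keyed by the eight principles of influence.
# Hypothetical lists for illustration; tune them to your own environment.
INFLUENCE_CUES = {
    "reciprocity": ["free gift", "complimentary", "as a thank you", "on the house"],
    "obligation": ["you owe", "it is your duty", "you are required", "must comply"],
    "concession": ["instead, just", "at least", "smaller favor", "only asking for"],
    "scarcity": ["limited deal", "1-day sale", "clearance sale",
                 "only a few left", "expires today", "act now"],
    "authority": ["from the ceo", "per company policy", "legal department",
                  "it department", "from the director"],
    "commitment": ["as you agreed", "you already confirmed", "you promised"],
    "liking": ["we both", "fellow", "like you, i", "as a friend"],
    "social_proof": ["everyone else has", "your colleagues already",
                     "most employees have", "join thousands"],
}


def score_influence(text: str) -> dict:
    """Count cue hits per principle and list which principles are present."""
    lowered = re.sub(r"\s+", " ", text.lower())  # normalise whitespace/case
    hits = Counter()
    for principle, phrases in INFLUENCE_CUES.items():
        hits[principle] += sum(lowered.count(p) for p in phrases)
    present = sorted(p for p, n in hits.items() if n > 0)
    return {"hits": dict(hits), "principles": present, "total": sum(hits.values())}


def is_suspicious(text: str, min_principles: int = 2) -> bool:
    """Flag a message that leans on two or more distinct principles at once."""
    return len(score_influence(text)["principles"]) >= min_principles


# Constructed sample messages (not real mail).
PHISH = """Subject: 1-day sale - act now
Hi, as a fellow alumnus I wanted to share this before it expires today.
Per company policy the IT department needs you to confirm your password.
Your colleagues already did it; only a few left."""

BENIGN = """Subject: Team lunch Friday
Hi all, lunch is at noon on Friday in the main cafeteria.
Reply if you have dietary needs."""

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(label, is_suspicious(msg), score_influence(msg)["principles"])
```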

This paper concludes that the principles of influence are a powerful tool for performing social engineering attacks. Both authors explain the fundamentals of the principles differently; however, the concepts behind them are the same. New techniques will be invented alongside new technologies and strategies, but the fundamentals will remain the same.

These attacks target humans, and humans are considered the "weakest link" in information security. It is therefore essential to spread awareness of these principles among people in order to minimize their impact. The principles are powerful and can be applied in many other situations in life to influence people, whether by politicians, employers, pharmaceutical companies, armed forces, police officers, and so on.

References

State of Cybersecurity 2021, Part 2: Threat Landscape, Security Operations and Cybersecurity Maturity. (2021, July). ISACA.

Social-Engineer, LLC. (2021, June 8). Christopher Hadnagy, Founder and CEO of Social-Engineer, LLC. https://www.social-engineer.com/social-engineer-team/christopher-hadnagy/

Microsoft MVP Award. (n.d.). Microsoft. https://mvp.microsoft.com/en-us/

Hadnagy, C. (2018). Social Engineering: The Science of Human Hacking (2nd ed.). Wiley.

Ozkaya, E. (2018). Learn Social Engineering: Learn the art of human hacking with an internationally renowned expert. Packt Publishing.

Social Engineering: The Science of Human Hacking: Hadnagy, Christopher: 9781119433385: Books - Amazon.ca. (2018, July). Amazon. https://www.amazon.ca/Social-Engineering-Science-Human-Hacking/dp/111943338X

Learn Social Engineering: Learn the art of human hacking with an internationally renowned expert: Ozkaya, Dr. Erdal: 9781788837927: Amazon.com: Books. (2018, April). Amazon. https://www.amazon.com/Learn-Social-Engineering-internationally-renowned/dp/1788837924