“Security awareness,” he continues, “is the digital equivalent of giving someone with a gunshot wound a Tylenol. It may make you feel marginally better, but it doesn’t deal with the real problem.”
We possibly concentrate too much on the ‘what’ rather than the ‘why’: what succeeds for the attacker rather than why it succeeds. The ‘what’ could be a phishing email. The ‘why’ would be ‘social engineering’. The question, ‘Why does awareness training fail?’ could be rephrased as ‘Why does social engineering succeed?’
Bec McKeown, founder and principal psychologist at Mind Science, offers the underlying cause. “The brain is a limited capacity information processor,” she explains. “It can only deal with a certain number of things at any one time. So, it filters information out and makes us take shortcuts to handle the sheer volume of information facing us.”
Our focus is on whatever is currently top of mind. This is usually completing our work as efficiently as possible. Filtering is usually subconscious to allow us to retain focus. It revolves around our own subconscious biases including prejudices, preferences, ambitions, hopes and fears, etcetera. Social engineers understand this.
“They often launch attacks when our limited processors have additional concerns, like the weekend, a holiday, or the outbreak of a pandemic,” continues McKeown. “At this point, our limited processors are already overwhelmed with information, and our biases are heightened.”
The attacker uses extreme biases, such as greed, fear, and the need for haste, as social engineering triggers. Victims are more concerned with finishing work and leaving for the weekend parties than with analyzing the latest email. The victim is in response rather than analytical mode. Subconsciously, it is not a user’s job to worry about cybersecurity – that’s the job of the cybersecurity team.
“When working in a controlled contained working environment,” says Ian Glover, MD of Inspired2 and former president of CREST, “there is an assumption that the institution will look after me. The institution will stop people coming into the building to steal from me, they will protect my personal assets that I take to work, they will be on hand to help me if I have a problem and they will provide technology that will help to stop attacks.” All of this limits our awareness of cybersecurity threats, which our ‘limited capacity information processor’ brains then readily filter out.
It is this combination of information overload, personal bias, and the subconscious diminution of cybersecurity as ‘not my problem’ that allows the social engineer to use timing and triggers to breach human defenses.
There are basically two types of social engineering: spray and pray (which is purely a numbers game), and spear-targeting (which is a skill). Awareness training is often considered to be successful if it can reduce user susceptibility from 30% to 5%. But even with this success, if a spray and pray attacker sends out 1,000 email attacks, 50 will be successful.
Spear-targeting involves researching the target to understand specific biases. This can easily be done via social media and the target’s online footprint. The result is an attacker who knows exactly which bias trigger to pull to ensnare the target with a high degree of success. Spear-targeting by a well-resourced attacker with time and skill will almost always eventually succeed.
Remote working adds an additional edge to the social engineering issue, although not everyone believes it is detrimental. Warren believes it increases risk: “Remote work has added to the problem of social engineering because it has created new vulnerabilities and challenges for organizations. With remote work, employees may be more likely to use personal devices or work outside of secure networks, which can increase the risk of social engineering attacks,” he says.
Glover is not so sure. He believes the reverse effect of assuming protection by the ‘institution’ will apply. “As soon as these assumptions of protection and help are taken away, there is a feeling of greater personal responsibility,” he suggests.
Bruce Snell, director of technical and product marketing at Qwiet AI, adds, “Remote work has increased the amount of daily communication within organizations, making it much easier to quickly check the validity of a request that in the past might have gone unchecked.”
But Andy Patel, researcher at WithSecure, points out this increased communication also increases the risk. “Remote workers typically rely heavily on digital communication methods like email, chat, and video calls,” he says, “which can make it easier for social engineers to impersonate contacts and deliver malicious content.”
He also raises a separate problem: “Remote employees who have limited access to IT support or security resources may be less likely to identify, report, or mitigate social engineering attempts.” This can be aggravated where companies are forced to compromise on security policies. “Offering a balance between security and useability may lead to situations where users are able to install bad stuff on their company laptops.”
Chris Crummey, director of executive and board cyber services at Sygnia, continues this theme: “Employees sometimes need to find less secure ways to get their job done. Example, the employee using an unauthorized file share to send a report to a client.”
There is an additional problem. Remote workers are often not good at separating life and work – and spend too much time working. This can lead to a tired ‘limited capacity information processor’ which could become even more susceptible to social engineering.
So far, we have discussed reasons behind the success of social engineering. The danger is that this will get much worse very quickly – because of artificial intelligence (AI). AI will be used to increase the quality and quantity of social engineering attacks. It may also assist technology in detecting attacks, but it will not alter the user’s susceptibility to social engineering.
For the last few years our concern has focused on deepfake technology. “As deepfake voice and video becomes more accessible, more affordable, and more convincing,” comments Al Berg, CISO at Tassat, “attackers will use it to their advantage. We are already seeing use of deepfake voice tech being used in ‘virtual kidnapping scams’ and I would be surprised if it has not already been used to trigger fraudulent payments and fund transfers.”
But, says Patel, “Deepfakes are still rather expensive to create. Thus, their use, even in targeted attacks, will likely remain minimal. Synthetic images and videos are starting to become more sophisticated and easier to create. These techniques may eventually see use, but only in sophisticated, highly targeted attacks.”
The immediate threat comes from the growing availability of large language models typified by the generative pre-trained transformer – the GPT element of ChatGPT that was launched in November 2022.
“WithSecure recently published research on using large language models to create social engineering content. Such models are very capable of doing so, and the techniques we illustrated could potentially be used for things like spearphishing,” he continued. “Another interesting possibility is that language models may be used to power chatbots or to automate the formation of connections with potential victims over longer email conversations, prior to the adversary stepping in.”
A vision of the future can be found in the publication of How to use ChatGPT (in Sales) by Alfie Marsh, a go-to-market specialist and founder of Rocket GTM. This demonstrates AI-assisted scaling for personalized messages. It uses a free Google Sheets extension called Cargo (described as ‘The openAI addon for sales and marketers’) that interfaces with ChatGPT.
Variables are entered into Sheets (in this example by researching job opportunities on LinkedIn). Cargo is used for the finished email (a job application).
“Instead of writing one prompt per email,” says Marsh, “you can write one prompt template that will spit out thousands of uniquely personalized emails in seconds thanks to custom variables.”
Consider this process in the hands of a social engineer with time and resources to research targets and their triggers. It could evolve into a methodology for effective spray and pray spear-targeting, while allowing reuse by simply changing Cargo’s output email. And this is still the dawn of AI in social engineering.
If the current approach to combating social engineering isn’t working, while the threat is increasing, we need to try something different. Einstein’s definition of insanity is doing the same thing over and over again and expecting different results.
The primary problem is that we are training people to recognize attacks, such as phishing, without tackling their personal biases (that is, their personal behavior). Trainees may have the knowledge to recognize phishing, but their biases, in the form of subconscious behavior patterns, still prevent them from doing the right thing.
Security awareness should go together with behavioral training. “Have a layered approach to training,” says Crummey. “Do not stop at awareness – the level you want to get to is ‘behavior change’.”
Behavior change is far more difficult than simple recognition. “What people don’t realize,” says McKeown, “is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.”
People simply react more to their subconscious biases than to their conscious knowledge. Creating a ‘good’ new bias rather than trying to defeat long-standing ‘negative’ biases may be the way forward. It’s almost like the common view of muscle memory – an automatic good response, or habit, that requires no conscious thought.
Achieving this has led to the concept of nudging. “It’s about phrasing cybersecurity training in a way that tries to capture the users’ attention more effectively,” says McKeown.
David Metcalfe, a PA behavioral science expert, has written on the subject. “The answer lies in behavioral science. By introducing ingenious ‘cyber nudges’, companies are able to overcome employees’ bad habits. These nudges are design features engineered into digital environments to indirectly encourage good cyber habits at all levels of the organization. They leverage behavioral insights to drive compliance without affecting functional activities or productivity.”
He provides a simple example related to phishing. “By embedding a small ‘hassle’ in the user experience, like using a pop-up to make people consider whether a link or attachment is from a trusted source, people stop and think instead of acting on their first instinct. As a result, they become better at identifying malicious emails.” This is a simple example that wouldn’t work on its own – in-bred habits would soon lead users to ignore the pop-up. But it is indicative of the approach of nudging users toward better behavioral habits.
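The pop-up Metcalfe describes is only useful if it fires for a reason the user can see; an unconditional interstitial is exactly the kind of habit-forming noise the text says users will learn to click through. The following is an added example, not code from the article or from PA, of how a mail or chat client could decide when to interrupt a link click. The allow-list of trusted hosts, the three trigger conditions (destination outside the trusted hosts, visible link text naming a different host than the real target, non-web scheme) and the sample links are all assumptions constructed for the example; relative links are treated as internal and never nudged.

```javascript
// Added example (not from the article): a client-side "cyber nudge" decision for links.
// Policy (an assumption constructed here): interrupt the click with a "stop and think"
// prompt when the link leaves the trusted hosts, when the visible text claims a
// different host than the real target, or when the target is not a web URL at all.
// Relative links stay on the current site and are never nudged.

// Constructed sample allow-list; a real deployment would load it from policy.
const TRUSTED_HOSTS = new Set(["example.com", "intranet.example.com"]);

// Parse an absolute URL; returns null for relative or unparseable hrefs.
function parseUrl(urlLike) {
  try {
    return new URL(urlLike);
  } catch (e) {
    return null;
  }
}

// Trusted if the host is an allow-listed host or one of its subdomains.
// The leading dot matters: "example.com.evil.test" must NOT pass.
function isTrustedHost(host) {
  if (!host) return false;
  for (const trusted of TRUSTED_HOSTS) {
    if (host === trusted || host.endsWith("." + trusted)) return true;
  }
  return false;
}

// If the visible link text looks like a URL (with or without a scheme),
// return the host it claims; otherwise null.
function claimedHost(displayText) {
  const text = displayText.trim();
  if (!/^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(text)) return null;
  const parsed = parseUrl(/^https?:\/\//i.test(text) ? text : "https://" + text);
  return parsed ? parsed.hostname.toLowerCase() : null;
}

// Decide whether to nudge. Returns { nudge, reasons, targetHost }.
function nudgeDecision(displayText, href) {
  const target = parseUrl(href);
  if (target === null) {
    // Relative link: no interruption.
    return { nudge: false, reasons: [], targetHost: null };
  }
  const reasons = [];
  const targetHost = target.hostname.toLowerCase();
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    reasons.push("non-web-scheme");
  }
  if (!isTrustedHost(targetHost)) {
    reasons.push("untrusted-host");
  }
  const claimed = claimedHost(displayText);
  if (claimed !== null && claimed !== targetHost) {
    reasons.push("text-target-mismatch");
  }
  return { nudge: reasons.length > 0, reasons, targetHost };
}

// Build the prompt shown in the interstitial. The wording follows the nudge idea:
// ask the user to consider the source, and say why, rather than block outright.
function nudgeMessage(decision) {
  if (!decision.nudge) return null;
  const lines = ["Before you open this link, is it from a source you trust?"];
  if (decision.reasons.includes("text-target-mismatch")) {
    lines.push("The link text names a different site than where it really goes (" + decision.targetHost + ").");
  }
  if (decision.reasons.includes("untrusted-host")) {
    lines.push("The destination (" + decision.targetHost + ") is outside the organization.");
  }
  if (decision.reasons.includes("non-web-scheme")) {
    lines.push("This is not a normal web address.");
  }
  return lines.join("\n");
}

// Constructed sample links, as they might appear in an email body.
const SAMPLE_LINKS = [
  ["Quarterly report", "https://intranet.example.com/reports/q3"],
  ["https://intranet.example.com/login", "https://intranet.example.com.evil.test/login"],
  ["Open the shared folder", "https://files.partner.test/doc"],
  ["Settings", "/settings"],
];

if (typeof require !== "undefined" && require.main === module) {
  for (const [text, href] of SAMPLE_LINKS) {
    const d = nudgeDecision(text, href);
    console.log(JSON.stringify({ text, href, ...d }), d.nudge ? "\n" + nudgeMessage(d) : "");
  }
}
```

The design choice worth noting is that the prompt carries the specific reason it fired. A reason-free pop-up trains the habit of dismissing it; a prompt that appears only on a concrete mismatch or an unfamiliar destination, and says so, gives the "limited capacity information processor" a cue it can act on in the moment, which is the point of a nudge rather than a blanket warning.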
Cybersecurity must become second nature to all employees, whether at work or at home. For now, users are primarily taught to reject emails by recognizing typos, grammatical errors, and unknown origins. This is the ‘what’ of a phishing email. But users need to understand more fully the ‘why’ and ‘how’, and the effect of a social engineering attack. Avoiding social engineering must be part of the job rather than an annoying addition to the job.
Right now, a social engineering attack is a buffer overflow delivered by a denial of service attack against the psyche’s limited capacity information processor. We have defenses for similar attacks against our technology systems – now we must learn to defend and positively activate our human resources to the same effect. The concept goes far beyond phishing awareness. It can be used wherever there is a potential threat to the cybersecurity of the enterprise.