10 Principles for Successful Social Engineering

Do you know what makes a social engineering attempt successful? Much of the current literature focuses on various tools and tactics such as NLP, framing, weapons of influence, trust, etc. However, what makes a person comply isn’t a particular method or approach, but how effectively you use specific principles.

The power of a social engineering tactic stems from the fact that these principles are (often) built into the tactic itself.  So if you want to succeed at social engineering, you need to understand these 10 principles.

1. You Can’t Force Compliance

There seems to be a common misunderstanding about the limitations of social engineering.  Social engineering is not mind control.  No matter what anyone tells you, you can never guarantee compliance.  Even threats of death are not persuasive enough in all situations.

2. Social Engineering Increases The Likelihood Of Compliance

While principle #1 states what social engineering can’t do, this principle tells you what it can do. Despite the fact that you can’t force compliance, social engineering is still highly effective. This is because social engineering tactics increase the likelihood of compliance. Stated another way, your goal as a social engineer is to construct an environment that increases the likelihood of compliance.

3. Emotions Motivate Behavior

Emotion is the key to increasing the likelihood of compliance (i.e. performing a desired behavior). Emotions are the motivating force behind behavior, and provide the goals that shape and direct our decisions. Analyzing how social engineering tactics, interactions, and body language affect emotions provides a new (and revealing) perspective on what is really going on.

4. Emotions Are Based On Physical States

Since emotions provide motivation for our behavior, it’s important to understand what it means to experience an emotion.  While there is no standard model for an emotion, I have seen a trend in texts relevant to social engineering.  This trend is called core affect.  The idea behind core affect is that an emotion is a neurophysiological state described by valence (pleasure vs. displeasure) and physiological arousal (high vs. low).

Another theory that is useful for discussing social engineering and emotions is the Conceptual-Act Model of Emotion (C.A.M.E.). The fundamental concept of C.A.M.E. is that the experience and label of an emotion are based upon how we interpret our core affective state, using our knowledge and understanding of the emotion.

This is one reason why framing is useful in social engineering.  Changing the frame changes the context, which changes our interpretation, and consequently our experience.

5. Affect Emotions, Affect Behavior

This principle is a logical consequence of principle #3. If you can affect the source of a behavior, then you can affect the behavior itself. This principle may seem obvious at first, but it can lead to some surprising results. For example, there are several “non-traditional” methods to affect emotion, such as emotional transference, that can be used successfully in social engineering.

Another example of this principle is in Joe Navarro’s book What Every Body Is Saying. Navarro describes a model for detecting deception based on “the concept of limbic arousal and our displays of comfort and discomfort”.

6. Psychological Hedonism For Emotions

What are the goals of emotion-motivated behavior?  The answer comes from applying the concept of psychological hedonism to emotions.  Psychological hedonism is the idea that we make decisions based on the goals of maximizing pleasure and minimizing pain.  In terms of emotion, this means that we try to increase positive emotions and decrease negative emotions.

Now there have been debates as to whether or not psychological hedonism holds true for decision making.  Yet at the lower levels of emotion, the theory appears to be correct.

7. Emotions Provide The Motivation, Not The Solution

If emotions are one half of the social engineering puzzle, then logistics are the other half. Emotions provide the motivation and goals for behavior, but not the path to reach those goals. Constructing an environment conducive to compliance involves creating both a path and a set of incentives.

8. Awareness Of The Desired Behavior

In order to perform a specific behavior, it stands to reason that a person must be aware of the desired behavior. Often this awareness is implicit due to context, but not always. For instance, a salesperson could tell you, “This product will help you lose weight.” Awareness of purchasing the product is implied by the context of a salesperson. Alternatively, the same salesperson could be more direct and ask, “What would it take for you to buy this product?” In either case you are aware, consciously or subconsciously, of the desired behavior (purchasing the product).

9. Associate Emotional Goals With Compliance

Associating compliance with emotion-motivated goals creates an incentive for compliance.  How strongly the two are associated is what attracts a person towards one choice, and (potentially) away from another.  If compliance is not associated with increasing positive emotions, and/or decreasing negative emotions, there is little incentive for the desired behavior.

Perception is key to this principle. When you are attempting to social engineer someone, how strongly compliance and emotion-motivated goals are associated is based on their perception, not yours.

10. Align Compliance with Emotional Goals

Another way to create incentive for compliance is to align compliance with emotion-motivated goals.  The less compliance and emotional goals agree, the less incentive there is to perform the desired behavior.

For example, if you’re trying to social engineer someone’s password, and they are nervous about providing it, reminding them that sharing passwords is a violation of company policy probably won’t increase the likelihood of compliance.

Similar to principle #9, perception is vital. How well compliance and emotion-motivated goals agree is based on the perception of the person you are trying to influence, not on your perception.

