The other day, I stumbled across a study on how mentioning gifts affects the success rate of social engineering with respect to obtaining passwords. One gift stood out. Yes, you know the one: chocolate.

The research showed that this small gift greatly increased the likelihood of participants giving away their password. If the chocolate was only given out afterwards, 29.8 percent of participants revealed their passwords. However, if the chocolate was received generally beforehand, a total of 43.5 percent of the respondents shared their password with the interviewer.

I found that ridiculous. It would take at least chocolate AND coffee to get me to hand over my password.

I’m kidding, of course.

There are questions about the study that aren’t answered, such as whether the socially engineered passwords were real or not. But more interesting is the reasoning behind the study: to investigate human nature.

It turns out that we are generally reluctant to receive a gift without giving one in return. Some have gone so far as to call this a “universal” principle. Based on that observation, researchers attempted to exploit that tendency in the study.

Which is really all that social engineering is, after all: understanding how to manipulate human nature to produce an expected result.

But let’s not get ahead of ourselves here. Is the tendency to return a gift after receiving one really universal, or is it learned?

The answer matters because if it’s the latter, the question becomes whether such a learned tendency can be overridden by other, just as strongly implanted tendencies. If it’s something we teach our children, it’s a learned behavior.

But it seems almost instinctual if you’ve been taught to be that way. And if that’s the case, we should* be able to take advantage of the way a deep-seated learned behavior becomes nearly instinctual by instilling password security in the same manner.

If, for example, I rear my children with a very strict policy of not sharing passwords under any circumstances, will that override the gift-returning impulse? Is the proverb “raise up a child in the way he should go and when he is old he will not depart from it” applicable for password security?

I suspect at this point in Internet history we can’t know the answer, for there isn’t a large enough population of children who have reached adulthood after being raised with a strict “no sharing passwords” policy. My three adult children were raised that way, and the fourth is being raised the same way, but that’s a statistically insignificant pool from which to perform such a study.

Our youngest son’s school – which unsurprisingly makes use of many different applications for reading and math, among other subjects – also reinforces the “no sharing passwords” behavior. I’m sure many of you have the same story to tell.

If we’re going to keep fighting a Sisyphean battle of password security, we can ignore that the bad guys seem to understand human nature better than we do, or we can start figuring out how to make that nature work for us.

Still, it’s going to be years before we can duplicate such a study and find out whether such efforts have borne fruit. In the meantime, it’s an interesting question to think about.

Can we socially engineer (in the purest sense of the term) the next generation into better security practices?

*I am not a psychologist or social-anything, but deductive reasoning seems to tell us this is possible if not true.

About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.