Saturday 1 December 2012

Security awareness == Social engineering

This is a busy time of year for most of us with social events at work and at home, so it seemed appropriate to deliver a module on 'social insecurity' now. The latest batch of security awareness materials primarily covers social engineering, and touches on the related information security aspects of social networking and social media.  

Social engineering revolves around manipulating people to do your bidding. Social networks and social media are sources of information about targets that can be used to gain their trust and persuade or manipulate them. They are also communications vehicles through which to socially engineer others. Social is the common factor, of course. Humans are sociable by nature: we tend to 'belong' to various groups, and apply different standards to group members than we do to non-members.

If you think about it, security awareness and training are forms of social engineering.  We're actively using information to persuade people to change their behaviors.  We inform and motivate them.  We don't lie, as such, but we do 'emphasize' things in order to bring them to the attention of our audiences, using information selectively to make them appreciate certain information security risks for instance.  We use policies and compliance activities to manipulate people into doing what we want.  We repeatedly remind people about security, gradually building their trust and understanding.  Oh sure, we are doing it with the best of intentions and we are quite open about it, but be honest: it is social engineering. 

You have probably heard about, if not actually performed, a "mock phishing attack" on your fellow employees as part of your security awareness program.  The basic idea is straightforward: craft an email with a pretext, some cunning ruse that will fool your "victims" into opening a link to a web page that either simulates a typical phishing data-capture form (perhaps popping up warning messages and awareness content as victims start to enter personal data) or simply displays a suitable security awareness message about phishing. Capturing victims' IP addresses as they visit the page allows you to generate statistics showing just how easy it was to fool some proportion of your organization's employees.  After hammering away with your phishing awareness, a further mock attack with a different pretext should get a much lower hit rate, demonstrating the value of the awareness.  Well, that's the theory!  
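The statistics step described above, as an added example that is not part of the original post: a small Python routine that tallies unique visiting addresses per mock-phishing landing page from constructed web-server access-log lines and expresses each as a hit rate against the head count. The landing-page paths, addresses and head count are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of Apache-style access-log lines covering two mock
# campaigns run a fortnight apart. Paths and addresses are placeholders.
SAMPLE_LOG = """\
10.1.2.3 - - [03/Dec/2012:09:14:02 +0000] "GET /training/campaign1?u=a1 HTTP/1.1" 200 512
10.1.2.4 - - [03/Dec/2012:09:15:40 +0000] "GET /training/campaign1?u=b2 HTTP/1.1" 200 512
10.1.2.3 - - [03/Dec/2012:09:16:11 +0000] "GET /training/campaign1?u=a1 HTTP/1.1" 200 512
10.1.2.9 - - [03/Dec/2012:09:20:00 +0000] "GET /training/style.css HTTP/1.1" 200 90
10.1.2.4 - - [17/Dec/2012:10:02:33 +0000] "GET /training/campaign2?u=b2 HTTP/1.1" 200 512
"""

# Common Log Format: client address, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def hit_rates(log_text, campaigns, population):
    """Return {campaign_path: (unique_visitors, hit_rate)}.

    Each client address counts once per campaign, so reloading the page
    does not inflate the figure; requests for other assets (stylesheets,
    images) and non-200 responses are ignored.
    """
    visitors = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string
        if path in campaigns:
            visitors[path].add(m.group("ip"))
    return {c: (len(visitors[c]), len(visitors[c]) / population) for c in campaigns}


if __name__ == "__main__":
    # Assumed head count of 20 staff received each mock email.
    for path, (n, rate) in hit_rates(
        SAMPLE_LOG, ["/training/campaign1", "/training/campaign2"], 20
    ).items():
        print(f"{path}: {n} unique visitors, hit rate {rate:.0%}")
```

Counting by client address undercounts staff who share a NAT gateway or proxy, so treat the resulting rate as a floor rather than a precise figure.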

December's NoticeBored module takes this rather specific idea and extends it into a more general approach to security awareness. As well as phishing, several other social engineering techniques could usefully be exploited for security awareness purposes, and the same goes for social networks and social media. Regardless of whether you actually carry through with the idea, discussing such a contentious proposal with management (which is necessary to get their explicit approval) would be a worthwhile awareness activity in its own right. There are clearly trust and ethical considerations that need to be tackled, but the payoff might be worthwhile.

[I'm thinking about writing a paper on this. If I've fired up your imagination already and you are bubbling over with ideas on how to apply social engineering to security awareness, please get in touch.]
