Practise what you preach: a study on tech-savvy readers' immunity to social engineering techniques
Sabina Raluca Datcu, Bitdefender
Ioana Jelea, Bitdefender
Social engineering is defined as the act of duping human beings into performing different actions or into divulging sensitive
information using psychological and social techniques or specific messages.
Getting into somebody else's mind should be a complicated process but nowadays, as people are spending more and more time
online, and as they entertain the false idea of a 'behind-the-screen anonymity', mind mining has become a regular and
unsafe practice. This state of affairs is all the more surprising as hundreds of articles regarding data security perils and
best practices are published in the media every day.
This paper presents the findings of an unconventional experiment: 'security-savvy users' (whose baseline qualification is
that they regularly read data security news) were interviewed in order to find out if they would ever become the victims of
social engineering attacks, even if they were conscious of the psychological mechanisms at work. In other words, this
experiment aims to measure the distance between the prescribed course of action and the one actually taken, between theory and practice. One of
the basic assumptions to be tested here was whether users willingly and temporarily 'suspend' their data security
knowledge before entering risky situations or whether the theory and the practice of cautious online behaviour are two
separate mental areas that rarely connect.
The results showed that, while security experts insist on educating people and on recommending that they should be careful about
the sensitive information they disclose on the Internet, the theory-practice disjunction and the different perceptions of
the protection offered by a machine-mediated interaction often prove to be more powerful than any advice.
The study combines a quantitative and a qualitative analysis of online social behaviour. While the quantitative elements offer
measurable indicators, such as the extent and the frequency of this phenomenon, its qualitative side focuses on describing
the conditions this phenomenon occurs in, participants' perceptions, experience and understanding of such experience. As
one of the tenets of qualitative research in social sciences is that meaning and interpretation are negotiated with one's
interlocutor so as to offer an accurate description of his/her reality, part of the findings were the result of an
'on-the-fly' reconfiguration or adjustment of the study's initial aims.