Covering the global threat landscape

Practise what you preach: a study on tech-savvy readers' immunity to social engineering techniques

Sabina Raluca Datcu Bitdefender
Ioana Jelea Bitdefender

Social engineering is defined as the act of duping human beings into performing different actions or into divulging sensitive information using psychological and social techniques or specific messages.

Getting into somebody else's mind should be a complicated process but nowadays, as people are spending more and more time online, and as they entertain the false idea of a 'behind-the-screen anonymity', mind mining has become a regular and unsafe practice. This state of affairs is the more surprising as hundreds of articles regarding data security perils and best practices are published in the media every day.

This paper presents the findings of an unconventional experiment: 'security-savvy users' (whose baseline qualification is that they regularly read data security news) were interviewed in order to find out if they would ever become the victims of social engineering attacks, even if they were conscious of the psychological mechanisms at work. In other words, this experiment aims to measure the distance between prescribed and taken course of action, between theory and practice. One of the basic assumptions to be tested here was whether users willingly and temporarily 'suspend' their data security knowledge before entering risky situations or whether the theory and the practice of cautious online behaviour are two separate mental areas that rarely connect.

The results showed that, while security experts insist on educating people and on recommending that they should be careful about the sensitive information they disclose on the Internet, the theory-practice disjunction and the different perceptions of the protection offered by a machine-mediated interaction often prove to be more powerful than any advice.

The study combines a quantitative and a qualitative analysis of online social behaviour. While the quantitative elements offer measurable indicators, such as the extent and the frequency of this phenomenon, its qualitative side focuses on describing the conditions this phenomenon occurs in, participants' perceptions, experience and understanding of such experience. As one of the tenets of qualitative research in social sciences is that meaning and interpretation are negotiated with one's interlocutor so as to offer an accurate description of his/her reality, part of the findings were the result of an 'on-the-fly' reconfiguration or adjustment of the study's initial aims.