Commitment and Consistency has potential implications of use for both the attacker and victim in scenarios regarding Social Engineering.
“People have a general desire to appear consistent in their behavior. People generally also value consistency in others. Compliance professionals can exploit the desire to be consistent by having someone make an initial, often small, commitment. Requests can then be made that are in keeping with this initial commitment. People also have a strong desire to stand by commitments made by providing further justification and reasons for supporting them. This pattern of behavior toward or resulting in a negative outcome is called escalation of commitment.”
“The key to using the principles of Commitment and Consistency to manipulate people is held within the initial commitment. That is–after making a commitment, taking a stand or position, people are more willing to agree to requests that are consistent with their prior commitment. Many compliance professionals will try to induce others to take an initial position that is consistent with a behavior they will later request.”
The Attacker or Investigator hoping to employ the Social Engineering technique of Commitment and Consistency usually tries to get the subject or victim to divulge a small piece of information towards the overall intended goal. By getting the subject to remain consistent with things they’ve already said, the attacker may get the subject to reveal even further information.
On the other hand, the attacker must remain consistent with what they are asking. The attacker should start off small and escalate their information gathering. By starting small and moving up with each new piece of information, it will seem like a natural progression and will not appear obvious to the victim.
“The commitment and consistency rule states that once we make a decision, we will experience pressure from others and ourselves to behave consistently with that decision. You can be pressured into making either good or bad decisions depending on your past actions.”
Sometimes it can be quite hard to end up disagreeing with yourself. As a potential victim, people need to be aware of their gut instincts and realize that it is okay to change their minds. One answer does not mean a second one needs to follow. Also, be aware of what the person is asking. Always think one step ahead. For instance, think about what an attacker can do with the information, or answers you give. Read over company policies, as many of them will have sections of what is and isn’t okay to tell people.
Even small, seemingly insignificant commitments can lead to exploitation. For example, “Hello, how are you today?” You answer, “I am doing great….” now prepare for the exploit… “That is good to hear, because some people that are not doing so great can use your help.” You can’t go back on that now, you are still doing great and committed to it.
Examples of the Commitment and Consistency principle can be seen in many marketing situations. Businesses will often compete against each other in an attempt to win market share. Money will be spent trying to “one-up” the competitor without any real return.
Auctions sites are another example of where a person’s commitment and consistency will kick in. Certain people may increase their bids above a value they are comfortable with just to win the item and avoid their opponent from winning the auction. See the Dollar Auction Game: A Lesson In Conflict Escalation.
Ryan Healy wrote a story on his blog about going to the circus. He spent $44 on tickets, $5 on parking, and drove 40 minutes just to get there. His daughter wanted cotton candy so he gave her a $5 bill expecting it to cost less than that. The vendor charged $12 for a bag of cotton candy. In normal circumstances, this would be a definite deal breaker, but Ryan had invested so much time and money already that he easily parted with the extra $7.
To be successful in using the Commitment and Consistency principle, the attacker must get the victim to initially comply with a small request. If the victim is smart enough to never comply, the principle cannot be used.
More information on Commitment and Consistency and Influence in general can be found in Robert Cialdini’s book, Influence: The Psychology of Persuasion.