What would you say are some traits of someone who is empathic? I would say some of those attributes would include being patient, attentive, understanding, and a good listener. Now, think back to a teacher who was empathic and went the extra mile to help you or other students who may have been struggling in that class. Surely that contributed to a better learning environment and encouraged you to do better in that class. As adults we tend to lose some of that empathy when teaching other adults, as we may reason “they should know better.” How can an empathic approach improve security education?
An Empathic Approach to Security Testing

The Importance of Security Education

According to Proofpoint’s 2023 Human Factor report, more than 99% of threats require human interaction to execute, such as enabling a macro, opening a file, following a link, or opening a malicious document. This means social engineering plays a crucial role in a successful attack. With this said, more companies than ever before are implementing cyber/information security training and testing. Ongoing training and testing enable employees to recognize social engineering attacks and to learn how to respond to and properly report them. Part of this training would include realistic testing such as phishing, vishing, and smishing. Ethical social engineers perform these tests using realistic pretexts while implementing empathy.

Providing a Teachable Moment

Some may wonder, “How can you perform realistic and effective testing while having empathy? After all, an attacker would not have such empathy.” While it is true that criminals will do just about anything to achieve their goal, ethical social engineers are not criminals. We want the testing to be realistic and at the same time provide a teachable moment. I often make the comparison to a fire drill: you want it to be realistic, but you wouldn’t actually set the building on fire. Ultimately, we want the person being tested to learn how to interact with and report the attack. More importantly, we want them to adopt that behavior in the long term, having learned it in a safe environment.

We use principles of influence such as authority, scarcity, sympathy, and slight fear, but we will never use a pretext that will elicit extreme fear or create a false expectation, such as promising things that the employee will never get. Imagine your company sends you a realistic email promising a bonus, and all you have to do is confirm your information in an “HR Portal.” Everything in the email seems legitimate, and you’re excited to get a little extra cash, so you click on the link. It then redirects you to a pop-up screen that lets you know it was a test. Promising something that employees will never get can lead to feelings of disappointment and even resentment. This would not be conducive to a positive teachable moment.

The Empathetic Approach

Having realistic but empathic pretexts allows us to perform our tests in an ethical way, so that the tested population remembers the lesson learned without feeling resentment. In turn, that will motivate them to want to comply and cooperate with their company’s security procedures. When we humanize the tested population and treat them as our fellow employees (instead of just targets), they can view the training and/or testing as a tool for them, not as an adversarial attack. Security awareness training should focus not just on “clicks,” but also on how it will affect the people who serve that business. Employees need to see their IT departments as advocates, not adversaries.

When influential information security practitioner Kate Mullin was a guest on the Social-Engineer podcast, she said, “Part of employee engagement is, you need to care about them, and it can’t be fake. It has to be real.” Implementing a security awareness program that considers not just the business’s needs but also those of the employees can create a partnership that results in everyone being more secure.

Social-Engineer provides custom managed services to assist organizations in the assessment and education of their human network. We take a personalized approach to training and testing. Our team of expert social engineers focuses on the tactics hostile attackers use to influence and manipulate people via phishing, vishing, and impersonation. We will assess your organization’s vulnerability to a social engineering attack. Then we will provide customized training and guidance to make your company more secure. You can learn more about the services we offer at our website: Social-Engineer.com/managed services/.

Written by:
Rosa Rowles
Human Risk Analyst at Social-Engineer, LLC