or, “How I Became Comfortable with Just Fitting In!”
Hello dear readers!
I apologize for my long absence from the SEORG newsletter. But now that we have a bit of time together, let me start by asking you all (it’s okay to answer privately): How many of you fell victim to (or know someone who fell victim to) the terrible tribal tattoo fad of the past 10 years? No? How about the latest and greatest diet? Or have you ever used Yelp! to specifically visit or avoid an unfamiliar restaurant in a new town?
Without a doubt, we like to think of ourselves as unique. But time and again, we demonstrate that we are social creatures who are impacted by the behavior of others. Conformity is our general tendency to modify our thoughts, actions, or attitudes to align with those around us. Social proof, a specific concept we discuss frequently with respect to influence, is a type of conformity in which we look to others to help us decide how to act correctly in specific situations. Social proof is also known as informative conformity in the behavioral sciences. Try saying that five times fast, and you’ll understand why I prefer the term social proof.
First of all, let me tell you, conforming to a group is OKAY! Everyone is doing it!! Following conventional wisdom, especially in unclear situations, has some advantages. I mean, these people chose XYZ and they’re still alive, right? And when you boil it down, most of our instinctive choices come down to what’s smart in terms of survival. This instinct to follow the majority is so strong that most of us feel some measure of discomfort when we do or say something that is distinctly different than those around us. Can you imagine how much shorter the President’s State of the Union address would be if the audience wasn’t compelled to join in the applause at the end of every sentence?
Second, the tendency to conform is a trait that’s pretty unique to humans and appears very early in life. An interesting bit of research by Daniel Haun demonstrated that children as young as 2 years old looked to their peers for the “best” solution to a reward-based task, but chimpanzees and orangutans did not. Like it or not, conformity is a by-product of the human condition.
As ethical social engineers, our job is to test organizational security by seeing if our population will engage in risky behaviors. Because social proof is a very powerful form of influence (and one that we respond to often without thinking), it’s a concept that you should understand thoroughly. Every single one of us will likely experience influence through social proof at some point.
To effectively use social proof to test your population, you need to be aware of some factors that influence the strength of the effect.
Comparison Group Size – In order to experience the pressure of a group, well, we need a group. But not too big of a group. According to a number of studies, including those by Dr. Solomon Asch, the optimum size of a group for maximum influence is around 3-5 people. Note: these numbers are specific to in-person influence.
Unanimity – Clearly, a group that is unanimous creates a great deal of influence. Researchers Allen and Levine found that conformity of targets decreased from 97% to 36% with just one competent rebel in the comparison group.
Feelings about the Comparison Group – Does the target identify with, like, or look up to the group? Even if you have optimum size and unanimity, the qualities possessed by the comparison group matter. If the target doesn’t feel any sort of connection with or desire to to emulate the group, s/he is unlikely to conform.
Uncertainty – This is the quality that narrows the definition of conformity down to social proof. When the environment doesn’t provide clear cues about proper behavior and there are many possible choices, we will often assume that the majority knows the right action to take. This is so predictable that Muthukrishna et al. used mathematical models to predict conformity based on the number of traits in an environment (more traits = greater uncertainty).
So, how might you as a security professional apply the concept of social proof?
Use social proof as a testing mechanism. Will your population violate a security policy because they think someone else is doing it? For instance, if an “IT intern” is frantically trying to fix a badging issue and needs an employee’s last 4 to reset his badge, will the employee provide that information if he is made to believe that everyone else has complied? Hopefully your people know to never release private information to an unverified caller. But as a security professional you can use social proof and other principles of influence to see if your population is susceptible to bending the rules.
Use social proof as a training mechanism. If you work in a corporate culture in which secure practice is the standard, you live in a world of unicorns and rainbows. Your people will adapt to safer practices to fit in. But if you’re in the same boat as the rest of us, it’s training, training, and more training with the end goal of creating said culture. Social proof can be one way to get there! Sauvik Das et al. conducted a recent study in which it was possible to increase user sensitivity to the availability of security features through the use of announcements incorporating social proof.
One last note. Social proof is just one of the principles of influence. I recommend that serious security practitioners familiarize themselves with all of them. Understanding and being able to properly apply these principles will make you a more effective social engineer. Being a better social engineer will make you better at testing, training, and generally keeping your organization safe.
So the next time you’re in an uncertain situation and catch yourself sneaking looks around to see what other people are doing, give yourself a pat on the back for recognizing one of the major players in the world of influence: social proof!
Stay safe and see you soon.
Written by Michele Fincher
As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.