How To Cope With The Physical and Psychological Toll of Social Engineering
Social engineering is a powerful tool used for both positive and negative ends. The Verizon DBIR and other reports like it detail the costs of social engineering, and we know it is a powerful attack vector. But while we know the monetary toll social engineering takes on its victims, here is something else to consider: What happens to the individuals involved in social engineering testing?
As a social engineer, your job is to be someone you’re not for a period of time to gain access to information. This is called pretexting, or building a story about yourself that makes your reason for contacting someone or being somewhere believable. Pretexting requires an incredible amount of focus and ability to keep facts straight. While examining the technique of pretexting is uncommon, research into the effects of deception have been well documented.
The toll of deception
According to Robert Feldman, the average person lies at least 3 times in the first 10 minutes of meeting a new person. Further examination from social psychologist Jerald Jellison says that the same person will tell anywhere between 10 and 200 lies in a single day. Although these are little “white” lies which help us function as a society, these small mistruths lead to deeper issues within us.
The first is known as cognitive dissonance, a state in which our actions are not in alignment with our beliefs, which leads to discomfort. Humans actively seek to avoid discomfort and are willing to go to great lengths to alleviate it. According to Argo and Shiv, there is a level of dishonestly that we are willing to accept. We are capable of “white lies” to prevent social discomforts or to make ourselves feel better about an event not turning out the way that we had hoped. Their research shows that often, to lessen the discomfort brought about by the deceiver’s false statement or action, the individual will actually change themselves to more align with the false persona.
In addition to the psychological discomfort caused by cognitive dissonance, attempting to maintain a level of deception for an extended period can cause physical stress and anxiety. David Ropeik points out well-documented effects of stress and anxiety such as ulcers, sleep disruptions and even potentially increased susceptibility to type 2 diabetes. Ropeik also points out that at the cellular level, stress can cause us to break down. Intentional deception takes a heavy toll on both the social engineer’s mind and body.
The toll of manufacturing emotion
Another part of deception and pretexting is something I discussed in my earlier newsletter: Manufacturing Emotion. When we as social engineers manufacture emotion, we generate a response in others, but we will also experience some ourselves. Amy Cuddy has done a great deal of research regarding the use of “power poses” and how they can influence our psychological state. Unfortunately, even when faking the body language of an emotion, we will experience at least some of it as well as the physical outcomes that go along with it.
For example, physically displaying anger by furrowing your brow, pursing your lips, and breathing faster will begin to push adrenaline into your body and increase your heart rate, preparing you for a fight-or-flight reflex. You may also experience some of the emotion and could be ill-tempered and short for a while afterward.
While these are normal body and mind responses to stressors, they can affect your ability to work after experiencing them. As humans, we typically desire to get back to calm as quickly as possible. Reducing the stress and recovering can reduce the strain on you and decrease negative effects.
Recovering from social engineering
One way to start getting back to normal is to focus on controllable physical actions. When we are under stress, our breathing increases in frequency and becomes much more shallow. By controlling your respiration rate, forcing it to become slower and deeper, you can begin to calm down from high stress situations. This causes a greater amount of oxygen to begin circulating, helping the brain to process data more efficiently. On top of the obviously physical aspects, taking deep and regular breaths also causes your mind to focus on your breathing, removing focus on the stressful event. This can help lower your heart rate and begin the process to recovery.
Another common technique is listening to soothing music. The effects of music on the human brain are becoming more effectively documented, and the effects on stress and injury/illness are becoming more well understood. In one study it was found that individuals had a better recollection of material and a greater reduction of stress when they listened to Mozart versus a relaxation recording or silence. This phenomena is now called the Mozart Effect.
Another way to cope is to get physical. Getting yourself active and moving can help get you mind off of the stressor and can also help your body flush out the adrenaline and cortisol built up. An article from the Mayo Clinic says exercise helps you sleep better, releases endorphins, and creates a phenomena that is best described as meditation in motion. Activities that require a lot of focus take your mind off of stressors. My personal poisons are running and martial arts, but whatever you enjoy doing physically can help you cope with the challenges of pretexting.
Tips for managing the challenges
The first step to managing the problem is to admit the potential problem. Being aware of the issues that stress can create is a generally good thing. Stress can affect your relationships, your sleep, and even the caliber of your work. Being aware can help you take steps to preemptively counter any potential issues.
My dad always told me that proper planning prevents poor performance. Being aware is great, but you also need to take the necessary steps to counter your stress levels. In martial arts, we drill constantly. The goal is to turn healthy reactions into muscle memory so when you face a threat the right reaction is your automatic one. Planning a response helps once you face the stress by giving you a defined course to recovery that requires less focus.
Something else you can do is choose a pretext that’s as close to who you actually are as possible, which will help reduce cognitive dissonance. This strategy also helps your pretext be believable to targets. If you are a naturally dominant person, don’t pretext as an intern or a very passive personality. Be who you are and play to your strengths.
The last suggestion I have is make time to recover. This suggestion is related to planning: If you don’t actually allocate the time to recover, you won’t do it. In a study posted in Organizational Dynamics, work breaks, which can take many forms, are necessary to recuperate from the stress experienced and to prepare for the next task. Mental distance from work is necessary in order to perform at peak efficiency. Many companies now are creating a policy of no contact after shift and making it much easier for employees to find a work-life balance by not allowing them to do anything work-related during off hours.
Being a social engineer can create high levels of stress. It’s a valuable skill and can create amazing results, but if we are not cognizant of the challenges, we are more susceptible to physical and psychological tolls that result from sustained deception. Protect yourself, and be prepared, courteous, and informed.
Written by Bryan Austin