A burger, please….extra fat… Framing and the Social Engineer
Hello, dear readers. As usual, I’m sitting here with this newsletter deadline looming and I can’t think of a thing to write because I’m starving. And do you know what really sounds great? A burger that’s 20% fat. Pan-fried in butter. For those of you who are now clutching your chests in agony, let me rephrase that. How about a burger that’s 80% lean, lightly sauteed? If this made you feel a little differently about my culinary choices, you have now witnessed the awesome power of framing.
What is framing?
Framing is a term from the social sciences for the way our thoughts, feelings, and decisions are affected by how information is presented. For example, do you tell yourself your multiple deadlines at work are stressing you out, or is it an opportunity to excel? Are you middle-aged or vintage? You might think that facts are facts, but as it turns out, context does matter.
If we were rational thinkers and actually weighed facts, it would stand to reason that we would be consistent in our reactions, regardless of the framing. Tversky and Kahneman found this was not the case in their seminal research published in 1981, entitled “The Framing of Decisions and the Psychology of Choice”. They basically developed disease scenarios that resulted in mathematically identical outcomes, but were worded differently – people who would be saved versus people who would die. They found that depending on how the situation was framed, people’s choices changed.
How is framing used?
Now that you are consciously aware of framing, it might be hard not to notice how politicians, advertisers, and anyone else in the business of influence choose to present information. What do you see in this classic picture: young lady or old crone? Did reading this make a difference?
Framing is a cognitive bias – although you will most likely notice it in visual media, it can also affect you through other channels. For example, have you ever discovered that you’ve been singing the wrong lyrics to your favorite song? Once you know the right lyrics, however, it’s usually impossible to not hear them differently. Another example is receiving electronic communications. Depending on your mood and devoid of any other context, it is quite easy to misunderstand the intent of the sender – were they joking or making a spiteful comment?
One of the most interesting things about framing is that it can even affect our memories. Many of us believe that our memories are accurate. “I was there, I saw the whole thing!” But researchers have found evidence to support the idea that our memories are actually quite unreliable and vulnerable to influence. The individual probably most highly associated with research in this area is Dr. Elizabeth Loftus. She and Dr. John C. Palmer did a fascinating study in which subjects were shown a video of a car accident and asked to answer questions about what they saw. She found that the verb used in a question (“About how fast were the cars going when they smashed, collided, bumped, hit, contacted into each other?”) affected people’s estimates of speed. It also affected whether or not they “remembered” broken glass a week later when they were retested.
Social engineering implications
Implications for the social engineer present an interesting problem. When conducting a penetration test, your frame may be “I need to obtain information”. Your target’s frame is very unlikely to be “I need to provide information to this unknown caller”. It may be “I have a ton of work” or “I want to go to lunch” or “Squirrel!!”. Regardless, you can imagine how the two incompatible frames will affect how both parties respond.
There are different processes we can employ to help align frames and improve our influence. We discuss this in detail in our 5-day Advanced Practical Social Engineering class and also in our social engineering framework. I think it’s safe to say, however, that unless you are a cognitive psychologist, it’s less important to know the specific types of processes and more important to have a basic understanding of the concepts along with the fact that it will be your job to make or influence frame alignment.
One very simple way to encourage frame alignment is developing rapport with your target. Good rapport helps build bridges between two strangers, increases liking and comfort, and therefore, increases the likelihood of positive influence. If you make someone feel better for having met you and have helped them discover their security vulnerabilities, you are a true partner in information security.
So, the next time your company or client has a security violation, stop and think. If you frame the incident as a noob mistake made by stupid users as opposed to uncovering a training opportunity, you’ve missed out on a great chance for a teachable moment…and viewed the situation as a glass half empty.
Written by Michele Fincher