One of my favorite pickup lines goes like this…have a girl feel the cuff of your jacket or shirt. Ask her, “do you know what kind of material this is”? And when she says no, tell her “boyfriend” material.

Here’s a thought exercise. (Disclaimer, I could be totally wrong. Also, I’ve never used a pick up line.)

Pickup lines are the original social engineering. If you want to understand how to train people to be resistant to social engineering, it might be illustrative to look at why pick up lines fail. Stay with me here…

Pick up lines, and social engineering in general come from the brain’s neocortex. The neocortex is the part of the brain responsible for abstract, thought, imagination, learning, and planning. In other words, this is the part of the brain where lies come from. Maybe not all pick up lines are lies. Maybe they’re just elaborate stories. I digress. In order to come up with and deliver a pick up line, this is the part of the brain that will be running the show.

An indivdiual’s response to a pick up line comes from the reptilian brain. This is the part of the brain that governs fight or flight responses. This is why some people get slapped after delivering a particularly bad pick up line. Reference the guy who’s brain is injured.

Now, if you’re a betting person, and you had to pick the winner between a fight between someone who has a neocortex and someone who could only use their reptilian brain, you’d go for the one with the neocortex. Hands down, every time. Why? You want to go for the side that can plan and outsmart the rigid two dimensional thinking of the other. I’m looking at you Wrath of Khan. And if you’re talking about social engineering, at least if you’re talking to a social engineer trying to sell you to buy their services, they’ll say they are successful 99% of the time. And that’s probably true.

Why then do some of the best pick up artists say that they are only successful 10% of the time? It’s personal. If you’re at the office, it’s a safe environment and in order to be successful, you need to be friendly and polite. It’s socially acceptable. When you’re at a bar and a stranger approaches you, you don’t need to be friendly and polite. It’s at least a little socially acceptable to be rude to strangers that are unwelcome.

The difference is that social engineering is less successful when it’s an invasion of your person. I think the lesson here in making people more resistant to social engineering is to make them make the business more personal to them.

I once hired a social engineer to do an assessment of the University I was working for. Our University has a police department, so we had to write a letter that would be a literal get out of jail free card, signed by our president. They made a bet with me that no one on campus would catch them and they would never have to use that letter. They lost the bet. They walked the whole campus and only one department on campus caught them. And they immediately called the police. The department was the School of Theology. To date, my best theory is that the difference between the theologians and everyone at the University or perhaps anyone that the social engineer had ever encountered is that to them, the job was more personal.

This is what goes through my mind when I say that we should make security awareness personal. It needs to have an impact on the individual personally AND it needs to give the security of the company a closer, more personal impact on the individual.

The good news is that at least for the moment, humans need to be the ones that perform social engineering on other humans. Let’s be happy for a moment that computers probably won’t be very good at social engineering anytime soon. For fun, this is what AI thinks a pick up line is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s