Risk Assessment in Social Engineering

February 12, 2015 | November 25th, 2020 | Pentesting, Protect Yourself, Psychological principles

What does a soldier charging into the fight have in common with a soldier who flees from combat? Both of these people have evaluated risk and made decisions based on their assessments. Our safety and well-being largely depend on how appropriately we gauge risks and react to them; this guides much of human behavior and bears relevance to the field of social engineering.

In this video by DMPranksProductions, strangers witness either a businessman or a homeless man fall to the ground. Both actors perform their fall ten times each and yield dramatically different results. The businessman was helped every time; the homeless man was helped twice. This might not be surprising, but it is a good example of people making risk assessments and acting in what they feel is in their best interest.

Whether or not a homeless man is more dangerous than a man in a suit is not the point; the point is that people perceive that giving assistance to a homeless man invites more risk into their lives. This dictates their behavior. The homeless man, to most people, automatically represents something less approachable solely due to his appearance. This alone makes people less likely to share time and energy, not to mention other complicating factors such as tribe mentality and bystander apathy.

The variables within a social engineer’s control should be considered and adjusted to reasonably lower perceived risk and maximize opportunities during an engagement. Depending on the age, gender, physical stature, or personality of both the social engineer and the target, there can be many different considerations. Remember, as white hat operators, the use of influence is preferred over manipulation. We want clients to leave feeling better for having met us, and to make the decision to “help” us.
