The Role of Empathy in Ethical Social Engineering
As cybersecurity becomes an ever-increasing concern, more people are becoming interested in a career in the field. A major part of cybersecurity is learning how cybercriminals use social engineering to launch attacks. Professional social engineers study how cybercriminals influence people to gain access to critical information. Then they perform a test or an attack in a controlled environment to test a corporation’s first line of defense: its employees. In a sense, a professional social engineer is mimicking the behavior of a criminal. So what is the role of empathy in ethical social engineering?

Ethical Social Engineering

Social engineering is defined as “any act that influences a person to take an action that may or may not be in their best interest.” Over 99% of cyberattacks involve human interaction. It is often much easier to manipulate a person than a computer. Attackers whose goal is to steal information from a company or individual for personal gain are unlikely to care about the feelings of their victims. So why should a professional social engineer be empathetic when performing their attacks? And could empathy make testing and training more effective?

Empathy—The Difference Between Ethical and Malicious Social Engineering

The Cambridge Dictionary defines empathy as “the ability to share someone else’s feelings or experiences by imagining what it would be like to be in that person’s situation.” Some companies have tested their employees using methods that have left them feeling upset or disappointed.

For instance, GoDaddy, a large internet domain registration and website hosting company, sent a phishing email to test their employees. The email stated that employees would receive a $650 one-time (much needed) holiday bonus. Roughly 500 employees clicked on the link to provide some personal details to receive the “bonus.”

Instead of a bonus, employees promptly received a reply email to let them know they had failed a phishing test. The disappointment of finding out you’re not really getting a bonus is bad enough in normal circumstances. However, what makes this example especially disheartening is the fact that this campaign went out in the middle of a worldwide pandemic. Many of the employees were facing real financial struggles in their personal lives. Needless to say, this phishing test did not leave employees feeling empowered.

Using human emotions to persuade a person to take an action is the essence of social engineering. However, the difference between a malicious social engineer and an ethical social engineer is empathy. When we imagine how our target would feel, we can create a true learning experience. If our target is left extremely upset and disappointed, they will be focused on how terrible they feel instead of the lesson to be learned. Using empathy when planning and executing a social engineering attack ensures that the target is left with a positive mindset. This results in a more effective method of testing as well as training.

A Realistic Approach

Will your social engineering pretexts be realistic if you use empathy? Let’s consider an example: most of us have experienced a fire drill at work. During a fire drill, it is advised to use realistic scenarios to train employees in how to react when disaster strikes. By adding obstacles such as closed stairwells, broken elevators, and blocked exits, you can simulate a more realistic environment. There is one thing, however, that is never done during a fire drill: setting the building on fire. The purpose of a fire drill is to train individuals how to respond in case of an emergency while keeping them safe. Similarly, the role of a professional (and ethical) social engineer is to test and train individuals by using realistic scenarios or pretexts while keeping them “safe.”

The Goal

Social engineers study the methods and behaviors of malicious attackers and use the same tactics to influence and manipulate people. But there is something that should set them apart: empathy. Empathy allows you to test your target’s vulnerability while you “leave them feeling better for having met you.” As exhilarating as it may be to have the ability to influence and/or manipulate others, our goal is to train and educate our clients so that they can be safer in their workplace, as well as in their personal lives. An ethical social engineer would never show off their skills at the expense of someone else’s dignity. When we have empathy, we study and impersonate the bad guys, but never become them.