In the field of security awareness and associated training, the term “critical thinking” is thrown about as an effective defense against social engineering attacks. So, what is critical thinking? And how can it be applied in day-to-day activities to make a user or an entire user-base more secure?
According to the Foundation for Critical Thinking, a “well-cultivated critical thinker” gathers and assesses relevant information and comes to well-reasoned conclusions and solutions. One also thinks open-mindedly within alternative systems of thought, while recognizing and assessing their assumptions, implications, and practical consequences.
Let’s break that down a bit. “Gathers and assesses relevant information” is a very important piece. These days we are overwhelmed with the amount of information we have access to. So, it is vitally important to be able to see through that fog and focus on what is relevant for a given situation.
“Comes to well-reasoned conclusions and solutions” is a bit more subjective and depends on the circumstances. From a social engineering defense perspective, this often means using your organization’s stated policies and procedures as the guidepost to a well-reasoned solution. If the attacker is asking for information that is proprietary or confidential in nature, your company’s policies should make clear what to do in that situation.
That last bit, “recognizing and assessing their assumptions, implications, and practical consequences,” is where it all comes together in the mind of a critical thinker. What is going to happen if I give this attacker the information they are asking for or act as requested? The consequence of that action could range from minor to devastating for an individual or company. That question needs to be answered before the action is taken. At a minimum, if a link was clicked or information was disclosed, the individual needs to recognize that a mistake was made and report the activity to the appropriate security contact(s).
How do we improve our critical thinking skills?
The primary obstacle to critical thinking is emotion. Provoking it is a tactic all social engineers use to subvert whatever training the user may have received and get them to act even when it is not in their best interest.
The most common emotional triggers used by attackers are fear, trust, curiosity, and greed. These can be used together or independently to flood the target with enough emotion that critical thinking just isn’t possible. That flood of emotion should itself be the cue that critical thinking is needed in that situation.
When you receive an email or a phone call and, for whatever reason, you start to feel overly emotional about the content or message being presented, that is when you should step back and re-evaluate the situation. Nothing, short of a direct life-or-death moment, will be adversely affected by an extra minute or two of analysis. That short period of time could be enough for your intellectual mind to see the flaw, danger, or consequence that your emotional mind looked right past.
The ability to think critically really comes down to practice and insight into your own mental state. All of this can be taught as part of a security awareness program, and it will have far-reaching impacts on the daily lives of those who practice it, both personally and professionally, as a defense against social engineering attacks.
Take notice if you are emotional in a situation, evaluate the request that is being made, and understand the consequences of taking that action. Be a critical thinker by applying these simple strategies. Well, simple to say, but they take practice to master.