A Deep Dive Into Human Vulnerability

A bit of vulnerability can be a good thing. We hear this said in social psychology, but can this be true for social engineering? In social engineering, more often than not, being vulnerable can be dangerous. Merriam-Webster’s dictionary defines vulnerable as "capable of being physically or emotionally wounded."

“Capable of being physically or emotionally wounded.”

Source: Yanky Photographer/Pixabay

Understanding that definition, any human fits this possibility. Now, that is a bold statement. I can already hear the objections, “Not me, I am smarter than that.” I can understand that thinking. In my industry, there is a popular slogan, “There is no patch for human stupidity.”

At first it may seem comical, but ego aside, the more I linger on this statement the more it bothers me. When we think about social engineering, we focus on phishing emails, or vishing through malicious phone calls, SMiShing via text message, or impersonation through social media or in person. If true, that means that only stupid individuals fall for these attacks.

The reality is that I have worked with so many great thinkers and have seen them fall for attacks, so how can that be true?

Is Anyone Really Vulnerable?

Over a decade ago, I wrote the world’s first framework for social engineering, analyzing how psychology and practice can be blended to manipulate people into “taking actions that are not in their best interests.” This framework turned into five books over the next 10 years all focusing on how to understand human decision-making and how malicious people might exploit that.

It might almost seem to you that the person who invented and wrote the framework around these things could never be duped, right?

Sadly, recently I was the victim of a confidence attack that has hurt my business, my nonprofit, and my reputation. But it has also been one of the biggest lessons in my life.

I thought, instead of focusing on the details, which may be the basis for future posts, I could talk about some of the science that can help you and I see where I was vulnerable.

The Halo Effect

In the early 20th century, psychologist Edward Thorndike conducted a survey of industrial workers, asking employers to rate workers based on personal qualities. What he found was fascinating: that those who were good-looking were believed to be more intelligent, despite no such evidence of intellectual ability. In other words, if you have got beauty, we’ll assume you’ve got brains too. This led to the concept of the halo effect.

Of course, in reality, our appearance has little to do with our intelligence, but the halo effect biases us to perceive people whom we find attractive as more honest, more skilled, and more trustworthy.

In my case, I allowed the halo effect to create a pattern of trust that should not have existed. It ultimately led to me making decisions that created serious vulnerabilities.

The Optimism Bias

Have you ever had a situation where something was too good to be true, but despite the overwhelming evidence you should run to the hills, you say, “Well this <insert bad thing here> won’t happen to me"?

The optimism bias made me ignore warning signs, I was so excited about what was to come that I missed what was happening. Now blend this with the halo effect, and I was left at the mercy of a very hijacked amygdala to make some very poor decisions.

The Ostrich Effect

The ostrich effect seems funny, but not so funny if you have found it a vulnerability. When our rational mind ignores glaring facts, in essence burying our heads in the sand because we don’t want to see what is painful, this is the ostrich effect.

In my case, there were glaring signs I was being lied to, neon flashing signs that I was being taken advantage of, and 150-point bold font, with bright red with arrows pointing to where I could have seen some serious warnings, but all got ignored. Like an ostrich, I buried my head only wanting to believe the already-decided-upon truth.

The Lessons

Like most, I spent considerable time beating myself up for failing. And herein lies the first, and maybe most crucial lesson. I am human. Yes, I am a professional social engineer that has spent the last decade-plus studying human behavior and decision-making. But despite that, I am human. And being human, I am susceptible to biases.

Halo Effect Essential Reads

The Halo Effect: What It Is and How to Beat It

How to Manage the Halo Effect on LinkedIn

But for me, it wasn’t just a lesson to make myself feel better. I wanted to understand what we can learn from this, and how we can defend against it the next time.

I am not going to simply say “control your bias," as that simplistic statement has no substance. Instead, here is a three-step process to help defend against potential biases.

1. Wisdom in a multitude of counselors. Having trusted partners, friends, and family that you can openly talk to about a relationship you're concerned about, especially if they are not involved, can help you stay clear of potential vulnerability.
2. Keep emotions in check. As with all social engineering attacks, when you feel overly emotional is the perfect time to step back and ensure you are not allowing bias to take over.
3. Critical thought. This one is harder but making a practice of questioning yourself before you are in a situation that requires it can create good habits to help you avoid vulnerability.

Overall, there is no way to 100% guarantee you will not be vulnerable, no matter how knowledgeable or skilled you are. In fact, sometimes we must be vulnerable to best protect our vulnerabilities. In other words, we need to recognize that all human beings are flawed, and that we are no exception, but as we become more self-aware, we reduce the risk of our vulnerabilities being exploited.

I am living proof. And in this day and age when there are so many people looking to feed on our vulnerability, these tips may just help keep you safe.