Security Culture and Social Engineering

I was interested to read my fellow blogger Stuart King’s posting on Psychology and Security. In particular he raises the tricky question of what a member of staff should do when confronting a visitor. Should they be suspicious and ask intrusive questions? Or should they be helpful?

It’s not that easy in practice. In fact, the more you encourage a service-oriented culture, the more vulnerable you are likely to become to social engineering attacks. Professional attacks are exceptional. It’s not what staff expect to encounter. It catches them off-guard. Most people want to be helpful. And it can be career-limiting to provide a bad experience to a senior person or an important customer.

From time to time I’ve been involved in interviews of applicants for security manager posts. I’ve always found it interesting to ask what they would do if the CEO arrived without an office pass. Would they let them in or would they turn them away? Generally it’s one or the other, and both answers are unsatisfactory, either from a security or a business perspective. You’re damned if you do, and damned if you don’t. It’s rare to hear an imaginative compromise answer. Just once I heard one: “Sir, of course I recognize you and this time I will let you in, but next time you forget your pass I will turn you away”. I was impressed with this answer, though not everyone would be, because there is no perfect solution.

At the end of the day it all depends what sort of security culture you prefer, and how much of a nice guy, control freak or bully you are. Do you like to make other people paranoid or servile? Do you like to punish people for getting things wrong? Or do you want to encourage positive characteristics such as openness, trust, forgiveness and empowerment? The choice is yours.