Security Culture and Social Engineering

I was interested to read my fellow blogger Stuart King’s posting on Psychology and Security. In particular he raises the tricky question of what a member of staff should do when challenging a visitor. Should they be suspicious and ask intrusive questions? Or should they be helpful?

It’s not that easy in practice. In fact, the more you encourage a service-oriented culture, the more vulnerable you are likely to become to social engineering attacks. Professional attacks are rare, so they are not what staff expect to encounter, and they catch people off guard. Most people want to be helpful. And it can be career-limiting to give a bad experience to a senior person or an important customer.

From time to time I’ve been involved in interviewing applicants for security manager posts. I’ve always found it interesting to ask what they would do if the CEO arrived without an office pass. Would they let them in or would they turn them away? Generally it’s one or the other, and both answers are unsatisfactory, either from a security or a business perspective. You’re damned if you do, and damned if you don’t. It’s rare to hear an imaginative compromise answer. Just once I heard one: “Sir, of course I recognize you, and this time I will let you in, but next time you forget your pass I will turn you away.” I was impressed with this answer, though not everyone would be, because there is no perfect solution.

At the end of the day it all depends on what sort of security culture you prefer, and how much of a nice guy, control freak or bully you are. Do you like to make other people paranoid or servile? Do you like to punish people for getting things wrong? Or do you want to encourage positive characteristics such as openness, trust, forgiveness and empowerment? The choice is yours.

So what kind of culture do they have at central government then? Every week our job is writing itself with such crass and simple errors of action taking place, to wit today's news ref. child benefit data going "missing" (20 Nov 07). The key here seems to be the ongoing requirement to encourage people to appreciate the value of information (data) and thus to protect it. In defence of Principle 7 of the Data Protection Act (DPA), the compliance requirement is there - to provide "appropriate organisational and technical security measures"... why aren't people doing this yet? Someone somewhere is not providing appropriate advice, guidance - OR training...

I have discussed this problem a number of times with my IT Audit and Information Security students when debating the issue of confronting visitors without causing offence or alarm. I still believe this will not be effective until the policy and awareness programmes highlight the need; organisations recognise the requirement; and tone at the top is appropriate. In the meantime, simply ask the question "May I help you?" when not recognising someone in the office, and this bypasses the embarrassing aspect so often felt by members of staff who don't like confrontation. In addition, I once went into the data centre and the new CEO was there waiting in the reception area, unable to get in because the security personnel didn't recognise him (quite rightly, since they were external contracted staff, which of course is a better solution and assists in stopping the complacent aspects of physical security, and he hadn't requested an access pass). Was he annoyed? Not a bit. The process worked and he was delighted.