Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Assessing Honesty – Who is Better?

© Phil Date | Dreamstime Stock Photos

The workplace is most often or not an amalgam of varying personalities and talents.  It could be difficult, especially in these competitive times, to get an accurate assessment of an employee’s abilities and competence in just a couple of interview sessions.

Often times prospective employees exaggerate accomplishments and/or experience.  It is very important that the company leader (the one who decides who to hire) make well thought out predictions on how a person will perform based on the limited amount of time they have interacted with them.  Hiring managers must make sure candidates can measure up to the requirements of the job description.

Is it the skeptical manager, who is more often than not suspicious about others, or the trusting manager, who assumes that people for the most part are honest, that is better at evaluating truthfulness?

 The Washington Post reported on a study performed by Psychologists Nancy Carter and Mark Weber.

They presented business professionals with a scenario about an organization struggling with dishonesty in its hiring interviews. They had the chance to choose one of two highly competent senior managers to be the company’s job interviewer. The major difference between the two managers wasn’t experience or skill, it was a matter of personality: one manager was skeptical and suspicious, whereas the other manager had a habit of trusting others.

Eighty-five percent chose the skeptical manager to make the hiring decisions, expecting the trusting manager to be naïve and easily duped.

As we know through research Evaluating Truthfulness is a difficult task to master.  Experienced experts continue to brush up on their skills to stay fresh and on top of their game.  Past research has shown that the average person is no better than chance at detecting deception.

So, who is the better lie detector during interviews?

Contrary to popular belief, it is the skeptics that are duped more often than not.   The more trusting evaluators better identified the liars among the group than the skeptics did, and were also less likely to hire those liars.

Why would this be? According to Carter and Weber, it is that lie-detection skills cause people to become more trusting. If you’re good at spotting lies, you need to worry less about being deceived by others, because you can often catch them in the act.  Another possibility is that by trusting others, we sharpen our skills in reading people.

Want to brush up on your Deception Detection Skills?
Join our Evaluating Truthfulness LIVE Webinar, April 27 2013 11-1 pm PST. 

5 Small Talk Scripts to Memorize Now

small talk

Is there anything quite so scary as the thought of having to make polite conversation with total strangers?  Certainly, for some of the more naturally garrulous people out there, making small talk can be seen as an opportunity to connect with new people and get to know others on a deeper level.  But for the vast majority of people, small talk represents a deeply-uncomfortable, anxiety-provoking situation.

Unfortunately, you’ve got to get over this!  According to a recent Harvard Business Review article by Andy Molinksy:

“You can be the most technically skilled worker in the world, but your ability to progress in your job and move up the corporate ladder in the United States is highly dependent on your ability to build and maintain positive relationships with people at work. And guess what skill is critical for building and maintaining these relationships? Small talk.”

The secret to small talk is being prepared.  So if you feel perpetually flustered by the demands of making small talk, memorize the following scripts so that you’ll be able to pull them out at a moment’s notice whenever a situation calls for polite conversation.

Script #1 – “What do you do?”

People in the US love to talk about their jobs, which makes this small talk script a natural starting point for conversations with new people.  Though it obviously isn’t one that could be used when interacting with coworkers at a company event, it’s a great starting point to have on hand for business networking events and other social functions.

One caveat to using this script, however, is that it can backfire in situations where your conversation partner has recently been laid off or fired (as is all too common in today’s job market).  This doesn’t mean that you shouldn’t use it –in fact, in networking situations, it can be a helpful way for the person you’re speaking with to convey his or her openness to new opportunities.  However, you should be aware of the potential for discomfort and have a few expressions of sympathy ready, should you encounter somebody who’s recently out of work.

Script #2 – “What’s new with you?”

If you’re interacting with people you know on a casual level – for example, distant family members, social acquaintances or colleagues in other departments – there’s no more natural starting place for a small talk conversation than, “What’s new with you?”

The key to using this script effectively, though, is to learn how to keep the conversation going by asking probing questions.  If you use this script and your counterpart responds, “Oh, nothing much,” it’s still on you to carry the conversation with follow-up questions like, “Any big projects at work right now?” or “Any plans for the upcoming holiday?”

Script #3 – “Did you see that news story about [xx]?”

When in doubt about how to start a small talk conversation, jump in with a recent news article or major upcoming event.  Sporting events are a great neutral territory for these chats – something like, “Did you see the new story about that Louisville player Kevin Ward’s leg?” is bound to provoke a reaction.

There are two things you’ll want to keep in mind when using this script, though…  First, it’s imperative that you stay away from highly-charged political or religious topics.  Even if you’re absolutely certain that you know your conversation partner’s philosophical leanings, these heated topics really have no place in polite, public interactions.  Save your opinions for your close friends and family members!

In addition, it’s important that you actually have some familiarity with the news story you decide to reference.  If you say to somebody, “Did you see that news story about [xx]?” and he or she responds with, “No, tell me about it,” you’d better be able to back up your small talk script with actual information!

Script #4 – “Any vacation plans in the future?”

As much as Americans live for work, we also live for the precious few days of vacation we get every year – making this a fun small talk prompt to keep the conversation going.

While I wouldn’t use it to start off an interaction with a totally new contact, it’s a great way to learn more about the people you’re speaking with in a non-threatening way.  A discussion about future family trips could open the door to further questions about their family life and structure (for example, “How old are your kids?” or “Where do your kids go to school?”).  Similarly, a mention of a dream vacation destination could prompt you to ask, “What made you choose that location?” or “Have you always wanted to travel there?”

Remember, the more follow-up questions you can ask, the longer you’ll be able to keep your small talk going.

Script #5 – “Where did you get that [piece of clothing]?”

Finally, if all else fails, complement your conversation partner on an article of clothing and ask where it was purchased.

Secretly, we all crave the approval of others – especially when it comes to our physical appearances.  Making a comment that indicates you like a certain piece of clothing or jewelry provides this all-important flattery, while also giving you an opening to keep the conversation going on local shopping and apparel trends.

Certainly, these are just a few of the different scripts you can use to initiate and maintain small talk, but they’re a good couple of options to memorize and keep in your back pocket at all times.  If you have any other go-to conversation starters, share your recommendations below in the comments!

Security Awareness Content: Challenges of Using Punishment

Punishment is evident in all aspects of our life to everything from getting drivers to stop speeding, to getting the dog to not bark at the mailman. Because of this, it is no wonder that several go to punishment when wanting to change user behavior. While punishment is a very powerful tool- that can produce almost immediate change in behavior- it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating and effective security awareness architecture.

sexWhat is the most effective punishment?

Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.

No? I didn’t think so. When making security awareness content, we as info sec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what is the next best thing. This punishment has to be easy to implement and applicable across your entire user base. Furthermore it has to be easy to maintain. Lets say you have an issue with users not properly disposing of PII so you decide to implement a termination policy for all instances of improperly handled or disposed of PII. While very effective (because it gets at the users ability to purchase food and water) it is not easy to maintain. You will either end up with a lot less employees REAL quick or you turn into the boy that cried wolf. Lets say that instead of termination, you force the employee to click through a 10-slide power point outlining what PII is and how to properly dispose of it. That won’t work either for the opposite reason- even though it’s easy to maintain, it’s effectiveness, as a punisher will wear off drastically. Think of this similarly to getting desensitized to a pop-up notification. It is for this reason choosing a contingency is often one of the hardest parts of using punishment in a content plan.

Indirectly punishing behaviors

Imagine that your organization has a major problem with users loosing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breech of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you inflict a $100 penalty for loss of a phone, $300 for tablets, and $500 for a laptop. You see an immediate drop in device loss but after a few months some other patterns start to emerge. First, calls to report anything to the security team significantly reduce. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates how even though a punishment is inflicted upon a specific behavior it does not guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss as well as calling the security team at all.

While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed otherwise you can create more problems than you started with.