Monday, November 23, 2015

Student Research Spotlight - The Effects of Authority on Social Engineering Sensitive Information

Tedd Scheall Johnson

Think of a time when you, or someone you know, fell victim, or nearly fell victim, to some sort of scam. Perhaps it was an unexpected prize notification for a contest you cannot recall entering. Or maybe a malicious group tried to trick you into giving them full access to personal online information. Such tactics capitalize on something referred to as “social engineering,” or methods of social interaction meant to deceive or manipulate others.

Of course, successful manipulation requires adequate knowledge and practice in social behavior. Discovering the ways people are easily influenced before malicious scammers do could help prevent such scams in the first place.

After a personal family experience, former student and graduate of BYU–H, Tedd Scheall Johnson, became interested in the psychology of social engineering and decided to focus his senior project on the topic.

Johnson was recently asked to describe his project experience.

How did you come up with your project idea and hypothesis? What sparked your interest?

I have always had an interest in Social Engineering, or "the art of human hacking." On TV or in movies, you see people pulling all kinds of cool "spy tricks" to get into a place, but in my work experience, it's more simple methods that are used to bypass security. A common method used in the Information Technology (IT) world is simply acting like you belong, and wandering into an area. I decided to look more into the actual studies that have been done, and was led to the study on uniforms by Bickman. I decided to see if something similar could be done with personal sensitive information, which is usually a high target for theft.

Clothing and appearance, as influencing variables, became the basis for Johnson’s experiment. He hypothesized that undergraduate college students would be more likely to provide sensitive personal information—that is, their social security number and mother’s maiden name—on a form when asked by someone who is wearing a white lab coat and administering the form on a clipboard than when asked by someone in casual clothes with just a sheet of paper. This is based on previous research showing how persuasive a person can be, simply based on perceived authority.

However, performing an experiment that involves asking for specific information like this can be tricky. Many variables need to be controlled for, the main one being that participants must believe they are part of a completely separate experiment that is asking different questions. In a word: deception. In psychology, we say this controls for, or prevents, the presence of “demand characteristics.” Demand characteristics are features of an experiment that may heavily suggest to a subject that they must act a certain way, thus compromising response integrity and authenticity. Though this is taking place in a laboratory, the goal is to match real life as much as possible. Imagine if Johnson were to ask subjects to participate in his study on “how professional clothing influences behavior.” They may immediately begin to make judgements and behave in ways contrary to what they might do without that explicit information. Malicious scammers must deceive in order to be effective; therefore, scientific methods used to tease out those effects must also involve deception.

Johnson could not simply ask participants to fill out a demographics survey that just happens to request sensitive information. That’s too suspicious. So, he decided to team up with another student researcher working on their own senior project at the same time. He added the items he needed to the other researcher’s survey form. This allowed Johnson to control for demand characteristics, because the subjects believed they were participating only in a completely different study. In exchange, Johnson aided his fellow researcher in running their experiment so that he could gather his own data as well.

As Johnson and the other researcher brought individuals into the lab, they would randomly wear either casual clothes or professional attire, complete with a lab coat and a clipboard. Subjects were then given a demographics survey which asked for the sensitive information at the end of the page. Once the form was completed, subjects were instructed not to give the form back, but to first cut the bottom two items off with scissors and destroy them via shredding. No sensitive information was ever seen by Johnson or the other researcher.

One might ask, “Were there not any who protested?” There were, indeed. Some wrote down information without reservation. Many paused with trepidation and disbelief, asking if the research really needed that information, but still provided it after some persuasion. Some flat-out refused to provide it, despite the researchers' persistence. In all circumstances, when a subject asked if the information was necessary, both Johnson and the other researcher would reply with, “It’s for the purposes of the study, please continue.” This phrase was repeated until subjects either complied or refused. (If they refused, they were allowed to continue the study without answering those two questions.) All responses were noted, and each participant was debriefed and notified of the purpose of that portion of the study before continuing.

After analysis, Johnson found results that differed from what the hypothesis predicted. In his sample population, there was no difference between groups. That being said, both groups (lab coat and no lab coat) contained a remarkable number of subjects willing to provide sensitive information, regardless of authoritative appearance.

Johnson described these results on his project poster:

There are many reasons this could have happened, and I believe a follow-up experiment would be warranted. Due to the fact that the majority of participants provided their sensitive information regardless of the uniform of the researcher, I believe repeating the experiment on a larger campus where the researcher would be completely unknown to all participants (as well as all assumptions about the researcher due to the nature of a small religious campus) may yield significance.

An interesting point discovered was how many people were willing to provide this sensitive information, even after they had been hesitant to do so. Similar to Milgram’s experiment in 1965, those who showed hesitation were instructed by the researcher to ‘please provide the information asked for, so we may continue the experiment.’

Overall, it is clear that the problem of exploiting human trust still exists, and that further education and experiments are needed. Many students were unaware that this information is personal, and that they shouldn’t be giving it out without an actual valid reason. No pretext was used to suggest that this information was in any way needed for the experiment. While there was an approved IRB consent form, no participants asked for any kind of validation of their authenticity or approval.

This brings up another interesting point regarding the scientific method and the process of drawing conclusions. Results might tempt individuals to make broad assumptions which connect the experiment’s circumstances to the overall human population. Or in other cases, sometimes results simply do not pan out as predicted. Should that occur, the temptation may be to become discouraged that the information provides no utility, or that the methods used were inherently flawed. While those may be true, they happen only some of the time. More often, however, contradictory results are still useful. In Johnson’s experiment, for example, while the variable of professional appearance did not seem to have an effect, the researcher’s persistence in requesting information, and the apparent trust of the subjects appear to have a profound influence, which would be beneficial to examine in future studies. Often, results can be far more interesting than the hypothesis.

Johnson’s interview continues:

How did the 305 and 490 classes go for you?

I loved both classes! Both of them were difficult for different reasons, but had their own rewards. 305 laid a very strong foundation on how to properly do research, perform an experiment, and frankly prepare my project. There was a lot of work to be done on the papers and readings, but overall it was a wonderful experience. 490 was also great, because it allowed real-world application of what was learned in 305. The biggest difficulty in 490 was, of course, actually running the experiment, which took more work in itself than I think I expected. I wish I had started collecting data sooner, and had the opportunity to collect MORE data. Analyzing the results and writing the conclusion were work as well, but at that point it felt rewarding to be finishing my project.

How did it feel when you finished your project and presented it to your peers and instructors?

Finishing my project was gratifying. It is a lot of work from the beginning of 305 to completion. The presentations were also a lot of work, but having done the "first round" presentation in 305 helped significantly. I think the best part about finishing my project, or at least the most exciting, was reviewing how I could rerun or modify the experiment. Ultimately, my findings were not significant, so I had to reject my hypothesis, which was a bummer, but to paraphrase Dr. Timothy: Run the experiment correctly, and the outcome is still worth the work.

Now that you have graduated, what do you hope to accomplish, or what do you aspire to do with your degree in psychology?

I've told people that my secret goal is to get my Ph.D. in psychology, my J.D. in law, and go be intimidating in court. I don't think this is likely to happen, but I do know that I will continue to use psychology every day of my life. I have found that it has given me a much better understanding of other people, as well as myself. It has helped me in both my personal and professional life. I will say that I am grateful for the heavy emphasis on statistics and research methods in our program, because both things have helped me in other fields as well. Ultimately my degree in psychology has taught me to think critically, and communicate my ideas more effectively. I love the program, and highly recommend everyone take the chance to learn at least a little bit about the field.

You can see Tedd's study in more detail, including statistical test results, by viewing his project poster here.

Article by Kyle Evan Madsen