2. 2 Cyber-crime Science
Background
Effectiveness of authority on compliance
We can get some of the answers from
» Literature (Meta-analysis)
» Attacker stories/interviews
But the answers are inconclusive
» Different context
» Hard to measure human nature
» Difficult to standardize behaviour.
Authority
Titles: Professionals vs Lay people
Clothing: Formal vs Casual
Trappings: Status vs Insignificance
[Cia01] R. B. Cialdini. The science of persuasion. Scientific American
Mind, 284:76-81, Feb 2001.
http://dx.doi.org/10.1038/scientificamerican0201-76
Literature on Authority
Classical Milgram Shock Experiment
» 66% full compliance
Nurse-Physician relationship
» 95% compliance
Login credentials
» 47% compliance
[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal
and Social Psychology, 67(4):371-378, 1963.
Attacker Stories
Books about Social Engineering
Six Principles of Persuasion
Provisional results:
» 4 books
» 100 cases.
[Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception:
Controlling the Human Element of Security. Wiley, Oct 2002.
http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html
Nurse Study: Design
Attacker: Doctor
Target: Nurse
Goal: Violating policy
» Maximum dose of medicine
Interface: Phone
Persuasion Principle: Authority
[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study
in nurse-physician relationships. Journal of Nervous and Mental Disease, 143(2):171-180, Aug 1966.
Stealing a key
What is the influence on compliance with a request of:
» Social engineering (e.g. Authority)
You are the researchers!
Our Design
Attacker: You (Student)
Target: Employee
Goal: Violating policy
» Sharing office key with 3rd party
Interface: Face-to-face
Persuasion Principle: Authority
Method: Our design
Dependent and independent variables
Independent variables (2 × 2 = 4 experimental conditions)
» Intervention / No intervention
» Authority / No authority
Dependent variable
» Compliance / No compliance with the request.
[Diagram: Request → Comply]
[Fie09] A. Field. Discovering statistics using SPSS. Sage, London, 3rd
edition, Jan 2009. http://www.uk.sagepub.com/field3e/main.htm
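As an added example (not part of the course slides), the following standard-library Python script tabulates constructed observations in the Intervention × Authority design above and tests, per factor, whether the compliance rate differs, the kind of check one would otherwise run in SPSS. The per-condition counts are invented for illustration, and the Pearson chi-square test is a standard choice for a 2 × 2 table, not one the slides prescribe.

```python
import math

# Constructed counts per condition, (intervention, authority) -> (complied, refused);
# invented for illustration, not data from the Carré experiment.
CONSTRUCTED_COUNTS = {
    (False, False): (4, 6),   # no intervention, casual clothing
    (False, True):  (8, 2),   # no intervention, suit
    (True,  False): (2, 8),   # intervention, casual clothing
    (True,  True):  (6, 4),   # intervention, suit
}

def expand(counts):
    """One (intervention, authority, complied) record per subject, as noted in the field."""
    records = []
    for (interv, auth), (complied, refused) in counts.items():
        records += [(interv, auth, True)] * complied + [(interv, auth, False)] * refused
    return records

def compliance_rates(records):
    """Compliance rate per condition, keyed by (intervention, authority)."""
    complied, total = {}, {}
    for interv, auth, ok in records:
        key = (interv, auth)
        total[key] = total.get(key, 0) + 1
        complied[key] = complied.get(key, 0) + int(ok)
    return {key: complied[key] / total[key] for key in total}

def chi_square_2x2(table):
    """Pearson chi-square (1 df, no continuity correction) for [[a, b], [c, d]].
    Returns (statistic, p_value); for 1 df the survival function is erfc(sqrt(x/2))."""
    (a, b), (c, d) = table
    n = a + b + c + d
    margins = (a + b) * (c + d) * (a + c) * (b + d)
    if margins == 0:
        raise ValueError("a factor level or outcome never occurred; the test is undefined")
    stat = n * (a * d - b * c) ** 2 / margins
    return stat, math.erfc(math.sqrt(stat / 2))

def factor_effect(records, factor):
    """Collapse the other factor and test whether `factor` (0 = intervention, 1 = authority)
    is associated with compliance. Rows: factor absent/present; columns: complied/refused."""
    table = [[0, 0], [0, 0]]
    for rec in records:
        table[int(rec[factor])][0 if rec[2] else 1] += 1
    return table, chi_square_2x2(table)

if __name__ == "__main__":
    recs = expand(CONSTRUCTED_COUNTS)
    print({c: f"{r:.0%}" for c, r in compliance_rates(recs).items()})
    for name, idx in (("intervention", 0), ("authority", 1)):
        print(name, *factor_effect(recs, idx))
```

With the constructed counts the authority cue is associated with compliance (chi-square 6.4, p about 0.01) while the intervention effect does not reach significance (chi-square 1.6); with real data, also record the per-condition sample sizes, since 10 subjects per cell is the floor at which this test is informative.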
Method: Our procedure
Subjects from the Carré building
» 14 research groups
» 4 conditions
Intervention vs No intervention
Authority: Suit vs Casual clothing
Randomized sample
Attack in 1 day
Method: Our procedure (continued)
Attack targets
» Impersonate the facility manager and ask the employee for their office key
» Short Questionnaire
» Note date, time, location, condition, compliance, difficulty, etc.
More details on the course-site
What to do on Wed 11 Sep
Attacker training in the morning, CR2022
Execute the experiment individually (or in pairs)
» One or two attackers per area
» Condition and area allocation: Jan-Willem Bullee (on the course-site soon)
» Debrief directly after attack
What to do on Wed 11 Sep (continued)
We have permission to do this only at
» UT: Carré
Enter your data in SPSS
» Directly after the attack
» Come to me (ZI4047)
Earn 0.5 (out of 10) bonus points
Ethical issues
Informed consent not possible
Zero risk for the subjects
Approved by facility management
Consistent with data protection (PII form)
Approved by ethical committee, see
http://www.utwente.nl/ewi/en/research/ethics_protocol/
Conclusion
Designing research involves:
» Decide what data are needed
» Decide how to collect the data
» Use validated techniques where possible
» Experimental Design, pilot, evaluate and improve
» Training, data gathering
» Start again...
Further Reading
[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009.
http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996.
http://doi.acm.org/10.1145/228292.228295