
So hi, I'm Rose Regina. I am the digital security coordinator at an NGO based in Berlin, where I provide internal digital security support. I create learning resources for activists, journalists, human rights defenders, and members of civil society, as well as providing advice and workshops to other organizations. This means I get to think about fun things like APTs, organized crime, disorganized crime, hate groups, abusive family members and intimate partners, and bad luck, in the context of no or minimal funding, lack of dedicated security or technical support, low-end, old, or second-hand equipment, and exceptional baseline levels of stress, all of which makes effectively targeting security behaviors that much more important.

Okay, so I'm going to talk a bit about things to consider when trying to get people around you to learn new security practices. My background on this comes mainly from coursework in public health, years of running trainings, and then lots and lots of time around much more conventionally trained teachers. Then I'm going to look at how some of the skills and techniques commonly used in social engineering can be helpful, or how they can be distinctly unhelpful. My background in that comes from my activism, my work, and some other stuff.

So when I think about teaching, I think about it as creating this experience that is both engaging emotional and rational aspects, and it moves people from one point to another. And there are a lot of different things that can affect a given learning experience, like the topic being covered, the materials being used to support the educational intervention, the skill of the teacher, how distracted the learner is, how distracted the teacher is, the cultural background and personalities of both the teacher and the learner, and then lots and lots of other things. And so this applies when you're doing, like, more formal trainings, but it also matters when you're just, like, sitting down with a colleague one on one.
Hmm. So when I start thinking about getting ready to teach something, I generally start by asking myself "to what ends?", meaning: what is my goal for the learner? And generally I find that tends to fall into one of three categories. So I have teaching for facts, which is about specific pieces of information, and it's often referred to as rote learning or memorization. And there is teaching for understanding, which is much more about learning a way of thinking or framework of analysis. And then third, I have actions, and this is basically behavior modification. So this means not only conveying information about how to do something, but creating a space that builds the self-efficacy for people to be able to put that information into practice. And this is my favorite, because when done correctly it's basically about supporting people on fixing and improving their own stuff. So figuring out which one of these three things I'm aiming for, it helps me figure out what might be appropriate approaches, but then it also helps me figure out how I'm going to evaluate how well things went at the end.

So increasing a learner's self-efficacy greatly reduces how much effort I have to put in to get them to actually change what they're doing. And what self-efficacy is, is it's just the belief that you can actually do a specific thing, and it features really prominently in a lot of public health interventions, especially related to addiction. And the idea originally comes from a psychologist named Alfred Bandura, and it's basically the idea that you're in a better starting point for changing what you're doing if you believe that you can change what you're doing rather than if you believe that it's impossible for you. So Bandura also came up with this nifty idea called social learning theory, which is the acknowledgement that you can learn things through indirect social observation, which is sadly way more applicable for bad habits than good habits, so I don't recommend relying on that.

Social learning theory is an idea about how people learn, but there are also theories about how to teach to best facilitate learning. Some approaches are geared towards specific populations and some towards specific topics. I've put a few examples up here and I encourage you to look into them deeper, though we don't have time in this talk, but, like, almost all of that there can be summarized as basically: ask questions, borrow from other fields, get learners engaged, and then, like, be aware of social dynamics.

I'm gonna dive a little bit deeper into Malcolm Knowles and his work, which is commonly known as adult learning theory, though there are a lot of other theories about how adults learn. Adult learning theory has criteria for who counts as an adult learner, it has guidance on general ideas to promote learning by adults, and it's tied to the ADIDS content structure. My major critique of adult learning theory is that it assumes that adults learn differently than children, and I think it's really just that we have accepted that we can't bully within learning adults the way that we try to within kids. And so I would hope that if you're working with teenagers or even younger kids, you might also think about some of these ideas.

So ADIDS stands for activity, discussion, input, deepening, and synthesis, and I use this structure pretty extensively when I'm drafting curricula and self-learning interventions. But I tend not to follow it super, super to the T, but it's just a good checklist for myself to make sure that I'm putting things together in an order that is supportive to the learner. So with the activity, it is something interactive that draws on the learner's lived experience and primes them for integrating what you want to teach them into existing mental models and frameworks. The discussion is a chance to get everyone on the same page and to add in any key points that you want people to start thinking about that didn't come up organically in the activity. The input is the more conventional learning, teaching, standing up there doing something like this part. And then the deepening is a chance for the learner to try to integrate an with the new information from the input and kind of deepen their understanding. Synthesis at the end is just a chance to wrap up any loose ends, provide a summary, and just, like, catch any stray questions.

So functionally what this means is I start with something interactive, I have a chance to talk about what that activity raised, I move on to direct instruction, apply that learning hands-on, and then I give another chance for questions and reflections. This is because just talking to people is not necessarily that effective all of the time, though I'm really glad you're all here.

So if I were doing this talk as a workshop, it might look something like starting with a popcorn session where you talk about good and bad learning experiences that you've had, and then we might go on to talking in a group about the different characteristics of the things that you brought up as good or bad, at which point I would introduce adult learning theory and ADIDS. And then we could move into a small group work, which could be brainstorming or trying to apply what you just learned to the topics you generally teach people about. And then we would come back together, you could share what you noticed, ask some more questions, and maybe do, like, a little bit more of a presentation of what you did in the small groups. If I had enough time, I might even include a second go-around that had more of a focus on planning and implementation, like making a full curriculum and then troubleshooting issues that might come up, like if this is a really new approach for you or if this would be a really new approach for where you're working or trying to do the educational intervention.

So notably, only one of these five steps is actually someone standing up here talking, and that's because the activity and this discussion get people ready and open to the topic, the input is the new information, and the deepening and synthesis are about making sure that the new information gets cemented in by connecting it to what they already know. This is basically about getting people into the emotional and mental state that they need to be in order to work with and really integrate new information. Another nice thing about it is it makes it a little bit harder for you to move through info way more quickly than people are likely to be able to absorb.
So when your goal is behavior change, addressing self-efficacy can include troubleshooting real and perceived barriers. Sometimes it can be about helping set realistic expectations, and sometimes it's just about encouragement. So it's worth, like, thinking about how you might be able to do that in a way that's specifically relevant to whoever you're working with. So if someone says something is hard, just believe them. They're experiencing it as hard, and insisting that they're wrong isn't going to change how they're currently experiencing it, but it may make them not want to bring problems to you in the future. I also really like to frame things in a way that kind of validates the experience of challenge or difficulty while setting future expectations at a more reasonable level. So this is things like, "Okay, yes, it's hard now, but it gets easier, it's going to be easier." And another good thing about this is, as long as it is something that will actually get easier, if it continues to be incredibly hard, you maybe want them to come to you, because it may mean that, one, they're doing it wrong, or two, that they just need a different solution.

So ADIDS is a great guide for planning, but it's just a framework to help you create a controlled emotional experience, and there are a lot of other skills that are also needed, like asking questions to guide a discussion or prompt a learner to try a different approach, and using active listening, reading expressions, sensing how much you can get away with pushing someone's impatience, and the ability to gauge them and then present in a way that is comfortable to the other person. All of that is important for shaping an effective learning experience, and they're also all skills that are frequently used in social engineering. There's also a ton of acting skills that is kind of about holding people's attention or presenting to a room or just, like, broadcasting your voice that are really helpful with both.

So scaring people into better security really doesn't work, I promise you, but creating and addressing fear can be extremely powerful tools in predisposing people to specific actions. So we know that creating fear and stress can massively increase the effectiveness of phishing attacks and other kinds of social engineering. An appealing solution to manufactured fear can also be used, like when you have a pop-up that simultaneously tells you there's a virus and if you just click here and install this thing it will fix it. But fear can also create paralysis, and the association of a topic with fear can lead to avoidance. Most of us have probably experienced this, most likely with a topic related to money or health.

So in public health there's a lot that goes into trying to figure out how to both acknowledge the seriousness or gravity of the situation while also pushing as few emotional buttons as possible. And so this is stuff like maintaining a calm demeanor, and warning before you're going to say something scary instead of it being like ... and then immediately providing context to help people understand the risk, as well as talking about mitigation options. So with social engineering that paralysis is often really useful, but when you're looking at education, sometimes just reaching that level of heightened emotional state is enough to kind of dissuade someone from ever wanting to revisit the topic, and just leads people to avoid thinking about it instead of having any kind of motivating effect for them to take proactive action.

So establishing trust is important in teaching, and especially when you're talking about a topic like security, where people are fairly unlikely to have the internal knowledge already to be able to tell if what you're saying actually is true. So while sometimes similar, rapport building is not the same as establishing trust. Rapport is about feeling connected, but you can feel super in sync with someone and know that they will still let you down. It's good for getting favors, but security should not be a favor. You can use a bunch of techniques like mirroring and obligation to get rapport fairly quickly, but it also breaks. Trust is better thought of as slow and, like, hopefully persistent.

So with social engineering the goal is generally short-term, with the expectation that you don't need the glamour to last much past the end of the interaction, or the con, for lack of a better term. But with teaching, our hope is that the lessons and behaviors are going to be retained indefinitely. If social engineering is about getting someone to do a thing, then teaching for behavior change is about helping someone figure out how to socially engineer themselves. So, like, it's one thing for me to get my colleague to use a password manager to generate super strong passwords when I'm standing right there. It's another thing for me to get that colleague to a point where they're going to do that even when I am not looking over their shoulder.
So rapport is sometimes more important than trust, especially for those of us who are not people people, and rapport building techniques can be incredibly useful. I'm not against it. Even with looking at the differences between trust and rapport, you can kind of see how you could sort of substitute one for the other sometimes. However, potentially more important than all of these kinds of mismatches, attempting to use certain social engineering techniques with your colleagues causes two kind of fatal problems that aren't really just that it's the wrong tool for the situation.

So problem one: with some of your colleagues, you are normalizing manipulative behaviors in connection to digital security. You are training them to be vulnerable, especially to the kinds of attacks that are not going to be as easily stopped with better visibility, endpoint solutions, or a higher level of lockdown. When we tell people to ignore scarily worded messages without explaining them, or when we ask people to share passwords, especially over the phone or over email, it kind of puts the idea that, like, that's okay stuff. Plus, if you're mean while doing it, you are doubly setting up your co-workers for an attacker to be able to come in and pretend to rescue them, so just because they're going to be so happy to maybe get some help without being made to feel awful about it. Like, all of us have bad days, we all have our mean days, and I'm not saying that if you're ever short with a colleague you are responsible for every phishing attack that ever happens where you work, but do kind of think about the impact of how you choose to engage with the people around you and whether or not that's actually what you want it to be.

So problem two is that some of your colleagues are bound to be a bit more resistant to manipulation, and with some of them you're just gonna fall a little bit short and you will fail, and then that's fine, if disappointing to you. But with others you're going to set off the same twinge that an attacker would, so they're gonna consciously or unconsciously sort you into the bad actor bucket, and that's not a good thing. Like, sometimes it means that they just will be a bit wary of you, but sometimes it means that they're going to actively hate you for insulting their intelligence and thinking that you could pull a fast one on them, and it can also feel super disrespectful. So in that situation you've not only made enemies of a colleague by doing this, but you've specifically aligned against you the people who should be most able to get to work with you and to, like, come to you with problems that they're noticing earlier because they're just a little bit more aware of it. And this can also feed into shadow IT, because if people don't trust you, especially when it's on a gut level, they're more likely to go out of their way to avoid interacting with you, and that means that they would rather go through the process of setting up an alternative system than trying to get support from someone they perceive as unsupportive or worse.

So you can affect habits through directly targeting behaviors, or indirectly through affecting attitudes and understanding. Habits are also seldom contained to just one area of a person's life. This is true with the bad habits people bring in from, like, an old job or from their personal life, and it shows up in the office and then you have to deal with it. But it's also just as true going in the other direction, in terms of thinking about, like, the impact that what you do in terms of security education where you work has on their personal lives. So what you do, the impression you make when you're doing security education interventions, that carries over into people's future workplaces and their homes, and that's actually a serious responsibility, but it's also a pretty amazing opportunity.

So I hope this talk was helpful, or at least a little interesting. Teaching, whether formal or informal, is hard, but there are tools to make it a little bit easier, and if you're trying to get someone to do something when you're not there, just be aware and, like, try to specifically aim for the things that are going to facilitate that. You may already have a bunch of the skills that you need to be great at teaching, but take some time to reflect to make sure that, like, you're doing things that are going to lead to a better outcome and not things that are going to get in your way of being effective. And when you teach about digital security in your work, that is a responsibility and an opportunity, and the people you work with deserve good security in all parts of their lives, because everyone does. And this is both about your responsibilities to other people individually, but also to, like, the larger society. So, thanks.
So I think there's time for questions if anyone has them. There, that was the 20 minutes, I believe.

All right, come find me later if there's anything you want to ask privately.