Patching the Wetware - Addressing the Human Factor in Information Security (Paperback)

In the practice of information security, it is increasingly observed that the weakest link in the security chain is the human operator. A reason often cited for this observation is that the human factor is simpler and cheaper to manipulate than the complex technological protections of digital information systems. Current anecdotes where the human was targeted to undermine military information protection systems include the 2008 breach of USCENTCOM computer systems with a USB device, and the more recent 2010 compromise of classified documents published on the WikiLeaks website. These infamous cases, among others, highlight the need for more robust human-centric information security measures to mitigate the risks of social engineering. To address this need, this research effort reviewed seminal works on social engineering and from the social psychology literature in order to conduct a qualitative analysis that establishes a link between the psychological principles underlying social engineering techniques and recognized principles of persuasion and influence. After this connection is established, several theories from the social psychology domain on how to develop resistance to persuasion are discussed as they could be applied to protecting personnel from social engineering attempts. Specifically, the theories of inoculation, forewarning, metacognition, and dispelling the illusion of invulnerability are presented as potential defenses.