Tinkering with humans? Social engineering and the construction of the "deficient user" in cyber security
(Technical University of Munich)
Alexander Wentland (Technical University of Munich)
Paper short abstract:
Social engineering in cyber security refers to ways in which hackers use human vulnerabilities to penetrate technical systems. Our talk focuses on how hackers and SE experts attribute (ir)responsibilities to the users, as they imagine possible solutions to the supposed "people problem."
Paper long abstract:
Social engineering (SE) in cyber security refers to the various, and often highly creative, ways in which hackers penetrate and overcome security systems by targeting human as well as technical vulnerabilities simultaneously. More than two-thirds of all hacking attacks use SE, which leaves cyber security professionals in both companies and government organizations struggling to develop effective counter-measures. One of the main reasons for this is that SE exploits basic human characteristics such as curiosity, greed, excitement, and ignorance as a gateway into the technical layer of a targeted information system. In this presentation, we explore how hackers, security professionals, and institutional stakeholders construct a deficit employee or, more generally, deficit users as opposed to IT specialists. More specifically, we focus on how hackers and SE experts attribute (ir)responsibilities to the users, as they imagine possible solutions to the supposed "people problem." We trace the ways in which SE and the experts in this community construct deficits. Instead of looking at schemes that target individual users, for instance in order to obtain a victim's credit card information, our analysis deals with the interplay between users in organizations, IT departments, and the larger SE expert discourse. What we observe in these institutional contexts is a shift in the way individual deficiency is constructed vis-à-vis collective security. While companies have largely benefitted from the digital revolution in ICT, they have individualized the risk that came with it, drawing on rarely challenged psychological and ethical assumptions underpinning most SE expertise today.
Caring, negotiating and tinkering for IT in/security