Think Positive and Act Confident
What if you could predict someone’s level of risk-taking simply by observing their non-verbal behavior? What if you could accurately calculate how much exposure to harm or loss a person is willing to accept based on reading their account of a similar situation? Welcome to one of the sciences behind social engineering.
Your risk is showing…
A recent study at the University of California found a predictive correlation between confidence and risk-taking that worked for both verbal and nonverbal behaviors (Moons, Spoor, Kalomiris & Rizk, 2013). The researchers asked 106 undergrad students to participate in small group exercises where they discussed two possible solutions to both a financial crisis and a life-threatening health crisis. The first solution had lower risk but a guaranteed minimal gain, while the second solution had higher risk but also higher potential for gain. The participants were videotaped during the group discussions then they were individually recorded stating which solutions they favored, and lastly they wrote a short summary of why they made those choices. Four untrained observers watched the videos (on mute) then analyzed the written verbal materials for signs of positivity and confidence.
Both the verbal and nonverbal analysis demonstrated a clear connection between confidence and an increase in choosing the riskier solution. While there was no statistically significant findings for nonverbal positivity and a proclivity for risk, there was a negative correlation found between speech content positivity and risk. This means the people who talked positively, rather than confidently, were less willing to take risks.
So what…?
What does this mean to the security professional? The pen might be mightier than the sword and the tongue the deadliest weapon, but your actions still speak louder than words. Clichés aside, this information is a potential tool for negotiators, law enforcement or social engineers. Many individuals have reason to hide their readiness to engage in risk: a parent trying to talk a fussy child out of a public fit, a lawyer discussing a plea agreement, a trapped criminal who grabs a hostage, or a receptionist faced with a charming request to break protocol and print a document off a hapless stranger’s USB key. As much as these individuals might try to disguise their willingness to take a gamble, if they are not careful they will broadcast that inclination loud and clear to anyone observant enough to notice.
You have heard people say “confidence is key” or “confidence is sexy.” Confident body language comes across in stride length or leg position, head position, weight shift, placement of the hands, and even foot movement. If you want to give the impression of confidence when you walk in a room: have up-right posture, square your shoulders, and keep your arms relaxed and at your sides. On the other hand, showing signs of low-confidence is described as “blood in the water” or “the smell of fear,” neither of which are usually thought of as key or sexy. Low-confidence body language can be shown by hand placement, body posture, and lack of eye contact. This would be displayed by someone walking head down, arms hugging their body with their thumbs hidden or hands in their pockets, and with quick light steps. A lawyer telling the opposition he is not worried about taking the case to court better be displaying confident nonverbal behavior to back it up or that plea agreement could be rescinded. As you can see, everyone reads body language even though they are usually not aware of it. A professional social engineer can use this to their advantage.
Mirroring is the act of mimicking another person’s behaviors.If done correctly it can help your target to identify with you. However, it can work against you as well. If a social engineer wants to use the results of this study to give the appearance of someone who is not a risk-taker they might display non-verbals of low confidence but high positivity. This is where mirroring can come back to haunt you; your target could begin to mirror your non-verbals, so pick them carefully.
Worry, fear or anxiety would probably be a bad reaction to elicit from someone you want to do something they really shouldn’t. Sadness on the other hand could be the right card to play. Chris tells a story about matching his nonverbal to his verbal expressions of sadness while tailoring a sob story for a receptionist based on a picture on her desk (Hadnagy, 2012, p. 116-117). The receptionist connected with Chris and broke a pretty big rule as a result. The congruence of cues combined with Chris’s use of positive language and low-risk nonverbal behavior over-rode what this woman knew was corporate policy.
Another example would be to look for signs of confidence as you approach your target. Let’s say that this same receptionist was displaying cues of low-confidence as Chris approached, given the results of this study, it would be wise of Chris to tailor his initial interactions towards increasing her confidence level. This is a principal already used by social engineers when they give compliments (obligation) or give positive reinforcement (liking). On the other hand, if given a choice between talking to a receptionist displaying low-confidence but positive cues and one displaying confident-positive cues, this study indicates choosing the latter because they will be more likely to take a gamble if you play your cards right.
But what about the verbal component of this study? Social media provides a wealth of written material that is usually rich with emotional content that can reflect positivity or confidence. Let’s say a social engineer wanted to know the best route for approaching a shy target named Jim. The social engineer could take a look at any verbal content found online that was written by (or transcribed from) their bashful target. They find that Jim posts frequently about both his interest in Italian food and heavy-metal music (it’s my imagination, just roll with it). Content analysis shows that Jim talks positively about Italian food but confidently about heavy-metal music. Given the results of this study, Jim is more likely to take a chance on engaging in conversation with a stranger if the topic of heavy-metal music is used (and really who wouldn’t?). Perhaps this was part of the reason Iranian hackers went to such lengths to connect on social media with their targets?
Putting it into practice
Even though we all read nonverbal and verbal cues in daily life, training is necessary if you want to master the art of reading others or to learn to mask your own cues. These are the types of skills that take practice to build reliability. We’ve given you some basics here, but a great place to continue learning about non-verbals is Unmasking the Social Engineer: The Human Element of Security by Chris Hadnagy. This book breaks nonverbal cues down into seven aspects: Kinesics, Proxemics, Touch, Eye Contact, Olfactics, Adornment, and Facial Expressions. These categories are explored with over a hundred photographs demonstrating low-confidence and high-confidence as well as other emotions such as fear and happiness. Use this resource to practice looking for these clusters of nonverbal behaviors in a variety of environments and settings.
Whatever your level of experience with social engineering, it pays to be observant. Don’t stop at scrutinizing others though; take the time to track your own nonverbal behaviors throughout the day or read through your own correspondence for words indicating confidence or positivity. Do your words and actions present the same picture or are you broadcasting a different message altogether?
Written by Tamara Kaufman
References:
https://www.social-engineer.org/general-blog/a-good-lesson-on-reading-nonverbals-by-david-kennedy/
https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/
https://www.social-engineer.org/podcast/ep-055-learning-notice-see/
https://www.social-engineer.org/newsletter/Social-Engineer.Org%20Newsletter%20Vol.%2003%20Iss.%2038.htm
https://www.social-engineer.org/general-blog/how-to-prevent-social-engineering-attacks-chosing-the-right-security-auditor/
https://www.amazon.com/gp/product/1118608577/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1118608577&linkCode=as2&tag=socialenginee-20&linkId=G3EKIJDEOE3F2MO2
https://www.social-engineer.org/framework/influencing-others/influence-tactics/obligation/
https://www.social-engineer.org/framework/influencing-others/influence-tactics/liking/
https://www.reuters.com/article/us-iran-hackers-idUSKBN0E90A220140529
https://www.amazon.com/gp/product/1118608577/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1118608577&linkCode=as2&tag=socialenginee-20&linkId=G3EKIJDEOE3F2MO2
https://www.merriam-webster.com/dictionary/kinesics
https://www.merriam-webster.com/dictionary/proxemics
Comments are closed.