ISACA Now Blog


How to Hack a Human

Raef Meeuwisse, CISM, CISA, ISACA expert speaker, and author of Cybersecurity for Beginners
| Posted at 3:08 PM by ISACA News | Category: Security

Have you ever wondered just how many ways there are to hack the human mind, and just how effective each technique is? I did, so I set about collating all of the techniques for human control and influence:

  • Every social engineering scam I could find;
  • The list of factors that influence the human decision-making process;
  • The components that make any argument or point persuasive;
  • How confidence tricks work;
  • How cognitive biases—the shortcuts in how the human brain processes information—work, and how they can be manipulated;
  • How far subconscious and subliminal suggestions can be used to control and influence the actions or beliefs each of us has.

I also wondered if the techniques we use in the field of cybersecurity to defend computer systems could be used to analyze and defend against the tactics designed to deceive the human mind. Was it possible to create a human hacking kill chain?

What raised my interest in this project was that I had started to notice that the techniques I learned many years ago when studying hypnotherapy – methods for planting suggestions in patients – were becoming increasingly noticeable in standard web pages.

According to the experts, 90 percent of what guides our decisions is based on something called implicit memory. This is composed of the subconscious and unconscious patterns driven by past experiences, our environment and other factors that we do not even realize we may be referencing when we make a decision. It seemed to me as though many business-savvy organizations had woken up to the power of PsyOps (psychological operations) and were now looking to use those skills to help sell as much product and advertising as possible.

The project took me much longer than I anticipated. What was supposed to be a three-month project turned into nine months of thought-provoking revelations.

Those irritating cookie permission boxes might look harmless enough, but as I collated and analyzed the tactics in use, I came to realize that most of the permission boxes were using 10 or more separate techniques just to persuade us that it was easier to click “Accept all” rather than take any other course of action:

  • Attentional bias to make the “Accept” option most noticeable
  • Coercion to block the page content until we agreed to the terms
  • Misdirection to hide the options for changing the permission settings so they were not easy to find
  • Fuzzing to make the time involved in pursuing the navigation of settings and options unappealing
  •  ...

Fuzzing as a human hacking technique was an interesting discovery. In software testing, fuzzing is the practice of feeding a program large volumes of malformed and unexpected input to find bugs and vulnerabilities. Because of the way the human mind operates, it is now also a social engineering technique in regular use: the target is overwhelmed with the impression that a reasonable and preferable option, which should be within easy reach, will instead take a huge and unsatisfying amount of effort to pursue. After all, cookie permission boxes rarely offer a “Reject all” or “Proceed with minimum cookies” button that lets the reader simply carry on with the page.
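The four banner tactics listed above can be turned into checkable indicators. The checker below is an added illustration, not code from this post or from the author's book; the banner data model, its field names and the two thresholds are assumptions made for the example, chosen so the checks can run on a description of a banner without a browser.

```javascript
// Added illustration, not code from the post or from the author's book:
// a heuristic checker that flags four consent-banner tactics
// (attentional bias, coercion, misdirection, "fuzzing").
// The banner data model, the field names and the thresholds below are
// assumptions made for this example.

// Human-readable description of each indicator we can flag.
const INDICATORS = {
  ATTENTIONAL_BIAS: "accept option is visually dominant over every alternative",
  COERCION: "page content is blocked and the banner cannot be dismissed without agreeing",
  MISDIRECTION: "no reject/settings control is visible on the first screen",
  FUZZING: "declining costs far more interactions than accepting",
};

// Thresholds (assumed for the example): accept must be at least 2x as
// prominent as each alternative; declining must take at least 3 more
// clicks than accepting.
const PROMINENCE_RATIO = 2;
const EXTRA_CLICKS = 3;

// A banner is modelled as data so the checks run without a browser:
//   controls: [{ role, prominence, visibleOnFirstScreen, clicksToComplete }]
//   blocksContent: does an overlay hide the page until a choice is made?
//   dismissable: can the banner be closed without accepting?
function analyzeBanner(banner) {
  const findings = [];
  const control = (role) => banner.controls.find((c) => c.role === role);
  const accept = control("accept-all");
  const reject = control("reject-all");
  const settings = control("settings");
  const declinePaths = [reject, settings].filter(Boolean);

  // Attentional bias: the accept button outweighs every way of declining.
  if (accept && declinePaths.length > 0 &&
      declinePaths.every((alt) => accept.prominence >= alt.prominence * PROMINENCE_RATIO)) {
    findings.push("ATTENTIONAL_BIAS");
  }

  // Coercion: the reader cannot get to the content without agreeing.
  if (banner.blocksContent && !banner.dismissable) {
    findings.push("COERCION");
  }

  // Misdirection: every route to declining is hidden from the first screen.
  if (declinePaths.length === 0 || declinePaths.every((c) => !c.visibleOnFirstScreen)) {
    findings.push("MISDIRECTION");
  }

  // Fuzzing: the cheapest way to decline is still far more work than accepting.
  const acceptCost = accept ? accept.clicksToComplete : Infinity;
  const declineCost = declinePaths.length > 0
    ? Math.min(...declinePaths.map((c) => c.clicksToComplete))
    : Infinity;
  if (declineCost >= acceptCost + EXTRA_CLICKS) {
    findings.push("FUZZING");
  }

  return findings;
}

// Turn the indicator codes into a short report for a human reviewer.
function report(name, banner) {
  const findings = analyzeBanner(banner);
  const lines = findings.map((f) => `  - ${f}: ${INDICATORS[f]}`);
  return `${name}: ${findings.length} indicator(s)\n${lines.join("\n")}`;
}

// Constructed sample input: a banner built the way the post describes.
const darkBanner = {
  blocksContent: true,
  dismissable: false,
  controls: [
    { role: "accept-all", prominence: 10, visibleOnFirstScreen: true, clicksToComplete: 1 },
    // "Manage settings" is a small text link that opens a nine-step toggle walkthrough.
    { role: "settings", prominence: 2, visibleOnFirstScreen: false, clicksToComplete: 9 },
  ],
};

// Constructed sample input: accept and reject given equal weight, no overlay.
const fairBanner = {
  blocksContent: false,
  dismissable: true,
  controls: [
    { role: "accept-all", prominence: 5, visibleOnFirstScreen: true, clicksToComplete: 1 },
    { role: "reject-all", prominence: 5, visibleOnFirstScreen: true, clicksToComplete: 1 },
    { role: "settings", prominence: 3, visibleOnFirstScreen: true, clicksToComplete: 4 },
  ],
};

console.log(report("dark banner", darkBanner));
console.log(report("fair banner", fairBanner));
```

Run with `node`, the dark banner trips all four indicators and the fair one trips none. The prominence and click-count fields are the part a real audit has to supply by inspecting the rendered page; the rest is ordinary rule evaluation, which is the point: once the tactics are named, they can be scored like any other indicator.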

The more I collated and understood about the techniques, the more I noticed how many of them had fallen into mainstream usage. They had become standard tactics for most large and successful organizations.

Subliminal imagery, the subtle use of particular language to slip suggestions straight into the reader’s subconscious, selective social proof, reverse psychology, the illusion of choice and even outright bullying … I thought I had some idea of how these tactics were in use to hack the human mind, especially through the technologies we use. But it turned out that even I had vastly underestimated the degree to which PsyOps have become the backbone of trillions of dollars of income.

Due to the amount of psychology I had to explore – and on the recommendation of my copy editor – I also had to enlist the help of a psychologist to ensure my exploration of how the human mind could be exploited (and defended) would not be too egregious to those that worked in that field.

So where did I end up with all that research? Was I able to identify indicators of human compromise and a human hacking kill chain? In short, yes.

It turns out that hacking humans, just like hacking computers, is indeed a process, or to be more precise, many different process options – all of which share some common components.

What every human hacking technique has in common is that it needs to get access to its human targets. But what was a real eye-opener was that, just like an advanced persistent threat, the most effective human hacking seeks to embed its techniques into our everyday lives and to go unnoticed for as long as possible.

I no longer look at content delivered through technology in the same way. I sit and pull apart the vast array of techniques packed into web pages and even emails, and I have reduced the number of organizations I subscribe to and increased my efforts to protect my identity.

This book has changed my life. It forced me to analyze and improve what I knew about making effective, persuasive arguments, and to recognize how the things that we do not think make a difference to the way we make life choices (but do) are exactly the items that are used to hack the human mind.

Editor’s note: Raef Meeuwisse’s new book, How to Hack a Human: Cybersecurity for the Mind, will be released on 9 January, 2019.
