Bias
Unconscious Bias and the Social Engineer
A very important lesson in how bias can create personal vulnerability.
Posted August 30, 2022 Reviewed by Michelle Quirk
Key points
- Unconscious bias exists in all of us; if left unchecked, it can create vulnerability in our thoughts.
- Self-evaluation is essential to ensure you are aware of unconscious bias.
- Unconscious bias involves assumptions about groups of people outside our awareness that affect our attitudes and behaviors toward them.
Have you ever interacted with someone over the phone or via email, and based on the name you see, the words chosen, and the sound of their voice, you construct a mental image of what they look like, their gender, their ethnicity, and even their personality? Based on this mental image, you decide how you will treat them when you first meet, but then you come face to face, and they are nothing like you imagined, and it shocks you.
Most, if not all, of us have had this experience at some point; I know I have. This is an example of an unconscious bias at work. One 2017 study found that all humans have unconscious bias and that avoiding the behaviors surrounding these biases can be very hard since many do not know they are engaging in it (Payne et al., 2017).
Unconscious bias is defined as automatic assumptions or stereotypes about certain groups of people outside our conscious awareness that can influence our attitudes and behaviors toward those people.
What does this have to do with social engineering?
Unconscious Bias and the Social Engineer
Recently I was on a social engineering engagement, where my team and I were training some students on how to do live interactions based on the work in my book, Human Hacking (Harper Business, 2021). I set up the perfect situation—they were to meet their targets in a local store, engage them, and elicit vital bits of information out of them.
The targets had no clue they were “targets,” and the trainees had no clue who they were looking for. I gave them one key indicator: Look for employee badges from a particular company.
Armed with that knowledge, they headed out to the location. I waited in anticipation for the “contact made” text. But all I got was silence. I texted asking for an update. “No one is here” was the response.
I texted to get confirmation that the trainees were there—check.
I texted to get confirmation that the subjects were there—check.
Waiting was agonizing, not being able to see anything and knowing the boat was going to get missed.
Eventually, the “targets” finished their task and left, and the trainees gave up and came back to home base.
I desperately wanted to chastise them for missing a key moment in training, but I didn’t know where the failure was.
I decided we need to make some accomplishments that day and set the “targets” out on another task, which I then sent some new trainees to engage and intercept. It was this decision that led to an alarming negative breakthrough discovery and something that we need to discuss.
Enter the Bias
The next team went out and engaged with the targets, successfully capturing the details needed on camera. When they came back, we all watched the film and the original two trainees said something that has since stuck with me: “I wasn’t looking for Black people….”
I had the answer I sought, but the answer wasn’t one I wanted. All of our targets were Black. For the trainee, self-admitted, that choice threw him off.
At first, I was in complete disbelief. I asked myself, why would having an all-Black cast for this event lead some to miss the opportunity in locating their targets?
My students made an assumption that the people who would be chosen for this assignment would be of a certain racial background. They determined this ahead of time, and then it affected their actions and how they proceeded with the assignment.
The Lesson
I felt it was important to discuss this, not only from social engineering angle but also from a social angle. As someone who has spent their career using the ways people make decisions as a professional social engineer, this interests me to understand more deeply.
Not only this, but this bias can also create a situation in which any of us can completely miss an opportunity in testing a company’s security because we assume—based on location or our own thoughts—a certain person would be the only type of person in this role. That type of thinking can create a vulnerability in your security.
Imagine we ignore a whole department because we assume a certain thing about the people in that department? Or we decide to use a certain pretext because we assume that everyone from this customer support department is from a certain race or country? Do you see how this can be a massive flaw?
From a societal standpoint, it was eye-opening for me. I want to admit, for those of you who do not know me, that I am a middle-aged white male. I could never, and would never try, to understand the difficulties and struggles those from different races and ethnic groups have gone through in their lives. For me, though, it was eye-opening to see how something so innocently planned led to some hard-working people being completely not seen due to an expected behavior.
In doing research for this article I found a story in which a man tried to sell his house and had it appraised for $472,000. But that sounded wrong to him for the years and effort he put into improving it, and the market was ready. He replaced all his pictures in his home and asked a co-worker to stand in for him. The second appraiser came and gave the price of $750,000. What was the only difference? In the first appraisal, the family was Black; in the second, the family was white—such a blatant example of how unconscious bias is very much present in modern society and can lead to truly unacceptable behavior.
It also was a good opportunity for me to do a self-check and to see if unconscious bias is holding me back in some areas of my life and career. This was a reminder to do some deep self-analysis and determine if there are areas for improvement so I can be a better leader, employer, security consultant, father, husband…human.
I encourage you to do the same.