The Need for Ethics When Researching Social Engineering

Tactics that incorporate social engineering can be highly effective at bypassing security controls. We are likely vulnerable to social engineering because of the traits and behaviors that let us make decisions quickly, decisions that sometimes turn out to be wrong. It’s important to study and understand such persuasion approaches so that we can adjust our defenses accordingly. Yet such research needs to be conducted in a responsible and ethical manner.

As a society, we’ve been fascinated with the ability of some people to persuade others through language. In the context of scams, such skills have been exhibited by con artists, who are able to persuade victims into taking actions against their own interests. I dislike the term “con artist,” because the reference to art seems to glorify the practice of defrauding people and organizations.

Similarly, social engineering, when employed to someone’s detriment or without permission, is a scam, not an opportunity to show off one’s persuasion prowess. Just because it’s possible to influence someone to give up sensitive data, grant access to a system, or otherwise aid the social engineer’s objective doesn’t mean that the social engineer should take advantage of this vulnerability.

We’re all vulnerable to social engineering. Researching such practices in a responsible manner can help strengthen defenses against attacks that target humans through influence and persuasion. Yet we should be careful not to forgo a sense of ethics when employing social engineering to test defenses. Remember, the difference between a security assessment and a malicious attack often amounts to nothing more than permission.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.