
Social Engineering - Cognitive Strain and Cognitive Ease

We all know the situation: The moment the camera rolls or the live video chat with 20 colleagues starts, even the most basic tasks suddenly seem overwhelming. Some people even become temporarily blind, unable to read the keys on their keyboard or to find the link to the presentation.

Cognitive ease - you wanna know this

Exploiting Human Cognition to Bypass Security Measures

Cognitive ease and cognitive strain are two essential concepts in social engineering and psychology. Both play a role in everyday human interaction and cognition. Cognitive ease describes the mental state in which individuals find information easy to process, understand and accept, while cognitive strain refers to the mental effort required to process unfamiliar, complex, or difficult information. Let's have a look at the role of cognitive ease and cognitive strain in social engineering, focusing on their impact on attention and decision-making, as well as potential countermeasures.

Cognitive Ease, Cognitive Strain, Attention

Cognitive ease and cognitive strain influence the attentional resources of an individual, which are finite. According to the dual-process theory, human cognition consists of two systems:

  • System one, an automatic, fast, and intuitive mode of thinking
  • System two, a slow, deliberative, and analytical mode of thinking (1)

Cognitive ease generally engages System one, while cognitive strain demands the activation of System two (2).

Research has demonstrated that cognitive ease can lead to increased:

  • reliance on heuristics
  • use of cognitive shortcuts that simplify decision-making
  • biases & prejudice
  • errors that fall in the category “oversight” (3)

In contrast, cognitive strain promotes analytical and critical thinking leading to:

  • decision fatigue
  • overthinking
  • overcomplicating
  • lag of reaction, bystander syndrome (people watching accidents or an ongoing crime without intervening or calling the police)
  • reduced auto-pilot process abilities (e.g. driving a car is easy, except when we start thinking about each single action our body and mind needs to do)
  • when focusing too long: reduced cognitive resources that lead to errors and bad judgment (4)

There’s valid criticism of the dual-process theory and I personally think, too, that it’s oversimplified. It fits neither evolutionary explanations nor modern theories in psychology and neuroscience (I think we agree that we’re beyond Freud and the subconscious mind). That doesn’t invalidate the knowledge we just worked out, but maybe it’s best to see it like the OSI IP model: a helpful abstraction layer.

Example

To bypass a guard we try to trigger cognitive ease:

  • We choose a company name that is easy to pronounce, e.g. LaRaBell
  • We repeat the name multiple times, as well as the phrases “we were ordered”, “no fixed date”, “do it now”, “finish soon”, within a few sentences
  • Cognitive ease will make the guard feel generally positive towards these terms and phrases. We can add a few more backup terms that we try to exploit in a later stage of the conversation, if things don’t go as expected.

We offer the guard a possibility to check our information, but explain it as a complicated, long series of steps that we only explain once. We could use the talking-slow technique on top of this, or add other techniques. If the guard asks us to explain again, we start doing so, but then quickly make an excuse because we have to take a phone call or go back to the car. When we return, we offer other, cognitively easier options as an alternative to the complicated process. If the guard still insists on checking:

  • We prepared a callback number on a hard-to-read, small business card surrounded by lots of other long numbers, IDs etc.
  • Additionally, we explain a 3-step process that involves another large and impractical document, in which the guard has to identify two pieces of information within two separate paragraphs. We explain that the guard needs to add this information when asked question 1 and later question 2. The document could also contain lots of long, complicated terms, bad formatting, spelling errors and printing faults (bad copy)
  • Intentional mistakes during our explanation, skipping back and forth, repeating the unimportant parts, will provide additional cognitive load

With a little bit of luck the guard will give up and wave us past.

Of course, when you’re not a communication genius, this will require training and preparation.

Use in Social Engineering

By inducing cognitive ease, we can make deceptive tactics appear more believable and less threatening. For example, research on the mere exposure effect suggests that repeated exposure to a stimulus, such as a name or word, increases its cognitive fluency, making it easier to process and more likely to be perceived as true or familiar (5). We may use easily pronounceable and familiar names, repeatedly mention the target’s name, company, or job title, or employ simple language to create cognitive ease and increase the likelihood of compliance.

In addition to inducing cognitive ease, we can also try to exploit cognitive strain to distract, confuse, or overwhelm our targets, making it easier to bypass security measures. A classic example of this strategy is the “time pressure” technique, where social engineers create a sense of urgency, forcing their targets to make decisions under stress and with limited cognitive resources (6). Such pressure can lead to cognitive strain, decision fatigue, and ultimately compliance with our demands - without proper verification or scrutiny.

Countermeasures and Implications

Understanding the role of cognitive ease and cognitive strain in social engineering can inform the development of effective countermeasures against these attacks. Organizations can train security personnel and employees to recognize signs of cognitive manipulation, encourage critical thinking and skepticism in potentially deceptive situations, and implement policies and procedures that require additional verification or authentication for access to sensitive information or areas.

For instance, confirming requests with trusted colleagues can provide an additional layer of security against social engineering attacks. Organizations should consider the impact of cognitive strain on employees in security-critical roles or positions: the effects of long working hours or monotonous tasks on attention and decision-making need to be countered by a process or strategy. We only provide very broad recommendations at this point, because this is very process-dependent - there’s no one-size-fits-all solution.

Decision fatigue

TL;DR: When you want someone to make a decision in your favor, your chances are much higher on a Monday morning or after a vacation than on Friday night or after an extended period of work and stress.

We get tired of making decisions. Over a day, a week or a longer work period, our ability to make decisions in general, no matter if coupled with positive or negative emotions, will drastically decrease. This goes on up to a point where we stop making decisions at all. Online marketing strategies try to work around this problem with things like:

  • Repeated exposure: Displaying an advertisement for a product you searched for the day before. These placements are often made within well-researched time frames. This is not snake oil; online marketing strategies are backed up by consistent data, statistics, etc.
  • Cognitive ease: Using one-click checkout, subscription models or browser plugins to automate decisions, along with experimental stuff like the auto-filling fridge

Even professionals may not be aware of this issue. A friend of ours is a nurse and she regularly tells us about dealing with ambulance drivers who refuse to take her patients with them. When she asks what else to do with the patient, they often shrug and don’t answer, as if they try to say “not our problem” - while they know it definitely is their problem. We expect to get the same quality of treatment each time, while in reality it can be quite the opposite: not because they’re intentionally unhelpful, but because they’ve come to a point where they’re simply unable to make another decision.

This is not a character flaw, it’s our human inability to make decisions over and over again, probably way more than evolution built us for.

Finally, you may have noticed that when you go out to a party or event, there’s a time window when you can still easily decide to go home, for example around 23:30. But if you decide to stay longer, at some point around 3:00 a.m. you seem unable to go home anymore. The party is now almost empty, you’re bored and drinks are no longer served. But you remain seated in a corner, babbling about life choices with a stranger, checking the clock again and again, yet feeling unable to make the decision and leave.

So, try to have your heart attack on a Monday at the beginning of the ambulance shift.

Sources:

  1. Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus, and Giroux.
  2. Ibid.
  3. Tversky, A., & Kahneman, D. (1974). Judgment under Uncertainty: Heuristics and Biases. Science, 185(4157), 1124-1131.
  4. Baumeister, R. F., Bratslavsky, E., Muraven, M., & Tice, D. M. (1998). Ego Depletion: Is the Active Self a Limited Resource? Journal of Personality and Social Psychology, 74(5), 1252-1265.
  5. Zajonc, R. B. (1968). Attitudinal Effects of Mere Exposure. Journal of Personality and Social Psychology, 9(2, Pt.2), 1-27.
  6. Cialdini, R. B. (2006). Influence: The Psychology of Persuasion. HarperCollins.

General Disclaimer on Social Engineering

With all our articles about psychological manipulation we aim to help victims of such tactics. These days, bad actors use these techniques and tactics, outside of a legal context like red teaming or pentesting, for their own purposes. In doing so, attackers often cross ethical borders, for reasons like fraud, blackmail or just to put people under pressure, leaving their victims without resolution.

We provide detailed analysis of these techniques in the hope of creating awareness, helping people understand what may have happened to them and protecting them against social engineering attacks.