Daemon on Security Blog
Daemon.be is a security research group from Western Europe. We use this blog to refine our own thinking on information security issues.

Inoculation as a means of thought process hardening
September 24, 2007

by Maarten Van Horenbeeck


I've always been a great proponent of information sharing. If you live in Belgium, one of the best organizations for meeting new, interesting security folks is ISSA. About once a month they organize events that really anyone can attend. These often have fun talks, but more interestingly, you get to match your ideas on the infosec world with your peers, and that gives you some solid ground while you're up in the air trying to think of ways to better protect information assets.


And up in the air I was, last week. Speaker at the event was Uri Biber of Getronics, who gave an interesting talk about social engineering. I'd have to admit that, as with all social engineering presentations I've seen, I thought it was a bit light on content. That wasn't the presenter's fault though - there just isn't much standardization, nor a framework to base your social engineering efforts on. That could be improved, but more about this later.


What made the session interesting was a practical exercise at the end. Attendees were divided into attackers and defenders and forced to think about how to protect their organization's assets at a critical point in time (just before a major deal and at the end of a really lousy quarter). It was an interesting exercise, as we're generally not forced to think this tactically about information control. While we can manage the flow of information across our network, people are generally out of scope. We include them in policies and do some awareness training, but that's usually where our efforts end.


There have to be more advanced ways to harden our organisation, though. One of the ideas I had was to apply inoculation theory to ensure that members of your organization help keep certain corporate messaging intact. The technique was developed by William McGuire and Demetrios Papageorgis in the early 1960s, in the aftermath of the Korean war, out of concern about the "brainwashing" of US prisoners of war: the goal was to find ways of making a belief resistant to persuasion, so that people would not merely hold a belief but actively defend it when it came under attack.


In brief, inoculation theory holds that a weak attack on an existing belief, successfully resisted, makes that belief stronger. Strong beliefs engender attitudes that propagate those beliefs. The technique consists of three major steps:


  • Communicate the message (your belief) to the target audience;
  • Warn the audience that others will try to convince them otherwise;
  • Mount a weak attack on your message that forces your audience to defend it.

Instead of merely passively accepting your message, your audience is forced to think about it as a system, with its advantages and disadvantages, and to overcome an attack on their belief. As the attack is weak, the vast majority of recipients will not be convinced that their belief is wrong. On the contrary, they will gather and process more information to prove to themselves that they were in fact right. Afterwards, the belief is protected against future, stronger attacks, because the recipient has learned to defend it.


Several research studies have confirmed these findings, from different points of view. Not only has it been confirmed by direct research, but also by studies with a slightly different focus: it has been shown that distributing a message together with weak arguments against it and strong arguments in favor defends an audience's belief system better than merely distributing strong arguments supporting it.

