About two weeks ago, I was looking for a book I have called “Mike Caro’s Book of Poker Tells” for a post I wrote about poker as a great game for learning social engineering. I looked through several boxes that I have that are just books, but I came up empty-handed; however, I hit psychology pay dirt as I found some psych textbooks and notebooks from my first undergrad degree. One in particular is “Theories of Human Communication 5th Edition” by Stephen W. Littlejohn, which I will be referring to in this entry. Another possible source of reference is “The Art of Deception: Controlling the Human Element of Security” by Kevin Mitnick and William L. Simon.


I think it’s a combination of these two books and hanging out at social-engineering.org and listening to their podcasts that started the gears turning for the title of this post. The hypothesis is that a corporate spy could use influence to control how a group makes its decisions to benefit a rival corporation. With a little imagination, I’ll also attempt a plausible scenario, God willing.

The first thing I would like to do is break down some communication theories that would be good candidates for this scenario.

Fisher’s Interaction Analysis

This theory about group decision making was developed by Aubrey Fisher and Leonard Hawes. To simply state the idea, communication within groups is derived from what Fisher and Hawes call “interacts” or “the act of one person followed by another” (Littlejohn, Stephen W., Theories of Human Communication 5th ed., Belmont, CA: Wadsworth Publishing Company, 1996, p.291). As an example, a boss asks “Hey Jim, what were last quarter’s profits?” and Jim replies “I’ll take a look.” That is pretty much how an interact works. Statements, questions with responses and even greetings can be the basis of interacts (ibid, p. 291). When applied to group communications, Fisher constructed four phases for how a group decision is made in his “theory of decision emergence” (ibid, p.292). The four phases are:
1.     Orientation: This phase is pretty much getting to know your group members and trying to figure out what the task at hand is. (ibid, p. 292)
2.     Conflict: In this stage, group members’ ideas on the task at hand become concrete, which will divide some colleagues.  Arguments and negative opinions materialize.  Members begin to ally with those that share the same outlook on the group’s goal.  (ibid, p.291)
3.     Emergence: Viewpoints and attitudes begin to change.  The group begins to act as a cohesive unit to reach the desired answer to the goal/task at hand. (ibid, p.291)
4.     Reinforcement: The group finally reaches a decision and stands behind it. (ibid, p.291)
That, in a nutshell, is how a group interacts and comes to a decision, according to Fisher and Hawes.  Now let’s look at a big issue in regards to group decision making.

Groupthink

Groupthink is a theory proposed by Irving Janis.  While group decision making is considered a quicker and more efficient way to solve a problem or perform a task, Janis has also pointed out its pitfalls.  While he recognizes that groups with strong bonds perform better and new members conform to the rules more quickly, there is a downside as well. (ibid p. 286)  He has identified six negative outcomes.

1.     Few alternative solutions are presented, as the group seems to fixate on the simplest idea (ibid, p. 286)
2.     The most popular idea is favored, but the group doesn’t think about the less obvious areas where it may fail or what the consequences of the decision are (ibid, p. 286)
3.     When ideas are generated, the ones that fall out of favor are rarely revisited even by the minority who proposed them. (ibid, p. 286)
4.     “Expert opinion is not sought.  The group is satisfied with itself and may feel threatened by outsiders.” (ibid, p. 286)
5.     Information gathering is very selective as members only look for data that supports the idea. (ibid, p. 286) This is almost akin to self-fulfilling prophecy in scientific research, where the researcher only seeks information to support his/her hypothesis and doesn’t take into account the other side of the argument.  This will always lead the scientist to the conclusion s/he was looking for regardless of the validity of the outcome.
6.     Tying in to what I mentioned about self-fulfilling prophecy, Janis’s final negative outcome is that overconfidence in the group’s decision leads the group not to consider alternatives if something doesn’t work out. Nor does the group take into account that failure is an option, so a plan for failure isn’t in place. (ibid, p.286)
With these factors in place, Janis explains how they affect groupthink in eight ways.
1.     Illusion of invulnerability: Nothing can go wrong in the group because everything is under control. (ibid p. 287)
2.     Collective rationalization: Through discussion of the idea/task at hand the group will “talk itself into thinking it did the right thing” (ibid, p.287) in regards to the decision the members made.
3.     Morality: The best outcome may actually have moral and ethical ramifications the group might overlook. (ibid, p.287)
4.     Out-of-group leaders are stereotyped as threats, or as being “weak or stupid.” (ibid, p. 287)
5.     Direct pressure: Opposing opinions are quickly shot down for the sake of group cohesion (ibid, p.287)
6.     Self-censorship:  Because opposing opinions are quickly shot down, group members will go along with what the group is doing, even if they don’t agree with other members’ positions on the issues at hand. (ibid, p.287)
7.     Illusion of unanimity: Even if all of the members don’t support the idea/decision, the group will still prevail even if it’s for the sake of solidarity. (ibid, p.287)
8.     Mindguards: Group members who support and protect the leader(s) of the group.  They take the position of suppressing information, and even members, that will threaten the group decision. (ibid, p.287)
The book goes on to discuss the steps that Janis has laid forth to prevent groupthink, but for this post, groupthink is a potentially wanted outcome.  Now let’s see if we can come up with a scenario, but first let’s define corporate/industrial espionage.  Wikipedia has an awesome breakdown of corporate espionage, so for the sake of brevity, see its entry on the topic.

The Scenario

Here is how I think it is possible for a corporate spy to exploit a group’s operation in order to carry out his/her handlers’ plans.  Let us assume that company A is the target and company X is the attacker.  I have a feeling that, while I’m not an expert in corporate espionage, large corporations are more susceptible to infiltrations.  My reasoning is that large companies tend to have the entire C-suite (chief executive officer, chief financial officer, etc.) separate from the rest of the company.  An educated guess is the heads of GE don’t frequently visit all the business entities that operate under them.  The number of employees they have would never allow the C-suite to know everyone inside and out.  A small business, on the other hand, would have a better chance of detecting a spy, but I could be wrong and I digress.  Let’s get to the fun stuff.

Insertion

In order for company X to get their spy into company A, I think someone from the attacking company would have to grease the wheels of an unhappy employee at the target business, preferably a person in the position of being involved with the hiring of new employees.  So, maybe an exec at company X pumps an unhappy HR worker for information and in return the HR employee gets a little cash under the table, dinners at great restaurants, etc.

The spy company X selects should be a master manipulator when it comes to social engineering.  In order for this scenario to work, the spy would have to be placed in a position that works closely with application development and security, so the chosen candidate would also need a nicely rounded background in programming as well as information security.

Once selected, company X would use its inside person at company A to get the spy into their system as a fully fledged employee.

Integration

Once the spy is in the target company, the first step, when engaging in social engineering, would be, according to Kevin Mitnick, to build trust among the targets because they will be easier to manipulate once their guard is down. (Mitnick, Kevin., The Art of Deception: Controlling the Human Element of Security, Indianapolis, IN., Wiley Publishing, Inc., 2002, p.41)  It would give the spy a chance to learn about the characteristics of his/her “colleagues.”  This would be a key step as it would give the spy a chance to build up political power within the department(s) s/he is assigned to as well as learning how to influence the people in this group.  I think a great social engineer has the ability to quickly adapt to people’s characteristics in order to build rapport rapidly.

Group Meeting

Two months into the spy’s job, an IT department meeting is called to discuss how to design and implement a new product for their marketing efforts; an application that can revolutionize how they collect and use customer data in order to increase sales drastically.  Access to the database that this app would create could be considered invaluable to their competitors.


Since the spy has taken the time to know the employees inside and out, s/he takes the initiative to make suggestions for the project as well as run the discussion, in a sense establishing him/herself as the leader of the group.  To make sure the idea happens, it is presented, by the spy, as a very simple one so that the majority of the department will fixate on it.  As the idea is deemed popular by the group, the dynamics of groupthink should hopefully take over.  The spy even volunteers to be the person who does the inspection of the application before its release.  Why? So that s/he can build a back door into the code that would allow him/her and company X to access the information in the application’s database.  As long as the group continues to exhibit the symptoms of groupthink, the plan should be a piece of cake. To make sure, I think the spy would need to quickly identify who the mindguards of the group are, so that they can help suppress opposing ideas or attempts to bring in outside experts to find the best way to design the product.  Group cohesion would have to be ratcheted up so high that, in order to maintain the togetherness of the unit, the spy would have to use the group members’ flaws.

Aftermath

After the design of the application is finalized by the spy, s/he hands off the details to company X on how to access the back door of the database to get the client information.  In a sense, the database would be a huge pool of new potential customers and a smart marketing campaign could be built to pull them away from company A.  Once the database is accessed though, the spy’s days at company A would be numbered and s/he would have to pick the right moment to resign.

Conclusion

Could group decision making be a useful tool for a corporate spy, or even a social engineer?  Yes and no.  While an individual can be influenced relatively easily, it would be an uphill battle for one person to truly manipulate an entire group.  For starters, there’s the issue of conformity.  One or two more people would have to be in alliance with the manipulator in order to gain more support for the proposed idea.  Seeing that our fictitious corporate spy was only working at the target company for about two months, I think it would be difficult to exert social power over veteran employees who really know the workings of the company.  In that light, company X would be better off using the unhappy HR employee to find an unhappy IT employee who understands the politics of the organization.  I think in that case, one person influencing a group is plausible if the cards dealt are played right and that means setting things up so that groupthink is inevitable.  While it may be plausible, I could only imagine the effort needed wouldn’t be worth the time of one person.  This certainly needs more looking into and I will need to track down studies on individuals purposely influencing the decision-making process of a group.

If you’ve made it this far, I applaud you!  If you have anything to add to my hypothesis I would be interested in your theories, even if they are an opposing view.  Can you come up with other situations where the flaws of group decision making are exploitable?  Post them in the comment section!

See you next post.

References Cited

Littlejohn, Stephen W., Theories of Human Communication 5th ed., Belmont, CA: Wadsworth Publishing Company, 1996

Mitnick, Kevin., The Art of Deception: Controlling the Human Element of Security, Indianapolis, IN., Wiley Publishing, Inc., 2002
