Those irritating cookie permission boxes might look harmless enough, but as I collated and analyzed the tactics in use, I came to realize that most of the permission boxes were using 10 or more separate techniques just to persuade us that it was easier to click “Accept all” than to take any other course of action:
Attentional bias to make the “Accept” option most noticeable
Coercion to block the page content until we agreed to the terms
Misdirection to hide the options for changing the permission settings so they were not easy to find
Fuzzing to make the time involved in pursuing the navigation of settings and options unappealing
…
Fuzzing as a human hacking technique was an interesting discovery. Fuzzing used to be a technique for pushing excessive and unexpected data into computer systems to check for vulnerabilities. However, because of the way the human mind operates, it is now also a social engineering technique in regular use. It overwhelms the mind with the impression that pursuing what should be a reasonable and preferable option within easy reach will instead take a huge and unsatisfying amount of time. After all, there is rarely any option on the cookie permission boxes to “Proceed with minimum cookies” or “Reject all” – and continue to read the page.
The more I collated and understood about the techniques, the more I noticed how many of them had fallen into mainstream usage. They had become standard tactics for most large and successful organizations.
Subliminal imagery, the subtle use of particular language to slip suggestions straight into the reader’s subconscious, selective social proof, reverse psychology, the illusion of choice and even outright bullying … I thought I had some idea of how these tactics were in use to hack the human mind, especially through the technologies we use. But it turned out that even I had vastly underestimated the degree to which PsyOps have become the backbone of trillions of dollars of income.
Due to the amount of psychology I had to explore – and on the recommendation of my copy editor – I also had to enlist the help of a psychologist to ensure my exploration of how the human mind could be exploited (and defended) would not be too egregious to those who worked in that field.
So where did I end up with all that research? Was I able to identify indicators of human compromise and a human hacking kill chain? In short, yes.
It turns out that hacking humans, just like hacking computers, is indeed a process, or to be more precise, many different process options – all of which share some common components.
What all human hacking techniques have in common is that each needs to get access to its human targets. But what was a real eye-opener was that, just like the techniques of the advanced persistent threat, the most effective human hacking seeks to embed its techniques into our everyday lives and to go unnoticed for as long as possible.
I no longer look at content delivered through technology in the same way. I sit and pull apart the vast array of techniques packed into web pages and even emails, and I have reduced the number of organizations I subscribe to and increased my efforts to protect my identity.
This book has changed my life. It forced me to analyze and improve what I knew about making effective, persuasive arguments, and to recognize how the things that we do not think make a difference to the way we make life choices (but do) are exactly the items that are used to hack the human mind.
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/how-to-hack-a-human