Hacking Humans? Social Engineering and the Construction of the “Deficient User” in Cybersecurity Discourses

Abstract

Today, social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems. Cybersecurity experts use the term “social engineering” to highlight the “human factor” in digitized systems, as social engineering attacks aim at manipulating people to reveal sensitive information. In this paper, we explore how discursive framings of individual versus collective security by cybersecurity experts redefine roles and responsibilities at the digitalized workplace. We will first show how the rhetorical figure of the deficient user is constructed vis-à-vis notions of (in)security in social engineering discourses. Second, we will investigate the normative tensions that these practices create. To do so, we link work in science and technology studies on the politics of deficit construction to recent work in critical security studies on securitization and resilience. Empirically, our analysis builds on a multi-sited conference ethnography during three cybersecurity conferences as well as an extensive document analysis. Our findings suggest a redistribution of institutional responsibility to the individual user through three distinct social engineering story lines—“the oblivious employee,” “speaking code and social,” and “fixing human flaws.” Finally, we propose to open up the discourse on social engineering and its inscribed politics of deficit construction and securitization and advocate for companies and policy makers to establish and foster a culture of collective cyber in/security and corporate responsibility.