Introduction
A realisation hit me recently. I felt inclined to write it down as I thought it was interesting, maybe even original to some degree. Equally, it might be the caffeinated ramblings of someone who needs more sleep.
My contention is this. The principles of Gestalt theory can be used to better understand and harmonise some of the concepts in modern social engineering.
It struck me that Gestalt framed the concepts within social engineering in a rather elegant way. After a cursory look, I’m surprised that nothing has been said on the matter (as far as I can tell anyway). After all, Gestalt is about human perception and how we take an inherently holistic approach to the aggregate of information.
I appreciate that this is a somewhat unusual concept, which means I’ve got to do some pretty heavy lifting: not only outlining the concepts but relating them in a somewhat meaningful way.
But . . . there is something that needs to be addressed first.
A quick note on bias
The term cognitive bias is thrown around like it is the original sin of the modern age. Arguably bias is just a preference either by virtue of essential biological mechanisms or based in our experience. Whilst there seems to be some kind of crusade to rid the world of bias (or more accurately, unfashionable preferences) it is a position which denies the reality of the human condition.
Bias is the natural consequence of how we perceive the world. We cannot function using a fully rational interpretation of the world. We need rules of thumb and mental shortcuts so we can operate in a reasonable way. This is the biological reality we are confined to and biases are a part of that.
The Gestalt principles we will discuss are heuristics which have a causal relationship to cognitive biases. It’s useful (and an oversimplification) to consider that heuristics give rise to cognitive biases. Cognitive biases are a by-product of heuristics. The reason we use heuristics is down to the practical reality of being human and the physical expenditure and performance reduction of using System 2 thinking. I talk about Dual Process Theory in a previous article and how heuristics and biases inform the majority of our decision making.
But, back to the subject in hand.
What is Gestalt?
I am specifically referring to the “laws of perceptual organisation.” These are better described or thought about as principles or heuristics. The seven principles describe how we perceive information when it is presented. These all relate to pattern recognition and prediction in some way, either directly or as a way to group information in order to make a prediction.
When we refer to the Gestalt of something we are talking about the combined elements that are perceived as a single entity. Perhaps it is similar to how a system or application is constituted as a whole despite being formed of many hardware or software components.
Gestalt principles describe an inherent exploitability in the human interpretation of the world which makes them effective to deploy in a social engineering context. For each principle I’ll give an example of a related cognitive bias which helps us understand the principle a little more deeply. This isn’t a 1:1 relationship or a complete picture; however, in this context it helps us to understand the principle.
So let’s have a quick look at the Gestalt laws.
Prägnanz - The law of simplicity
This principle tells us that complex concepts and structures are understood in a simplified form. Our minds try to understand complexity by using symmetrical and more stable structures.
This is related to the cognitive closure bias, where we seek a clear and definitive answer to a problem. We will prefer simple answers, even if they are incomplete, as they are more easily understood.
The law of proximity
The mind has a tendency to conceptualise things that are close together as a group and to imply a relationship between them. This helps organise information efficiently.
This is related to the clustering illusion, a bias that leads us to believe that grouped elements have an inherent relationship.
The law of similarity
Elements that bear a resemblance are grouped together; this helps identify relationships in the external environment.
This is related to stereotyping and confirmation bias. Oversimplification such as stereotyping can lead us to make assumptions that may not be true. Confirmation bias can reinforce pre-existing ideas about a group.
The law of figure-ground
This allows us to distinguish a foreground element from a background one. It gives focus on what is important.
This is related to salience bias, where we over-focus on the figure rather than the ground. We place more importance on the figure, which can sway judgement.
The law of closure
The mind will complete patterns where there is incomplete information. In part this is why we can identify shapes, faces, or forms even if they are obscured.
This is related to Illusory Pattern Perception where connections can be made where they don’t really exist.
The law of continuity (good continuation)
We naturally perceive elements to form a coherent, unified whole. It is a logical progression depending on our intuition around causality.
This is related to anchoring bias, where we rely too heavily on an initial piece of information that we are provided. Additionally, because of the predictive aspects of the law of continuity, sequential bias can come into play, placing too much emphasis on the immediately preceding information.
The law of common fate
Elements that move together or change in synchrony are perceived as part of the same group. Our perception tunes into any coordinated behaviour, interpreting it as a sign of shared purpose or origin.
This is related to social proof or herd behaviour. The tendency is to assume that the behaviour or beliefs of the common group are correct.
So what does this have to do with social engineering?
Gestalt outlines a number of laws that detail pattern recognition and predictive behaviour within humans which are clearly exploitable by social engineers. They can depend on people making connections by virtue of the information they are presented with, which may or may not be true.
So let’s step through some aspects of social engineering and see how they relate to Gestalt.
Pretexting
Broadly accepted definitions will describe “the process of developing a credible backstory (or "pretext") that supports the false identity or scenario”. This is about creating a believable situation or identity. In social engineering, the goal is to avoid scrutiny by carefully curating expectations so that interactions appear to conform to accepted paradigms and social norms.
We might imagine a scenario where gaining access to a building is needed. It could be advantageous to present as an engineer or workman to gain access to the building. The pretext in this scenario would require wearing the right uniform, carrying the right accessories, using appropriate language, and being there for an expected reason. The pretext needs to be consistent, and incongruence can break the illusion. In social engineering, pretexting will require intelligence gathering so that the expectations can be understood, which can include activities like dumpster diving to obtain internal documents.
The law of closure does a lot of work here: the target is expected to complete the picture in their own mind, which sells the illusion. The heuristic comes into play quite strongly to the benefit of the social engineer.
Noted social engineer Kevin Mitnick discussed pretexting. Mitnick used social engineering to undertake a number of hacks that put him on the FBI’s most wanted list. His high-profile arrest in 1995 and subsequent imprisonment highlighted the importance of understanding and defending against social engineering attacks. Kevin Mitnick became one of the most notable figures in the realm of hacking and social engineering. His hacks exposed critical flaws in how organisations managed human aspects of security and fundamentally changed how businesses and governments detect and defend against social engineering attacks. Mitnick discusses the concept of pretexting when he says the following.
Much of the seemingly innocuous information in a company's possession is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.
(Mitnick, 2002)
This is often similarly quoted (possibly misquoted) as ‘social engineers veil themselves in a cloak of believability’. The main point here is that the social engineer must use the available information to make themselves seem consistent to the environment so that they can achieve their goals.
Social engineers like Mitnick speak to a pretext where the elements are coherent. In essence they are invoking principles of Gestalt Theory although it is never directly referenced. Gestalt Theory talks about perception and how people will tend to perceive objects and situations as organised whole events rather than individual components. Social engineers have identified experientially that the strength of pretext is dependent on the perception of it in totality which speaks to the law of closure.
The law of continuity can also come into play where a social engineer has created a series of events that follow to a logical conclusion. Where the pretext is a workman gaining access to the building, they could have placed calls or sent e-mails to the reception staff so that the workman is expected. This type of scenario is related to the influence principle of commitment. This scenario creation can contribute to both the pretext and the broader Gestalt, improving chances of success.
According to Gestalt principles, when individuals perceive all elements as part of a cohesive whole, they naturally fill in any missing details in a process known as closure. This is why even minor inconsistencies can break the overall illusion, and why consistency becomes important: a break in the Gestalt disrupts the conclusions that are drawn by the target.
Consistency
Robert Cialdini’s 1984 work ‘Influence: The Psychology of Persuasion’ is directly referenced when social engineering is discussed. It can be considered to be a foundational text in relation to the practice. It is viewed by some to be the marketing manifesto as the principles of influence it outlines have powerful application in a sales context, especially when discussing consistency.
Cialdini discusses consistency in the context of influence. Consistency is a principle of influence defined by Cialdini and has become part of the social engineering canon. Incongruence with the environment can break believability as the social engineer becomes inconsistent with that environment. Inconsistency breaks the Gestalt and breaks the pretext. Cialdini understood that incongruence is easily detectable by an observer and attracts additional scrutiny.
It should be noted that consistency is a previously described principle of influence, but Cialdini takes the concept to its conclusion by talking about exploiting the inconsistency in the target rather than ensuring consistency within the self. Cialdini asserts that people will make bad decisions, and ones that can be used to their detriment, to maintain internal consistency and the consistency they project outwardly. He explains.
If I can convince you to make a commitment (that is, to take a stand, to go on record), I will have set the stage for your automatic and ill-considered consistency with that earlier commitment. Once a stand is taken, there is a natural tendency to behave in ways that are stubbornly consistent with the stand.
(Cialdini, R., 1984)
Consistency is of importance when talking about influence and manipulation due to human pattern recognition.
Rapport and Liking
At its core, social engineering depends on the influence or manipulation of another person to achieve a desired outcome. One of the key methods of achieving this is through establishing rapport. By establishing a connection with a targeted individual, a social engineer can establish trust, making subsequent actions easier to achieve.
Rapport building in social engineering often involves eliciting empathy, which can promote the production of oxytocin, sometimes referred to as the 'love hormone', which enhances trust. Paul J. Zak’s book “The Moral Molecule” describes oxytocin’s role in trust formation and shows how positive social interactions can foster a sense of connection and reliability. Obviously, this is advantageous to a social engineer.
Social engineers benefit from manipulating features present in group dynamics such as consensus or social proof. Cialdini describes this as follows.
We view a behaviour as more correct in a given situation to the degree that we see others performing it.
(Cialdini, R., 1984)
This is also known as the bystander effect and was demonstrated experimentally in the 1950s in the Asch Conformity Experiments, where participants responded to questions incorrectly when the answer was obvious but the wider group selected the incorrect answer. This is an example of the law of common fate.
Conclusion
I’ll assume that if you have gotten this far then you know enough about the subject matter to have your own thoughts on it. I could go on but I’ll let the law of closure fill in the rest for you. At this point you either have a favourable inclination towards the perspective I’ve outlined or you are now just indulging a peculiar curiosity.
Gestalt gives us a useful lens through which to understand social engineering concepts and is by no means complete. What it does do is step us away from the consequence of the way we think towards addressing the principles of how we think. Biases have always seemed too ‘after the fact’ to be practicable in any comprehensible sense to me. Applying Gestalt helps in consolidating disparate threads into a set of workable principles that explain why the principles of influence work.
Perhaps then, Gestalt itself is the mechanism that allows us to see the ‘Gestalt’ of social engineering. There is a reductionist aspect to this . . . and this is where I bamboozle you with some metatheoretical elegance. Gestalt itself is a form of Prägnanz, the law of simplicity. Gestalt is what it describes. By breaking down psychology into a simple set of laws it is a simplification in its own right. Gestalt is both the description and the example. You might need to read that a couple of times, it’s mad, I know!
A cynic would say that my application of Gestalt is flawed because of this simplification but I might argue that I am aligning to mechanisms of human comprehension as they are emergent from the fundamentals of our biological construct.
Or . . . I might just be fucking with your head at this point.