Social engineering: The wolf and the seven little goats.
Written by Division by Zero   
Tuesday, 06 September 2011 11:02

Today I was reading the story of the wolf and the seven little goats to my daughter. I couldn't help thinking that the wolf applied social engineering to get into the house of the little goats.

The old story, written down by the brothers Grimm, is about seven little goats. They are left alone in the house by their mother with explicit instructions not to open the door to anyone. The mother knows that the wolf wants the little goats for dinner. She gives the little ones two ways to distinguish the wolf from herself. She has a soft voice, unlike the wolf. The wolf has dark hair, the mother has white hair. Of course the wolf shows up. He is challenged and discovered as a wolf two times. But he does find a way to make his voice sound soft and make his arms white. In the end the little goats think he is their mother and let him in.

What can we learn from this old story? Social engineering, the art of deception, is often used to breach the security of a company. But what can we do about it? In the story the little goats are trained to recognize an intruder, but this proves not to be enough. Teaching your employees how to challenge possible intruders is not enough.

The goats make two errors. The first one is to give away the specific challenges. This is inevitable most of the time, but it has to be taken into account in their judgment. The second is that they fail to recognize atypical behavior. The wolf comes back multiple times and tries hard to convince them that he is their mother. The mother would probably do this another way, for example by using a key to open the door.

This cognitive bias, well known in social psychology (as mentioned in this paper), is referred to as the Fundamental Attribution Error (FAE). It is the tendency, in forming one's judgment of others, to underestimate the importance of the specific situation in which the behavior is shown. In the case of the story, the two errors made fall into this category.

Now: what to do about this within your security protocol? You have to train your staff to recognize odd behavior within a specific situation. Not only do they need to understand the standard challenges from the protocol, but they also have to learn to challenge odd behavior. And foremost, they must never open the door if there is any doubt.

© 2009 - 2012, Division by Zero

This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.