
What is Critical Thinking?

September 12, 2018

In the field of security awareness and associated training, the term “critical thinking” is thrown about as an effective defense against social engineering attacks. So, what is critical thinking? And how can it be applied in day-to-day activities to make a user or an entire user-base more secure? 


According to the Foundation for Critical Thinking, a “well-cultivated critical thinker” gathers and assesses relevant information and comes to well-reasoned conclusions and solutions. One also thinks open-mindedly within alternative systems of thought, while recognizing and assessing their assumptions, implications, and practical consequences. 

Let’s break that down a bit. “Gathers and assesses relevant information,” is a very important piece. These days we are overwhelmed with the amount of information we have access to. So, it is vitally important to be able to see through that fog and focus on what is relevant for a given situation.  

“Comes to well-reasoned conclusions and solutions,” is a bit more subjective and changes given different circumstances. From a social engineering defense perspective, this often relates to using stated policies and procedures as your guidepost to a well-reasoned solution. If the attacker is asking for information that is proprietary or confidential in nature, then your company's policies should clearly state what to do in that situation.

That last bit, “recognizing and assessing their assumptions, implications, and practical consequences,” is where it all comes together in the mind of a critical thinker. What is going to happen if I give this attacker the information they are asking for or act as requested? The consequence of that action could range from minor to devastating to an individual or company. That needs to be addressed before the action is taken. At a minimum, if a link was clicked or information was disclosed, the individual needs to recognize that a mistake was made and then report the activity to the appropriate security contact(s).

How do we improve our critical thinking skills?

The primary obstacle to critical thinking is emotion. Exploiting emotion is a tactic all social engineers use to subvert the training the user may have received and get them to act even though it may not be in their best interest.

The most common emotional triggers used by attackers are fear, trust, curiosity, and greed. These can be used together or independently to try to flood the target with enough emotion that critical thinking just isn’t possible. That moment of heightened emotion can actually be the signal that critical thinking is necessary for that situation.

When you receive an email or a phone call and, for whatever reason, you start to feel overly emotional about the content or message being presented, that is when you should step back and re-evaluate the situation. Nothing, short of a direct life or death moment, will be adversely affected by an extra minute or two of analysis. That short period of time could be enough for your intellectual mind to see the flaw, danger, or consequence that your emotional mind looked right past. 

The ability to effectively think critically really comes down to practice and insight into your own mental state. All of this can be taught as part of a security awareness program, and it will have far-reaching impacts on the daily lives of those that practice it, both personally and professionally as a defense against social engineering attacks.  

Take notice if you are emotional in a situation, evaluate the request that is being made, and understand the consequences of taking that action. Be a critical thinker by applying these simple strategies. Well, simple to say but it takes practice to master. 

Sources:
https://www.criticalthinking.org/pages/defining-critical-thinking/766
https://techgenix.com/social-engineering-attacks/ 
