Abstract

Today, social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems. Cybersecurity experts use the term “social engineering” to highlight the “human factor” in digitized systems, as social engineering attacks aim at manipulating people to reveal sensitive information. In this paper, we explore how discursive framings of individual versus collective security by cybersecurity experts redefine roles and responsibilities at the digitalized workplace. We will first show how the rhetorical figure of the deficient user is constructed vis-à-vis notions of (in)security in social engineering discourses. Second, we will investigate the normative tensions that these practices create. To do so, we link work in science and technology studies on the politics of deficit construction to recent work in critical security studies on securitization and resilience. Empirically, our analysis builds on a multi-sited conference ethnography during three cybersecurity conferences as well as an extensive document analysis. Our findings suggest a redistribution of institutional responsibility to the individual user through three distinct social engineering story lines—“the oblivious employee,” “speaking code and social,” and “fixing human flaws.” Finally, we propose to open up the discourse on social engineering and its inscribed politics of deficit construction and securitization and advocate for companies and policy makers to establish and foster a culture of collective cyber in/security and corporate responsibility.

Highlights

  • Today, social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems and information technology (IT) infrastructures (Abraham and Chengalur-Smith 2010, 183)

  • Contributing to the emerging conversations between STS and critical security studies (CSS) on cyber in/security, we propose to extend the discourse on social engineering and the inscribed politics of deficit construction and securitization

  • The deficit model and resilience entail a normative assumption of shifting from collective to individual responsibility: They depart from an understanding of the individual subject as “lacking”—either of sufficient education and knowledge to arrive at informed decisions in the case of the deficit model or the capacity to respond to crisis and disruption with adequate self-protection in the case of the resilience paradigm


Summary

Introduction

Social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems and information technology (IT) infrastructures (Abraham and Chengalur-Smith 2010, 183). Linking both approaches allows us to see the broader societal issue at stake here—from changing work routines and novel forms of expertise and epistemic authority in legitimizing security issues, to the politics of deficit construction and calls for more resilience as key elements in any securitization process. Both concepts, the deficit model and resilience, entail a normative assumption of shifting from collective to individual responsibility: They depart from an understanding of the individual subject as “lacking”—either of sufficient education and knowledge to arrive at informed decisions in the case of the deficit model or the capacity to respond to crisis and disruption with adequate self-protection in the case of the resilience paradigm. Resilience, achieved through additional education and training, becomes the proposed solution to and standard of success for the deficient user problem.
