
The Psychology Behind Social Engineering Tactics Used to Target Critical Infrastructure 

Updated: Jun 5

Abstract: Social engineering is a significant threat to critical infrastructure, where attackers use various psychological tactics to gain access to sensitive data and systems. This paper examines the psychology behind social engineering tactics used to target critical infrastructure. The article discusses attackers’ techniques and explores the psychological principles that make these tactics effective. The paper also proposes strategies for mitigating social engineering risks to critical infrastructure. 


Keywords: Social engineering, Critical infrastructure, Psychology, Tactics, Risk Mitigation 




Introduction - Critical infrastructure plays a vital role in the functioning and daily life of modern society. It often goes unseen and unnoticed until there is an issue. Consider the litany of services a modern society uses on a regular basis: water, sewer, trash, courts, payment processing, and emergency services such as dispatch, poison control, fire, police, and ambulance, to name a few. All of these services are vulnerable to cyberattacks, including social engineering attacks. In a social engineering attack, an attacker uses psychological tactics to trick people into divulging sensitive information or to gain unauthorized access to systems. The psychology behind social engineering tactics used to target critical infrastructure is an important area of research because it can help in devising strategies to mitigate the risk of these attacks.


Techniques Used by Attackers - Social engineering attackers use various methods to manipulate their victims. These techniques can include phishing, pretexting, baiting, and quid pro quo. Phishing involves sending legitimate-looking emails to trick the recipient into clicking on a link or providing sensitive information. Phishing is the easiest of these to carry out because attackers can send an alarming number of emails with the click of a button. It demands little skill from attackers, and the rise of email marketing has lowered the barrier to entry. Pretexting consists of creating a false identity to gain access to information or systems. Baiting involves leaving a physical device, such as a USB drive, in a public place, hoping that someone will pick it up and use it. Quid pro quo involves offering a benefit in exchange for sensitive information or access.


Psychological Principles Behind Social Engineering Tactics - Social engineering tactics are effective because they exploit human psychology. People tend to trust authority figures, and attackers often impersonate them to gain access. People also tend to respond to urgency, and attackers use this to create a sense of urgency, prompting victims to act quickly without thinking. Many times, attackers will impersonate a large corporation (Amazon, UPS, Norton) or a banking institution (Bank of America, Discover Card, PayPal). The risk of losing money causes people to panic quickly, so they don’t think as clearly as they would under normal circumstances; as a result, victims overlook safety measures and act irrationally. People tend to reciprocate favors, and attackers exploit this by offering benefits in exchange for sensitive information or access. People also tend to comply with social norms, and attackers use this to create a sense of conformity, prompting victims to behave in a certain way.
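The authority and urgency cues described above can be screened for on the defensive side. The following is an added example, not part of the original article: a small heuristic that flags a message whose display name uses one of the brands named above while the sending domain does not belong to that brand, and that also checks for urgency wording. The brand-to-domain allow-list, the urgency phrases, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative allow-list for the brands named in the article;
# a real deployment maintains and verifies its own list.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "ups": {"ups.com"},
    "norton": {"norton.com"},
    "bank of america": {"bankofamerica.com"},
    "discover": {"discover.com"},
    "paypal": {"paypal.com"},
}
# Assumption: a small sample of urgency / loss-of-money wording.
URGENCY = re.compile(
    r"\b(immediately|urgent|within 24 hours|suspended|final notice|"
    r"unauthori[sz]ed (charge|transaction)|act now)\b", re.I)

def domain_allowed(domain, allowed):
    # Exact match or a subdomain of an allowed domain.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def score_message(raw):
    """Return the pressure cues found in one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    cues = []
    for brand, allowed in BRAND_DOMAINS.items():
        claims_brand = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        if claims_brand and not domain_allowed(domain, allowed):
            cues.append(f"authority:{brand}-display-name-from-{domain}")
    if URGENCY.search(text):
        cues.append("urgency")
    return cues

# Constructed sample messages (not real traffic).
SAMPLE_PHISH = ("From: PayPal Security <alerts@paypa1-support.example>\n"
                "Subject: Urgent: account suspended\n\n"
                "We detected an unauthorized transaction. "
                "Verify within 24 hours.\n")
SAMPLE_LEGIT = ("From: PayPal <service@paypal.com>\n"
                "Subject: Your receipt\n\nThanks for your payment.\n")

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(raw))
```

A message that trips both cues is a candidate for a warning banner or quarantine review; either cue alone also appears in legitimate mail, so the output is a triage signal rather than a verdict.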


Strategies for Mitigating Social Engineering Risks - Mitigating social engineering risks requires a multi-pronged approach. Organizations should conduct regular security training for employees to raise awareness about the dangers of social engineering attacks and how to identify them. They should also implement strong access controls and authentication mechanisms to prevent unauthorized access. Organizations should also conduct regular security assessments to identify and address vulnerabilities promptly. Finally, organizations should have an incident response plan to respond quickly and effectively to social engineering attacks or their repercussions.


Conclusion - The psychology behind social engineering tactics used to target critical infrastructure is complex and multifaceted. Attackers use various techniques to exploit human psychology, making social engineering attacks a significant threat to critical infrastructure. Mitigating social engineering risks requires a multi-pronged approach that includes regular security awareness training, strong access controls, regular security assessments, and an incident response plan. By understanding the psychology behind social engineering tactics, organizations can better prepare themselves to protect their critical infrastructure from these attacks. 





