RSA Europe: “Basic stupidity [surrounding IT security] is unstoppable”

War Games: Matthew Broderick shows how it's done...

But, he told his audience at RSA Europe this week, the reason social engineering exists as a science is that basic stupidity is unstoppable.

Although social engineering is such an inexact science, he says, it is really espionage practised at a lower level, and it centres on four main areas of susceptibility in the person being socially engineered: money, ideology, coercion and ego.

“It's worth noting that social engineering is a short term hit [in security terms] whilst spying is a hit with a longer agenda”, he said, adding that APTs (advanced persistent threats) are actually a form of social engineering in a specialised sense.

Winkler went on to say that there are subtle differences between the types of social engineering now being used by hackers and cybercriminals, but it is important, he explained, to recognise that stupidity is different from manipulation, even though both fall under the umbrella methodology that is social engineering.

Is social engineering an effective strategy for cybercriminals?

Most definitely, argues Winkler, who says that its complexity and diversity are what make the process so effective against otherwise secure IT defences within a corporation.

And, whilst most socially engineered attacks have a low probability of success compared to 'conventional' cybersecurity attacks, the payback, he notes, can be immense in terms of a 'return on investment' for the hacker.

So how do you counter the socially engineered attack?

Winkler says that IT security professionals need to “stop saying don't do that” and make their IT security systems and procedures as simple as possible, so that end users adopt the technology without too many problems.

“You also need to adopt penalties as a form of incentive and use technology very much as a fail-safe”, he said, adding that education is a useful tool in this regard, as giving people common knowledge allows them to use their common sense.