July 26, 2011
One of the fundamental tenets of Neurolinguistic Programming (NLP) is the idea of “matching and mirroring” – the idea that we create rapport between individuals by mirroring aspects of their physiology in ourselves and, because they see someone who looks like them, they’re more likely to enter into a rapportive state with us.
This effect does have some amount of basis and has been studied quite significantly – psychologists tend to call it the “chameleon effect”, based on the landmark 1999 study by Chartrand and Bargh. Their definition:
"The chameleon effect refers to nonconscious mimicry of the postures, mannerisms, facial expressions, and other behaviors of one's interaction partners, such that one's behavior passively and unintentionally changes to match that of others in one's current social environment."
The studies have shown that the effect of mirroring is present across most studies that have been performed – in particular, the Chartrand/Bargh study found significant impacts of mimicry on the rapport set of those studied. (Although, as Chartrand & Bargh note, some studies (LaFrance) have noted that the effect doesn’t exist or depends on other aspects of a relationship between those being studied.)
The problem comes when we consider the reason for rapport from an evolutionary perspective – we have evolved rapport and mimicry to facilitate social interaction between humans, not as a one-way process. That is, when I mirror you, I am unconsciously reproducing your state within me – this is facilitated by the “mirror neurons” (the posterior inferior frontal gyrus and adjacent ventral premotor cortex, as well as the rostral inferior parietal lobule as described by Iacoboni) – we are able to mimic another because we perceive their behavior and, in so doing, represent it within ourselves.
Note that this is the other half of the cybernetic loop that is edited out in the studies (and much traditional teaching of NLP) – in mimicking another successfully, we unconsciously represent their state within ourselves. While the Chartrand/Bargh study talked about the target of the mirroring liking the study confederate more when mirrored, there wasn’t a corresponding questionnaire filled out by said confederate to determine whether they had increased liking for the person being mirrored. Obviously, this would have had some methodological concerns. (Note that Chartrand and Bargh noticed the potential issue that this half of the cybernetic loop wasn’t being respected, and attempted to control for other behaviors – however, the question of the subtlety of mirroring behaviors on the behalf of the confederate is still open – I’d love to see a FACS coding of some of the samples of the confederates against those of the participants and note facial / micro-expression similarities.)
The state being mimicked is, in effect, dual-sided – that is, the more precisely we replicate the state of the other person, the more effectively we display the chameleon effect. It is this behavior that Chartrand & Bargh noted in their third experimental condition – that, at an unconscious level, those of us who tend to take others’ perspective (which can correlate to but isn’t the same as the traditional emotional definition of empathy) more often have a better developed set of strategies for adopting mirrored positions with others.
This, in my opinion, leads to a lot of the problems with the traditional NLP model for learning matching and mirroring. As Grinder said in “Whispering in the Wind”, there are two criteria for the evaluation of a model:
- Is it learnable?
- Does it lead to the learner producing results congruent with the original source of the model?
While any six-year-old can learn the NLP version of matching and mirroring (i.e. “monkey see, monkey do”), it’s the second condition that is much more problematic. Many who attempt to learn to create rapport through traditional means end up with matching/mirroring processes that, rather than create rapport more often, come off with the subtlety of a bad used car salesman. The reason for this is that we aren’t effectively attempting to teach the student of NLP how to mirror states, but only to broadly mirror large parts of behavior – we’re not respecting that rapport is a cybernetic process with multiple sides to the loop. And anybody teaching it from the perspective of behavior/posture isn’t respecting the other side of the loop (at least consciously).
In fact, in my own modeling of those who are excellent at creating rapport, it’s not their ability to mirror posture or breathing pattern or eye blinks that is most effective – it’s the ability to mirror and represent within themselves the state of those around them and to effectively convey that mirrored state (usually at a completely unconscious level).
Grinder also noted this in Whispering, when he stated that calibration is “the most fundamental of all NLP processes”. The person who is most effective at creating rapport with others is the one who most precisely calibrates the state of the other person and, upon representing that state within themselves, unconsciously adopts whatever behaviors are appropriate, regardless of whether they precisely “mimic” the other person.
The student who attempts to learn to create matching and mirroring without understanding how to effectively calibrate (which, using NLP terminology, is akin to an unconscious shift into second position) doesn’t become (in the Chartrand/Bargh terminology) a “high perspective taker”, which is one of the fundamental bases of being effective when it comes to matching and mirroring.
That is, the goal in matching and mirroring isn’t to replicate behavior – replication of behavior comes naturally when we effectively can adopt and replicate the state of the other person within the interaction. To attempt to mimic the behavior generally works only insofar as adopting a matched physiology can assist in replicating state.
October 5, 2009
Anybody in the industry who has talked to me about NLP has understood my utter frustration about the state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months ago.
And, for the past few months, I’ve been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I’ve been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.
But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while true, it doesn’t teach the reader anything useful about how to use NLP in SE. (That shouldn’t be taken as a criticism – I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months… the guys over there are doing the community a phenomenal service).
So, I sat down and started recording the material I had been putting together over the previous months. It’s going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you’re going to get.
September 28, 2009
I had a blast at Hacker Halted last week, and I did a talk that I was incredibly excited about. It was the first time I was going to talk about some of the new research I’ve done and, while I didn’t plan to give out a huge number of details on the methods, I hoped that the talk was going to be well received.
Well, I’m sure that it would have been, had it actually finished. Because I didn’t read the program nearly closely enough, and I prepared a normal 80 minute talk, only to realize that my speaking slot was 45 minutes.
So, I only got about 1/2 way through my slides, and much of the meat was lost. A couple of audience members talked to me afterwards and seemed a bit disappointed, so I promised I’d provide the talk another way.
I do like to keep promises. So I sat down at my computer this morning and recorded the slides and the audio. The entirety of the talk that the audience would have seen is below.
Let me know your thoughts and opinions and ask questions if you have them (since I didn’t get to take audience questions at the conference, either).
September 16, 2009
I’ve been ranting for years that we need more exposure about the threat that is Social Engineering. As time goes on, we move more toward a model where the human is the prime exploit target.
I just found out that some other people are thinking the same way. Today launches the first Social Engineering Framework. I’ve recently become a contributor, as have many incredible names in this industry.
I expect great things from that crew and hope to be part of some of them. Also, keep your eyes out for new developments here – I’ve been head-down working on some SE-related projects that all will hit in Q3 and Q4.
July 22, 2009
I found this article the other day about the teen in Great Britain who managed to completely dupe a bunch of airline executives into believing that he was a millionaire who was looking to buy into their company and expand it. The key to the attack is that greed was the prime motivator in the attack. From the article:
“When asked how he had managed to fool them, one of the airline execs in Jersey stated:
“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.””
That quote is the key to it all – we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?
The question is would this executive also be answering a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps? People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase, “if they were real,” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”
I’ll comment more on this article and overall story in a later blog. I think there’s something to be learned from a fact that’s recently been reported about this 17-year-old: he has autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.
March 17, 2009
I’ve spent a lot of my time lately working on projects related to social engineering. Writing articles, prepping class material, and just generally having conversations and brushing up on my skills. For those that don’t already know, Chris Nickerson and I are doing a full five-day class on Social Engineering at ChicagoCon in May, and there’s much to prep for.
In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net.
Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:
• Types of testing
o Direction of attacks
• Client-side / browser side exploitation
• By hand
• Malicious attachments
▪ Person to Person
• Social Networks/IM
• Public Manipulation
▪ Person to Person
• Gaining access to physical credentials
• Direct interaction
• Creating spies / information leak sources
o Methods (al mamalik, qulaam, KGB, CIA, others)
o Trading information
• Becoming an employee
• CD/Key drops
• Authentication bypass
• Key / perimeter bypass
• Falsification of credentials
• RFID / HID copying