[mmanfrin]

For those of you misreading this comment: Aelinsaar is saying that if a system/target is vulnerable to social engineering, then hacking (code) that system/target is not clever.

[ewzimm]

You could take that concept pretty far. There's no computer system that doesn't involve a human element (CS101). And yet some of the most clever people spend their time finding ways to hack the machine element. Their work inevitably gets understood and integrated into software, either through voluntary submissions through bug bounties or otherwise.

Social engineering has been understood for a long time, and yet we can't develop defenses in the same way we can develop defenses in software. So we have an underpaid workforce of software hackers uncovering vulnerabilities which get patched and an overpaid workforce of social engineers exploiting unpatchable vulnerabilities in the human condition.

Who is really being exploited here?

[Aelinsaar]

You don't need to crack a safe if you can get the combination from the owner. You don't need to pick a lock if you can pick the key from a pocket. It also goes to the classic XKCD comic about the realities of crypto: https://xkcd.com/538/

As for why so little attention is paid to the human side, I think you said it, "We can't develop defenses the same way we can develop defenses in software." Not only that, but a human being who's brilliant in their role in your company, might be singularly unsuited to learning lessons about social engineering.

I suppose if you want a humorous and somewhat dystopian sci-fi view of how this could be managed... you ever read 'Snow Crash'?