Skip to main content

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Social manipulation i en straffrättslig kontext - beaktas mänskliga sårbarhetsfaktorer i den straffrättsliga bedömningen?

Johansson Wintzell, Ellen LU (2020) JURM02 20201
Department of Law
Faculty of Law
Abstract (Swedish)
Genom att utnyttja generella socialpsykologiska mänskliga sårbarhetsfaktorer kan en gärningsperson manipulera en individ att lämna ifrån sig konfidentiell information. Utnyttjandet av mänsklig kontakt och förtroende i syfte att erhålla information kan företas med hjälp av informationsteknik eller genom en mer traditionell och humanistisk interaktion. Denna typ av utnyttjande benämns som social manipulation. Gärningspersonen använder beteendepsykologiska verktyg i syfte att skapa en illusion av känslor, vilket gärningspersonen sedermera utnyttjar för att utöva inflytande över denne.

Under förutsättning att de straffrättsliga rekvisiten i lag (2018:558) om företagshemligheter är uppfyllda kan informationen utgöra en företagshemlighet och... (More)
Genom att utnyttja generella socialpsykologiska mänskliga sårbarhetsfaktorer kan en gärningsperson manipulera en individ att lämna ifrån sig konfidentiell information. Utnyttjandet av mänsklig kontakt och förtroende i syfte att erhålla information kan företas med hjälp av informationsteknik eller genom en mer traditionell och humanistisk interaktion. Denna typ av utnyttjande benämns som social manipulation. Gärningspersonen använder beteendepsykologiska verktyg i syfte att skapa en illusion av känslor, vilket gärningspersonen sedermera utnyttjar för att utöva inflytande över denne.

Under förutsättning att de straffrättsliga rekvisiten i lag (2018:558) om företagshemligheter är uppfyllda kan informationen utgöra en företagshemlighet och således erhålla rättsligt skydd. Bedömningen av rekvisiten avseende vilken typ av information som omfattas av lagstiftningens skydd är tämligen generös. Rättskällematerialet ger ingen indikation på att lagstiftaren avsett att rättstillämparen, vid den straffrättsliga bedömningen, ska fästa avseende vid det tillvägagångssätt som den tilltalade använde sig av. Huruvida den metod som gärningspersonen använt sig av, då denne berett sig tillgång till företagshemligheten, är rättsstridig har ingen betydelse vid bedömning av straffansvar. De angreppssätt som lagstiftningen föreskriver tyder på att rekvisitens struktur har något av en teknisk karaktär, eftersom de ger intryck av att primärt fokusera på de faktiska omständigheterna istället för på emotionella faktorer.

Företag har ofta ett visst egenintresse av att vidmakthålla konfidentialiteten i intern information. I syfte att förstärka skyddet för företagshemligheter kan utomrättsligt skydd uppbäras genom företagandet av systematiskt informationssäkerhetsarbete. Verksamhetens arbete med informationssäkerhet uppställer emellertid ett visst mått av kunskap avseende förmåga att identifiera säkerhetsrisker och utifrån dessa vidta lämpliga och effektiva säkerhetsåtgärder. Informationssäkerhetsbegreppet står i nära förbindelse med teknik- och datavetenskap. Detta kan vara en anledning till att verksamheter ofta koncentrerar informationssäkerhetsarbetet till att utarbeta tekniska skyddsåtgärder i syfte att motverka externa IT-relaterade hot. Oberoende av verksamhetens tekniska skyddsnivå kvarstår emellertid säkerhetsproblemets slutpunkt – arbetstagarna. Så länge som mänsklig arbetskraft existerar befaras mänskliga sårbarhetsfaktorer utgöra en beständig riskfaktor.

Problematiken kan i huvudsak porträtteras på två sätt. För det första utgörs svårigheten av att överhuvudtaget förmå identifiera och upptäcka social manipulation som är en vanlig förekommande företeelse. Röjandet av verksamhetens konfidentiella information kan få omfattande skadeverkningar, vilket kan hämma det konkurrensfrämjande arbetet. För det andra har den rättsliga implikationen av social manipulation i den befintliga forskningen endast poängterats, men förefaller inte ha studerats i vare sig Sverige eller utomlands. Uppsatsens syftar således till att, med stöd av den rättsdogmatiska och den rättsanalytiska metoden, undersöka om straffrätten korrelerar med social manipulation. Genom att använda lagen om företagshemligheter som ett illustrerande exempel granskas i vilken mån som straffrätten beaktar utnyttjandet av mänskliga svagheter i den straffrättsliga bedömningen. Studiet av rättskällorna ger en antydan om att vare sig upphovet till eller effekterna av social manipulation uttryckligen beaktas vid den straffrättsliga bedömningen.

Trots att forskningsfältet avseende social manipulation är tämligen brett har forskningen hittills inte behandlat företeelsen i den rättsvetenskapliga kontexten. Social manipulation har, enligt min undersökning, uteslutande studerats i en sociologisk, beteende- och datavetenskaplig kontext. Behovet av att belysa social manipulation i den rättsvetenskapliga kontexten torde således vara stort. I syfte att öka medvetenheten, förmå identifiera och belysa en allmänt utbredd och tämligen förtäckt angreppsmetod har förevarande uppsats för avsikt att utgöra en ansats till att åskådliggöra denna problematik. (Less)
Abstract
By utilizing general social psychological human vulnerability factors, an offender can manipulate an individual to disclose confidential information. The utilization of human contact and trust for the purpose of obtaining information can be done with the help of information technology or through traditional humanistic interaction. This type of exploitation is referred to as social engineering. The perpetrator uses behavioral psychological tools in order to create an illusion of emotions, which the perpetrator subsequently uses to exert influence over an individual.

Provided that the criminal prerequisite of the Trade Secrets Act (2018:558) is fulfilled, the information may constitute a company secret and thus obtain legal protection.... (More)
By utilizing general social psychological human vulnerability factors, an offender can manipulate an individual to disclose confidential information. The utilization of human contact and trust for the purpose of obtaining information can be done with the help of information technology or through traditional humanistic interaction. This type of exploitation is referred to as social engineering. The perpetrator uses behavioral psychological tools in order to create an illusion of emotions, which the perpetrator subsequently uses to exert influence over an individual.

Provided that the criminal prerequisite of the Trade Secrets Act (2018:558) is fulfilled, the information may constitute a company secret and thus obtain legal protection. The assessment of the prerequisite regarding the type of information covered by the legislation is fairly generous. The legal source material does not give any indication that the legislature intended that the legal practitioner should adhere to the procedure itself when the accused exploited human weaknesses. Whether the method used by the perpetrator when he or she has obtained access to the company secret is illegal has no significance in the assessment of criminal liability. The approaches listed by the legislation indicate that the prerequisite’s structure has something of a technical character as they give the impression of focusing primarily on the facts rather than emotional factors.

Companies often have a certain self-interest in maintaining the confidentiality of intern information. In order to strengthen the protection of trade secrets, extrajudicial protection can be obtained through systematic information security work. The company's work on information security establishes a certain measure of knowledge regarding the ability to identify security risks. With these risks in mind, the company should consider taking appropriate and effective security measures. The concept of information security is closely related to technology and computer science. This may be one of the reasons why companies often prioritize information security work of technical protection measures. This, in order to counteract external IT-related threats. However, regardless of the technical level of protection in the company, the endpoint of the security problem remains - the employee. As long as human labor exists, human vulnerability factors are considered to be a permanent risk factor.

The problem can mainly be portrayed based on two aspects. First, the difficulty consists in the ability to identify and detect social engineering, which is a common occurrence. Clearing the company ́s confidential information can have significant adverse effects, which can hamper the promotion process. Secondly, the legal implication of social engineering in existing research has only been emphasized but does not appear to have been studied in either Sweden or internationally. This is why the aim of the thesis is to, with the support of the legal dogmatic method and the legal analytical method, investigate whether criminal law correlates with social engineering. The Trade Secrets Act is used as an illustrative example in order to showcase the extent of the exploitation of human weaknesses in the criminal law assessment. The study of legal sources gives an indication that neither the origin nor the effects of social engineering are explicitly taken into account in the criminal law assessment.

Although the field of social engineering research is fairly broad, research to date has not addressed the phenomenon in a jurisprudence context. Social engineering, according to my research, has only been recognized in the context of sociological, behavioral- and computer science. In order to raise awareness, to be able to identify and elucidate a generally widespread and fairly disguised method of attack, the present thesis is intended to constitute an approach to illustrate this problem. (Less)
Please use this url to cite or link to this publication:
author
Johansson Wintzell, Ellen LU
supervisor
organization
alternative title
Social engineering in a criminal law context - are human vulnerability factors considered in the criminal law assessment?
course
JURM02 20201
year
type
H3 - Professional qualifications (4 Years - )
subject
keywords
straffrätt, criminal law, social manipulation, social engineering, informationssäkerhet, information security, företagshemligheter, trade secrets
language
Swedish
id
9010387
date added to LUP
2020-06-15 09:24:19
date last changed
2020-06-15 09:24:19
@misc{9010387,
  abstract     = {{By utilizing general social psychological human vulnerability factors, an offender can manipulate an individual to disclose confidential information. The utilization of human contact and trust for the purpose of obtaining information can be done with the help of information technology or through traditional humanistic interaction. This type of exploitation is referred to as social engineering. The perpetrator uses behavioral psychological tools in order to create an illusion of emotions, which the perpetrator subsequently uses to exert influence over an individual.

Provided that the criminal prerequisite of the Trade Secrets Act (2018:558) is fulfilled, the information may constitute a company secret and thus obtain legal protection. The assessment of the prerequisite regarding the type of information covered by the legislation is fairly generous. The legal source material does not give any indication that the legislature intended that the legal practitioner should adhere to the procedure itself when the accused exploited human weaknesses. Whether the method used by the perpetrator when he or she has obtained access to the company secret is illegal has no significance in the assessment of criminal liability. The approaches listed by the legislation indicate that the prerequisite’s structure has something of a technical character as they give the impression of focusing primarily on the facts rather than emotional factors.

Companies often have a certain self-interest in maintaining the confidentiality of intern information. In order to strengthen the protection of trade secrets, extrajudicial protection can be obtained through systematic information security work. The company's work on information security establishes a certain measure of knowledge regarding the ability to identify security risks. With these risks in mind, the company should consider taking appropriate and effective security measures. The concept of information security is closely related to technology and computer science. This may be one of the reasons why companies often prioritize information security work of technical protection measures. This, in order to counteract external IT-related threats. However, regardless of the technical level of protection in the company, the endpoint of the security problem remains - the employee. As long as human labor exists, human vulnerability factors are considered to be a permanent risk factor.

The problem can mainly be portrayed based on two aspects. First, the difficulty consists in the ability to identify and detect social engineering, which is a common occurrence. Clearing the company ́s confidential information can have significant adverse effects, which can hamper the promotion process. Secondly, the legal implication of social engineering in existing research has only been emphasized but does not appear to have been studied in either Sweden or internationally. This is why the aim of the thesis is to, with the support of the legal dogmatic method and the legal analytical method, investigate whether criminal law correlates with social engineering. The Trade Secrets Act is used as an illustrative example in order to showcase the extent of the exploitation of human weaknesses in the criminal law assessment. The study of legal sources gives an indication that neither the origin nor the effects of social engineering are explicitly taken into account in the criminal law assessment.

Although the field of social engineering research is fairly broad, research to date has not addressed the phenomenon in a jurisprudence context. Social engineering, according to my research, has only been recognized in the context of sociological, behavioral- and computer science. In order to raise awareness, to be able to identify and elucidate a generally widespread and fairly disguised method of attack, the present thesis is intended to constitute an approach to illustrate this problem.}},
  author       = {{Johansson Wintzell, Ellen}},
  language     = {{swe}},
  note         = {{Student Paper}},
  title        = {{Social manipulation i en straffrättslig kontext - beaktas mänskliga sårbarhetsfaktorer i den straffrättsliga bedömningen?}},
  year         = {{2020}},
}