Celestini Project

i. Appropriate access: The social engineer must know that the person being targeted has the
appropriate credentials to manipulate or access the information or system that is of interest.
For example, if a social engineer is attempting to steal confidential information about software
being developed by a firm, gaining access to the secretary’s computer may not yield results
if the secretary’s computer is not connected to the server that holds the software’s code.
ii. Assessed resistance: Although only 11 of the 138 people put up any resistance to the social
engineering attempts demonstrated at the DEFCON 18 security conference, the social engineer
must evaluate the selected target’s resistance to an attempt at social engineering in order to
determine the target’s viability. For example, a social engineer attempting a
technology-based attack would be interested in factors such as the employee’s level of
technical knowledge, while an attacker using a human-based approach may seek out
disgruntled ex-employees who will not hesitate to share information about their past employer.