When conducting a risk assessment, which one of the following is NOT an acceptable social
engineering practice?

A.
Shoulder surfing

B.
Misrepresentation

C.
Subversion

D.
Dumpster diving

Explanation:
Shoulder Surfing: Attackers can thwart confidentiality mechanisms by network monitoring, shoulder
surfing, stealing password files, and social engineering. These topics will be address more in-depth in
later chapters, but shoulder surfing is when a person looks over another person’s shoulder and
watches keystrokes or data as it appears on the screen. Social engineering is tricking another person
into sharing confidential information by posing as an authorized individual to that information. Shon
Harris: CISSP Certification pg. 63. Shoulder surfing is not social engineering.