Conference PaperPDF Available

HATCH: Hack And Trick Capricious Humans – A Serious Game on Social Engineering

Authors:

Abstract and Figures

Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually being regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Content may be subject to copyright.
HATCH: Hack And Trick Capricious Humans –
A Serious Game on Social Engineering
Kristian Beckers
Technische Universit¨
at M¨
unchen (TUM)
Institute of Informatics
Boltzmannstr. 3
85748 Garching, Germany
kristian.beckers@tum.de
Sebastian Pape
Goethe-University Frankfurt
Faculty of Economics
Theodor-W.-Adorno-Platz 4
60323 Frankfurt, Germany
sebastian.pape@m-chair.de
Veronika Fries
Technische Universit¨
at M¨
unchen (TUM)
Institute of Informatics
Boltzmannstr. 3
85748 Garching, Germany
veronika.fries@tum.de
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical
means. Although the technical security of most critical systems is usually being regarded in penetration
tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural
patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train
people to teach them how these attacks work and how to detect them. We propose a serious game that
helps players to understand how social engineering attackers work. The game can be played based on the
real scenario in the company/department or based on a generic office scenario with personas that can be
attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall
cause a lasting learning effect.
Security, Methods, Education, Social Engineering, Serious Gaming
1. INTRODUCTION
Traditional penetration testing approaches often fo-
cus on vulnerabilities in network or software systems
(Mitnick and Simon (2009)). Few approaches even
consider the exploitation of humans via social en-
gineering. While the amount of social engineering
attacks and the damage they cause rises yearly the
awareness of these attacks by employees remains
low (Hadnagy (2010, 2016); Proofpoint (2016)).
Recently, serious games have built reputation for
getting employees of companies involved in security
activities in an enjoyable and sustainable way. While
still preserving a playful character, serious games
are used for e.g. security education and threat
analysis (Williams et al. (2009, 2010), Shostack
(2012, 2014), Denning et al. (2013)). We believe that
there is a major benefit for adapting serious games
specifically for social engineering (Beckers and Pape
(2016a)). Our game aims at enabling common em-
ployees to elicit social engineering threats for their
companies (real world scenario). Additionally, we
have developed a generic scenario for training and
awareness rising, which provides a description of a
fictional office scenario with personas. In this paper
we present our game, the generic scenario and our
preliminary results of its application with students,
academics, and industry.
Figure 1: Picture of a Game Session
2. DESIGN OF THE GAME
In short, the rules of the game are as follows:
1. Each player draws a card from the deck of
human behavioral patterns (principles), e.g.
the Need and Greed principle. The game is
designed based on existing published work
(e.g. Stajano and Wilson (2011), c.f. Beckers
and Pape (2016b)).
2. Each player draws three cards from the deck
of the social engineering attack techniques
(scenarios), e.g. phishing. The game is
c
The Authors. Published by BISL.
Proceedings British HCI 2016 - Fusion, Bournemouth, UK
HATCH: Hack And Trick Capricious Humans – A Serious Game on Social Engineering
Beckers Pape Fries
designed based on existing published work
(e.g. Gulati (2003); Peltier (2006), c.f. Beckers
and Pape (2016b)).
3. The players decide if they are insiders or
outsiders to the organization.
4. Each player presents an attack to the group
and the others discuss if the attack is feasible.
5. The players get points based on how viable
their attack is and if the attack was compliant
to the drawn cards. The player with the most
points wins the game.
6. As debriefing, the perceived threats are
discussed and the players reflect their attacks.
They may be supported by the company’s
security personal.
3. INDEPENDENT SCENARIO
We created a generic scenario that people can relate
to with little effort. We came up with the ACME office
company, a medium sized producing company for
paper. Therefore, we described 10 employees, their
roles in the company, familiarisation with computers
and attitudes towards security and privacy (see
Fig. 2 as an example).
Axel
Persona
Axel works in the front desk of ACME
Office. He decides who is allowed to enter
the building and who is not.
Axel lived most of his life without computers
and knows how to operate basic software.
He is concerned with keeping ACME Office
free of unauthorized persons.
Axel informs himself about new ways of
surveillance useful for ACME Office.
Axel
Figure 2: A persona1within our ACME Office scenario
4. PRELIMINARY RESULTS
To validate our research, we initially played the
context-specific version with 25 full time employees
of the Technical University Munich and Goethe-
University Frankfurt with a university degree. We
1Picture is taken from Flickr https://flic.kr/p/Ch2gjk
were initially interested if the players could elicit
possible and context-specific threats for their
respective environments. We played in total 49 turns
of the game in which a player suggests a threat. The
players deemed 42 of these threats possible and 7
were rated not possible by the players. The results
suggest that the players were able to elicit threats
with the game (c.f. Beckers and Pape (2016a)).
Afterwards, we were interested to measure if playing
the game raises the security awareness of the
players. Kruger and Kearny (Kruger and Kearney
(2006)) measure security awareness in terms of
knowledge (what an employee knows), attitude
(what an employee thinks), and behaviour (what
an employee does). We created a set of 14
questions that measured security awareness with
relation to the attack scenarios in our game on
a 5-point Likert scale. The answers range from
totally disagree to totally agree. We assessed the
questionnaires with games played with 10 full time
employees from academia and 4 senior employees
of an organisation A. The academics used our
ACME office scenario and the senior employees
the context-specific version of the game. We could
measure on average between 0.5 and 1 point
increase in security awareness with the players
after they played HATCH. There was no statistical
significant difference in persons who worked with
ACME office scenario and the ones with the context-
specific version of the game.
In future, we will try both versions of the game with
a larger sample of participants and we are planning
to measure the flow construct (Csikszentmihalyi
(2000)) in relation to playing the game. In particular,
we are planning to use the Flow Kurz Skala
(Rheinberg et al. (2016)) to measure how intensive
the player emerge in the game and correlate this
to the difference in security awareness before and
after the game. We assume that the flow experience
is positively correlated to an increased security
awareness. Additionally, we will create more generic
scenarios to allow players with different background
an easier access to the game.
5. ACKNOWLEDGEMENTS
We thank all the players of our game that provided
us with invaluable feedback and spend their precious
time with us improving the game. This research
has been partially supported by Federal Ministry of
Education and Research Germany (BMBF) within
the focal point “IT-Security for Critical Infrastructures”
(grant number 16KIS0240) and the TUM Living Lab
Connected Mobility (TUM LLCM) project funded
by the Bayerisches Staatsministerium f¨
ur Wirtschaft
und Medien, Energie und Technologie (StMWi).
HATCH: Hack And Trick Capricious Humans – A Serious Game on Social Engineering
Beckers Pape Fries
REFERENCES
Beckers, K. and S. Pape (2016a). A serious game for
eliciting social engineering security requirements.
In Proceedings of the 24th IEEE International
Conference on Requirements Engineering, RE 16,
pp. To Appear. IEEE Computer Society.
Beckers, K. and S. Pape (2016b). Theoretical
foundation for: A serious game for social
engineering. Technical report, Technical University
Munich (TUM) and Goethe-University Frankfurt.
http://pape.science/social-engineering/.
Csikszentmihalyi, M. (2000). Beyond Boredom and
Anxiety: Experiencing Flow in Work and Play (25th
Anniversary edition ed.). Jossey-Bass.
Denning, T., A. Lerner, A. Shostack, and T. Kohno
(2013). Control-alt-hack: The design and
evaluation of a card game for computer security
awareness and education. In Proceedings of the
2013 ACM SIGSAC Conference on Computer &
Communications Security, CCS ’13, New York,
NY, USA, pp. 915–928. ACM.
Gulati, R. (2003). The threat of social engineering
and your defense against it. SANS Reading
Room.
Hadnagy, C. (2010). Social engineering: The art of
human hacking. Indianapolis: John Wiley & Sons.
Hadnagy, C. (2016). The social engi-
neering infographic. Technical report,
Social Engineer, Inc. http://www.
social-engineer.org/social-engineering/
social-engineering-infographic/.
Kruger, H. A. and W. D. Kearney (2006). A prototype
for assessing information security awareness.
Comput. Secur. 25(4), 289–296.
Mitnick, K. D. and W. L. Simon (2009). The Art of
Deception. Wiley.
Peltier, T. R. (2006). Social engineering: Con-
cepts and solutions. Information Systems Secu-
rity 15(5), 13–21.
Proofpoint (2016). The human factor report
2016. https://www.proofpoint.com/us/
human-factor-report-2016.
Rheinberg, F., R. Vollmeyer, and S. Engeser
(2016). Flow kurz skala. Technical report.
http://www.psych.uni-potsdam.de/people/
rheinberg/messverfahren/FKS-englisch.pdf.
Shostack, A. (2012). Elevation of privilege:
Drawing developers into threat modeling.
Technical report, Microsoft, Redmond, U.S.
http://download.microsoft.com/download/F/
A/E/FAE1434F-6D22-4581-9804- 8B60C04354E4/
EoP_Whitepaper.pdf.
Shostack, A. (2014). Threat Modeling: Designing for
Security (1st ed.). John Wiley & Sons Inc.
Stajano, F. and P. Wilson (2011, March). Under-
standing scam victims: Seven principles for sys-
tems security. Commun. ACM 54(3), 70–75.
Williams, L., M. Gegick, and A. Meneely (2009).
Protection poker: Structuring software security
risk assessment and knowledge transfer. In
Proceedings of International Symposium on
Engineering Secure Software and Systems, pp.
122–134. Springer.
Williams, L., A. Meneely, and G. Shipley (2010,
May). Protection poker: The new software security
”game”. Security Privacy, IEEE 8(3), 14–20.
... Therefore, at a first glance the use of a serious game for awareness raising and training against SE attacks, e. g. HATCH [11,12], seems to be fine. However, in this paper we investigate the legal challenges to make use of the game HATCH, which offers two different types of scenarios. ...
... The serious game considered for our use case is HATCH [11,12], which aims to improve the employees' understanding of SE. For our analysis, we briefly sketch how HATCH works: Each player is in the role of an attacker. ...
... Virtual scenarios are used when HATCH is used for training and awareness purposes [11]. These consist of a plan of a department or company (see Fig. 1) and for each of the employees shown in the plan there is a persona card that outlines the basic characteristics of the employee (see Fig. 2). ...
Article
Full-text available
Zusammenfassung It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company’s own compliance – this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate associated measures, as for example social engineering penetration testing can be very intrusive.
... -Sect. 2.2.1 describes the serious game HATCH, along with its two different applications [16,17] (cf. Sect. ...
... They are described in more detailed in the following subsections. [16], PROTECT [72] and CyberSecurity Awareness Quiz [158] HATCH [16,17] (cf. Sect. ...
... Hack and Trick Capricious Humans (HATCH) is a physical (tabletop) serious game on social engineering [16,17]. The game is available in two versions, a real life scenario and a generic version. ...
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees’ awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider – the currently most popular form of outsourcing – is provided. Privacy Enhancing Technologies: Relevant factors for the users’ adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
... Therefore, in this paper, we aim to adjust a serious game to a specific target group by adapting it accordingly. For that purpose we chose the serious game HATCH [5] and developed a new scenario for one of its variants in order to be suitable for consulting companies. This approach tackles that problem, that although many serious games for IT security exist, it is still hard to find a accurately fitting serious game for a specific organisation or scenario. ...
... Hack and Trick Capricious Humans (HATCH) is a physical (tabletop) serious game on social engineering [4,5]. The game is available in two versions, a real life scenario and a generic version. ...
... In order to not unnecessarily expose and blame colleagues during a training session, it is based on a virtual scenario with personas as attack victims [16]. The scenario consists of a layout of a medium-sized office and ten employees as personas, printed on cards that contain fictional descriptions of them: their names, role within the organization, familiarization with computers and their attitude towards security and privacy [5]. ...
Chapter
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees’ awareness are more effective if adjusted to their target audience. For that purpose, we propose the creation of specific scenarios for serious games by considering specifics of the respective organisation. Based on the work of Faily and Flechais [11], who created personas utilizing grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering resulted in a realistic scenario and thus was effective. Since the method is also very time-consuming, we propose future work to investigate if the effort can be reduced.
... Therefore, in this paper, we aim to adjust a serious game to a specific target group by adapting it accordingly. For that purpose we chose the serious game HATCH [5] and developed a new scenario for one of its variants in order to be suitable for consulting companies. This approach tackles that problem, that although many serious games for IT security exist, it is still hard to find a accurately fitting serious game for a specific organisation or scenario. ...
... Hack and Trick Capricious Humans (HATCH) is a physical (tabletop) serious game on social engineering [4,5]. The game is available in two versions, a real life scenario and a generic version. ...
... In order to not unnecessarily expose and blame colleagues during a training session, it is based on a virtual scenario with personas as attack victims [16]. The scenario consists of a layout of a medium-sized office and ten employees as personas, printed on cards that contain fictional descriptions of them: their names, role within the organization, familiarization with computers and their attitude towards security and privacy [5]. ...
Conference Paper
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees' awareness are more effective if adjusted to their target audience. For that purpose, we propose the creation of specific scenarios for serious games by considering specifics of the respective organisation. Based on the work of Faily and Flechais [11], who created personas utilizing grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering resulted in a realistic scenario and thus was effective. Since the method is also very time-consuming, we propose future work to investigate if the effort can be reduced.
... In order to describe the necessity of legal and ethical assessments, we briefly introduce the game HATCH [143], a serious game on social engineering. The aim of HATCH is to foster the players' understanding of social engineering attacks. ...
... We had a look at the following games: Control-Alt-Hack [157] [158], OWASP Cornucopia [159], CyberSecurity Awareness Quiz [150], Data Breach [160], d0x3d! [161] [162], Decisions and Disruptions [163], Friend Inspector [164], HATCH [143] [148], NeoSens Training Method [165], OWASP Operation Digital Chameleon [166], Operation Digital Snake [167], PERSUADED [168], Playing Safe [169], Project config.Play [170], PROTECT [151], Protection Poker [171], Security Requirement Education Game (SREG) [172], Security Tactic Planning Poker (SToPPER) [173], Snakes and Ladders [174], The Agile App Security Game [175], and What.Hack [176]. ...
Technical Report
Full-text available
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by a set of guidelines and practical advice in each phase and sub-phases of the framework that would be useful for the enhancement of a CSA program. The guidelines and advice on "what to do in each phase" as well as "what to expect in each phase" will be useful for CSA professionals, individuals, or organizations who intend to design a CSA program. In addition to this, the report also presents the evaluation criteria of two CSA mechanisms, which are posters and serious games.
... Schaab et al. [48] examined the psychological principles of social engineering and investigated which psychological techniques induce resistance to persuasion applicable for social engineering. Based on the identified gaps [49], the serious game HATCH [5] is proposed to foster the players' understanding of social engineering attacks. When playing HATCH, players attack personas in a virtual scenario based on cards with psychological principals and social engineering attacks. ...
Chapter
Serious games seem to be a good alternative to traditional trainings since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: The serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, because it is hard to measure security and privacy awareness. On the other hand, because both of these topics are currently often in the main stream media requiring to make sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games the raised challenges are discussed and partially existing solutions are presented.
... There is a large number of tabletop games for security training or awareness raising [6,8,4,3,14] targeting different domains, asset and areas in the academia. ...
Chapter
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
... There is a large number of tabletop games for security training or awareness raising [6,8,4,3,14] targeting different domains, asset and areas in the academia. ...
Conference Paper
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game Cy-berSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
Thesis
Full-text available
Due to the ever-increasing adaptation of digital technologies, most organisations are currently vulnerable to social engineering threats. In the context of cybersecurity, social engineering is expressed as the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal within the domain of a technical organisation or IT firm, etc. Typically, the attackers or cybercriminals exploit the emotions of human workforces to gain illegal access to their personal or administrative details, credentials, and other classified information. In this research study, various countermeasures have been proposed to mitigate the social engineering threats encountered by these organisations. Firstly, a comprehensive literature review has been undertaken to identify the most frequently occurring cybersecurity and social engineering threats, such as social phishing and spear phishing, electronic theft and email fraud, etc. The primary focus of evaluating the literature is to ascertain the human elements related to the cybersecurity threats in order to recognise staff’s vulnerabilities and lack of awareness, which are exploited by hackers. Thus, these issues can contribute to various cybersecurity loopholes and attacks, which consist of the malfunctioning of the information systems, the transfer of unauthorised funds, and the stealing of credentials, etc. Secondly, this research study has employed two research methodologies—namely, qualitative and quantitative methods—to determine the significance of human behaviours related to cybersecurity. The qualitative study is based on a thorough analysis of the cybersecurity experts’ responses, and it has identified that the employees’ awareness levels positively correlate with the avoidance of cybersecurity breaches in an organisation. Therefore, the organisations can enhance their employees’ contextual knowledge about the most prevalent cybersecurity threats to handle the social engineering attacks. Moreover, the quantitative methodology has been employed by surveying 265 employees from various organisations; and the results intimate that the probability of social engineering attacks can be significantly reduced if the awareness levels of employees can be substantiated and improved. Thirdly, this research study specifies an advanced taxonomy of various social engineering threats based on the qualitative and quantitative analyses. This taxonomy serves as an essential element of this research study, with the primary objectives of facilitating the development and implementation of improved preventive measures and emphasising the significance of ISA in an organisation. Finally, a policy framework has been developed which elaborates on the recommended policies and procedures for organisations to use to disseminate cybersecurity awareness across their employees. For this purpose, the framework outlines three key activities—incident, investigate, and invigilate—required to prepare the employees for the overall improvement of an organisation’s ISA. Consequently, the cybersecurity managers can steer, prioritise, and optimise their human resources to achieve more effective outcomes.
Chapter
Game-based learning is a promising approach to anti-phishing education, as it fosters motivation and can help reduce the perceived difficulty of the educational material. Over the years, several prototypes for game-based applications have been proposed, that follow different approaches in content selection, presentation, and game mechanics. In this paper, a literature and product review of existing learning games is presented. Based on research papers and accessible applications, an in-depth analysis was conducted, encompassing target groups, educational contexts, learning goals based on Bloom’s Revised Taxonomy, and learning content. As a result of this review, we created the publications on games (POG) data set for the domain of anti-phishing education. While there are games that can convey factual and conceptual knowledge, we find that most games are either unavailable, fail to convey procedural knowledge or lack technical depth. Thus, we identify potential areas of improvement for games suitable for end-users in informal learning contexts.
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that deeply include non- technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of indi- vidual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Article
Full-text available
Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.
Conference Paper
We scoped, designed, produced, and evaluated the effectiveness of a recreational tabletop card game created to raise awareness of and alter perceptions regarding-computer security. We discuss our process, the challenges that arose, and the decisions we made to address those challenges. As of May 2013, we have shipped approximately 800 free copies to 150 educators. We analyze and report on feedback from 22 of these educators about their experiences using Control-Alt-Hack with over 450 students in classroom and non-classroom contexts. The responses from the 14 educators who reported on their use of the game in a classroom context variously indicated that: their students' awareness of computer security as a complex and interesting field was increased (11/14); they would use the game again in their classroom (10/14); and they would recommend the game to others (13/14). Of note, 2 of the 14 classroom educators reported that they would not have otherwise covered the material. Additionally, we present results from user studies with 11 individuals and find that their responses indicate that 8 of the 11 had an increased awareness of computer security or a changed perception; furthermore, all of our intended goals are touched upon in their responses.
Article
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equalsome could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
Conference Paper
Discovery of security vulnerabilities is on the rise. As a result, software development teams must place a higher priority on preventing the injection of vulnerabilities in software as it is developed. Because the focus on software security has increased only recently, software development teams often do not have expertise in techniques for identifying security risk, understanding the impact of a vulnerability, or knowing the best mitigation strategy. We propose the Protection Poker activity as a collaborative and informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspective of the participants. An excellent outcome of Protection Poker is that security knowledge passed around the team. Students in an advanced undergraduate software engineering course at North Carolina State University participated in a Protection Poker session conducted as a laboratory exercise. Students actively shared misuse cases, threat models, and their limited software security expertise as they discussed vulnerabilities in their course project. We observed students relating vulnerabilities to the business impacts of the system. Protection Poker lead to a more effective software security learning experience than in prior semesters. A pilot of the use of Protection Poker with an industrial partner will begin in October 2008.
Article
Social engineering is the name given to a category of security attacks in which someone manipulates others into revealing information that can be used to steal data or money, steal access to systems or cellular phones, or even steal your identity. Such attacks can be very simple or very complex. Gaining access to information over the phone or through Web sites that you visit has added a new dimension to the role of the social engineer. We will examine ways in which people, companies, government agencies and military organizations have been duped into disclosing information that opened them to attack. We will discuss whom the social engineers of today are and what they are after. We'll also discuss both the low-tech and the newer forms of electronic theft, and explore measures that will keep your personal, customer, supplier and company information out of the hands of the social engineer.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.