Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment
Kristian Beckers (1), Veronika Fries (2), Eduard C. Groen (3), and Sebastian Pape (1,4)
(1) Social Engineering Academy, kristian.beckers,sebastian.pape@social-engineering.academy
(2) Technical University of Munich, veronika.fries@in.tum.de
(3) Fraunhofer IESE, eduard.groen@iese.fraunhofer.de
(4) Goethe University Frankfurt, sebastian.pape@m-chair.de
Abstract. We propose a controlled experiment to assess how well creativity techniques can support social engineering threat assessment. Social engineering threats form the basis for the elicitation of security requirements, a type of quality requirement, which state what threat should be prevented or mitigated. The proposed experiment compares a serious game and the Morphological Forced Connections technique with regard to their productivity, as well as completeness and precision.
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually considered, such systems remain highly vulnerable to attacks from social engineers who exploit humans to obtain information (e.g., phishing) [3, 4]. To develop systems that are more resilient to threats from social engineering, the security requirements should specifically address such threats.

Moreover, performing a threat assessment of social engineering is hard, because an attacker (a) does not need any (advanced) technical skills, and (b) can conduct an attack without advanced equipment. Hence, anyone can inflict significant damage through social engineering⁵. We have developed a serious game for social engineering [1, 2] (see Fig. 1), which is suitable for educating non-security experts about the threats of social engineering, as well as for eliciting security requirements to prevent and mitigate social engineering threats. The empirical elicitation and assessment of security requirements concerning social engineering is difficult, as it is not the system's security measures themselves that cause the security threat, but the unpredictability of humans with system knowledge. For example, humans can give away passwords. In the business context, these techniques additionally rely on the participation of ordinary employees, who possess the required practical and domain knowledge.

⁵ http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf
Copyright 2017 for this paper by its authors.
Copying permitted for private and academic purposes.
Figure 1: Game on Social Engineering
This makes foreseeing possible social engineering threats the main challenge. The elicitation of requirements to this end draws on the stakeholders' ability to make new associations, and therefore requires creativity techniques for the combination of existing (work) practices and potential threats.
In order to validate the suitability and effectiveness of our game (cf. [1, 2]) for eliciting security requirements concerning social engineering, we propose to conduct an experiment of 90 minutes in which we compare its yield for social engineering threat elicitation with that of the Morphological Forced Connections technique [5]. This established creativity technique was chosen because of its suitability to transform a combination of preexisting (work) aspects into new conceptual combinations (i.e., a threat) through inference.
The context of our experiment is the CreaRE workshop. Social engineering threats for a predefined scenario are elicited from the participants in either of two conditions. Our hypothesis concerns the productivity and precision of both approaches. We hypothesise that the serious game is more productive and precise than the creativity technique. We define true positives (TP) as correctly identified threats (i.e., correct results that experts have previously found or that they verify during the experiment). False positives (FP) are threats reported by participants but not verified by expert review. We measure productivity as the number of TP discovered during a limited time frame and precision as the percentage of TP among all discovered threats. The independent variable is the technique used for the social engineering threat assessment, with two levels: "social engineering game" and "Morphological Forced Connections technique". The dependent variables are the total number of threats elicited with each method, the number of threats that are identified as correct, and the time required to identify these threats. Correctness is validated by security experts reviewing the elicited threats and by an assessment of the participants during the experiment.
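As an added example (not code from the paper), the following Python scores one session with the measures defined above: a reported threat is a TP if it matches the experts' prior list or was confirmed by them during the session, an FP otherwise; productivity is the number of TP within the time frame; precision is the percentage of TP among all distinct threats discovered. The expert list, the two conditions' reports and their minutes are constructed sample data, and matching threats by normalised text is an assumption for illustration.

```python
from collections import namedtuple
# A participant's reported threat: condition ("game" or "mfc"), free text, minute reported.
Report = namedtuple("Report", "condition threat minute")

def normalise(text):
    """Fold case and whitespace so re-worded duplicates match the expert list."""
    return " ".join(text.lower().split())

def score(reports, expert_threats, verified_live=(), time_limit=90):
    """Per condition: TP, FP, productivity (TP within the time frame), precision (%)."""
    # Verified = found by experts beforehand, or confirmed by them during the session.
    verified = {normalise(t) for t in (*expert_threats, *verified_live)}
    results = {}
    for condition in sorted({r.condition for r in reports}):
        seen, tp, fp, last_tp = set(), 0, 0, None
        for r in sorted(reports, key=lambda r: r.minute):
            if r.condition != condition or r.minute > time_limit:
                continue
            key = normalise(r.threat)
            if key in seen:            # the same threat reported twice counts once
                continue
            seen.add(key)
            if key in verified:
                tp, last_tp = tp + 1, r.minute
            else:
                fp += 1
        precision = round(100.0 * tp / (tp + fp), 1) if tp + fp else 0.0
        results[condition] = {"tp": tp, "fp": fp, "productivity": tp,
                              "precision": precision, "time_to_last_tp": last_tp}
    return results

# Constructed sample data (not from the paper): an expert list and two sessions.
EXPERT_THREATS = ["phishing email asking for VPN credentials", "tailgating into the server room",
                  "phone call impersonating IT support to reset a password", "USB drop in the parking lot"]
SAMPLE_REPORTS = [
    Report("game", "Phishing email asking for VPN credentials", 10),
    Report("game", "tailgating into the server room", 25),
    Report("game", "asking the receptionist for the wifi password", 40),
    Report("game", "guessing the admin password by brute force", 55),  # not social engineering
    Report("game", "USB drop in the parking lot", 70),
    Report("game", "phishing email asking for VPN credentials", 80),   # duplicate of minute 10
    Report("mfc", "phone call impersonating IT support to reset a password", 30),
    Report("mfc", "malware on the company website", 50),
    Report("mfc", "hacker breaks through the firewall", 60),
]
VERIFIED_LIVE = ["asking the receptionist for the wifi password"]  # confirmed by experts live

def run_example(time_limit=90):
    return score(SAMPLE_REPORTS, EXPERT_THREATS, VERIFIED_LIVE, time_limit)
```

Lowering `time_limit` shows how productivity and precision change when the session is cut short, which is what the "limited time frame" in the productivity measure refers to.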
The results of our experiment should provide an indication of how suitable the two creativity techniques are for performing social engineering threat elicitation. Additional research is needed to address the fundamental threat of social engineering to security.
References
1. Beckers, K., Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements. In: Proceedings of RE, pp. 16-25. IEEE Computer Society (2016)
2. Beckers, K., Pape, S., Fries, V.: HATCH: Hack And Trick Capricious Humans - A Serious Game on Social Engineering. In: Proceedings of BHCI, pp. 1-3. ACM (2016)
3. Mitnick, K.D., Simon, W.L.: The Art of Deception. Wiley (2009)
4. Hadnagy, C.: Social Engineering - The Art of Human Hacking. Wiley (2011)
5. Boden, M.A.: The Creative Mind: Myths & Mechanisms (2nd Ed). Routledge (2004)