Article

Abstract

Purpose: This paper aims to outline strategies for defence against social engineering that are missing from the current best practices of information technology (IT) security. One reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it.

Design/methodology/approach: The authors conducted a literature review from the viewpoint of IT security and the viewpoint of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings.

Findings: The authors analysed gaps in social engineering defences and mapped them to the underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies' bars against social engineering attacks.

Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering, providing reference points for researchers and IT security professionals with advice on how to improve training.


... Unlike technical attacks, social engineers target people with access to confidential information in order to carry out malicious attacks by influencing and persuading those people (Krombholz et al., 2015). It targets the weakest component in the cybersecurity chain, which is the end users of systems (Ozkaya, 2018; Schaab et al., 2017). Unlike for systems and network structures, technical protection measures such as firewalls, cryptographic methods and anti-virus programmes are all ineffective against this kind of attack (Ozkaya, 2018). ...
... Although these attacks cannot be stopped, they can be detected and prevented (Libicki, 2018). Accordingly, significant studies have been carried out by both researchers and practitioners in recent years on the prevention of social engineering attacks (Schaab et al., 2017; Salahdine and Kaabouch, 2019). Many researchers have proposed frameworks and theoretical models in order to investigate the relationship between user characteristics, demographic factors, personality traits and users' susceptibility to various attack vectors of social engineering. ...
... Instead, it has become very clear that the weakest link in an information security system is the end user of the system. Even though all high-tech companies are using sophisticated information technologies to protect their systems against different types of this attack, they have all become victims of social engineering due to "human error" (Von Solms and Von Solms, 2004; Krombholz et al., 2015; Schaab et al., 2017). Due to the nature of social engineering attacks, users cannot be protected from them easily. ...
Article
In the information security context, social engineering is defined as malicious activities carried out by cybercriminals by means of human interactions. It is mainly a psychological manipulation technique which takes advantage of human error to reach private information. This study used machine learning algorithms to predict individuals' susceptibility to being tricked by social engineering attacks. Simulated scenarios were presented to study participants, and they were asked to identify whether each scenario was a social engineering attack or not. Different kinds of attacks related to various industries were integrated into the social engineering simulations. For each participant, different types of social engineering scores were calculated according to their responses. Besides the simulations, questionnaires related to demographics, technology usage, and personality traits were filled out by the participants. All of the collected data were used in building predictive classification and regression machine learning models. Through the regression and classification models, the aim was to proactively predict individuals' social engineering risk levels and classify them into different risk groups in terms of different attack types. This research revealed that it is possible to predetermine the social engineering risk levels of individuals. This important finding means that possible attacks can be prevented by raising awareness before an attack occurs. Within the scope of this study, a social engineering risk detection mobile application has also been developed to give practitioners and policy makers an idea of what kind of systems can be developed in order to determine the risk levels of individuals and then to educate them about various attacks. Those who need to take action against social engineering attacks will benefit from the findings of this research.
... 4 Human users, who are the weakest link in the information security chain, remain susceptible to manipulation by social engineers. 3,5,[8][9][10] According to the study 4 we can categorize social engineering attacks into four types: physical, technical, social, and socio-technical. Furthermore, in general, there are two ways to persuade a person, as described in relevant studies: the central route and the peripheral route. ...
... Social engineers take the peripheral route, as their identities are based upon false information and fraud. 10 If we identify the challenge associated with cybersecurity, we will come to know that most organizations primarily focus on countermeasures which involve only the technical aspects of the attacks, while completely ignoring the social engineering aspect, which, arguably, can prove more detrimental for any organization. 4 Furthermore, recently, the policy undertaken by organizations in which employees are asked to bring their own devices has increased the chances of cyber-attacks on the organizations. ...
... 14 Some of the strategies which help in mitigating cyber attacks are: (a) security awareness training, (b) revised security policies and practices, (c) network restrictions, and (d) company website review. 1 Furthermore, possible ways to mitigate human-based attacks or social engineering attacks are: (a) implementing policies; (b) audits (pen-testing); and (c) security awareness programs. 10 In future, the emerging challenge is to address automatic cyber attack techniques which are backed by machine learning techniques using the latest attack strategies as a knowledge base. 14 For readers and practitioners, CAPEC (Common Attack Pattern Enumeration and Classification) can be a source of information for researchers and practitioners regarding the latest social engineering attacks and other relevant information. ...
Article
Full-text available
The previous year has seen an enormous increase in the studies related to social engineering. This increase is partly due to the increasing number of social engineering attacks and partly due to people's inability to identify the attack. Thus, it is of great importance to find solutions which help humans to understand social engineering attacks and scenarios. To address this, we have performed a literature review of studies (on social engineering) in top-notch journals and conferences. In this paper, we have enlisted the types of attacks, and the persuasion techniques used by social engineers as listed in the literature. We also combined different theories which researchers have tried to use to explain various activities of social engineers. Furthermore, we have argued that a better understanding of social engineering attack scenarios can be achieved using thematic and game-based analysis techniques. Preliminary empirical evaluation of the proposed game-based method shows overall neutral results. Future extension and evaluation are needed for the proposed methods. Download freely from the link below: https://onlinelibrary.wiley.com/doi/full/10.1002/spy2.73
... attacks. Furthermore, social engineering is highly interdisciplinary; however, most defense strategies are advised by IT security experts who have a background in information systems rather than in psychology [184]. The remainder of this chapter is structured as follows: ...
... 2.1.2 surveys defense strategies and compares them to findings in social psychology [183,184] (cf. Sect. ...
... For that purpose, we surveyed the state of the art [183,184] from a computer science, namely IT security viewpoint, as well as from the viewpoint of social psychology. Following Kruger and Kearney [119], social engineering awareness was considered to consist of the three dimensions knowledge, attitude and behavior. ...
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees' awareness and to train them. Security Management: Specific requirements for small and medium-sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider, currently the most popular form of outsourcing, is provided. Privacy Enhancing Technologies: Relevant factors for users' adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
... The psychological principles used or named by other researchers in social engineering [e.g., 1, 3-5, 36, 37] can be mapped onto those five principles. Therefore, we use this list as the basis for our investigation of social engineering in cryptocurrency fraud. ...
... Distraction takes many forms in the cases and is usually the main driver for the victims to comply with the social engineers' requests. Due to the distractions the victims are not able to evaluate facts or actions by logical reasoning [36]. In case A the victims get distracted in several ways. ...
... When using compliance principles, the social engineers induce their victims to use automatic decision mechanisms rather than rational reasoning [36]. These mechanisms are also called heuristics or mental shortcuts. ...
Chapter
Full-text available
Social engineering is one of the preferred methods used by criminals to gain unauthorized access to information and information systems. Social engineering especially targets the users of a system. It is increasingly being applied to cryptocurrency users. The paper looks at five cases of cryptocurrency fraud that left a lasting impression on the cryptocurrency community. The cases are systematically investigated using an ontological model for social engineering attacks. The paper analyses which psychological tricks or compliance principles have been used by the social engineers in these cases. With the exploitation of principles such as "Distraction", "Authority", and "Commitment, Reciprocation & Consistency", the attackers gained access to users' financial values, stored in cryptocurrencies, without undermining the security features of the blockchain itself. One reason for the attackers' success is a lack of knowledge about risks and security among cryptocurrency users. Efforts to increase the information security awareness of cryptocurrency and blockchain users are recommended to protect them.
... In a previous work, we provided a mapping between social psychology and IT security regarding social engineering defence [17]. In particular, we analysed social psychology methods of training against persuasion and mapped them to trainings in IT security. ...
... To fill the gap identified by Schaab et al. [17], we designed a game that does not only provide knowledge, but rather trains people by implementing theories from social psychology on resistance to persuasion. In this section, we give a brief overview of key design decisions, their rationale and our goals (cf. ...
... Part of a well-defined cyber security program is the creation of information security awareness and training campaigns that would be able to influence the adoption of an overall secure behaviour. To accomplish that, modern training strategies are not only limited to learning software and hardware skills, but also include training to understand actual cyber security threats along with resistance-training techniques [19]. However, cyber range training that does not have the capacity to fit the necessities of an organisation and to effortlessly adjust to the quickly developing scene is deficient, and rapidly becomes obsolete [20]. ...
... SDL is similar to the CTTP Specification Language [5] used in THREAT-ARREST, which allows us to specify the different components of a cyber system. Erdogan et al. [10] introduce a training and evaluation approach based on the CORAS risk models [19] that specify cyber-risk models in order to facilitate real-time risk assessment and evaluation of trainees. Similarly, the definition of the CTTP Models will drive the training process, and align it (where possible) with operational cyber system security assurance mechanisms to ensure the relevance of training. ...
Conference Paper
Full-text available
In light of the ever-increasing complexity and criticality of applications supported by ICT infrastructures, Cyber Ranges emerge as a promising solution to effectively train people within organisations on cyber-security aspects, thus providing an efficient mechanism to manage the associated risks. Motivated by this, the work presented herein introduces the model-driven approach of the THREAT-ARREST project for Cyber Range training, presenting in detail the Cyber Threat Training and Preparation (CTTP) models. These models, comprising sub-models catering for different aspects of the training, are used for specifying and generating the Training Programmes. As such, the paper also provides details on implementation aspects regarding the use of these models in the context of a usable cyber range training platform and two specific training scenarios.
... Applications and information included in IoT are more sensitive and need stringent security measures. Various studies show that humans are the weakest link [3][4][5][6][7], who are vulnerable to attack, e.g. hospital IT systems, smart cars, and smart phones [1,2]. ...
... A graph matrix plots all the scatter plots between the specified variables. This enables us to get a "feel" for the data before any regression analysis. 7 The coefficient value for Fun to Play in the first equation comes out to be -0.047 in our multivariate model. ...
Article
Full-text available
Context: In the current era of digital technology, social engineers are using various tactics to exploit human weaknesses. Social engineers target human psychology to achieve their target(s), which are in the form of data, account details, or IT devices etc. According to our research, one of the first methods social engineers use to target victims is phishing/spear phishing. Objective: The objective of this study is to utilize a serious game to: i) educate players regarding phishing and spear-phishing attacks; ii) make players aware of and educate them regarding the dangers associated with excessive online information disclosure. Method: In order to address the objectives we have: i) performed an in-depth literature review to extract insights related to social engineering, phishing, game design, learning functions, human interaction, and game-based learning etc.; ii) proposed and aligned the game design with social engineering ontology concepts; iii) performed an empirical evaluation to evaluate the effectiveness of the designed board game. Conclusion: From this research study, we conclude that: i) the PhishI game is useful in educating players regarding excessive online information disclosure and phishing awareness; ii) game-based learning is an effective method for inculcating general cyber-related awareness in players.
... Modern training strategies are not only limited to learning software and hardware skills, but also include training to understand real-life security threats along with resistance-training techniques [17], [18], [19]. Psychological threat handling capability comprises training a person to know how to assess the persuasion skills of an imposter. ...
Conference Paper
Full-text available
The study aims to assess popular awareness training solutions and techniques used by organizations to defend against and mitigate cyber security social engineering threats. Social engineering threats are the most unpredictable threats an organization faces, leading to loss of confidential data, finances, intellectual property, and consumer credibility. Therefore, it is very important that an organization is well prepared to defend its information systems against social engineering threats. Literature in this domain presents various types of contemporary training and awareness solutions used at the corporate level to address social engineering threats, with the most prominent being reviewed in this study. The latest training methods identified in this study include serious games, gamification, virtual labs, tournaments, simulations, and the use of other modern applications. Similarly, current awareness programs that educate against social engineering threats, including video streaming, compliance, theme-based trainings, awareness campaigns, and conferences, are also included.
... Other means to verify witness presence include the following: contextual QR codes [36], challenge questions, puzzles and CAPTCHA-like tests [37], whose solutions require information mined at the point of interest. In addition, collaborative social challenges [38], [39] between citizens are a means to introduce social proofs based on social psychology as well as community trust for protection against social engineering attacks [40]. Moreover, communities can also institutionalize their own digital witnesses based on privacy-preserving forensic techniques introduced in the context of blockchain [41], [42]. ...
Preprint
Smart City data-intensive urban environments are becoming highly complex and are evolving through the digital transformation. Repositioning the democratic values of citizens' choices in these complex ecosystems has turned out to be imperative in an era of social media filter bubbles, fake news and opportunities for manipulating electoral results with such means. This paper introduces a new paradigm of augmented democracy that promises citizens who actively engage a more informed decision-making integrated in public urban space. The proposed concept is inspired by a digital revival of the Ancient Agora of Greece, an arena of public discourse, a Polis where citizens assemble to actively deliberate and collectively decide about public matters. At the core of the proposed paradigm lies the concept of proving witness presence, which makes decision-making subject to providing evidence and testifying for choices made in the physical space. This paper shows how proofs of witness presence can be made using blockchain consensus. It also shows how complex crowd-sensing decision-making processes can be designed with the Smart Agora platform and how real-time collective measurements can be performed in a fully decentralized and privacy-preserving way. An experimental testnet scenario on sustainable use of transport means is illustrated. The paramount role of dynamic consensus, self-governance and ethically aligned artificial intelligence in the augmented democracy paradigm is outlined.
... An experiment was performed to check the effectiveness of the activity and it was concluded that it plays a decisive role in the design process. Scenario-based approach (serious game on security requirements) [30]: In this study, the author proposed a serious game in which players first have to understand a hypothetical office environment given in the form of an office map. The office map contains all the information regarding office employees' positions, communication systems, floor plan, and so on. ...
Article
Full-text available
Requirements elicitation is one of the essential steps towards software design and construction. Business analysts and stakeholders often face challenges in gathering or conveying key software requirements. There are many methods and tools designed by researchers and practitioners, but with the persistent development of new technologies, there is a need to make the requirements gathering and design-rationale process more efficient and adaptable. Storytelling is an emerging concept and researchers are witnessing its effectiveness in education, community building, information systems, and requirements elicitation. The objectives of this study are to devise a method for requirements elicitation and improving design rationales using story-based techniques and to evaluate the effectiveness of the proposed activity. To answer the research objectives, the authors have conducted open-ended interviews to get feedback on the proposed method; the authors have taken a case requirement from a running project to map how this method can be useful; and performed an empirical evaluation of the proposed card-based activity. The estimated regression model in our study has shown that participants' perception of the simplicity/easiness and the joy of playing the game has an eventual positive effect on requirements elicitation through enhancing users' desire to play the game, which in turn increases the collaborative learning outcomes of the game.
... As for PERSUADED, the scientific foundation of this game is the findings from Schaab et al. [16,17]. The authors analysed social psychology methods of training against persuasion and mapped them to trainings in IT security. ...
Conference Paper
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game to train employees to use defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.
... As for PERSUADED, the scientific foundation of this game is the findings from Schaab et al. [16,17]. The authors analysed social psychology methods of training against persuasion and mapped them to trainings in IT security. ...
Chapter
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game to train employees to use defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.
... There is a good number of studies in the published literature that answer this question. Some answer the question from the psychology perspective [1], some from the human weakness perspective [2]. Some explain persuasive methods as a possible explanation, and others use social engineering attack scenarios to extract valuable information [3], [4]. ...
Conference Paper
Humans remain susceptible to manipulation, and social engineers are experts in these techniques. To better understand the attack and defense strategies of social engineering attacks, there is a need to map social engineering strategies to war strategies. We can find plenty of war strategists and books on war strategies. By mapping this knowledge, we may find unique ways of defense and can further identify social engineering attack patterns. In this study, we have mapped the principles suggested by Sun-Tzu to social engineering attacks and present initial results (by showing examples for each case). We aim to extend this work and further verify the effectiveness of this strategy in the near future.
... Additionally, scammers also base attacks on the current news situation, such as COVID-19 ransomware [15]. While a couple of defense methods and counteracting training methods [16,17] exist, at present, most of them cannot be adapted fast enough to cope with this amount and speed of new variations. ...
Conference Paper
Recent approaches to raising security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
... However, he also claims that no hardware or software is able to protect an organization fully against social engineering attacks. In addition to that, social engineering is highly interdisciplinary; however, most defense strategies are advised by IT security experts who have a background in information systems rather than psychology [26,27]. ...
Conference Paper
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees' awareness are more effective if adjusted to their target audience. For that purpose, we propose the creation of specific scenarios for serious games by considering the specifics of the respective organisation. Based on the work of Faily and Flechais [11], who created personas utilizing grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering resulted in a realistic scenario and thus was effective. Since the method is also very time-consuming, we propose future work to investigate whether the effort can be reduced.
... This section will examine the devices, strategies, and methodology used by attackers to target users of social media. Due to envy, greed, financial hardship, inadequate upbringing, and other factors, there are a lot of individuals on social media who have bad intentions (Schaab, Beckers, and Pape, 2017). Before a consumer is provided the link, attackers utilize a variety of methods to compromise the URLs of rogue websites. ...
Thesis
A fresh discussion on user privacy has been generated by recent moves taken by social media networks. Users' personal information has reportedly been accessed for advertising purposes with or without their agreement, and user data has reportedly been sold to other parties. Social media platforms are also fertile ground for a new generation of security dangers. The volume of data that users are uploading to social media sites has made social engineering a serious security risk. Hackers don't have to go far to get information that they may exploit to harm victims. It is difficult for social media users to continue using these sites worry-free due to attackers who skulk on them or collaborate with the revenue-focused social media networks.
... For example, the attacker poses as a woman to lure men into sending them money for made-up reasons, for example, "My Internet service will be suspended for accumulated bills, please help me pay or I'll not be able to chat with you if my Internet is suspended". This attack exploits the LIKING AND SIMILARITY factor because victims have the tendency to react positively to someone that they have some relationship with (Schaab et al. [2017]). ...
Preprint
Full-text available
Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received a due amount of attention, with many publications proposing defenses against them. Despite this, the situation has not improved. In this SoK paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose: psychological factors (PFs) and techniques (PTs). We find that there is a big discrepancy between attacks and defenses: attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.
... Additionally, scammers also base attacks on the current news situation, such as COVID-19 ransomware [15]. While a couple of defense methods and counteracting training methods [16,17] exist, at present, most of them cannot be adapted fast enough to cope with this amount and speed of new variations. ...
Chapter
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
... However, he also claims that no hardware or software is able to protect an organization fully against social engineering attacks. In addition to that, social engineering is highly interdisciplinary; however, most defense strategies are advised by IT security experts who have a background in information systems rather than psychology [26,27]. ...
Chapter
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees’ awareness are more effective if adjusted to their target audience. For that purpose, we propose the creation of specific scenarios for serious games by considering specifics of the respective organisation. Based on the work of Faily and Flechais [11], who created personas utilizing grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering resulted in a realistic scenario and thus was effective. Since the method is also very time-consuming, we propose future work to investigate if the effort can be reduced.
... The conceptual framework for this paper was based on the social engineering defensive framework (SEDF). Organizations and employees view social engineering and enterprise security as being an important concept but may not realize the extensive damage an attack can have on the organization (Schaab et al., 2017). A major misconception about social engineering and enterprise security indicates one is more important than is the other. ...
Article
The focus of this research was to explore present control methods and solutions used throughout technology-based, healthcare-based, and manufacturing-based organizations in southwest Georgia to determine their effectiveness for reducing potential threats. Semi-structured interviews with open-ended questions are used to explore 30 information technology professionals' lived experiences with IT security policies and procedures. Two research questions guided the qualitative exploratory case study: How important are social engineering and enterprise security to the organization? and How are organizations evaluating and managing existing organizational solutions? Several themes emerged: (a) lack of education and inadequate information can affect the decision-making process, (b) response times from management are a key factor in reducing threats, (c) a sense of failure is always present, (d) failed IT policy management can increase organizational vulnerability, and (e) social engineering still has a negative stigma in the business environment. The findings suggest that although steps were made to change the perception of social engineering and enterprise security, additional work is needed to ensure employees are aware of how social engineering and enterprise security can affect their organization's productivity. Key Words: Information systems, information technology, social engineering, enterprise security, control methods, policies, procedures, management
... Engineers use tricks to get what they want from the human assets, which are considered one of the weakest links in information security [1,2,3]. Social engineering is not only about getting secret information from the victim but also about exploiting the victim for some situation, event or activity [4,5,6,7]. ...
Article
Malicious scammers and social engineers are causing great harm to modern society, as they have led to the loss of data, information, money and much more for individuals and companies. Knowledge about social engineering is widespread and it exists in non-academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources, guided by academic principles around social engineering, and solicited existing social engineering scenarios from public awareness education materials, news stories, research literature, and official advisories to public departments. We adopted grounded theory to extract the general knowledge behind social engineering, such as attacking cycles, information gathering strategies, psychological principles, attack vectors, etc. In this paper, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: i) understand the rationale of social engineers; ii) capture the knowledge of social engineering attacks and extract important information from the sources; iii) propose an activity for counteracting social engineering attacks, and how it can be used in security education.
... This way players can learn about the attackers' perspective, their vulnerabilities and get a better understanding of potential attack vectors. HATCH builds on previous work examining the psychological principles of social engineering [146] and investigating which psychological techniques induce resistance to persuasion applicable for social engineering [147]. ...
Technical Report
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by a set of guidelines and practical advice in each phase and sub-phases of the framework that would be useful for the enhancement of a CSA program. The guidelines and advice on "what to do in each phase" as well as "what to expect in each phase" will be useful for CSA professionals, individuals, or organizations who intend to design a CSA program. In addition to this, the report also presents the evaluation criteria of two CSA mechanisms, which are posters and serious games.
... Schaab et al. [48] examined the psychological principles of social engineering and investigated which psychological techniques induce resistance to persuasion applicable for social engineering. Based on the identified gaps [49], the serious game HATCH [5] is proposed to foster the players' understanding of social engineering attacks. When playing HATCH, players attack personas in a virtual scenario based on cards with psychological principles and social engineering attacks. ...
Chapter
Serious games seem to be a good alternative to traditional trainings since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: The serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, this is because it is hard to measure security and privacy awareness. On the other hand, both of these topics are currently often in the mainstream media, which makes it necessary to ensure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games, the raised challenges are discussed and partially existing solutions are presented.
... However, the latest Data Breach Investigations Report [1] also reports another increase of financially motivated SE, where the attacker directly asks for some money, i.e. by impersonating CEOs or other high-level executives. While a couple of defense methods and counteracting training methods [2,3] exist, at present, companies have three main strategies to fend off SE attacks: SE penetration testing, security awareness training and campaigns. ...
Article
Abstract: It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company's own compliance; this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate associated measures, as, for example, social engineering penetration testing can be very intrusive.
... In recent years, networks have become part of everyday life, and because of this, they became of high interest to researchers. With the development of computer science, large graphs took on essential roles in many scientific areas such as biology [1], chemistry [2], computer science [3], social engineering [4,5], marketing [6,7] or controlling disease spread. Nowadays, the use of graph databases is also becoming more common and popular, since many areas can take advantage of the benefits provided by graph structure and graph databases. ...
Article
Graphs can be found in almost every part of modern life: social networks, road networks, biology, and so on. Finding the most important node is a vital issue. Up to this date, numerous centrality measures have been proposed to address this problem; however, each has its drawbacks, for example, not scaling well on large graphs. In this paper, we investigate the ranking efficiency and the execution time of a method that uses graph clustering to reduce the time that is needed to define the vital nodes. With graph clustering, the neighboring nodes representing communities are selected into groups. These groups are then used to create subgraphs from the original graph, which are smaller and easier to measure. To classify the efficiency, we investigate different aspects of accuracy. First, we compare the top 10 nodes that resulted from the original closeness and betweenness methods with the nodes that resulted from the use of this method. Then, we examine what percentage of the first n nodes are equal between the original and the clustered ranking. Centrality measures also assign a value to each node, so lastly we investigate the sum of the centrality values of the top n nodes. We also evaluate the runtime of the investigated method, and the original measures in plain implementation, with the use of a graph database. Based on our experiments, our method greatly reduces the time consumption of the investigated centrality measures, especially in the case of the Louvain algorithm. The first experiment regarding the accuracy yielded that the examination of the top 10 nodes is not good enough to properly evaluate the precision. The second experiment showed that the investigated algorithm, on par with the Paris algorithm, has around 45–60% accuracy in the case of betweenness centrality. On the other hand, the last experiment showed that the investigated method has great accuracy in the case of closeness centrality, especially in the case of the Louvain clustering algorithm.
Article
Context Cybersecurity has seen a rise in behavioral investigation during the past decades. This includes studies being carried out at the primary as well as secondary levels. There are a number of reviews on cybersecurity behavioral research that are reported in different publication venues. To get a holistic view of the cybersecurity behavioral research, a synthesis of this literature as a tertiary study is needed. Objective This paper aims to investigate the demographic, specific and quality trends regarding reviews by synthesizing secondary literature in cybersecurity behavioral research. Method We use a systematic literature review protocol to carry out a tertiary study up to February 2022. A total of 107 secondary studies including regular as well as systematic reviews are included in our tertiary study. Results The results reveal a growing trend in secondary studies. The quality of the secondary studies lacks quality assessment of primary studies and adoption of a synthesis method as per the Database of Abstracts of Reviews of Effects (DARE) quality assessment criteria. Another finding is the nascent area of cybersecurity behavioral research that is still at the theory development stage due to latest endeavors to identify theoretical building blocks and inconsistent findings in empirical results. Gaps exist in the conceptualization of constructs, as taxonomies need to be constructed for non-organizational settings. The replication of studies is lacking, as almost half of the secondary studies lack a systematic approach to carry out reviews. The dominant epistemological and ontological beliefs are positivist in nature, with a paucity of research that employs other paradigms to study the human aspect of cybersecurity.
Article
Passwords are among the most commonly used methods of user authentication. Password strength estimators can significantly help users to choose passwords of reasonable strength. These estimates are, however, useful for end users and administrators only in those cases where they provide sufficiently precise password strength estimations. Tools for estimating password strength have mainly been tested against English, or in some cases Chinese or other widespread and global languages. Only very few studies can be found in the literature regarding how to adapt these tools for other, less widespread languages, and what results are produced by so adapted tools. This article presents the approach and reports the results of adapting the zxcvbn estimation engine for the Czech and Slovak languages. The results of this work – an adapted version of zxcvbn (including various dictionaries) – are available for download on GitHub as open-source software. For testing password strength estimation quality, we used a large set of leaked passwords from the Czech environment (approx. 3.1 million passwords), which we divided up into 12 categories. The main results are: (1) The password strength estimation improved for all 12 of the categories. (2) The overall size of zxcvbn did not increase significantly, thanks to adjustments and optimizations of both the original English dictionaries and the newly added Czech and Slovak ones. (3) The speed of operation increased by 4 to 12% depending on the version of the dictionaries used. (4) Besides the direct results for Czech and Slovak, the method described in the article can be utilized as a methodology for adapting zxcvbn for other less-widespread European languages.
Article
Social engineering is an attack on information security for accessing systems or networks. Social engineering attacks occur when victims do not recognize methods, models, and frameworks to prevent them. The current research explains user studies, constructs, evaluation, concepts, frameworks, models, and methods to prevent social engineering attacks. Unfortunately, there is no specific previous research on preventing social engineering attacks that effectively and systematically analyze it. Current prevention methods, models, and frameworks of social engineering attacks include health campaigns, human as security sensor frameworks, user-centric frameworks, and user vulnerability models. The human as a security sensor framework needs guidance that will explore cybersecurity as super-recognizers, likely policing act for a secure system. This paper intends to critically and rigorously review prior literature on the prevention methods, models, and frameworks of social engineering attacks. We conducted a systematic literature review based on Bryman & Bell’s literature review method. We found a new approach in addition to methods, frameworks, models and evaluations to prevent social engineering attacks based on our review, which is using a protocol. We found the protocol to effectively prevent social engineering attacks, such as health campaigns, the vulnerability of social engineering victims, and co-utile protocol, which can manage information sharing on a social network. We present this systematic literature review to recommend ways to prevent social engineering attacks.
Chapter
When the human being, the most precious being created, humanity and the most sacred need of humanity come together, this puts enormous responsibility on researchers and scientists. With this responsibility, the methods, developments, research and rapid development of computer technologies that have been used for centuries have changed the need for education and service delivery, and even opened a new way. A new period in education for learning human interaction with computers has also started. The learning function reaches the masses at the same time and can meet individual needs. Even work on curriculum design with artificial intelligence has begun. Human-computer interactive open and distance learning, which concerns masses on a macro scale and individuals on a micro scale, has strategic importance for societies. It is important to determine strategies for open and distance learning products and services with a proactive approach and analytical and algorithmic methods. In this study, strategic concepts in human-computer interaction studies are discussed in the context of open and distance learning.
Article
Smart Cities evolve into complex and pervasive urban environments with a citizens’ mandate to meet sustainable development goals. Repositioning democratic values of citizens’ choices in these complex ecosystems has turned out to be imperative in an era of social media filter bubbles, fake news and opportunities for manipulating electoral results with such means. This paper introduces a new paradigm of augmented democracy that promises actively engaging citizens in a more informed decision-making augmented into public urban space. The proposed concept is inspired by a digital revive of the Ancient Agora of Athens, an arena of public discourse, a Polis where citizens assemble to actively deliberate and collectively decide about public matters. The core contribution of the proposed paradigm is the concept of proving witness presence: making decision-making subject of providing secure evidence and testifying for choices made in the physical space. This paper shows how the challenge of proving witness presence can be tackled with blockchain consensus to empower citizens’ trust and overcome security vulnerabilities of GPS localization. Moreover, a novel platform for collective decision-making and crowd-sensing in urban space is introduced: Smart Agora. It is shown how real-time collective measurements over citizens’ choices can be made in a fully decentralized and privacy-preserving way. Witness presence is tested by deploying a decentralized system for crowd-sensing the sustainable use of transport means. Furthermore, witness presence of cycling risk is validated using official accident data from public authorities compared against wisdom of the crowd. The paramount role of dynamic consensus, self-governance and ethically aligned artificial intelligence in the augmented democracy paradigm is outlined.
Article
Improving cyber security is the purpose of all states. The military-industrial complex is in need of creating innovative protection systems for its cyber space. A lack of such security systems can lead to a global disaster involving nuclear weapons. Today's legal regulation of national personal data still does not provide for legal regulation of user data which can be obtained via gadgets fitted with cameras, speakers and applications. Apart from information leakage as a result of hacker attacks and accidental cyber leaks, a great problem is related to unlawful leakage and data stolen by company employees. Although the legislation on personal data protection is improving with allowance for precedents in this sphere leading to cybercrimes, the amount of unlawful use of personal data by company employees does not decrease due to a lack of accountability and a behavior code in the sphere of personal data processing.
Article
Three studies examined the impact of a treatment designed to instill resistance to deceptive persuasive messages. Study 1 demonstrated that after the resistance treatment, ads using illegitimate authority-based appeals became less persuasive, and ads using legitimate appeals became more persuasive. In Study 2, this resistance generalized to novel exemplars, persevered over time, and appeared outside of the laboratory context. In Study 3, a procedure that dispelled participants' illusions of invulnerability to deceptive persuasion maximized resistance to such persuasion. Overall, the present studies demonstrate that attempts to confer resistance to appeals will likely be successful to the extent that they install 2 conceptual features: perceived undue manipulative intent of the source of the appeal and perceived personal vulnerability to such manipulation.
Conference Paper
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually being regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Article
We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
Conference Paper
Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred to in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al.'s principles of scams. It is unclear whether these relate, but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with the principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.
Article
Practitioners, researchers and policy-makers involved with cyber security often talk about “security hygiene:” ways to encourage users of computer technology to use safe and secure behavior online. But how do we persuade workers to follow simple, fundamental processes to protect themselves and others? These issues are raised by behavioral scientists, to encourage worker, passenger and patient compliance. In this paper, we explore and summarize findings in social psychology about moral values and habit formation, and then integrate them into suggestions for transforming staff security behavior online.
Article
Consumers have knowledge about persuasion that includes naïve theories about persuasion. The present work examines naïve theories with regard to whether consumers associate the meaning of persuasion as something that is either good or bad. Furthermore, naïve theories about persuasion are demonstrated to affect how consumers respond to a persuasive message. Two studies are presented, one that manipulates and another that measures naïve theories related to the meaning of persuasion. The meaning associated with persuasion is found to play a significant role in influencing the amount of message elaboration that consumers engage in. Implications for attitude change and advertising, persuasion knowledge, and the importance for further research on the meanings attached to persuasion are discussed.
Article
Persuasion is an important element of human communication. But in many situations, we resist rather than embrace persuasive attempts. Resistance to persuasion has been studied in many different disciplines, including communication science, psychology, and marketing. The present paper reviews and connects these diverse literatures, and provides an organizing framework for understanding and studying resistance. Four clusters of resistance strategies are defined (avoidance, contesting, biased processing, and empowerment), and these clusters are related to different motivations for resisting persuasion (threat to freedom, reluctance to change, and concerns of deception). We propose that, while avoidance strategies may be triggered by any of these motivations, contesting strategies are linked primarily to concerns of deception, while empowerment and biased processing strategies are most common when people are reluctant to change.
Article
The effect of a persuasive communication on individuals’ attitudes can be influenced by the cognitive behavior they have performed in an earlier, unrelated situation. Inducing participants to make supportive elaborations about a series of propositions activated a bolstering mind-set that increased the effectiveness of an unrelated advertisement they encountered subsequently. However, inducing participants to refute the implications of a series of propositions activated a counterarguing mind-set that decreased the ad’s effectiveness. These mind-sets had more impact when the cognitive behavior they activated differed from the behavior that would occur in the absence of these mind-sets. When the implications of a persuasive message were difficult to refute, inducing a counterarguing mind-set increased its effectiveness. Finally, watching a political speech or debate activated different mind-sets, depending on participants’ a priori attitude toward the politicians involved, and these mind-sets influenced the impact of an unrelated commercial they considered later.
Article
Examined individual differences in intrinsic motivation to engage in effortful cognitive endeavors in 2 experiments involving 293 undergraduates. Results of Exp I indicate that Ss high in need for cognition were more likely to think about and elaborate cognitively on issue-relevant information when forming attitudes than were Ss low in need for cognition. Analyses further indicated that Ss low in need for cognition acted as cognitive misers rather than as verbal dolts. In Exp II, individual differences in need for cognition were used to test the prediction from the elaboration likelihood model that Ss who tend to engage in extensive issue-relevant thinking when formulating their position on an issue tend to exhibit stronger attitude–behavior correspondence. Results confirm this hypothesis: The attitudes of Ss high in need for cognition, which were obtained in a survey completed approximately 8 wks before the 1984 presidential election, were more predictive of behavioral intentions and reported voting behavior than were the attitudes of Ss low in need for cognition. (49 ref) (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Book
Simple Heuristics That Make Us Smart invites readers to embark on a new journey into a land of rationality that differs from the familiar territory of cognitive science and economics. Traditional views of rationality tend to see decision makers as possessing superhuman powers of reason, limitless knowledge, and all of eternity in which to ponder choices. To understand decisions in the real world, we need a different, more psychologically plausible notion of rationality, and this book provides it. It is about fast and frugal heuristics: simple rules for making decisions when time is pressing and deep thought an unaffordable luxury. These heuristics can enable both living organisms and artificial systems to make smart choices, classifications, and predictions by employing bounded rationality. But when and how can such fast and frugal heuristics work? Can judgments based simply on one good reason be as accurate as those based on many reasons? Could less knowledge even lead to systematically better predictions than more knowledge? Simple Heuristics explores these questions, developing computational models of heuristics and testing them through experiments and analyses. It shows how fast and frugal heuristics can produce adaptive decisions in situations as varied as choosing a mate, dividing resources among offspring, predicting high school dropout rates, and playing the stock market. As an interdisciplinary work that is both useful and engaging, this book will appeal to a wide audience. It is ideal for researchers in cognitive psychology, evolutionary psychology, and cognitive science, as well as in economics and artificial intelligence. It will also inspire anyone interested in simply making good decisions.
Article
Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.
Article
In this article, the author discusses why users compromise computer security mechanisms and how to take remedial measures. Confidentiality is an important aspect of computer security. It depends on authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, authentication procedures are divided into two stages: identification and secret password. To date, research on password security and the usability of these mechanisms has rarely been investigated. Since security mechanisms are designed, implemented, applied and breached by people, human factors should be considered in their design. It seems that currently, hackers pay more attention to the human link in the security chain than security designers do, by using social engineering techniques to obtain passwords. The key element in password security is the crackability of a password combination. System-generated passwords are essentially the optimal security approach; user-generated passwords are potentially more memorable and thus less likely to be disclosed. Regarding password composition, an alphanumeric password is more secure than one composed of letters alone.
Article
Modern global economic and political conditions, technological infrastructure, and socio-cultural developments all contribute to an increasingly turbulent and dynamic environment for organizations, which maintain information systems (IS) for use in business, government, and other domains. As our institutions (economic, political, military, legal, social) become increasingly global and inter-connected; as we rely more on automated control systems to provide us with energy and services; and as we establish internet-based mechanisms for coordinating this global interaction, we introduce greater vulnerability to our systems and processes. This increased dependence on cyberspace also inflates our vulnerability – isolation is no longer an option. Perhaps no aspect of this phenomenon is as alarming and challenging as the need to understand and address the various risks to the security of the IS on which we depend.
Article
Much research in the last two decades has demonstrated that human responses deviate from the performance deemed normative according to various models of decision making and rational judgment (e.g., the basic axioms of utility theory). This gap between the normative and the descriptive can be interpreted as indicating systematic irrationalities in human cognition. However, four alternative interpretations preserve the assumption that human behavior and cognition is largely rational. These posit that the gap is due to (1) performance errors, (2) computational limitations, (3) the wrong norm being applied by the experimenter, and (4) a different construal of the task by the subject. In the debates about the viability of these alternative explanations, attention has been focused too narrowly on the model response. In a series of experiments involving most of the classic tasks in the heuristics and biases literature, we have examined the implications of individual differences in performance for each of the four explanations of the normative/descriptive gap. Performance errors are a minor factor in the gap; computational limitations underlie non-normative responding on several tasks, particularly those that involve some type of cognitive decontextualization. Unexpected patterns of covariance can suggest when the wrong norm is being applied to a task or when an alternative construal of the task should be considered appropriate.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Conference Paper
Social engineering refers to the selection of techniques that exploit human weaknesses and manipulate people into breaking normal security procedures. This may involve convincing people to perform atypical actions or divulge confidential information. It remains a popular method of bypassing security because attacks focus on the weakest link in the security architecture: the staff of the organization, instead of directly targeting technical controls, such as firewalls and authentication systems. This paper investigates the level of susceptibility to social engineering amongst staff within a cooperating organization. An email-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link and install a claimed software update. The message utilized a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. In spite of a short window of operation for the experiment, the results revealed that 23% of the recipients were successfully snared by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.
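The experiment above relied on recipients noticing that the update request carried signs of deception alongside its persuasion cues. As an added example (not code from the cited paper or its authors), the following Python script scans a single-part HTML email for the kinds of signs a security-aware user would look for: a display name claiming internal authority on an address outside the organisation, link text whose host differs from the real href, links leaving the trusted domain, time-pressure wording, and an external request to install software. The trusted domain `example-corp.com`, the lookalike `examp1e-corp.com`, the word lists and both sample messages are assumptions constructed for illustration.

```python
"""Flag social-engineering cues in a single-part HTML email message.

Added example, not code from the cited experiment. The domains, word lists
and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording tied to the persuasion levers the literature names: authority
# (who is asking), urgency/scarcity (time pressure) and the concrete ask.
AUTHORITY_WORDS = ("it support", "helpdesk", "administrator", "security team")
PRESSURE_WORDS = ("immediately", "urgent", "within 24 hours", "will be disabled", "mandatory")
ACTION_WORDS = ("install", "update", "download")
# Anchor text that itself looks like a URL or a bare domain name.
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL or bare domain; '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Crude registrable domain (last two labels); a real tool would consult the public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse(raw_message, trusted_domain):
    """Return the list of indicators found in raw_message (single-part text/html assumed).

    trusted_domain is the organisation's own mail/web domain; anything that
    claims to be internal but resolves elsewhere is flagged.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    indicators = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    external = base_domain(sender_host) != trusted_domain
    if external:
        indicators.append(f"sender address is outside {trusted_domain}: {address}")
        if any(word in display_name.lower() for word in AUTHORITY_WORDS):
            indicators.append(f"display name claims internal authority: {display_name!r}")

    for text, href in extract_links(body):
        shown = host_of(text) if URL_TEXT.match(text) else ""
        real = host_of(href)
        if shown and shown != real:
            indicators.append(f"link text shows {shown} but points to {real}")
        if base_domain(real) != trusted_domain:
            indicators.append(f"link leads outside {trusted_domain}: {href}")

    lowered = (msg.get("Subject", "") + " " + body).lower()
    pressure = [word for word in PRESSURE_WORDS if word in lowered]
    if pressure:
        indicators.append("time pressure: " + ", ".join(pressure))
    if external and any(word in lowered for word in ACTION_WORDS):
        indicators.append("external sender asks the recipient to install or update software")
    return indicators


# Constructed sample: lookalike sender domain (examp1e vs example) and a link whose
# visible text names the intranet while the href goes elsewhere.
PHISH = """\
From: IT Support <it-support@examp1e-corp.com>
Subject: Urgent: mandatory security update
Content-Type: text/html; charset=utf-8

<p>All staff must install the new security patch immediately.
Accounts not updated within 24 hours will be disabled.</p>
<p>Download it here:
<a href="http://update.examp1e-corp.com/patch.exe">https://intranet.example-corp.com/updates</a></p>
"""

# Constructed benign message from the trusted domain.
BENIGN = """\
From: Alice <alice@example-corp.com>
Subject: Lunch on Friday
Content-Type: text/html; charset=utf-8

<p>Menu is at <a href="https://intranet.example-corp.com/lunch">https://intranet.example-corp.com/lunch</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyse(sample, "example-corp.com"))
```

Run against the constructed phishing message the script reports six indicators (external lookalike sender, authority claim in the display name, link text/href host mismatch, link outside the trusted domain, five time-pressure phrases, and an install request from outside); the benign message produces none. The keyword lists are deliberately short; the point is the structure of the checks, not their coverage, and a real filter would pair them with SPF/DKIM results and a public-suffix list rather than the two-label `base_domain` shortcut.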
Article
Methodologies for the penetration testing of computer networks and social engineering tests are presented. These tests concentrate on locating and identifying potential victims, getting to know their vulnerabilities and then exploiting these vulnerabilities. In the case of social engineering tests, care must be taken to protect the victim from discipline or dismissal. The best approach is to provide a tightly-structured, audit-style social engineering test in which the objectives and the results can be clearly specified and considered to be universally fair and appropriate.
Article
The efficacy of inoculation theory has been confirmed by decades of empirical research, yet optimizing its effectiveness remains a vibrant line of investigation. The present research turns to psychological reactance theory for a means of enhancing the core mechanisms of inoculation—threat and refutational preemption. Findings from a multisite study indicate reactance enhances key resistance outcomes, including: threat, anger at attack message source, negative cognitions, negative affect, anticipated threat to freedom, anticipated attack message source derogation, perceived threat to freedom, perceived attack message source derogation, and counterarguing. Most importantly, reactance-enhanced inoculations result in lesser attitude change—the ultimate measure of resistance.
Article
The present research was designed to determine whether the recall of attitudinally-relevant behavior bolsters a newly-formed attitude as evidenced by the persistence of attitudes and the selectivity of memory. Experimental subjects heard a persuasive message that changed their attitudes as compared with those of a survey control group. Half of the experimental subjects were then induced to recall autobiographical behavior relevant to the message (relevant recall condition); the other half were asked to recall behavior irrelevant to the message. Attitudes were assessed following this recall and at a second session, 2 weeks later. At the second session, a test of memory for the persuasive message and a counterattack (provided at the end of the initial session) was administered. Subjects in the relevant behavior recall condition remembered more information from the persuasive message and less from the counterattack than those recalling irrelevant behavior. The attitude persistence results were less conclusive. The selective memory results support the hypothesis that behavioral recall bolsters newly formed attitudes. However, such bolstering per se may not be sufficient to prevent attitude decay.
Article
Hackers frequently use social engineering attacks to gain a foothold into a target network. This type of attack is a tremendous challenge to defend against, as the weakness lies in the human users, not in the technology. Thus far, methods for dealing with this threat have included establishing better security policies and educating users on the threat that exists. Existing techniques aren't working, as evidenced by the fact that auditing agencies consider it a given that they will be able to gain access via social engineering. The purpose of this research is to propose a better method of reducing an individual's vulnerability to social engineering attacks.
Article
From the Publisher: A Legendary Hacker Reveals How To Guard Against the Gravest Security Risk of All: Human Nature. Author Biography: Kevin D. Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News, and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. William L. Simon is a bestselling author of more than a dozen books and an award-winning film and television writer.
Article
The key to maintaining the confidentiality, integrity, and availability of an organization's information and information systems is controlling who accesses what information. This is accomplished by being able to identify the requestor, verifying the requestor is not an impostor, and ensuring that the requestor has the proper level of clearance to access a given resource. There have always been those who attempt to bypass this security mechanism through brute force or guile. In the past, those who use guile have been called confidence men and con artists. Today, these people are called social engineers, but the tactics remain the same even if the objectives have changed.
Article
In Study 1, over 200 college students estimated how much their own chance of experiencing 42 events differed from the chances of their classmates. Overall, Ss rated their own chances to be significantly above average for positive events and below average for negative events. Cognitive and motivational considerations led to predictions that degree of desirability, perceived probability, personal experience, perceived controllability, and stereotype salience would influence the amount of optimistic bias evoked by different events. All predictions were supported, although the pattern of effects differed for positive and negative events. Study 2 with 120 female undergraduates from Study 1 tested the idea that people are unrealistically optimistic because they focus on factors that improve their own chances of achieving desirable outcomes and fail to realize that others may have just as many factors in their favor. Ss listed the factors that they thought influenced their own chances of experiencing 8 future events. When such lists were read by a 2nd group of Ss, the amount of unrealistic optimism shown by this 2nd group for the same 8 events decreased significantly, although it was not eliminated. (22 ref) (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Why do so many people spend so much of their hard-earned money playing the lottery? Why do so many people keep at it week after losing week? We explore the possible roles of certain internal and external factors in this behavior. The internal factor is the process of counterfactual thinking (CFT)—that is, imagining what might have been or might still be, or comparing reality (the facts; what is) with what might have been or might still be. The external factor we examine is lottery advertising, which we argue often exploits the normal human capacity for counterfactual thinking. More specifically, we discuss how an inherent feature of virtually all lottery purchases—negative outcome—tends to induce CFT, and how certain cognitive features of counterfactual thinking—such as its salience and degree of absurdity—are manipulated by lottery advertising. We also discuss how certain affective features of lottery-related counterfactual thinking—high personal involvement, direction of CFT, affective assimilation and contrast effects of CFT, and perceived proximity of actual outcome to counterfactual alternatives—are exploited by lottery advertising. We conclude with implications for research and public policy. © 2000 John Wiley & Sons, Inc.
Book
This classic text surveys a number of different theoretical approaches to the related phenomena of attitude and belief change. These theories are grouped into seven major approaches, each presented and evaluated in a separate chapter. Each contributes in an important way to a complete understanding of the persuasion process. Appropriate for both upper level undergraduates and graduates in the social sciences.
Article
Social engineering is the con man's “low-tech” approach to the high-tech world of the Internet. This article explains social engineering concepts, the impact they can have on an organization, and controls the organization can implement to limit its exposure to those attacks.
Article
In theories and studies of persuasion, people's personal knowledge about persuasion agents' goals and tactics, and about how to skillfully cope with these, has been ignored. We present a model of how people develop and use persuasion knowledge to cope with persuasion attempts. We discuss what the model implies about how consumers use marketers' advertising and selling attempts to refine their product attitudes and attitudes toward the marketers themselves. We also explain how this model relates to prior research on consumer behavior and persuasion and what it suggests about the future conduct of consumer research. Copyright 1994 by the University of Chicago.
Article
The cohesiveness of small groups is defined in terms of intermember attraction and the rationale for such an approach is discussed. The empirical literature, restricted primarily to investigations published 1950-1962, is reviewed with the aim of evaluating the status of variables hypothesized as having antecedent or consequent relationships with interpersonal attraction. To this end, studies from diverse fields, for example, group dynamics, personality, and learning, are brought together and categorized. Theoretical positions concerned with the development of liking between persons and the effects which liking has upon subsequent behavior are also examined by specifying predictions from systematic formulations and comparing them with the research data. The major intent of this paper is to document relationships which have been clearly established and to identify those which are still equivocal or unexplored. (7 p. ref.) (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
This article describes a procedure for the study of destructive obedience in the laboratory. It consists of ordering a naive S to administer increasingly more severe punishment to a victim in the context of a learning experiment. Punishment is administered by means of a shock generator with 30 graded switches ranging from Slight Shock to Danger: Severe Shock. The victim is a confederate of the E. The primary dependent variable is the maximum shock the S is willing to administer before he refuses to continue further. 26 Ss obeyed the experimental commands fully, and administered the highest shock on the generator. 14 Ss broke off the experiment at some point after the victim protested and refused to provide further answers. The procedure created extreme levels of nervous tension in some Ss. Profuse sweating, trembling, and stuttering were typical expressions of this emotional disturbance. One unexpected sign of tension, yet to be explained, was the regular occurrence of nervous laughter, which in some Ss developed into uncontrollable seizures. The variety of interesting behavioral dynamics observed in the experiment, the reality of the situation for the S, and the possibility of parametric variation within the framework of the procedure, point to the fruitfulness of further study.
Article
Early studies of intuitive judgment and decision making conducted with the late Amos Tversky are reviewed in the context of two related concepts: an analysis of accessibility, the ease with which thoughts come to mind; a distinction between effortless intuition and deliberate reasoning. Intuitive thoughts, like percepts, are highly accessible. Determinants and consequences of accessibility help explain the central results of prospect theory, framing effects, the heuristic process of attribute substitution, and the characteristic biases that result from the substitution of nonextensional for extensional attributes. Variations in the accessibility of rules explain the occasional corrections of intuitive judgments. The study of biases is compatible with a view of intuitive thinking and decision making as generally skilled and successful.
Article
Traditional micro-economic theory assumes that consumer preferences are independent of market forces like supply, demand and price. However, this assumption is inconsistent with psychological research on commodity theory (Brock 1968). This research has found that scarcity enhances the desirability of experiences and objects. Two studies were conducted to test the possibility that these scarcity effects on desirability are due to a tendency for people to assume that scarce things cost more. Consistent with this hypothesis, study 1 found that scarcity increased the desirability of art prints only when subjects had been primed to think about the expensiveness of art prints in general. Study 2 further supported the hypothesis by finding that scarcity enhanced the desirability of wine only when subjects did not know how much the wine cost. The economic, marketing and research implications of these results are discussed.
Dimensional Research Study about Social Engineering
  • Anon
Anon, 2011. Dimensional Research Study about Social Engineering.
Analysis of Social Engineering Threats with Attack Graphs
  • K Beckers
  • L Krautsevich
  • A Yautsiukhin
Beckers, K., Krautsevich, L. and Yautsiukhin, A. Analysis of Social Engineering Threats with Attack Graphs.
A Serious Game for Eliciting Social Engineering Security Requirements
  • K Beckers
  • S Pape
Beckers, K. and Pape, S., 2016. A Serious Game for Eliciting Social Engineering Security Requirements. In RE.
Psychosocial Risks: can their effects on the Security of Information Systems really be ignored
  • E D Frangopoulos
  • M M Eloff
  • L M Venter
Frangopoulos, E.D., Eloff, M.M. and Venter, L.M., 2012. Psychosocial Risks: can their effects on the Security of Information Systems really be ignored? In N. L. Clarke & S. Furnell, eds. 6th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2012, Crete, Greece, June 6-8, 2012. Proceedings. University of Plymouth, pp. 52-63. Available at: http://www.cscan.org/openaccess/?paperid=35.
The Threat of Social Engineering and your defense against it
  • R Gulati
Gulati, R., 2003. The Threat of Social Engineering and your defense against it. SANS Reading Room.
A Taxonomy for Social Engineering attacks
  • K Ivaturi
  • L Janczewski
Ivaturi, K. and Janczewski, L., 2011. A Taxonomy for Social Engineering attacks. Proceedings of CONF-IRM.
Understanding and Auditing. SANS Institute Infosec Reading room
  • C Jones
Jones, C., 2004. Understanding and Auditing. SANS Institute Infosec Reading room.
An Introduction to Social Engineering
  • K Manske
Manske, K., 2009. An Introduction to Social Engineering. Information Security Journal: A Global Perspective, 9(5), pp.1-7.
Obedience to authority
  • S Milgram
Milgram, S., 1974. Obedience to authority, London: Tavistock.
The " Social Engineering " of Internet Fraud. nternet Society's INET'99 conference
  • J J J Rusch
Rusch, J.J.J., 1999. The " Social Engineering " of Internet Fraud. nternet Society's INET'99 conference, pp.1-12. Available at: http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm.
The Psychology of Security
  • B Schneier
Schneier, B., 2008. The Psychology of Security. In S. Vaudenay, ed. Progress in Cryptology - AFRICACRYPT 2008. Lecture Notes in Computer Science. Springer Berlin Heidelberg, pp. 50-79. Available at: http://dx.doi.org/10.1007/978-3-540-68164-9_5.
Measuring the Effectiveness of Information Security Awareness Program
  • I Veseli
Veseli, I., 2011. Measuring the Effectiveness of Information Security Awareness Program. Gjøvik University College.