Chapter

A Taxonomy of Social Engineering Defense Mechanisms


Abstract

Humans have become the weakest point in the information security chain, and social engineers take advantage of that fact. Social engineers manipulate people psychologically to convince them to divulge sensitive information or to perform malicious acts. Social engineering security attacks can be severe and difficult to detect. Therefore, to prevent these attacks, employees and their organizations should be aware of relevant defense mechanisms. This research develops a taxonomy of social engineering defense mechanisms that can be used to develop educational materials for use in various kinds of organizations. To develop the taxonomy, the authors conducted a systematic literature review of related research efforts and extracted the main target points of social engineers and the defense mechanisms regarding each target point.


... The identified technical SE techniques are listed and displayed (Table 6). Fake Social Network Accounts [39] Fake Emails [21,25] Fake Websites [13,21] Fake Mobile Applications / Plugin [21,22,33,40] File Masquerading [22,40] Hacking [39] Malware [13,41] Need & greed attack [22] QRishing [22] Pharming [33,42] Phishing [2, 3, 5, 6-9, 15, 21-25, 27-41, 43-48] Pop-up windows [25,29,33,41,47] Ransomware [3,15,21,33,40,49] Robocalls [33,50] Scareware [9,37,40] Smishing [7,21,22,24,34,35,44] Social Media [2,15,48,51] Spamming [21,29]. ...
... These techniques use the victim directly to obtain confidential information (Table 7). Direct Approach [22] Distraction Approach [13,22] Dumpster Diving [22-25, 31, 33, 36, 43, 45, 47, 48, 52] Hoaxing [29,30] Quid pro quo [3,23,27,28,30,32,33,36-38] Pretexting / Impersonation [3, 8, 9, 13, 22-25, 27, 28, 30-38, 43, 5, 47, 48, 53] Red Team [8] Reverse Social Engineering [22,23,33-36,47] Role-playing [31] Shoulder Surfing [22-25, 27, 28, 31, 33-37, 45, 48] Scamming [21] Support Staff and Technical Expert [29] Tailgating or Piggybacking [3, 8, 24, 25, 29-38, 48, 51, 53] Whaling [7,24,33,34,37] Here, we can observe that Pretexting / Impersonation, Tailgating / Piggybacking and Shoulder Surfing are the most common non-technical techniques that attackers use. ...
Article
Knowledge of Social Engineering is crucial to prevent potential attacks related to organizational Information Security. The objective of this paper aims to identify the most common social engineering techniques, success attack factors, and obstacles, as well as the good practices and frameworks that could be adopted concerning their mitigation. As an analysis methodology, a Systematic Literature Review was carried out. The findings revealed that the discussion about SE attacks has increased and that the most imminent threat is phishing. Exploiting human vulnerabilities is a growing threat when the attack is not carried out directly through technical means. There continue to be more technical attacks than non-technical attacks. Encouraging organizational security prevention, like training, education, technical controls, process development, defense in detail, and the development of security policies, should be considered mitigating factors for the negative impact of SE attacks. Most SE frameworks/models are focused on attack techniques and methods, mostly on technical components, decorating human factor. As a novelty, we found the opportunity to develop a new framework that could improve coverage of the gaps found, supported on security international standards, that could help and support researchers in developing their work, understanding open research topics, and providing a clearer understanding of this type of threat. Doi: 10.28991/ESJ-2024-08-02-025
... Social Engineering. Several papers have presented taxonomies of different social engineering (SE) attacks [23,50,72,78,133]. Alharthi et al. categorized the techniques in two types: technical, where the attacker uses media (e.g., mobile text, phishing site) to manipulate the user to reveal sensitive data, and non-technical, where the attacker directly interacts with the target. ...
... We now discuss some of the most common social engineering techniques. Existing works categorize social engineering as non-technical vs. technical [23] or human-based vs. computer-based [133]. We categorize based on a similar concept of local vs. ...
... • Tailgating: A tailgating attack is effective for attackers to have physical access to an organization or a resource. For example, an attacker can pretend to forget to bring his card and manipulate the target to give him access to a building or secure zone [23,133]. RFID card attacks are also common now since many organizations use these as an access token due to low cost and good user experience. ...
Article
Full-text available
Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a categorization of reconnaissance techniques based on the source as third-party, human-, and system-based information gathering. This paper provides a comprehensive view of adversarial reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber attacks as well as insights that can improve defensive strategies, such as cyber deception.
... Hadnagy defines Social Engineering as "any act that influences a person to take any action that may or may not be in their best interest" (Hadnagy 2018). State-of-the-art defensive solutions traditionally rely on (i) detecting the occurrence of an attack with technical means (i.e., filtering a phishing email); or (ii) raising people's awareness to make them able to discriminate a malicious interaction (Alharthi, Hammad, and Regan 2020). However, those methods may not be effective due to (i) the high variety of attacks and the difficulty of detecting a spoofed interaction and (ii) the naturally compliant behavior of humans when unable to discriminate what is right or wrong (Junger, Montoya, and Overink 2017). ...
Conference Paper
Full-text available
Social engineering is raising more and more concerns due to its ability to bypass traditional cyber security defense systems. In the last four years, we studied how to develop an intelligent system able to prevent humans' compliance with social engineering threats, based on the real-time assessment of humans' physiological reactions. Moreover, we explored how social robots could exploit such a system to actively support humans' decision-making. The current manuscript resumes four experiments we conducted and presents the challenges we plan to tackle in the near future.
Chapter
Social engineering entails obtaining important information. Attackers may request varied victim details. After targeting someone, attackers aim to steal their bank account information or passwords or breach into their machine to install malicious software to take control. Social engineering is simpler than software infiltration because attackers exploit victim confidence. Tricking someone into giving their password is simpler than hacking it. Trusting people and things is crucial to security. Finding out if someone is who they say they are is crucial. Trusting a website and giving your personal information: when? Thus, every respected security expert agrees that the weakest link in the security system is the believer. Even with locks and deadbolts on our doors and windows, guard dogs, alarm systems, floodlights, barbed wire fences, and armed guards, the pizza delivery man at the gate can get in. This chapter expands on social engineering and safety.
Article
Internet-based social engineering (SE) attacks are a major cyber threat. These attacks often serve as the first step in a sophisticated sequence of attacks that target, among other things, victims’ credentials and can cause financial losses. The problem has received mounting attention in recent years, with many publications proposing defenses against SE attacks. Despite this, the situation has not improved. In this article, we aim to understand and explain this phenomenon by investigating the root cause of the problem. To this end, we examine Internet-based SE attacks and defenses through a unique lens based on psychological factors (PFs) and psychological techniques (PTs). We find that there is a key discrepancy between attacks and defenses: SE attacks have deliberately exploited 46 PFs and 16 PTs in total, but existing defenses have only leveraged 16 PFs and seven PTs in total. This discrepancy may explain why existing defenses have achieved limited success and prompt us to propose a systematic roadmap for future research.
Chapter
The use of technology has increased exponentially thanks to the facilities it provides in academic, personal, social, and business activities. Therefore, security information is important to guarantee information privacy. Social engineering is one of the most used techniques by cybercriminals to exploit different risk factors. They take advantage of ignorance and false confidence to evade security mechanisms to access information systems and obtain private information. The aim of this study was to evaluate the behavior of users exposed to fraud and risk factors that can affect a university information system in order to propose methods to avoid future incidents. Participants answered a pre-test to evaluate their knowledge about the risks of social networks. Five social engineering attacks were implemented on university students using computational and non-computational techniques under controlled scenarios. Website attack vectors, infectious media generator, QR code generator, shoulder surfing and vishing were used. Overall, results showed that 57% of the participants were victims of at least one of the social engineering attacks. Consequently, it is advisable to apply different techniques to increase students’ awareness and knowledge of information security to help reduce future attacks. Keywords: Information Security, Social Engineering, Risk factors, Cyberattack, Cybercriminal
Article
Full-text available
The purpose of this paper was to develop and validate an enhanced social engineering framework to mitigate against social engineering attacks. The study formulated a theoretical framework which was informed by the strengths and weaknesses of existing social engineering frameworks, the framework was also guided by the Dhillon's balanced control theory. The theoretical framework was validated by experts using the Delphi technique which comprised of three rounds. A sample of 25 experts from three higher education institutions which met the inclusion criteria were selected. The study was guided by the interpretivism philosophy to get a deep understanding of the phenomenon under study. The findings reveal that social engineering awareness, organizational security policy and Internet of Things (IOT) security succor in reducing social engineering attacks. The findings from this study will be utilized by decision makers in higher education sector to come up with engaging social engineering training programs, set up an organizational security policy and preclude IOT attacks to mitigate social engineering attacks in higher education. The study contributes to the field of social engineering with an enhanced social engineering framework that mitigate against social engineering attacks. The study adds to under‐represented social engineering framework in higher education.
Conference Paper
Full-text available
In the information security chain, humans have become the weakest point, and social engineers take advantage of that fact by psychologically manipulating people to persuade them to disclose sensitive information or execute malicious acts. Social engineering security attacks can be severe and hard to detect. Therefore, to prevent such attacks, organizations and their employees should be aware of the defense mechanisms that can mitigate the risk of these attacks. To that end, the authors (1) developed a taxonomy of social engineering defense mechanisms and also (2) designed and distributed a survey to measure employees’ level of awareness of these mechanisms. To develop the taxonomy, the authors reviewed the related literature and extracted the main defense mechanisms. To measure employees’ level of awareness of social engineering defense mechanisms, the authors designed and distributed a survey in which 791 employees participated. Finally, after collecting and analyzing the data, the authors found that more than half of the surveyed employees are not aware of social engineering attacks and their defense mechanisms. Such a worrisome result shows that employees and organizations are extremely vulnerable to such attacks, and serious steps need to be taken to elevate the employees’ awareness level against these emerging security threats.
Conference Paper
Full-text available
The study aims to assess popular awareness training solutions and techniques used by organizations to defend and mitigate cyber security social engineering threats. Social engineering threats are the most unpredicted threats an organization faces, leading to loss of confidential data, finances, intellectual property, and consumer credibility. Therefore, it is very important that an organization is well prepared to defend its information systems against social engineering threats. Literature in this domain presents various types of contemporary training and awareness solutions used at the corporate level to address social engineering threats, with the most prominent being reviewed in this study. Latest training methods identified in this study include serious games, gamification, virtual labs, tournaments, simulations, and the use of other modern applications. Similarly, current awareness programs that educate against social engineering threats including video streaming, compliances, theme-based trainings, awareness campaigns, and conferences are also included.
Conference Paper
Full-text available
In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016--March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords---which originate from thousands of online services---enable an attacker to obtain a victim's valid email credentials---and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7--25% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
Conference Paper
Full-text available
Cybersecurity threats and vulnerabilities are causing substantial financial losses for governments and organizations all over the world. Intentional and unintentional users' misuse of information systems (IS) resources represents 50% to 75% of cybersecurity threats. Computer Crime and Security Survey revealed that nearly 60% of security breaches occurred from inside the organization by authorized users. Computer users are deemed as one of the weakest links in the IS security chain. In this study, we examined the effect of user computer self-efficacy (CSE), cybersecurity countermeasures awareness (CCA), and cybersecurity skills (CS) on users' computer misuse intention (CMI) at a government agency. Our results show that the factor of users' awareness of computer monitoring (UAC-M) and cybersecurity initiative skill (CIS) were significant contributors to CMI. UAC-M and CSE were significant contributors to cybersecurity computing skill (CCS). Users' awareness of security policy (UAS-P) was a significant contributor to cybersecurity action skill (CAS). However, CSE had no direct influence on misuse behavior. We conclude the paper with discussion about the results along with suggestions for future research.
Article
Full-text available
Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware to name a few. This article presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.
Article
Full-text available
Social engineering has emerged as a serious threat in virtual communities and is an effective means to attack information systems. The services used by today's knowledge workers prepare the ground for sophisticated social engineering attacks. The growing trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in private and business environments aggravate the problem. In globally acting companies, teams are no longer geographically co-located, but staffed just-in-time. The decrease in personal interaction combined with a plethora of tools used for communication (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.) create new attack vectors for social engineering attacks. Recent attacks on companies such as the New York Times and RSA have shown that targeted spear-phishing attacks are an effective, evolutionary step of social engineering attacks. Combined with zero-day-exploits, they become a dangerous weapon that is often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.
Conference Paper
Full-text available
The field of information security is a fast growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and the human element is thus a weak link. A social engineering attack targets this weakness by using various manipulation techniques in order to elicit sensitive information. The field of social engineering is still in its infancy stages with regards to formal definitions and attack frameworks. This paper proposes a social engineering attack framework based on Kevin Mitnick's social engineering attack cycle. The attack framework addresses shortcomings of Mitnick's social engineering attack cycle and focuses on every step of the social engineering attack from determining the goal of an attack up to the successful conclusion of the attack. The authors use a previously proposed social engineering attack ontological model which provides a formal definition for a social engineering attack. The ontological model contains all the components of a social engineering attack and the social engineering attack framework presented in this paper is able to represent temporal data such as flow and time. Furthermore, this paper demonstrates how historical social engineering attacks can be mapped to the social engineering attack framework. By combining the ontological model and the attack framework one is able to generate social engineering attack scenarios and to map historical social engineering attacks to a standardised format. Scenario generation and analysis of previous attacks are useful for the development of awareness, training purposes and the development of countermeasures against social engineering attacks.
Article
Full-text available
The objective of this research is to present and demonstrate an analytical approach towards Social Engineering. A questionnaire was created and a survey was conducted accordingly to determine the understanding of IT practitioners and social networking users based in India. Based on the responses an advanced model of Social Engineering based attacks was developed. This model can be used in development of Organization-wide Information Security policy and Information Security Awareness Program.
Article
Full-text available
Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred. In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.
Article
Full-text available
This working paper has been thoroughly revised and superseded by two distinct articles. The first is a revised and peer-reviewed version of the original article: Okoli, Chitu (2015), A Guide to Conducting a Standalone Systematic Literature Review. Communications of the Association for Information Systems (37:43), November 2015, pp. 879-910. This article presents a methodology for conducting a systematic literature review with many examples from IS research and references to guides with further helpful details. The article is available from Google Scholar or from the author's website. The second extension article focuses on developing theory with literature reviews: Okoli, Chitu (2015), The View from Giants’ Shoulders: Developing Theory with Theory-Mining Systematic Literature Reviews. SSRN Working Paper Series, December 8, 2015. This article identifies theory-mining reviews, which are literature reviews that extract and synthesize theoretical concepts from the source primary studies. The article demonstrates by citation analysis that, in information systems research, this kind of literature review is more highly cited than other kinds of literature review. The article provides detailed guidelines to writing a high-quality theory-mining review.
Article
Full-text available
Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organization. There are many techniques commonly used in social engineering including but not limited to Trojan and phishing email messages, impersonation, persuasion, bribery, shoulder surfing, and dumpster diving. Hackers rely on social engineering attacks to bypass technical controls by focusing on the human factors. Social engineers often exploit the natural tendency people have toward trusting others who seem likeable or credible, deferring to authority or need to acquiesce to social conformity. Mitigation of social engineering begins with good policy and awareness training, but there are a number of other approaches an organization can take to defend against this type of an attack. Social engineering attacks are likely to increase, and it is becoming increasingly important for organizations to address this issue.
Conference Paper
This paper examines the role and value of information security awareness efforts in defending against social engineering attacks. It categories the different social engineering threats and tactics used in targeting employees and the approaches to defend against such attacks. While we review these techniques, we attempt to develop a thorough understanding of human security threats, with a suitable balance between structured improvements to defend human weaknesses, and efficiently focused security training and awareness building. Finally, the paper shows that a multi-layered shield can mitigate various security risks and minimize the damage to systems and data.
Article
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Article
With increasing development and adoption of information and communication technology initiatives internationally, evolving trends such as bring your own device (BYOD) is rapidly changing operational methods of organizations in attempt to improve efficiency and productivity. However, for organizations to successfully benefit from BYOD, several dynamics relating to security and privacy in BYOD environments must be examined and understood. This article reviews information security and privacy, mobile computing, and current organizational practices that shed light on BYOD and the issues behind its adoption. The review will assist organizations and IT professionals to understand the increasing demands of BYOD, and its challenges.
Article
A True Story One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system. In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.
Article
Hacker folklore abounds with awe-inspiring tales of gaunt, caffeine-sustained teenagers tirelessly picking global electronic locks from afar in a quest for knowledge or recognition. Sometimes it is difficult to remind ourselves that the reality is a lot less enchanting. Certainly, although hackers are known to proclaim an enthusiasm for artfully finding and breaching loopholes (in both code and law), it would appear that most just want to get access to accounts by the most expedient means possible. Even if you do not share this perception, it is a good level at which to pitch your security policy. To use an analogy, security policies which seek to prevent an intruder from gaining access to a house by hang-gliding onto the roof and abseiling down the chimney should also consider that the front door ought not to be open.
Chapter
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intra-domain and inter-domain environments.
Article
Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.
Article
An extensive series of studies has shown that group decisions on life-situation items involving a risky dimension are significantly different from the average of the initial individual decisions of the members of the group. The present study investigates the possibility that widely held values and individuals' perceptions of their own riskiness relative to “other people like them” are important factors in individual and group decisions on life-situation items. Initial individual decisions on the items are found to be consistent with widely held values as assessed on a separate instrument. Significant differences between individuals' perceptions of their own and others' riskiness are also found. The life-situation items were divided into two types of items, on the bases of widely held values and the subjects' perceptions of their own relative riskiness. For items on which the widely held values favored the risky alternative and on which subjects considered themselves relatively risky, unanimous group decisions were more risky than the average of the initial individual decisions. The group decisions tended to be more cautious on items for which widely held values favored the cautious alternative and on which subjects considered themselves relatively cautious. The results are interpreted as supporting both the Nordhøy-Marquis general values hypothesis and the Brown “value to being relatively risky or relatively cautious” hypothesis.
Conference Paper
Social engineering is an undeniable and pervasive threat to the security of an organization's information systems due to its reliance on the social nature of human beings. Social engineering uses the dynamic art of manipulating the social behavior of human relationships to obtain unauthorized and privileged information. Corporations have a pressing need to design and implement reasonable countermeasures and controls to effectively mitigate social engineering attacks. In this paper, we propose a framework for the development of a social engineering susceptibility index (SESI) that reveals the real risks from social engineering attacks that an organization's employees are exposed to. Risk managers can compute the SESI index, which is based on social network theory propositions, to understand the risk exposure of a critical group of individuals or organizational departments and to proactively engage in elevating security measures. The framework equips risk managers with an understanding to design better security decisions and proper policies and measures to reduce risk.
Conference Paper
Trusted people can fail to be trustworthy when it comes to protecting their aperture of access to secure computer systems due to inadequate education, negligence, and various social pressures. People are often the weakest link in an otherwise secure computer system and, consequently, are targeted for social engineering attacks. Social Engineering is a technique used by hackers or other attackers to gain access to information technology systems by getting the needed information (for example, a username and password) from a person rather than breaking into the system through electronic or algorithmic hacking methods. Such attacks can occur on both a physical and psychological level. The physical setting for these attacks occurs where a victim feels secure: often the workplace, the phone, the trash, and even on-line. Psychology is often used to create a rushed or officious ambiance that helps the social engineer to cajole information about accessing the system from an employee. Data privacy legislation in the United States and international countries that imposes privacy standards and fines for negligent or willful non-compliance increases the urgency to measure the trustworthiness of people and systems. One metric for determining compliance is to simulate, by audit, a social engineering attack upon an organization required to follow data privacy standards. Such an organization commits to protect the confidentiality of personal data with which it is entrusted. This paper presents the results of an approved social engineering audit made without notice within an organization where data security is a concern. Areas emphasized include experiences between the Social Engineer and the audited users, techniques used by the Social Engineer, and other findings from the audit. Possible steps to mitigate exposure to the dangers of Social Engineering through improved user education are reviewed.
Article
Social engineering is the con man's “low-tech” approach to the high-tech world of the Internet. This article explains social engineering concepts, the impact they can have on an organization, and controls the organization can implement to limit its exposure to those attacks.
Article
Purpose – Recently, the role of human behavior has become a focal point in the study of information security countermeasures. However, few empirical studies have been conducted to test social engineering theory and the reasons why people may or may not fall victim, and even fewer have tested recommended treatments. Building on theory using threat control factors, the purpose of this paper is to compare the efficacy of recommended treatment protocols. Design/methodology/approach – A confirmatory factor analysis of a threat control model was conducted, followed by a randomized assessment of treatment effects using the model. The data were gathered using a questionnaire containing antecedent factors, and samples of social engineering security behaviors were observed. Findings – It was found that threat assessment, commitment, trust, and obedience to authority were strong indicators of social engineering threat success, and that treatment efficacy depends on which factors are most prominent. Originality/value – This empirical study provides evidence for certain posited theoretical factors, but also shows that treatment efficacy for social engineering depends on targeting the appropriate factor. Researchers should investigate methods for factor assessment, and practitioners must develop interventions accordingly.
Article
Purpose – The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation. Design/methodology/approach – An e-mail-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation. Findings – In spite of a short window of operation for the experiment, the results revealed that 23 per cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online. Research limitations/implications – After running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended. Practical implications – Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial. Originality/value – This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e-mail-based social engineering study that was conducted amongst staff within a cooperating organisation.
Article
Social engineering is a significant problem involving technical and nontechnical ploys in order to acquire information from unsuspecting users. This paper presents an assessment of user awareness of such methods in the form of email phishing attacks. Our experiment used a web-based survey, which presented a mix of 20 legitimate and illegitimate emails, and asked participants to classify them and explain the rationale for their decisions. This assessment shows that the 179 participants were 36% successful in identifying legitimate emails, versus 45% successful in spotting illegitimate ones. Additionally, in many cases, the participants who identified illegitimate emails correctly could not provide convincing reasons for their selections.
A. Thapar, Social engineering: An attack vector most intricate to tackle, CISSP: Infosec Writers.
S. Shane, M. S. Schmidt, Hillary Clinton emails take long path to controversy, The New York Times.
M. T. Siponen, J. Iivari, IS security design theory framework and six approaches to the application of ISPs and guidelines, Journal of the Association for Information Systems 7 (7) (2006) 445-472.