Social engineering attacks have posed a serious security threat to cyberspace. However, there is much we have yet to know regarding what and how lead to the success of social engineering attacks. This paper proposes a conceptual model which provides an integrative and structural perspective to describe how social engineering attacks work. Three core entities (effect mechanism, human vulnerability and attack method) are identified to help the understanding of how social engineering attacks take effect. Then, beyond the familiar scope, we analyze and discuss the effect mechanisms involving 6 aspects (persuasion, social influence, cognition & attitude & behavior, trust and deception, language & thought & decision, emotion and decision-making) and the human vulnerabilities involving 6 aspects (cognition and knowledge, behavior and habit, emotions and feelings, human nature, personality traits, individual characters), respectively. Finally, 16 social engineering attack scenarios (including 13 attack methods) are presented to illustrate how these mechanisms, vulnerabilities and attack methods are used to explain the success of social engineering attacks. Besides, this paper offers lots of materials for security awareness training and future empirical research, and the model is also helpful to develop a domain ontology of social engineering in cybersecurity.
INDEX TERMSSocial engineering, attack model, working mechanism, human hacking, attack scenario, vulnerability, principle, psychology cognition and behavior, education awareness and training, security.
