Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits

The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication. In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process. The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.

show abstract

“…The SE requests that the target navigates to a web address and enter confidential information [40,41].…”

Section: Bidirectional Communication -Templatementioning

confidence: 99%

“…The malware masked itself on systems and was designed to erase itself if it tried to compromise a system and was unsuccessful [40,41].…”

Section: Unidirectional Communication -Templatementioning

confidence: 99%

Social engineering attack examples, templates and scenarios

Mouton

Leenen

Venter

2016

Computers & Security

134

View full text Add to dashboard Cite

show abstract

“…The study focused on IT departments and a more abstract view of SEAs without considering SEAs concepts related to critical human factors and their relationships to the concept of SI. Greitzer et al (2014) looked at the insider threat that derives from SEAs [21]. The study considered some related human factors but concentrated mainly on unintentional insider threats whilst observing psychological and social characteristic of people.…”

Section: Social Engineering Attacks Taxonomymentioning

confidence: 99%

An information security risk-driven investment model for analysing human factors

Alavi

Islam

Mouratidis

2016

ICS

View full text Add to dashboard Cite

show abstract

“…The Insider threat patterns provided by CERT [6] use the System Dynamics models, which can express dependencies between variables. The System Dynamics approach has also been successfully applied in other approaches to Insider threats, for example, in the modeling of unintentional insider threats [11]. Axelrad et al [2] have used Bayesian networks for modelling Insider threats in particular the human disposition.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

Isabelle Modelchecking for Insider Threats

Kammüller¹

2016

Data Privacy Management and Security Assurance

View full text Add to dashboard Cite

Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits

Cited by 69 publications

References 21 publications

Social engineering attack examples, templates and scenarios

Social engineering attack examples, templates and scenarios

An information security risk-driven investment model for analysing human factors

Isabelle Modelchecking for Insider Threats

Contact Info

Product

Resources

About