18 research outputs found

    A Model for Investigating Organizational Impact on Information Security Behavior

    The increased amount of attacks targeting humans accessing and using computers has made it significantly important to understand human and organizational behavior in attacks and how resilient behavior can be achieved. This paper presents a research model that attempts to understand how organizational and human factors complement each other in shaping information security behavior. The model was developed through an inductive approach, in which content domain experts were interviewed to gain a deeper understanding of the phenomena. Common patterns that were identified in the interviews were then combined with data collected through surveying the literature. Specifically, the research model includes constructs related to the organization and promotion of information security, constructs related to perceptions of information security awareness and the social conditions within an organizational setting, and individual constructs related to an individual's perceptions of attitude, normative beliefs, and self-efficacy. Implications for continuing research and how the model will be tested empirically are discussed.

    A Taxonomy for Social Engineering attacks

    As the technology to secure information improves, hackers will employ less technical means to get access to unauthorized data. The use of Social Engineering as a non-technical method of hacking has been increasing during the past few years. There are different types of social engineering methods reported, but what is lacking is a unifying effort to understand these methods in the aggregate. This paper aims to classify these methods through a taxonomy so that organizations can gain a better understanding of these attack methods and accordingly be vigilant against them.

    Countermeasures for Social Engineering-based Malware Installation Attacks

    Social engineering exploits vulnerabilities at different layers (i.e. the technical and social layers) in an organizational defense structure. It is therefore important to understand how to defend against these attacks using a holistic defense approach including multiple countermeasures. The literature suggests a plethora of countermeasures; little research has, however, been done to assess their effectiveness in managing social engineering threats. In this paper we attempt to obtain a deeper understanding of how to defend against a type of social engineering attack that attempts to install malware on computers through e-mail or portable media. We explore commonly proposed countermeasures needed to prevent this type of attack, and whether any dependencies between them exist. Through a combined method approach of surveying the literature and conducting semi-structured interviews with domain experts, we identified a set of countermeasures that provide empirical input for future studies but could potentially also give organizations guidance on how to manage social engineering-based malware installation attacks.

    A Reading Preference and Risk Taxonomy for Printed Proprietary Information Compromise in the Aerospace and Defense Industry

    The protection of proprietary information that users print from their information systems is a significant concern. Researchers have repeatedly indicated that human behaviors and perception are important factors influencing the information security of organizations and have called for more research. In this study, we focused on the investigation of user reading preference, user perceived risk, and seven demographics in the context of compromising printed proprietary information. A Reading Preference and Risk (RPR) taxonomy was developed to classify users with respect to potential risks to printed proprietary information. Results of a Web-based survey show that employees were dispersed across the RPR Taxonomy, with 15.1% identified as potentially problematic. Our results also showed an overall reading preference for print materials and a high perceived risk for compromising printed proprietary information. Significant differences between the constructs and demographics suggest that a user's likelihood to compromise printed proprietary information is affected by frequency of user exposure, confidentiality level, and previous user experience with the compromise of proprietary information. Additionally, age, gender, and a user's desire to retain e-training content in memory had a significant effect on user reading preference.

    Effect of Frame of Mind on Users’ Deception Detection Attitudes and Behaviours

    As the World Wide Web grows, the number and variety of deceptive attacks targeting online consumers likewise increases. Extant research has examined online deception from an information processing perspective, that is, how users process information when they encounter deceptive attacks. However, users' ability to process information is based on what the users are thinking, or their frame of mind, while engaged with that information. Frame of mind has not been well studied in the security domain. This study proposes the effect of users' frame of mind on their attitude towards online deception and their actual deception detection behaviour. Specifically, we propose that human information needs and the framing (positive or negative) of important information such as warnings are significant components of users' frames of mind that impact their vulnerability to online attacks. We conclude the paper by discussing in detail the experimental setup and expected contributions from the analysis.

    Rekening Bersama (RekBer) the Indonesian Escrow Service of Money


    A Naturalistic Methodology for Assessing Susceptibility to Social Engineering Through Phishing

    Phishing continues to be a prevalent social engineering attack. Attacks are relatively easy to set up and can target many people at low cost. This study presents a naturalistic field experiment that can be staged by organisations to determine their exposure. This exercise provides results with high ecological validity and can give organisations the information they need to craft countermeasures to social engineering risks. The study was conducted at a university campus in Kenya where 241 valid system users, also known as "insiders," were targeted in a staged phishing experiment. The results show that 31.12% of the insiders are susceptible to phishing and 88% of them disclose passwords that grant access to attackers. This study outlines various ethical considerations that ensure such exercises do not present any actual harm. The design of data collection instruments is discussed in depth to allow organisations the opportunity to develop similar tools for routine threat assessment.

    Necessity for ethics in social engineering research

    Social engineering is deeply entrenched in the fields of both computer science and social psychology. Knowledge is required in both these disciplines to perform social engineering-based research. Several ethical concerns and requirements need to be taken into account when social engineering research is conducted to ensure that harm does not befall those who participate in such research. These concerns and requirements have not yet been formalised, and most researchers are unaware of the ethical concerns involved in social engineering research. This paper identifies a number of concerns regarding social engineering in public communication, penetration testing and social engineering research. It also discusses the identified concerns with regard to three different normative ethics approaches (virtue ethics, utilitarianism and deontology) and provides their corresponding ethical perspectives as well as practical examples of where these formalised ethical concerns for social engineering research can be beneficial.

    A Large-Scale Study of the Time Required to Compromise a Computer System


    Social engineering attack examples, templates and scenarios

    The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication.
    In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process. The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.