Vulnerability to social engineering in social networks : a proposed user-centric framework

Social networking sites have billions of users who communicate and share their personal information every day. Social engineering is considered one of the biggest threats to information security nowadays. Social engineering is an attacker technique to manipulate and deceive users in order to access or gain privileged information. Such attacks are continuously developed to deceive a high number of potential victims. The number of social engineering attacks has risen dramatically in the past few years, causing unpleasant damage both to organizations and individuals. Yet little research has discussed social engineering in the virtual environments of social networks. One approach to counter these exploits is through research that aims to understand why people fall victim to such attacks. Previous social engineering and deception research have not satisfactory identified the factors that influence the users' ability to detect attacks Characteristics that influence users' vulnerability must be investigated to address this issue and help to build a profile for vulnerable users in order to focus on increasing the training programs and education for those users. In this context, the present study proposes a user-centric framework to understand the user's susceptibility, relevant factors and dimensions

A pilot study of cyber security and privacy related behavior and personality traits

ABSTRACT Recent research has begun to focus on the factors that cause people to respond to phishing attacks as well as affect user behavior on social networks. This study examines the correlation between the Big Five personality traits and email phishing response. Another aspect examined is how these factors relate to users' tendency to share information and protect their privacy on Facebook (which is one of the most popular social networking sites). This research shows that when using a prize phishing email, neuroticism is the factor most correlated to responding to this email, in addition to a gender-based difference in the response. This study also found that people who score high on the openness factor tend to both post more information on Facebook as well as have less strict privacy settings, which may cause them to be susceptible to privacy attacks. In addition, this work detected no correlation between the participants estimate of being vulnerable to phishing attacks and actually being phished, which suggests susceptibility to phishing is not due to lack of awareness of the phishing risks and that real-time response to phishing is hard to predict in advance by online users. The goal of this study is to better understand the traits that contribute to online vulnerability, for the purpose of developing customized user interfaces and secure awareness education, designed to increase users' privacy and security in the future

SPICE: A Software Tool for Studying End-user’s Insecure Cyber Behavior and Personality-traits

Insecure cyber behavior of end users may expose their computers to cyber-attack. A first step to improve their cyber behavior is to identify their tendency toward insecure cyber behavior. Unfortunately, not much work has been done in this area. In particular, the relationship between end users cyber behavior and their personality traits is much less explored. This paper presents a comprehensive review of a newly developed, easily configurable, and flexible software SPICE for psychologist and cognitive scientists to study personality traits and insecure cyber behavior of end users. The software utilizes well-established cognitive methods (such as dot-probe) to identify number of personality traits, and further allows researchers to design and conduct experiments and detailed quantitative study on the cyber behavior of end users. The software collects fine-grained data on users for analysis

Evidence of personality traits on phishing attack menace among selected university undergraduates in Nigerian

Access ease, mobility, portability, and improved speed have continued to ease the adoption of computing devices; while, consequently proliferating phishing attacks. These, in turn, have created mixed feelings in increased adoption and nosedived users’ trust level of devices. The study recruited 480-students, who were exposed to socially-engineered attack directives. Attacks were designed toretrieve personal dataand entice participants to access compromised links. Wesought to determine the risks of cybercrimes among the undergraduates in selected Nigerian universities, observe students’ responses and explore their attitudes before/after each attack. Participants were primed to remain vigilant to all forms of scams as WE sought to investigate attacks’ influence on gender, students’ status, and age to perceived safety on susceptibility to phishing. Results show that contrary to public beliefs, age, status, and gender were not among the factors associated with scam susceptibility and vulnerability rates of the participants. However, the study reports decreased user trust levels in the adoption of these new, mobile computing devices

Assessing Generational Differences in Susceptibility to Social Engineering Attacks. A Comparison Between Millennial and Baby Boomer Generations

Digitaalse ühiskonna ajastul on sotsiaalse manipuleerimise ründed (social engineering attacks)väga edukad ja kahjuks kasutajad ei suuda ennast selliste rünnakute vastu kaitsta. Sotsiaalne manipuleerimine (social engineering) on keeruline probleem, mistõttu on väga raske eristada kõige kaitsetumaid kasutajaid. Sellised ründed ei ole suunatud ainult noorte ja töötajate vastu, vaid on laiaulatuslikud sõltumata vanusest. Tehnoloogia kiire kasvu ja selle ebasihipärase kasutamise tõttu on kõik selliste rünnakute poolt mõjutatud, kõik on haavatavad (Purkait, 2012; Aggarwal et al., 2012). Kasutajaid peetakse turvalisuse "nõrgimaks lüliks" (Mohebzada et al., 2012; Mitnick and Simon, 2011), ja seega konfidentsiaalse info kaitsmine peaks olema kõikide inimeste eesmärk. Hoolimata sellest, et on olemas erinevaid lahendusi kasutajate koolitamiseks selliste rünnakute vältimiseks, andmepüük on jätkuvalt edukas (Dhamija et al., 2006). See on eelkõige seetõttu, et küberteadlikkuse koolitused, teoreetilised kursused või raamistikud eeldatakse olevat võrdselt efektiivsed kõikidele kasutajatele vaatamata nende vanusest, kuigi kogemus näitab et see ei ole tõsi (Alseadoon, 2014). Selleks, et koolitused saaksid olla efektiivsed, on oluline et need on koostatud lähtudes sotsiaalse manipuleerimise turvanõrkustest, mis on erinevatel vanusegruppidel erinevad. Käesoleva töö eesmärgiks on põlvkondade unikaalsete tunnuste (demograafilised ja isikulised) ja nende haavatavuste faktorite määratlemine. Sellealusel on loodud raamistik, mis on võimalik rakendada ja mis addresseerib neid nõrkusi. Arvesse võttes probleemi keerikust, käesolev uurimistöö näitab, et on vaja läbi viia edasisi uurimusi laiemast perspektiivist lähtuvalt lisades "põlvkondade" elemendi uurimiseesmärkidesse, et kas on erinevusi haavatuse riskide osas läbi põlvkondade. Käesolev uurimistöö kasutab nii kvalitatiivseid kui kvantitatiivseid meetodeid eesmärkide saavutamiseks. Andmekogumise rünnaku efektiivsuse hindamisel analüüsitakse kasutajate käitumist ning antakse sellele psühholoogiline tõlgendus. Esimene uurimisküsimus keskendub sotsiaalne manipulatsiooni haavatavuse faktorite määratlemisele ja kvantitatiivsed andmed (statistiline analüüs) näitavad, et põlvkond on oluline element potentsiaalsete sotsiaalse manipulatsiooni ohvrite eristamisel, kusjuures arvutikasutusoskus ja haridustase ei määra olulist rolli hindamaks kasutajate tõenäosust langeda selliste rünnakute ohvriks. Eelpool toodud faktorite ja ka eelnevate uuringute alusel, ei ole ka sugu määrav faktor haavatavuse ennustamisel (Parsons et al., 2013). Teine uurimisküsimus püüab selgitada, mis põhjustab põlvkondade haavatavuse erinevusi ning uuringu tulemused näitavad, et Y-põlvkonna isikuomadused, sh teadvus, ekstravertsus ja meeldivus on põhifaktorid, mis mõjutavad haavatavust. Viimasena, lisaks tugeva aluse loomisel edaspidiseks põlvkondade haavatavuse uurimisel, pakub käesolev töö välja raamistiku, milles on eeltoodud leiud arvesse võetud ja mille eesmärk on vähendada Y-põlvkonna haavatust sotsiaalse manipuleerimise rünnakutele. Käesoleva magistritöö unikaalsus seisneb üldises lähenemisviisis: alates ulatuslikus kirjanduse ülevaates "põlvkondade" haavatavuse faktorite määratlemisega, statistilise analüüsiga haavatavuste hindamiseks ja lõpetades lahenduse väljapakkumisega, mis aitab lahendada "põlvkondade" turvalisuse probleemi.In the age of digital society Social Engineering attacks are very successful and unfortunately users still cannot protect themselves against these threats. Social Engineering is a very complex problem, which makes it difficult to differentiate among vulnerable users. These attacks not only target young users or employees, they select massively, regardless of the users' age. Due to the rapid growth of technology and its misuse, everyone is affected by these attacks, everyone is vulnerable to them (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011) and as such, protecting confidential information should be the ultimate goal of all people. However, despite the fact that a number of different strategies exists to educate or train endusers to avoid these attacks, they still do, phishing still succeeds (Dhamija et al., 2006). This is mainly because the existing security awareness trainings, theoretical courses, or frameworks are expected to be equally effective for all users regardless of their age, but experience has shown that this is not true (Alseadoon, 2014). In order for these security trainings to be effective, it is essential that they are composed based on the Social Engineering security weaknesses attributed differently to different generations. Identifying unique characteristics (demographic and personality) of generations, determinants of their vulnerability is what this work aims to do. Then frameworks crafted based on that information (addressing these weaknesses) would be of use and worth implementing. Therefore, taking into consideration the complexity of this problem, this study suggests that there is a need to research it from a broader perspective, adding the "generation" element into the study focus to find out if there is indeed any difference in susceptibility among generational cohorts. In order to do so, this research will adapt both qualitative and quantitative methods towards reaching its objectives. Collected-data of users' performance in a phishing assessment are analyzed and psychological translation of results is provided. Thus, the first research question seeks to address what factors determinate endusers vulnerability to Social Engineering, and results from quantitative data (statistical analysis) show that generation is an important element to differentiate potential victims of Social Engineering, whilst computer-efficacy or educational level do not play any noteworthy role in predicting endusers' likelihood of falling for these threats. In consistency with the above elements and previous studies, also gender is shown no potentiality in predicting susceptibility (Parsons et al., 2013). The second research question deems to explain what makes generations differ in susceptibility and this study's findings propose that generation Y personality traits such as consciousness, extraversion and agreeableness are key influencers of their shown vulnerability. Finally, along with establishing strong foundations for future research in studying generations susceptibility to Social Engineering, this thesis employ these findings in proposing a framework aiming to lessen millennial likelihood to Social Engineering victimization. The originality of this study lies on its overall approach: starting with an exhaustive literature review towards identifying factors impacting generations' susceptibility level, then statistically measuring their vulnerability, to finish with a solution proposal crafted to suit the observed generational security weaknesses

“A Bank Would Never Write That!” - A Qualitative Study on E-Mail Trust Decisions

In order to communicate the risk of fraudulent e-mails to users properly, it is important to know which aspects they focus on when evaluating the trustworthiness of an e-mail. To that end, a study was conducted to test predictions derived from a decision model by asking participants how they would react to each of eight e-mails and why. The study confirms results from previous research showing that content as well as visual and linguistic aspects, but also technical aspects such as sender address and link URL are considered by recipients. It also adds new findings like the fact that through experience and education, users form rules such as “A bank will never ask you for account details via e-mail” or the fact that attachments in HTML format or implausible sending times raise suspicions in users. These findings can be used to inform the design of anti-fraud education and user interfaces of e-mail clients

Analyzing Social and Stylometric Features to Identify Spear phishing Emails

Spear phishing is a complex targeted attack in which, an attacker harvests information about the victim prior to the attack. This information is then used to create sophisticated, genuine-looking attack vectors, drawing the victim to compromise confidential information. What makes spear phishing different, and more powerful than normal phishing, is this contextual information about the victim. Online social media services can be one such source for gathering vital information about an individual. In this paper, we characterize and examine a true positive dataset of spear phishing, spam, and normal phishing emails from Symantec's enterprise email scanning service. We then present a model to detect spear phishing emails sent to employees of 14 international organizations, by using social features extracted from LinkedIn. Our dataset consists of 4,742 targeted attack emails sent to 2,434 victims, and 9,353 non targeted attack emails sent to 5,912 non victims; and publicly available information from their LinkedIn profiles. We applied various machine learning algorithms to this labeled data, and achieved an overall maximum accuracy of 97.76% in identifying spear phishing emails. We used a combination of social features from LinkedIn profiles, and stylometric features extracted from email subjects, bodies, and attachments. However, we achieved a slightly better accuracy of 98.28% without the social features. Our analysis revealed that social features extracted from LinkedIn do not help in identifying spear phishing emails. To the best of our knowledge, this is one of the first attempts to make use of a combination of stylometric features extracted from emails, and social features extracted from an online social network to detect targeted spear phishing emails.Comment: Detection of spear phishing using social media feature