13 research outputs found

    Experimental social engineering: investigation and prevention


    Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention

    The objective of this study is to get insight into the effectiveness of an information campaign to counter a social engineering attack via the telephone. Four different offenders phoned 48 employees and made them believe that their PC was distributing spam emails. Targets were told that this unfortunate situation could be solved by downloading and executing software from a website (i.e. an untrusted one). A total of 46.15% of the employees not exposed to the intervention followed the instructions of the offender. This was significantly different from those exposed to an intervention 1 week prior to the attack (9.1%); however, there was no effect for those exposed to an intervention 2 weeks prior to the attack (54.6%). This research suggests that scam awareness-raising campaigns reduce vulnerability only in the short term.

    Investigating the usability and utility of tangible modelling of socio-technical architectures

    Socio-technical models are models that represent social as well as technical elements of the modelling subject, where the technical part consists of both physical and digital elements. Examples are enterprise models and models of the target of assessment used in risk assessment. Constructing and validating these models often implies the challenging task of extracting and integrating information from a multitude of stakeholders who are rarely modelling experts and do not usually have the time or desire to engage in modelling activities. We investigate a promising approach to overcome this challenge by using physical tokens to represent the model. We call the resulting models tangible models. In this paper we illustrate this idea by creating a tangible representation of a socio-technical modelling language used in risk assessment and provide an initial validation of the relative usability and utility of tangible versus abstract modelling by an experiment and a focus group, respectively. We discuss possible psychological and social mechanisms that could explain the enhanced usability and utility of tangible modelling approaches for domain experts. Finally, we discuss the generalizability of this approach to other languages and modelling purposes.

    Physical location of smart key activators: A building security penetration test

    Purpose: When security managers choose to deploy a smart lock activation system, the number of units needed and their location needs to be established. This study aims to present the results of a penetration test involving smart locks in the context of building security. The authors investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures. Design/methodology/approach: Twenty-seven different "offenders" visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key. Findings: A total of 58.6 per cent of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away. Research limitations/implications: The results suggest that installing additional key activators is not conducive to reducing the building's security vulnerability associated with the handing over of keys to strangers. Originality/value: No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).

    The success of social engineering (Het succes van social engineering)

    Social engineering is an attack technique in which deception and fraud are used to make targets actively cooperate in their own victimisation. In this article, insight is given into social engineering practices by means of a practical example and the associated theories. In addition, three experiments (i.e. face-to-face, telephone and email) are discussed in which systematic research into this danger is central. The results give insight into how vulnerable an organisation is to social engineering and which employees benefit most from an awareness campaign.

    Social engineering is the usage of social manipulation and psychological tricks to make the targets assist offenders in their attack. This paper aimed to discuss the success of social engineering attacks and interventions in an organisational setting. Three kinds of social engineering experiments were discussed, each using a different modality (i.e. face-to-face (f2f), email and telephone). In each experiment, the targets (i.e. participants) were persuaded to perform actions that contribute to their victimisation. A portion of the participants in both the f2f and telephone experiments received an intervention to reduce victimisation. The conclusion is that awareness raising about dangers, characteristics and countermeasures related to social engineering proved to have a significant positive effect on protecting the target. The results of these experiments allow practitioners to focus awareness campaigns to maximise their effectiveness.

    How effective are social engineering interventions? A meta-analysis

    Purpose: Social engineering is a prominent aspect of online crime. Various interventions have been developed to reduce the success of this type of attack. This paper aims to investigate if interventions can help to decrease the vulnerability to social engineering attacks. If they help, the authors investigate which forms of interventions and specific elements constitute success. Design/methodology/approach: The authors selected studies which had an experimental design and rigorously tested at least one intervention that aimed to reduce the vulnerability to social engineering. The studies were primarily identified from querying the Scopus database. The authors identified 19 studies, which led to the identification of 37 effect sizes, based on a total sample of N = 23,146 subjects. The available training, intervention materials and effect sizes were analysed. The authors collected information on the context of the intervention, the characteristics of the intervention and the characteristics of the research methodology. All analyses were performed using random-effects models, and heterogeneity was quantified. Findings: The authors find substantial differences in effect size for the different interventions. Some interventions are highly effective; others have no effect at all. Highly intensive interventions are more effective than those that are low on intensity. Furthermore, interventions with a narrow focus are more effective than those with a broad focus. Practical implications: The results of this study show differences in effect for different elements of interventions. This allows practitioners to review their awareness campaigns and tailor them to increase their success. Originality/value: The authors believe that this is the first study that compares the impact of social engineering interventions systematically.

    Argumentation-based security requirements elicitation: the next round

    Information security risk assessment (RA) can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several case studies. Challenges such as scalability, quantifiability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of information systems while also drawing more general conclusions on the role of argumentation in security.

    Spear phishing in organisations explained

    Purpose: The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient. Design/methodology/approach: Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails. Findings: Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient's years of service within the organisation are taken into account. Practical implications: This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect. Originality/value: The innovative aspect relates to explaining spear phishing using four sociodemographic variables.