12 research outputs found

    Towards a Proof-of-Principle of an LLM-powered Low Resource Social Engineering Attack Coach

    This article investigates the potential misuse of large language models (LLM) for low-resource, highly personalised social engineering attacks. The study explores how ChatGPT can infer personality traits during natural conversations by leveraging publicly available personal information, such as social media data, as an entry point. Utilising the social engineering personality framework (SEPF), the research endeavours to optimise attack vectors based on the Big Five personality traits, with the objective of enhancing the persuasiveness of social engineering strategies. The approach is divided into four phases: verifying conversational capabilities, conducting personality analyses, applying the SEPF for attack optimisation, and evaluating the persuasiveness of personalised attacks. The present paper offers a proof-of-principle for the initial phase, demonstrating ChatGPT’s capacity to engage in natural conversations while conducting personality analyses in a discreet manner. The findings indicate that while ChatGPT exhibits the capacity to simulate human-like interactions, limitations in conversational variance and the reliability of personality assessment were observed. The study identifies challenges such as generalisations, lack of score differentiation, and confirmation bias, and proposes refinements like increasing interaction depth, adjusting scoring scales, and using tailored personas. Subsequent research will investigate enhanced personality inference techniques, personalisation of attack vectors, and their impact on susceptibility to social engineering attacks

    Research Project: ATHENA - Boosting cyber resilience of critical infrastructure in the water sector through innovative and co-created competence building

    The EU-sponsored ATHENA project explores innovative training approaches with the objective of enhancing cyber resilience in the critical infrastructure in the water sector

    Identifying Personality Factors in Large Language Models using a Psycho-Lexical Approach

    Introduction: In the field of human psychology, the study of personality traits was a major research endeavour extending over several decades. Considering personality as stable, underlying dimensions that influence behaviour, a similar construct can be assumed in large language models (LLMs). However, most research in the field of machine personality relies on unverified assumptions or is afflicted by methodological weaknesses. The present work is the first to present a psycho-lexical analysis of machine personality. Methods: The psycho-lexical approach together with an exploratory factor analysis was adopted. Interview-like interactions were conducted with various LLMs (N = 400), and their behaviour was evaluated using a set of adjectives commonly used to describe personality traits. The ratings were subjected to an exploratory factor analysis to extract LLM-specific personality factors. Results: Five stable factors were extracted and interpreted. The five factors were termed Antagonism, Spirit, Conscientiousness, Negative Introversion, and Simple-Mindedness. Conclusion: The present work addresses the lack of systematic and fundamental approaches to the study of personality in LLMs. It is the first to present an LLM-specific factor structure of personality, suggesting that humans and LLMs exhibit different personality traits

    Cybersecurity-related support needs and challenges incurred by informal support: a study among Estonian home users

    Estonia, recognized for its robust e-services and cybersecurity, currently lacks a dedicated cybersecurity support service for laypeople to address private cybersecurity issues. Instead, citizens rely primarily on friends and family for assistance. This study explores the cybersecurity support needs of Estonian home users, analyzing the concept of “cybersecurity caregiving,” where individuals offer voluntary, informal cybersecurity help. Using a mixed-methods approach, the study conducted seven interviews and surveyed 161 participants, broadly reflecting Estonia’s demographic makeup. Key findings indicate that users seek support primarily in cyber incident handling and situational awareness, with desired support characterized by accuracy, speed, accessibility, understandability, and cost-free availability. However, informal support often lacks accuracy and promptness, highlighting a gap that a professional support service could address. Additional findings reveal demographic-based risk patterns, where younger users, high-frequency internet users, and men report higher anticipation of poor advice, while women report dependency on cybersecurity caregivers. The study underscores the need for (1) education on personal cybersecurity priorities and self-reliance in cybersecurity; (2) empowering cybersecurity caregivers with resources; and (3) establishing professional cybersecurity support services. It makes recommendations to bolster Estonia’s cyber resilience and proposes potential future research to address gaps for non-Estonian speakers and minors

    Dictionary Attack with Transformed Russian Words using QWERTY Keyboard Layout

    Despite the known vulnerabilities of passwords, the username-password combination remains the most widely used authentication method. Many users still choose simple, memorable passwords, making them susceptible to dictionary attacks. These attacks are especially effective when using target-specific wordlists. This paper introduces a novel wordlist tailored to Russian-speaking users who may type passwords using the QWERTY layout while writing in Russian, leading to seemingly random character strings. Based on this assumption, a dictionary of transformed Russian words was compared with one million unique Russian passwords. The analysis revealed that around 1% of the passwords exactly matched transformed entries, and an additional 6% partially matched, supporting the effectiveness of this new wordlist approach

    Patient informed consent, ethical and legal considerations in the context of digital vulnerability with smart, cardiac implantable electronic devices

    Advancements in digitalisation with cardiac implantable electronic devices (CIEDs) allow patients opportunities for improved autonomy, quality of life, and a potential increase in life expectancy. However, with the digital and functional practicalities of CIEDs, there also exist cyber safety issues with transferring wireless information. If a digital network were to be hacked, a CIED patient could experience both the loss of sensitive data and the loss of functional control of the CIED due to an unwelcome party. Moreover, if a CIED patient were to become victim of a cyber attack, which resulted in a serious or lethal event, and if this information were to become public, the trust in healthcare would be impacted and legal consequences could result. A cyber attack therefore poses not only a direct threat to the patient’s health but also the confidentiality, integrity, and availability of the CIED, and these cyber threats could be considered “patient-targeted threats.” Informed consent is a key component of ethical care, legally concordant practice, and promoting patient-as-partner therapeutic relationships [1]. To date, there are no standardised guidelines for listing cybersecurity risks within the informed consent or for discussing them during the consent process. Providers are responsible for adhering to the ethical principles of autonomy, beneficence, non-maleficence, and justice, both in medical practice generally and the informed consent process specifically. At present, the decision to include cybersecurity risks is mainly left to the provider’s discretion, who may also have limited cyber risk information. Without effective and in-depth communication about all possible cybersecurity risks during the consent process, CIED patients can be left unaware of the privacy and physical risks they possess by carrying such a device. Therefore, cyber risk factors should be covered within the patients’ informed consent and reviewed on an ongoing basis as new risk information becomes available. By including cyber risk information in the informed consent process, patients are given the autonomy to make the best-informed decision

    Human-Human Communication in Cyber Threat Situations

    In cyber threat situations, decision-making processes within organizations and between the affected organization and external entities are high-stake. They require human communication entailing technical complexity, time pressure, interdisciplinary factors, and often an insufficient information basis. Communication in cyber threat situations can thus be challenging and has a variety of implications for decision-making. The cyber-physical system is a rapidly changing socio-technical system that is understudied in terms of how cyber events are communicated and acted upon to secure and maintain cyber resilience. The present study is the first to review human-to-human communication in cyber threat situations. Our aims are to outline how human-human communication performance in cybersecurity settings have been studied, to uncover areas where there is potential for developing common standards for information exchange in collaborative settings, and to provide guidance for future research efforts. The review was carried out according to the PRISMA guidelines and articles were searched for on scientific databases. Articles focusing on human-human communication in cyber threat situations published in peer reviewed journals or as conference papers were included. A total of 17 studies were included in the final review. Most of the studies were correlational and exploratory in nature. Very few studies characterize communication in useful goal-related terms. There is a need for more collaboration between cyber defense exercise-organizers and cognitive scientists. Future studies should assess how team mental model-development affects team communication and performance in cyber defense exercises

    Mental Resilience (Mental motstandskraft)

    How is interstate conflict fought in the cyber domain? The new possibilities associated with artificial intelligence, big data and digital surveillance are changing how states conduct modern warfare. Cyberattacks and large-scale influence operations have become important tools for achieving objectives and increased influence. This new reality represents a major challenge for national defence institutions, which must adapt to new and, for now, rather unfamiliar terrain. The purpose of this book is to give a practical introduction to how states use the cyber domain to exercise both hard and soft power. The book examines the legal and ethical room for manoeuvre for cyber operations and discusses what lessons we can draw from earlier incident handling. The book is for you who are interested in, work with, or are studying technology or security policy. It is written as an interdisciplinary introduction with Norwegian experts from a range of disciplines at leading institutions