Social engineering in cybersecurity: The evolution of a concept

Abstract: This paper offers a history of the concept of social engineering in cybersecurity and argues that while the term began its life in the study of politics, and only later gained usage within the domain of cybersecurity, these are applications of the same fundamental ideas: epistemic asymmetry, technocratic dominance, and teleological replacement. The paper further argues that the term's usages in both areas remain conceptually and semantically interrelated. Moreover, ignorance of this interrelation continues to handicap our ability to identify and rebuff social engineering attacks in cyberspace. The paper's conceptual history begins in the nineteenth century in the writings of the economists John Gray and Thorstein Veblen. An analysis of scholarly articles shows the concept's proliferation throughout the early to mid-twentieth century within the social sciences and beyond. The paper then traces the concept's migration into cybersecurity through the 1960s–1980s utilizing both scholarly publications and memoir accounts – including interviews with then-active participants in the hacker community. Finally, it reveals a conceptual array of contemporary connotations through an analysis of 134 definitions of the term found in academic articles written about cybersecurity from 1990 to 2017.
