Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits

Organizations often suffer harm from individuals who bear no malice against them but whose actions unintentionally expose the organizations to risk: the unintentional insider threat (UIT). In this paper we examine UIT cases that derive from social engineering exploits. We report on our efforts to collect and analyze data from UIT social engineering incidents to identify possible behavioral and technical patterns and to inform future research and development of UIT mitigation strategies.
