Victim Communication Stack (VCS): A flexible model to select the Human Attack Vector

Information security has grown rapidly to meet the requirements of today's services. A solid discipline has been developed as far as technical security is concerned. However, the human layer plays an increasingly decisive role in the management of Information Technology (IT) systems. The research field that studies the vulnerabilities of the human layer is referred to as Social Engineering, and it has not received the same attention as its technical counterpart. We try to partially fill this gap by studying the selection of the Human Attack Vector (HAV), i.e., the path or the means that the attacker uses to compromise the human layer. To this end, we propose a multilayer model, named Victim Communication Stack (VCS), that provides the key elements to facilitate the choice of the HAV. This work has been carried out under the DOGANA European project.
