Towards Effective Assessment for Social Engineering Attacks

Social engineering attacks have drawn increasing attention from both academia and industry because of the serious threats they pose to information security through the exploitation of human vulnerabilities. Unlike technology-based attacks, which have been investigated for decades, there is no efficient security requirements analysis approach for dealing with social engineering attacks. One major obstacle is the uncertainty of human behavior, which makes it difficult to assess social engineering attacks effectively. In this paper, we investigate the nature of social engineering attacks and identify their essential factors. Based on these findings, we formulate the problem of social engineering attack assessment so that it can be quantified using probabilistic model checking. Finally, we present a research agenda that details critical research directions and discusses the corresponding challenges.
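
As an added illustration that is not part of the paper, the following Python example shows what "quantified using probabilistic model checking" amounts to in practice: a phishing scenario is modelled as a small discrete-time Markov chain (DTMC), and the PCTL reachability queries P=? [F creds_entered] (unbounded) and P=? [F<=k creds_entered] (step-bounded) are computed exactly with rational arithmetic, the same queries one would hand to a checker such as PRISM. The scenario, its states and every transition probability are constructed assumptions for this example, not figures from the paper; the chain deliberately contains a cycle (a suspicious victim who is reassured by an attacker's follow-up call) so that the unbounded query needs a linear system rather than a single path product.

```python
"""Worked example (not from the paper): probabilistic reachability on a DTMC
model of a phishing attack.  All states and probabilities are constructed
assumptions chosen to illustrate the technique."""
from fractions import Fraction as F


def phishing_model(click_prob="1/2"):
    """Build a DTMC as {state: {successor: probability}}.

    click_prob is P(victim clicks | email opened); pass a string such as "1/5"
    to keep the arithmetic exact.  Lowering it stands in for a countermeasure
    such as awareness training.  Hypothetical scenario: if the victim becomes
    suspicious, the attacker follows up with a pretext call that reassures the
    victim half of the time, which is why the chain contains a cycle.
    """
    click, suspicious = F(click_prob), F(1, 5)
    dtmc = {
        "start":         {"email_opened": F(3, 5), "ignored": F(2, 5)},
        "email_opened":  {"link_clicked": click, "suspicious": suspicious,
                          "ignored": 1 - click - suspicious},
        "link_clicked":  {"creds_entered": F(7, 10), "suspicious": F(1, 5),
                          "ignored": F(1, 10)},
        "suspicious":    {"link_clicked": F(1, 2), "report": F(1, 2)},
        "creds_entered": {"creds_entered": F(1)},  # attacker goal, absorbing
        "report":        {"report": F(1)},         # attack detected, absorbing
        "ignored":       {"ignored": F(1)},        # attack fizzles, absorbing
    }
    for s, succ in dtmc.items():  # every row must be a probability distribution
        assert all(p >= 0 for p in succ.values()) and sum(succ.values()) == 1, s
    return dtmc


def reachable_to(dtmc, target):
    """States from which `target` is reachable with positive probability."""
    preds = {s: set() for s in dtmc}
    for s, succ in dtmc.items():
        for t, p in succ.items():
            if p > 0:
                preds[t].add(s)
    seen, work = {target}, [target]
    while work:  # backward BFS from the target
        for s in preds[work.pop()]:
            if s not in seen:
                seen.add(s)
                work.append(s)
    return seen


def solve(matrix, rhs):
    """Exact Gauss-Jordan elimination over Fractions for a square system."""
    n = len(rhs)
    a = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[piv] = a[piv], a[col]
        a[col] = [v / a[col][col] for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [a[i][n] for i in range(n)]


def prob_reach(dtmc, target):
    """P=? [F target] for every state (unbounded reachability probability).

    States that cannot reach the target get 0, the target gets 1, and the
    remaining states x satisfy (I - A) x = b, with A the transition matrix
    restricted to those states and b the one-step probability into the target.
    """
    maybe = [s for s in dtmc if s in reachable_to(dtmc, target) and s != target]
    idx = {s: i for i, s in enumerate(maybe)}
    mat = [[F(int(i == j)) for j in range(len(maybe))] for i in range(len(maybe))]
    rhs = [F(0)] * len(maybe)
    for s in maybe:
        for t, p in dtmc[s].items():
            if t == target:
                rhs[idx[s]] += p
            elif t in idx:
                mat[idx[s]][idx[t]] -= p
    result = {s: F(0) for s in dtmc}
    result[target] = F(1)
    result.update(zip(maybe, solve(mat, rhs)))
    return result


def prob_reach_bounded(dtmc, target, k):
    """P=? [F<=k target]: probability of reaching target within k steps."""
    p = {s: F(int(s == target)) for s in dtmc}
    for _ in range(k):
        p = {s: F(1) if s == target else sum(q * p[t] for t, q in dtmc[s].items())
             for s in dtmc}
    return p


if __name__ == "__main__":
    goal = "creds_entered"
    base = prob_reach(phishing_model(), goal)["start"]
    trained = prob_reach(phishing_model(click_prob="1/5"), goal)["start"]
    print(f"P[F {goal}] from start:           {base} = {float(base):.3f}")
    print(f"P[F {goal}] with click prob 1/5:  {trained} = {float(trained):.3f}")
    print(f"P[F<=5 {goal}] from start:        {prob_reach_bounded(phishing_model(), goal, 5)['start']}")
```

Under these assumed probabilities the attacker's success probability from the initial state is 7/25 (0.28), and it falls to 7/50 (0.14) when the click probability is lowered from 1/2 to 1/5; the bounded query P[F<=5 creds_entered] evaluates to 273/1000, because only the three shortest paths fit within five steps. This before/after comparison is the kind of quantitative assessment the abstract refers to; a real assessment would draw its probabilities from measurements such as phishing-simulation click rates rather than from the constructed values used here.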
