Social engineering defence mechanisms and counteracting training strategies

Purpose: This paper aims to outline strategies for defence against social engineering that are missing from the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinary nature of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it.

Design/methodology/approach: The authors conducted a literature review from the viewpoint of IT security and the viewpoint of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings.

Findings: The authors analysed gaps in social engineering defences and mapped them to the underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies’ bars against social engineering attacks.

Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
