Dissecting social engineering

In information security terms, social engineering (SE) refers to incidents in which an information system is penetrated through the use of social methods. The literature to date (40 texts), which was reviewed for this article, emphasises individual techniques in its description of SE. This leads to a very scattered, anecdotal, and vague notion of SE. In addition, due to the lack of analytical concepts, research conducted on SE encounters difficulties in explaining the success of SE. In such explanations, the victim's psychological traits are overemphasised, although this kind of explanation can cover only a small portion of SE cases. In this article, we have sought to elaborate the concept of SE through analysis of the functions of different techniques. In this way, we have been able to extrapolate three dimensions of SE: persuasion, fabrication, and data gathering. By utilising these dimensions, SE can be grasped in all its aspects instead of through individual techniques. Furthermore, research can benefit from our multidimensional approach as each of the dimensions pertains to a different theory. Therefore, the victim's personal traits cannot function as the only explanation. All in all, the analysis, understanding, and explanation of the success of SE can be furthered using our new approach.
