Theodore Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2203.08302

2022-03-15

Cryptography and Security

Abstract:Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.

Rosana Montañez Rodriguez,Adham Atyabi,Shouhuai

DOI: https://doi.org/10.48550/arXiv.2203.04813

2022-03-09

Cryptography and Security

Abstract:Social engineering attacks are phenomena that are equally applicable to both the physical world and cyberspace. These attacks in the physical world have been studied for a much longer time than their counterpart in cyberspace. This motivates us to investigate how social engineering attacks in the physical world and cyberspace relate to each other, including their common characteristics and unique features. For this purpose, we propose a methodology to unify social engineering attacks and defenses in the physical world and cyberspace into a single framework, including: (i) a systematic model based on psychological principles for describing these attacks; (ii) a systematization of these attacks; and (iii) a systematization of defenses against them. Our study leads to several insights, which shed light on future research directions towards adequately defending against social engineering attacks in cyberspace.

Pavlo Burda,Luca Allodi,Nicola Zannone

DOI: https://doi.org/10.1145/3635149

IF: 4.106

2023-11-30

ACM Transactions on Computer-Human Interaction

Abstract:The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental methods, and interactions with underlying cognitive aspects. As a consequence, much potential in the breadth of existing empirical SE research and in its mapping to the actual cognitive processes it aims to measure is left untapped. In this work, we carry out a systematic review of 169 articles investigating overall 735 hypotheses in the field of empirical SE research, focusing on experimental characteristics and core cognitive features from both attacker and target perspectives. Our study reveals that experiments only partially reproduce real attacks and that the exploitable SE attack surface appears much larger than the coverage provided by the current body of research. Factors such as targets’ context and cognitive processes are often ignored or not explicitly considered in experimental designs. Similarly, the effects of different pretexts and varied targetization levels are overall marginally investigated. Our findings on current SE research dynamics provide insights into methodological shortcomings and help identify supplementary techniques that can open promising future research directions.

computer science, information systems, cybernetics

Theodore Tangie Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.1109/jproc.2024.3379855

IF: 20.6

2024-05-03

Proceedings of the IEEE

Abstract:Internet-based social engineering (SE) attacks are a major cyber threat. These attacks often serve as the first step in a sophisticated sequence of attacks that target, among other things, victims' credentials and can cause financial losses. The problem has received mounting attention in recent years, with many publications proposing defenses against SE attacks. Despite this, the situation has not improved. In this article, we aim to understand and explain this phenomenon by investigating the root cause of the problem. To this end, we examine Internet-based SE attacks and defenses through a unique lens based on psychological factors (PFs) and psychological techniques (PTs). We find that there is a key discrepancy between attacks and defenses: SE attacks have deliberately exploited 46 PFs and 16 PTs in total, but existing defenses have only leveraged 16 PFs and seven PTs in total. This discrepancy may explain why existing defenses have achieved limited success and prompt us to propose a systematic roadmap for future research.

engineering, electrical & electronic

Amrut Kajave,Shazny Ahmed Hussain Nismy

DOI: https://doi.org/10.48550/arXiv.2212.12309

2022-12-08

Abstract:Social engineering is described as the art of manipulation. Cybercriminal use manipulation to victims their targets using psychological principles to change their behavior to make unconscious decisions. This study identifies the attack and techniques used by cybercriminal to conduct social engineering attacks within an organization. This study evaluate how social engineering attacks are delivered, techniques used and highlights how attackers take advantage Compromised systems. Lastly this study will also evaluate and provide the best solutions to help mitigate social engineering attacks with an organization

Cryptography and Security

Heidi Wilcox,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.2005.04049

2020-05-08

Cryptography and Security

Abstract:Social engineering through social media channels targeting organizational employees is emerging as one of the most challenging information security threats. Social engineering defies traditional security efforts due to the method of attack relying on human naivet\'e or error. The vast amount of information now made available to social engineers through online social networks is facilitating methods of attack which rely on some form of human error to enable infiltration into company networks. While, paramount to organisational information security objectives is the introduction of relevant comprehensive policy and guideline, perspectives and practices vary from global region to region. This paper identifies such regional variations and then presents a detailed investigation on information security outlooks and practices, surrounding social media, in Australian organisations (both public and private). Results detected disparate views and practices, suggesting further work is needed to achieve effective protection against security threats arsing due to social media adoption.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wanga

DOI: https://doi.org/10.1016/s1361-3723(21)00108-1

2021-01-01

Computer Fraud & Security

Abstract:Social engineers are very successful at exploiting human weaknesses, gathering information, communicating with people and creating creative storylines attacking people's psychological needs and weaknesses. And that is why people, who are among the weakest links in the information security chain, remain susceptible to social engineering attacks.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.2301.05920

2023-01-14

Cryptography and Security

Abstract:Human cognitive capacities and the needs of human-centric solutions for "Industry 5.0" make humans an indispensable component in Cyber-Physical Systems (CPSs), referred to as Human-Cyber-Physical Systems (HCPSs), where AI-powered technologies are incorporated to assist and augment humans. The close integration between humans and technologies in Section 1.1 and cognitive attacks in Section 1.2.4 poses emerging security challenges, where attacks can exploit vulnerabilities of human cognitive processes, affect their behaviors, and ultimately damage the HCPS. Defending HCPSs against cognitive attacks requires a new security paradigm, which we refer to as "cognitive security" in Section 1.2.5. The vulnerabilities of human cognitive systems and the associated methods of exploitation distinguish cognitive security from "cognitive reliability" and give rise to a distinctive CIA triad, as shown in Sections 1.2.5.1 and 1.2.5.2, respectively. Section 1.2.5.3 introduces cognitive and technical defense methods that deter the kill chain of cognitive attacks and achieve cognitive security. System scientific perspectives in Section 1.3 offer a promising direction to address the new challenges of cognitive security by developing quantitative, modular, multi-scale, and transferable solutions.

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

Vladislav D. Veksler,Norbou Buchler,Blaine E. Hoffman,Daniel N. Cassenti,Char Sample,Shridat Sugrim

DOI: https://doi.org/10.3389/fpsyg.2018.00691

IF: 3.8

2018-05-15

Frontiers in Psychology

Abstract:Computational models of cognitive processes may be employed in cyber-security tools, experiments, and simulations to address human agency and effective decision-making in keeping computational networks secure. Cognitive modeling can addresses multi-disciplinary cyber-security challenges requiring cross-cutting approaches over the human and computational sciences such as the following: (a) adversarial reasoning and behavioral game theory to predict attacker subjective utilities and decision likelihood distributions, (b) human factors of cyber tools to address human system integration challenges, estimation of defender cognitive states, and opportunities for automation, (c) dynamic simulations involving attacker, defender, and user models to enhance studies of cyber epidemiology and cyber hygiene, and (d) training effectiveness research and training scenarios to address human cyber-security performance, maturation of cyber-security skill sets, and effective decision-making. Models may be initially constructed at the group-level based on mean tendencies of each subject's subgroup, based on known statistics such as specific skill proficiencies, demographic characteristics, and cultural factors. For more precise and accurate predictions, cognitive models may be fine-tuned to each individual attacker, defender, or user profile, and updated over time (based on recorded behavior) via techniques such as model tracing and dynamic parameter fitting.

psychology, multidisciplinary

Mohamed Zaoui,Belfaik Yousra,Sadqi Yassine,Maleh Yassine,Ouazzane Karim

DOI: https://doi.org/10.1109/access.2024.3403197

IF: 3.9

2024-05-28

IEEE Access

Abstract:Social engineering (SE) attacks are a growing concern for organizations that rely on technology to protect sensitive data. Identifying and preventing these attacks can be challenging, as they frequently rely on manipulating human behavior rather than exploiting technical vulnerabilities. Although various studies have explored SE attacks and their defense mechanisms, there remains a gap in the literature concerning the holistic and layered classification of these threats and countermeasures. To address this, we conducted a comprehensive literature survey to understand existing taxonomies and subsequently identified areas that required a more structured and exhaustive categorization. Based on the survey results, we propose a comprehensive taxonomy of SE attacks, classifying them based on three levels: environment, approaches, and mediums. Additionally, we present a taxonomy of social engineering countermeasures, encompassing both technical and non-technical solutions. The proposed taxonomies serve as a foundation for future research and offer organizations a valuable framework for developing effective strategies to detect, prevent, and respond to social engineering incidents.

computer science, information systems,telecommunications,engineering, electrical & electronic

Christine Vitiello,David Uzcha,L. Fenstermacher,S. Shellman,Katie Larson

DOI: https://doi.org/10.1117/12.2666777

2023-06-14

Abstract:Cognitive warfare is not new. Weaker parties in an asymmetric conflict have manipulated information and ideas to convince stronger opponents to not fight (e.g., the Trojan Horse). What is new is the extent to which technologies enable cognitive warfare – resulting in the delegitimization of governments by sowing discord and creating division in order to compel acceptance of political will Information sharing tools enable adversaries to interfere more directly than ever with national political processes as well as citizens minds3. Cognitive warfare is considered a new domain of warfare, along with land, maritime, air, space and cyber (technical). The goal of cognitive warfare attacks is to alter or mislead the thoughts of leaders and operators, of members of entire social or professional classes, of the men and women in an army, or on a larger scale, of an entire population in a given region, country or group of countries and impact territory, influence, service interruptions, transportation, etc. The means could be social cyber, cyber technical, electronic warfare, and broadcast, etc. Senior officers and strategists in the Chinese People’s Liberation Army (PLA) claim that AI, neuroscience, and digital applications (e.g., social media) will be able to influence enemies by affecting human cognition directly, Russia’s Gerasimov doctrine talks of the “battlespace of the mind”, Pocheptsov provides examples including creation of fake events and objects and organizing protest actions in Ukraine. Dr Giordano stated, “the brain is the battlefield of the future”. This paper will highlight current examples of cognitive warfare, touch on enabling technologies and relevant social science principles of influence (cognitive and social), highlight existing analytics, introduce the “House model” which identifies pillars of relevant fields of knowledge as well as operationally relevant aspects related to the pillars as potentially helpful framework for thinking about cognitive warfare and identifying needed research.

Political Science,Engineering

Bhagwant Singh,Dr. Sikander Singh Cheema

DOI: https://doi.org/10.35444/ijana.2024.16108

2024-01-01

International Journal of Advanced Networking and Applications

Abstract:This paper explores the link between psychology and cybersecurity, focusing on the vital role of cognitive shields in strengthening digital security. In the rapidly changing cyberspace, understanding and using psychological defenses are crucial for dealing with evolving threats. This paper stressing the need for a holistic cybersecurity approach that considers the human factor. By investigating how human thinking connects with cyber threats, this study builds a basic understanding of the complex landscape. The core of the review looks into cognitive shields, categorizing and explaining their various aspects. From the impact of cognitive biases to the use of threat intelligence guided by psychological principles, the study explores different applications of cognitive shields. Despite their importance, the paper acknowledges challenges in implementing cognitive shields and highlights the ongoing need for innovation.

Tong Li,Xiaowei Wang,Yeming Ni

DOI: https://doi.org/10.1016/j.is.2020.101699

IF: 3.18

2022-02-01

Information Systems

Abstract:<p>Along with the rapid development of socio-technical systems, people are playing an increasingly important role in information system and have actually become an essential system component. However, unlike technology-based attacks that have been investigated for decades, social engineering attacks have not been efficiently addressed. In particular, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering based on a systematic review of existing social engineering taxonomies and ontologies in order to provide a theoretical foundation for social engineering analysis. The essential contributions of this paper include: (1) propose a comprehensive ontology of social engineering and precisely specify ontological definitions of its essential concepts based on Situation Calculus; (2) enumerate and summarize a set of social engineering techniques and present their fine-grained classification based on the proposed ontology; (3) incorporate psychology and sociology knowledge into social engineering analysis, encapsulating such knowledge in terms of a formalized ontology. We have evaluated our ontology based on a set of real social engineering attacks, the results of which show the usefulness of our proposal.</p>

computer science, information systems

Affan Yasin,Rubia Fatima,Lin Liu,Awaid Yasin,Jianmin Wang

DOI: https://doi.org/10.1002/spy2.73

2019-01-01

Abstract:The previous year has seen an enormous increase in the studies related to social engineering. This increase is partly due to increasing number of social engineering attacks and partly due to people's inability to identify the attack. Thus, it is of great importance to find solutions which are helpful for human to understand the social engineering attacks and scenarios. To address this, we have performed a literature review of studies (on social engineering) in top-notch journals and conferences. In this paper, we have enlisted the types of attacks, and the persuasion techniques used by social engineers as listed in the literature. We also combined different theories which researchers tried to use to explain various activities of social engineers. Furthermore, we have mentioned that a better understanding of the social engineering attack scenarios can be done using thematic and game-based analysis techniques. Preliminary empirical evaluation of the proposed game based method shows overall neutral results. Future extension and evaluation is needed for the proposed methods.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wang,Raian Ali,Ziqi Wei

DOI: https://doi.org/10.1002/spy2.161

2021-01-01

Security and Privacy

Abstract:Malicious scammers and social engineers are causing great harms to modern society, as they have led to the loss of data, information, money, and many more for individuals and companies. Knowledge about social engineering (SE) is wide‐spread and it exits in non‐academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources, guided by academic principles around SE, and solicit existing SE scenarios from public awareness education materials, news stories, research literature, official advisories to public departments. We adopted grounded theory to extract the general knowledge behind SE, such as, attacking cycles, information gathering strategies, psychological principles, attack vectors, and so on. In this article, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: (a) understand the rationale of social engineers; (b) capture the knowledge of SE attacks and extract important information from the sources; (c) propose an activity for counteracting SE attacks, and how it can be used in security education.

Edward A. Cranford,Cleotilde Gonzalez,Palvi Aggarwal,Milind Tambe,Sarah Cooney,Christian Lebiere

DOI: https://doi.org/10.1111/cogs.13013

IF: 2.617

2021-07-01

Cognitive Science

Abstract:<p>This work is an initial step toward developing a cognitive theory of cyber deception. While widely studied, the psychology of deception has largely focused on physical cues of deception. Given that present-day communication among humans is largely electronic, we focus on the cyber domain where physical cues are unavailable and for which there is less psychological research. To improve cyber defense, researchers have used signaling theory to extended algorithms developed for the optimal allocation of limited defense resources by using deceptive signals to trick the human mind. However, the algorithms are designed to protect against adversaries that make perfectly rational decisions. In behavioral experiments using an abstract cybersecurity game (i.e., Insider Attack Game), we examined human decision-making when paired against the defense algorithm. We developed an instance-based learning (IBL) model of an attacker using the Adaptive Control of Thought-Rational (ACT-R) cognitive architecture to investigate how humans make decisions under deception in cyber-attack scenarios. Our results show that the defense algorithm is more effective at reducing the probability of attack and protecting assets when using deceptive signaling, compared to no signaling, but is less effective than predicted against a perfectly rational adversary. Also, the IBL model replicates human attack decisions accurately. The IBL model shows how human decisions arise from experience, and how memory retrieval dynamics can give rise to cognitive biases, such as confirmation bias. The implications of these findings are discussed in the perspective of informing theories of deception and designing more effective signaling schemes that consider human bounded rationality.</p>

psychology, experimental

Marshall S. Rich

DOI: https://doi.org/10.3390/analytics2030035

2023-08-11

Analytics

Abstract:The rapid proliferation of cyberthreats necessitates a robust understanding of their evolution and associated tactics, as found in this study. A longitudinal analysis of these threats was conducted, utilizing a six-year data set obtained from a deception network, which emphasized its significance in the study’s primary aim: the exhaustive exploration of the tactics and strategies utilized by cybercriminals and how these tactics and techniques evolved in sophistication and target specificity over time. Different cyberattack instances were dissected and interpreted, with the patterns behind target selection shown. The focus was on unveiling patterns behind target selection and highlighting recurring techniques and emerging trends. The study’s methodological design incorporated data preprocessing, exploratory data analysis, clustering and anomaly detection, temporal analysis, and cross-referencing. The validation process underscored the reliability and robustness of the findings, providing evidence of increasingly sophisticated, targeted cyberattacks. The work identified three distinct network traffic behavior clusters and temporal attack patterns. A validated scoring mechanism provided a benchmark for network anomalies, applicable for predictive analysis and facilitating comparative study of network behaviors. This benchmarking aids organizations in proactively identifying and responding to potential threats. The study significantly contributed to the cybersecurity discourse, offering insights that could guide the development of more effective defense strategies. The need for further investigation into the nature of detected anomalies was acknowledged, advocating for continuous research and proactive defense strategies in the face of the constantly evolving landscape of cyberthreats.

Rebekah Rousi

DOI: https://doi.org/10.48550/arXiv.2304.06825

IF: 6.4588

2023-04-13

Human-Computer Interaction

Abstract:In an ever more connected world, awareness has grown towards the hazards and vulnerabilities that the networking on sensitive digitized information pose for all parties involved. This vulnerability rests in a number of factors, both human and technical.From an ethical perspective, this means people seeking to maximise their own gain, and accomplish their goals through exploiting information existing in cyber space at the expense of other individuals and parties. One matter that is yet to be fully explored is the eventuality of not only financial information and other sensitive material being globally connected on the information highways, but also the people themselves as physical beings. Humans are natural born cyborgs who have integrated technology into their being throughout history. Issues of cyber security are extended to cybernetic security, which not only has severe ethical implications for how we, policy makers, academics, scientists, designers etc., define ethics in relation to humanity and human rights, but also the security and safety of merged organic and artificial systems and ecosystems.

Zuoguang Wang,Hongsong Zhu,Peipei Liu,Limin Sun

DOI: https://doi.org/10.1186/s42400-021-00094-6

2021-08-02

Abstract:Abstract Social engineering has posed a serious threat to cyberspace security. To protect against social engineering attacks, a fundamental work is to know what constitutes social engineering. This paper first develops a domain ontology of social engineering in cybersecurity and conducts ontology evaluation by its knowledge graph application. The domain ontology defines 11 concepts of core entities that significantly constitute or affect social engineering domain, together with 22 kinds of relations describing how these entities related to each other. It provides a formal and explicit knowledge schema to understand, analyze, reuse and share domain knowledge of social engineering. Furthermore, this paper builds a knowledge graph based on 15 social engineering attack incidents and scenarios. 7 knowledge graph application examples (in 6 analysis patterns) demonstrate that the ontology together with knowledge graph is useful to 1) understand and analyze social engineering attack scenario and incident, 2) find the top ranked social engineering threat elements (e.g. the most exploited human vulnerabilities and most used attack mediums), 3) find potential social engineering threats to victims, 4) find potential targets for social engineering attackers, 5) find potential attack paths from specific attacker to specific target, and 6) analyze the same origin attacks.

computer science, information systems, interdisciplinary applications, software engineering