Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences.
2008 (English). Doctoral thesis, comprehensive summary (Other academic).
Abstract [en]

Social engineering denotes, within the realm of security, a type of attack against the human element in which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about finding methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the measures an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques in place that deal with the human element of security.

The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.

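The "measuring" area above, putting numbers on an organization's susceptibility, is easiest to see on concrete data. The following Python is an added example written for this page, not code, data or a method from the thesis. It assumes a hypothetical event-log format (timestamp, recipient, department, action) of the kind a phishing-simulation tool might emit, with constructed sample lines; it reduces the log to one row per recipient so that a user who clicks twice is counted once, and so that a credential submission with no recorded click is still counted as having reached the lure page; and it reports per-department open, click and submit counts with a Wilson 95% confidence interval on the click rate. The interval is the check that the abstract's warning about measurability calls for: with only a handful of recipients the interval is so wide that a department cannot be called better or worse than a tolerated click rate (the 0.25 threshold is an assumed policy value, not one from the thesis).

```python
"""Susceptibility metrics for a simulated phishing exercise (added example,
not code or data from the thesis; the log format is hypothetical:
"<timestamp> <recipient> <department> <action>", one event per line)."""
from collections import defaultdict
from math import sqrt

# Funnel stages in order. A later stage implies the earlier ones (nobody
# submits credentials on the lure page without reaching it), so each
# recipient is counted once, at the deepest stage they reached.
FUNNEL = ("delivered", "opened", "clicked", "submitted")
RANK = {action: i for i, action in enumerate(FUNNEL)}

# Constructed sample log (hypothetical identifiers, not real data). u001
# clicks twice and u009 submits with no click recorded (e.g. URL typed by
# hand): the first must not be double counted, the second must not be lost.
SAMPLE_LOG = """\
2008-11-03T09:01 u001 finance delivered
2008-11-03T09:01 u002 finance delivered
2008-11-03T09:01 u003 finance delivered
2008-11-03T09:01 u004 finance delivered
2008-11-03T09:01 u005 it delivered
2008-11-03T09:01 u006 it delivered
2008-11-03T09:01 u009 helpdesk delivered
2008-11-03T09:01 u010 helpdesk delivered
2008-11-03T09:14 u001 finance opened
2008-11-03T09:15 u001 finance clicked
2008-11-03T09:16 u001 finance clicked
2008-11-03T09:20 u002 finance opened
2008-11-03T09:21 u002 finance clicked
2008-11-03T09:22 u002 finance submitted
2008-11-03T09:30 u003 finance opened
2008-11-03T09:31 u005 it opened
2008-11-03T10:02 u009 helpdesk submitted
2008-11-03T10:05 u010 helpdesk opened
2008-11-03T10:05 u010 helpdesk clicked
2008-11-03T10:06 u010 helpdesk submitted
"""


def parse_log(text):
    """Reduce the log to {recipient: (department, deepest_stage_index)}."""
    deepest = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _timestamp, recipient, department, action = line.split()
        if action not in RANK:
            raise ValueError(f"unknown action {action!r} in {line!r}")
        previous = deepest.get(recipient, (department, -1))[1]
        deepest[recipient] = (department, max(previous, RANK[action]))
    return deepest


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a proportion (95% at z=1.96); (0, 0) if n == 0."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def susceptibility_report(deepest):
    """Per department: recipients, count reaching each stage, click rate and CI."""
    counts_by_dept = defaultdict(lambda: [0] * len(FUNNEL))
    for department, stage in deepest.values():
        for i in range(stage + 1):  # deepest stage implies all earlier ones
            counts_by_dept[department][i] += 1
    report = {}
    for department, counts in counts_by_dept.items():
        n, clicked = counts[RANK["delivered"]], counts[RANK["clicked"]]
        report[department] = {
            "recipients": n,
            "opened": counts[RANK["opened"]],
            "clicked": clicked,
            "submitted": counts[RANK["submitted"]],
            "click_rate": clicked / n,
            "ci95": wilson_interval(clicked, n),
        }
    return report


def classify_departments(report, max_click_rate=0.25):
    """Departments demonstrably above or below the tolerated click rate
    (assumed policy value), or whose sample is too small to tell."""
    result = {"above": [], "below": [], "inconclusive": []}
    for department in sorted(report):
        lo, hi = report[department]["ci95"]
        if lo > max_click_rate:
            result["above"].append(department)
        elif hi < max_click_rate:
            result["below"].append(department)
        else:
            result["inconclusive"].append(department)
    return result


if __name__ == "__main__":
    print(classify_departments(susceptibility_report(parse_log(SAMPLE_LOG))))
```

On the sample, finance has 2 of 4 recipients clicking, which sounds like 50% but has a 95% interval of roughly 0.15 to 0.85 and so is inconclusive against the assumed 0.25 tolerance; helpdesk, with 2 of 2, has a lower bound near 0.34 and is the only department the data can actually flag. That is the practical reason to combine repeated measuring exercises with training rather than to act on a single small round.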
Place, publisher, year, edition, pages
Kista: Institutionen för data- och systemvetenskap (tills. m. KTH) (Department of Computer and Systems Sciences, jointly with KTH), 2008. 97 p.
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 09-001
National Category
Information Science
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-8379
ISBN: 978-91-7155-786-5 (print)
OAI: oai:DiVA.org:su-8379
DiVA: diva2:200190
Public defence
2009-01-15, sal C, Forum, Isafjordsgatan 39, Kista, 13:00
Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
List of papers
1. Social Engineering Audits Using Anonymous Surveys: Conning the Users in Order to Know if They Can Be Conned
2005. In: Proceedings of the 4th Security Conference, Las Vegas, 2005. Chapter in book (Other academic). Published.
URN: urn:nbn:se:su:diva-25668. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
2. User-Centered Security Applied to the Development of a Management Information System
2007. In: Information Management and Computer Security, ISSN 0968-5227, Vol. 15, no. 5, pp. 372-381. Article in journal (Refereed). Published.
URN: urn:nbn:se:su:diva-25669. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
3. Why Humans are the Weakest Link
2008. In: Social and Human Elements in Information Security: Emerging Trends and Countermeasures, 2008, pp. 15-26. Chapter in book (Other academic). Published.
URN: urn:nbn:se:su:diva-25670. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
4. The Cycle of Deception: A Model of Social Engineering Attacks, Defenses and Victims
2008. In: Proceedings of the Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008), 2008, pp. 1-11. Chapter in book (Other academic). Published.
URN: urn:nbn:se:su:diva-25671. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
5. Non-Invasive Social Engineering Penetration Testing in a Medical Environment
2008. In: Proceedings of the 7th Security Conference, 2008, pp. 22.1-22.13. Chapter in book (Other academic). Published.
URN: urn:nbn:se:su:diva-25672. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
6. Measuring Readiness against Automated Social Engineering
2008. In: Proceedings of the 7th Security Conference, 2008, pp. 20.1-20.13. Chapter in book (Other academic). Published.
URN: urn:nbn:se:su:diva-25673. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Bibliographically approved.
7. Phishing with Gifts as Bait: Measurement and Analysis of Phishing Attacks within a University Environment
Manuscript (Other academic).
URN: urn:nbn:se:su:diva-25674. Part of urn:nbn:se:su:diva-8379. Available from: 2008-12-18. Created: 2008-12-15. Last updated: 2010-01-13. Bibliographically approved.

Open Access in DiVA

Full text (3518 kB), 2856 downloads
File name: FULLTEXT01.pdf
File size: 3518 kB
Checksum: labelled SHA-1 on the record, but the value as captured is 72 hex digits rather than the 40 of a SHA-1 digest, so re-check it against the live record before relying on it:
344ee6af29ad9cdd9d0e4ee79c63a7187df62eb4b29e9f0c613ff473e663b535ba9ed7d5
Type: fulltext. Mimetype: application/pdf
