Measuring Resistance to Social Engineering

Conference paper, Information Security Practice and Experience (ISPEC 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3439)

Abstract

Social engineering (SE) is the name used for a bag of tricks used by adversaries to manipulate victims into saying or doing something they otherwise wouldn't have. Typically this includes making the victims disclose passwords, or give the adversary illegitimate access to buildings or privileged information. The book The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick gives several examples of potential attacks. Clearly, countermeasures are needed. Countermeasures may include special hardware, software, improved user interfaces, routines, procedures and staff training. However, in order to assess the effectiveness of these countermeasures, we need an SE resistance metric. This paper defines such a metric. We have also implemented software to obtain metric test data. A real-life SE experiment involving 120 participants has been completed. The experiment suggests that SE may indeed represent an Achilles heel.

References

  1. Aftenposten: Dataforeningen raser mot nettovervåking, http://www.aftenposten.no/nyheter/nett/article.jhtml?articleID=663692

  2. Anderson, R.: Why cryptosystems fail. In: Proceedings of the 1st ACM Conference on Computer and Communications Security (1993)

  3. World Medical Association: World Medical Association Declaration of Helsinki, http://www.wma.net/e/policy/b3.htm

  4. Augoustinos, M., Walker, I.: Social Cognition: An Integrated Introduction. SAGE Publications Ltd, 6 Bonhill Street, London, reprinted (2002)

  5. Barrett, N.: Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report 8(4), 56–64 (2003)

  6. Berghel, H.: Digital Village: Malware month. Communications of the ACM 46(12) (December 2003)

  7. The National Committee for Research Ethics in the Social Sciences and the Humanities: Guidelines for research ethics in the social sciences, law and the humanities, www.etikkom.no/retningslinjer/NESHretningslinjer/NESHretningslinjer/Engelsk

  8. Gordon, S.: Social engineering: Techniques and prevention. In: Proceedings of the 12th World Conference on Computer Security, Audit & Control, Westminster, UK, October 1995, pp. 445–451 (1995)

  9. Henning, R.R.: Security service level agreements: Quantifiable security for the enterprise? In: Proceedings of the 1999 Workshop on New Security Paradigms, Caledon Hills, Ontario, Canada, pp. 54–60 (1999), ISBN: 1-58113-149-6, doi.acm.org/10.1145/335169.335194

  10. Hatch, B., Lee, J., Kurtz, G.: Hacking Linux Exposed: Linux Security Secrets & Solutions. Osborne/McGraw-Hill, New York (2001), ISBN: 0-07-212773-2

  11. Kienzle, D., Elder, M.C.: Recent worms: A survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington, DC, USA, pp. 1–10 (2003), ISBN: 1-58113-785-0

  12. McClure, J., Ames, W.I., McGraw, T.F., Gouin, J.L.: A system and method for enhanced psychophysiological detection of deception. In: Proceedings of the 36th Annual 2002 International Carnahan Conference on Security Technology, pp. 50–59 (2002)

  13. Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, Chichester (2003)

  14. Aftenposten Nettutgave: Nettstedet vet at du er der, http://www.aftenposten.no/nyheter/iriks/article.jhtml?articleID=662796

  15. Payne, S.C.: A guide to security metrics (July 2001), rr.sans.org/audit/metrics.php

  16. Poulsen, K.: Mitnick to lawmakers: People, phones and weakest links (2000), available from http://www.politechbot.com/p-00969.html

  17. Rienzi, G.: All university computer users need to protect passwords. The Gazette Online, the newspaper of the Johns Hopkins University 29(7) (October 1999), www.jhu.edu/~gazette/1999/oct1199/11warns.html

  18. Rubin, A.D.: Security considerations for remote electronic voting. In: 29th Research Conference on Communication, Information and Internet Policy, TPRC 2001 (2001)

  19. Schneier, B.: Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)

  20. Smith, R.M.: The Web Bug FAQ. Electronic Frontier Foundation (1999)

  21. Vaughn, R., Henning, R., Siraj, A.: Information assurance measures and metrics: state of practice and proposed taxonomy. A revised version will be presented at the Thirty-Sixth Hawaii International Conference on System Sciences (HICSS-36), January 6–9 (2003), http://www.cs.jmu.edu/users/prietorx/HICSS36/Minitrack14/FullPapers/InfoAssuranceMesureMetricsFinalVaughn.pdf

  22. Vigilante.com: Vigilante home, http://Vigilante.com

  23. Winkler, I.: Case study of industrial espionage through social engineering. In: Proceedings of the 19th National Information Systems Security Conference (1996), citeseer.ist.psu.edu/320204.html

  24. Winkler, I.: Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It. Prima Publishing, CA (1997), ISBN: 0761508406

  25. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 12–18. ACM Press, New York (2003), ISBN: 1-58113-785-0, doi.acm.org/10.1145/948187.948190

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hasle, H., Kristiansen, Y., Kintel, K., Snekkenes, E. (2005). Measuring Resistance to Social Engineering. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_12

  • DOI: https://doi.org/10.1007/978-3-540-31979-5_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25584-0

  • Online ISBN: 978-3-540-31979-5

  • eBook Packages: Computer Science (R0)