DOI: 10.1145/3046055.3046061
research-article

Influence tokens: analysing adversarial behaviour change in coloured petri nets

Published: 05 December 2016

Abstract

Social engineers can use influential techniques to exploit human behaviour. For a security officer, simulating and analysing such attacks would provide useful insights towards possible countermeasures. We propose the notion of influence tokens, which a social engineer can exploit to change human behaviour. We model the relationship between agents and a social engineer using Coloured Petri Nets, which govern the behaviour of influence tokens. We then illustrate our results, showing how influence tokens propagate and how they impact and alter a social engineer's success rate in a tailgating scenario. In particular, we show that a specific combination of tokens will increase the adversary's success rate, whereas investing in a different set of tokens yields no further rewards for the adversary.


Cited By

  • (2018) Interventions over smart card swiping behaviour. Proceedings of the 8th Workshop on Socio-Technical Aspects in Security and Trust, pages 1-11. DOI: 10.1145/3361331.3361333. Online publication date: 4-Dec-2018

Published In

STAST '16: Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust
December 2016
101 pages
ISBN: 9781450348263
DOI: 10.1145/3046055

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

STAST '16
STAST '16: Socio-Technical Aspects in Security and Trust
December 5, 2016
California, Los Angeles
