Abstract
System security analysis has focused on technology-based attacks while paying less attention to social aspects. As a result, social engineering has become an increasingly serious threat to socio-technical systems, in which humans play important roles. However, owing to the interdisciplinary nature of social engineering, there is no consensus on its definition, which hinders further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering, with the aim of accelerating the development of this field. In particular, we first review and compare existing social engineering taxonomies in order to summarize the core concepts and boundaries of social engineering and to identify the corresponding research challenges. We then define a comprehensive social engineering ontology that embeds extensive knowledge from psychology and sociology, providing a full picture of social engineering. The ontology is built on top of existing security ontologies so that social engineering analysis aligns as closely as possible with conventional security analysis. By formalizing the ontology in Description Logic, we provide unambiguous definitions for the core concepts of social engineering, which serve as a fundamental terminology to facilitate research in this field. Finally, we evaluate the ontology against a collection of existing social engineering attacks; the results indicate that the ontology has good expressiveness.
Acknowledgements
This work is supported by the National Key R&D Program of China (No. 2018YFB0804703, 2017YFC0803307), the National Natural Science Foundation of China (No. 91546111, 91646201), the International Research Cooperation Seed Fund of Beijing University of Technology (No. 2018B2), and the Basic Research Funding of Beijing University of Technology (No. 040000546318516).
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Li, T., Ni, Y. (2019). Paving Ontological Foundation for Social Engineering Analysis. In: Giorgini, P., Weber, B. (eds) Advanced Information Systems Engineering. CAiSE 2019. Lecture Notes in Computer Science(), vol 11483. Springer, Cham. https://doi.org/10.1007/978-3-030-21290-2_16
DOI: https://doi.org/10.1007/978-3-030-21290-2_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21289-6
Online ISBN: 978-3-030-21290-2
eBook Packages: Computer Science (R0)