Abstract
Humans have become the weakest point in the information security chain, and social engineers take advantage of that fact. Social engineers manipulate people psychologically to convince them to divulge sensitive information or to perform malicious acts. Social engineering security attacks can be severe and difficult to detect. Therefore, to prevent these attacks, employees and their organizations should be aware of relevant defense mechanisms. This research develops a taxonomy of social engineering defense mechanisms that can be used to develop educational materials for use in various kinds of organizations. To develop the taxonomy, the authors conducted a systematic literature review of related research efforts and extracted the main target points of social engineers and the defense mechanisms regarding each target point.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Verizon 2018. 2018 data breach investigations report (2018)
Aldawood, H., Skinner, G.: An academic review of current industrial and commercial cyber security social engineering solutions. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, pp. 110–115. ACM (2019)
Applegate, S.D.: Social engineering: hacking the wetware! Inf. Secur. J.: Glob. Perspect. 18(1), 40–46 (2009)
Arachchilage, N.A.G., Love, S.: Security awareness of computer users: a phishing threat avoidance perspective. Comput. Hum. Behav. 38, 304–312 (2014)
Aviv, A.J., Gibson, K.L., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. Woot 10, 1–7 (2010)
Bakhshi, T., Papadaki, M., Furnell, S.: A practical assessment of social engineering vulnerabilities. In: HAISA, pp. 12–23 (2008)
Berg, A.: Cracking a social engineer. LAN times (1995)
Beuran, R., Chinen, K., Tan, Y., Shinoda, Y.: Towards effective cybersecurity education and training (2016)
Chitrey, A., Singh, D., Singh, V.: A comprehensive study of social engineering based attacks in india to develop a conceptual model. Int. J. Inf. Netw. Secur. 1(2), 45 (2012)
Choi, M., Levy, Y., Hovav, A.: The role of user computer self-efficacy, cybersecurity countermeasures awareness, and cybersecurity skills influence on computer misuse. In: Proceedings of the Pre-International Conference of Information Systems (ICIS) SIGSEC–Workshop on Information Security and Privacy (WISP) (2013)
Fu, Z., Wu, S.F., Huang, H., Loh, K., Gong, F., Baldine, I., Xu, C.: IPSec/VPN security policy: correctness, conflict detection, and resolution. In: International Workshop on Policies for Distributed Systems and Networks, pp. 39–56. Springer, Heidelberg (2001)
Garba, A.B., Armarego, J., Murray, D., Kenworthy, W.: Review of the information security and privacy challenges in bring your own device (BYOD) environments. J. Inf. Privacy Secur. 11(1), 38–54 (2015)
Ghafir, I., Prenosil, V., Alhejailan, A., Hammoudeh, M.: Social engineering attack strategies and defence approaches. In: 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), pp. 145–149. IEEE (2016)
Granger, S.: Social engineering fundamentals, part i: Hacker tactics. Security Focus, 18 December 2001
Greening, T.: Ask and ye shall receive: a study in “social engineering”. ACM SIGSAC Rev. 14(2), 8–14 (1996)
Gupta, M., Sharman, R.: Social network theoretic framework for organizational social engineering susceptibility index. In: AMCIS 2006 Proceedings, p. 408 (2006)
Hadnagy, C.: Social Engineering: The Art of Human Hacking. Wiley, Indianapolis (2010)
Happ, C., Melzer, A., Steffgen, G.: Trick with treat-reciprocity increases the willingness to communicate personal data. Comput. Hum. Behav. 61, 372–377 (2016)
Heartfield, R., Loukas, G.: A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Comput. Surv. (CSUR) 48(3), 37 (2016)
Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Supp. Syst. 47(2), 154–165 (2009)
Karakasiliotis, A., Furnell, S.M., Papadaki, M.: Assessing end-user awareness of social engineering and phishing (2006)
Krombholz, K., Hobel, H., Huber, M., Weippl, E.: Advanced social engineering attacks. J. Inf. Secur. Appl. 22, 113–122 (2015)
Manske, K.: An introduction to social engineering. Inf. Syst. Secur. 9(5), 1–7 (2000)
Medlin, B.D., Cazier, J.A., Foulk, D.P.: Analyzing the vulnerability of us hospitals to social engineering attacks: how many of your employees would share their password? Int. J. Inf. Secur. Privacy (IJISP), 2(3), 71–83 (2008)
Mouton, F., Malan, M.M., Leenen, L., Venter, H.S.: Social engineering attack framework. In: 2014 Information Security for South Africa, pp. 1–9. IEEE (2014)
Okoli, C., Schabram, K.: A guide to conducting a systematic literature review of information systems research (2010)
Orgill, G.L., Romney, G.W., Bailey, M.G., Orgill, P.M.: The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. In: Proceedings of the 5th Conference on Information Technology Education, pp. 177–181. ACM (2004)
Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., Zwaans, T.: The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Comput. Secur. 66, 40–51 (2017)
Shane, S., Schmidt, M.S.: Hillary clinton emails take long path to controversy. The New York Times (2015)
Siponen, M.T., Iivari, J.: Is security design theory framework and six approaches to the application of ISPS and guidelines. J. Assoc. Inf. Syst. 7(7), 445–472 (2006)
Stoner, J.A.F.: Risky and cautious shifts in group decisions: the influence of widely held values. J. Exp. Soc. Psychol. 4(4), 442–459 (1968)
Thapar, A.: Social engineering: An attack vector most intricate to tackle. CISSP: Infosec Writers (2007)
Thomas, K., Li, F., Zand, A., Barrett, J., Ranieri, J., Invernizzi, L., Markov, Y., Comanescu, O., Eranti, V., Moscicki, A., et al.: Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1421–1434. ACM (2017)
Workman, M.: A test of interventions for security threats from social engineering. Inf. Manage. Comput. Secur. 16(5), 463–483 (2008)
Acknowledgment
The first author was supported by a generous fellowship from Shaqra University, Saudi Arabia. All errors and omissions are the responsibility of the authors alone.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Alharthi, D.N., Hammad, M.M., Regan, A.C. (2020). A Taxonomy of Social Engineering Defense Mechanisms. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Advances in Information and Communication. FICC 2020. Advances in Intelligent Systems and Computing, vol 1130. Springer, Cham. https://doi.org/10.1007/978-3-030-39442-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-39442-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-39441-7
Online ISBN: 978-3-030-39442-4
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)