Measuring Resistance to Social Engineering

  • Hågen Hasle
  • Yngve Kristiansen
  • Ketil Kintel
  • Einar Snekkenes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3439)


Social engineering (SE) is the name used for a bag of tricks that adversaries use to manipulate victims into saying or doing something they otherwise would not. Typically this includes making victims disclose passwords, or give the adversary illegitimate access to buildings or privileged information. The book The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick gives several examples of potential attacks. Clearly, countermeasures are needed. Countermeasures may include special hardware, software, improved user interfaces, routines, procedures and staff training. However, in order to assess the effectiveness of these countermeasures, we need an SE resistance metric. This paper defines such a metric. We have also implemented software to obtain metric test data. A real-life SE experiment involving 120 participants has been completed. The experiment suggests that SE may indeed represent an Achilles heel.


Keywords: Information security, Social engineering, Vulnerability analysis, Security metrics, Security testing




  1. [Aft]
    Aftenposten: Dataforeningen raser mot nettovervåking [The Norwegian Computer Society rages against net surveillance]
  2. [And93]
    Anderson, R.: Why cryptosystems fail. In: Proceedings of the 1st ACM Conference on Computer and Communications Security (1993)
  3. [Ass]
    World Medical Association: Declaration of Helsinki
  4. [AW02]
    Augoustinos, M., Walker, I.: Social Cognition: An Integrated Introduction. SAGE Publications Ltd, 6 Bonhill Street, London, reprinted (2002)
  5. [Bar03]
    Barrett, N.: Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report 8(4), 56–64 (2003)
  6. [Ber03]
    Berghel, H.: Digital village: Malware month. Communications of the ACM 46(12) (December 2003)
  7. [fREitSStH]
    The National Committee for Research Ethics in the Social Sciences and the Humanities: Guidelines for research ethics in the social sciences, law and the humanities
  8. [Gor95]
    Gordon, S.: Social engineering: Techniques and prevention. In: Proceedings of the 12th World Conference on Computer Security, Audit & Control, Westminster, UK, October 1995, pp. 445–451 (1995)
  9. [Hen99]
    Henning, R.R.: Security service level agreements: Quantifiable security for the enterprise? In: Proceedings of the 1999 Workshop on New Security Paradigms, Caledon Hills, Ontario, Canada, pp. 54–60 (1999), ISBN 1-58113-149-6
  10. [HLK01]
    Hatch, B., Lee, J., Kurtz, G.: Hacking Linux Exposed: Linux Security Secrets & Solutions. Osborne/McGraw-Hill, New York (2001), ISBN 0-07-212773-2
  11. [KE03]
    Kienzle, D., Elder, M.C.: Recent worms: A survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington, DC, USA, pp. 1–10 (2003), ISBN 1-58113-785-0
  12. [MAMG02]
    McClure, J., Ames, W.I., McGraw, T.F., Gouin, J.L.: A system and method for enhanced psychophysiological detection of deception. In: Proceedings of the 36th Annual 2002 International Carnahan Conference on Security Technology, pp. 50–59 (2002)
  13. [MS03]
    Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, Chichester (2003)
  14. [Net]
    Aftenposten Nettutgave: Nettstedet vet at du er der [The website knows you are there]
  15. [Pay01]
    Payne, S.C.: A guide to security metrics. SANS Institute (July 2001)
  16. [Pou00]
    Poulsen, K.: Mitnick to lawmakers: People, phones and weakest links (2000). Available from
  17. [Rie99]
    Rienzi, G.: All university computer users need to protect passwords. The Gazette Online: The newspaper of the Johns Hopkins University 29(7) (October 1999)
  18. [Rub01]
    Rubin, A.D.: Security considerations for remote electronic voting. In: 29th Research Conference on Communication, Information and Internet Policy (TPRC 2001) (2001)
  19. [Sch00]
    Schneier, B.: Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)
  20. [Smi99]
    Smith, R.M.: The web bug FAQ. Electronic Frontier Foundation (1999)
  21. [VHS]
    Vaughn, R., Henning, R., Siraj, A.: Information assurance measures and metrics: state of practice and proposed taxonomy. A revised version presented at the 36th Hawaii International Conference on System Sciences (HICSS-36), January 6–9, 2003
  22. [Vig]
    Vigilante home page
  23. [Win96]
    Winkler, I.: Case study of industrial espionage through social engineering. In: Proceedings of the 19th National Information Systems Security Conference (1996)
  24. [Win97]
    Winkler, I.: Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It. Prima Publishing, CA (1997), ISBN 0761508406
  25. [WPSC03]
    Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 12–18. ACM Press, New York (2003), ISBN 1-58113-785-0

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Hågen Hasle (1)
  • Yngve Kristiansen (1)
  • Ketil Kintel (1)
  • Einar Snekkenes (1)
  1. Gjøvik University College, Gjøvik, Norway
