Towards an Ontological Model Defining the Social Engineering Domain

  • Conference paper

Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 431)

Abstract

The human is often the weak link in the attainment of Information Security due to their susceptibility to deception and manipulation. Social Engineering refers to the exploitation of humans in order to gain unauthorised access to sensitive information. Although Social Engineering is an important branch of Information Security, the discipline is not well defined; a number of different definitions appear in the literature. Several concepts in the domain of Social Engineering are defined in this paper. This paper also presents an ontological model for a Social Engineering attack based on the analysis of existing definitions and taxonomies. An ontology enables the explicit, formal representation of the entities and their inter-relationships within a domain. The aim is both to contribute towards commonly accepted domain definitions, and to develop a representative model for a Social Engineering attack. In summary, this paper provides concrete definitions for Social Engineering, Social Engineering attack and social engineer.

Keywords

  • Bidirectional Communication
  • Compliance Principles
  • Indirect Communication
  • Ontology
  • Social Engineering Attack
  • Social Engineering Attack Ontology
  • Social Engineering Definitions
  • Social Engineering History
  • Taxonomy
  • Unidirectional Communication

Copyright information

© 2014 IFIP International Federation for Information Processing

About this paper

Cite this paper

Mouton, F., Leenen, L., Malan, M.M., Venter, H.S. (2014). Towards an Ontological Model Defining the Social Engineering Domain. In: Kimppa, K., Whitehouse, D., Kuusela, T., Phahlamohlaka, J. (eds) ICT and Society. HCC 2014. IFIP Advances in Information and Communication Technology, vol 431. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44208-1_22

  • DOI: https://doi.org/10.1007/978-3-662-44208-1_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44207-4

  • Online ISBN: 978-3-662-44208-1

  • eBook Packages: Computer Science (R0)