Abstract
The human is often the weak link in the attainment of Information Security due to their susceptibility to deception and manipulation. Social Engineering refers to the exploitation of humans in order to gain unauthorised access to sensitive information. Although Social Engineering is an important branch of Information Security, the discipline is not well defined; a number of different definitions appear in the literature. Several concepts in the domain of Social Engineering are defined in this paper. This paper also presents an ontological model for Social Engineering attack based on the analysis of existing definitions and taxonomies. An ontology enables the explicit, formal representation of the entities and their inter-relationships within a domain. The aim is both to contribute towards commonly accepted domain definitions, and to develop a representative model for a Social Engineering attack. In summary, this paper provides concrete definitions for Social Engineering, Social Engineering attack and social engineer.
Chapter PDF
Similar content being viewed by others
Keywords
References
Winkler, I.S., Dealy, B.: Information security technology?.don’t rely on it: A case study in social engineering. In: Proceedings of the 5th Conference on USENIX UNIX Security Symposium, SSYM 1995, Berkeley, CA, USA, vol. 5, p. 1. USENIX Association (1995)
Mitnick, K.D., Simon, W.L.: The art of deception: controlling the human element of security. Wiley Publishing, Indianapolis (2002)
Uschold, M., Gruninger, M.: Ontologies and semantics for seamless connectivity. ACM Special Interest Group on Management of Data 33(4), 58–64 (2004)
Quann, J., Belford, P.: The hack attack - increasing computer system awareness of vulnerability threats. In: 3rd Applying Technology to Systems; Aerospace Computer Security Conference, United States, American Institute of Aeronautics and Astronautics, pp. 155–157 (December 1987)
Kluepfel, H.: Foiling the wiley hacker: more than analysis and containment. In: Proceedings of the 1989 International Carnahan Conference on Security Technology, pp. 15–21 (1989)
Kluepfel, H.: In search of the cuckoo’s nest [computer security]. In: Proceedings of the 25th Annual 1991 IEEE International Carnahan Conference on Security Technology, pp. 181–191 (1991)
Goldstein, E.: The Best of 2600, Collector’s Edition: A Hacker Odyssey. Wiley Publishing, Inc., Indianapolis (2009)
Voyager: Janitor privileges. 2600: The Hacker Quarterly 11(4), 36–36 (Winter 1994)
Thornburgh, T.: Social engineering: the “dark art”. In: Proceedings of the 1st Annual Conference on Information Security Curriculum Development, InfoSecCD 2004, pp. 133–135. ACM, New York (2004)
Nohlberg, M.: Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks. PhD thesis, Stockholm University (2008)
Abraham, S., Chengalur-Smith, I.: An overview of social engineering malware: Trends, tactics, and implications. Technology in Society 32(3), 183–196 (2010)
Erbschloe, M.: Trojans, worms, and spyware: a computer security professional’s guide to malicious code. Butterworth-Heinemann (2004)
Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: The socialbot network: when bots socialize for fame and money. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC 2011, pp. 93–102. ACM, New York (2011)
Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: Design and analysis of a social botnet. Computer Networks 57(2), 556–578 (2013), Botnet Activity: Analysis, Detection and Shutdown
Kvedar, D., Nettis, M., Fulton, S.P.: The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition. Journal of Computing Sciences in Colleges 26(2), 80–87 (2010)
McDowell, M.: Cyber security tip st04-0141, avoiding social engineering and phishing attacks. Technical report, United States Computer Emergency Readiness Team (February 2013)
Cruz, J.A.A.: Social engineering and awareness training. Technical report, Walsh College (2010)
Culpepper, A.M.: Effectiveness of using red teams to identify maritime security vulnerabilities to terrorist attack. Master’s thesis, Naval Postgraduate School, Monterey, California (September 2004)
Mills, D.: Analysis of a social engineering threat to information security exacerbated by vulnerabilities exposed through the inherent nature of social networking websites. In: 2009 Information Security Curriculum Development Conference, InfoSecCD 2009, pp. 139–141. ACM, New York (2009)
Doctor, Q., Dulaney, E., Skandier, T.: CompTIA A+ Complete Study Guide. Wiley Publishing, Indianappolis (2007)
Hamill, J., Deckro, R.F., Kloeber Jr., J.M.: Evaluating information assurance strategies. Decision Support Systems 39(3), 463–484 (2005)
Joint Chiefs of Staff: Information assurance: Legal, regulatory, policy and organizational legal, regulatory, policy and organizational considerations. Technical Report Fourth Edition, Department of Defense, Pentagon, Washington (August 1999)
Hamill, J.T.: Modeling information assurance: A value focused thinking approach. Master’s thesis, Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio (March 2000)
Braverman, M.: Behavioural modelling of social engineering-based malicious software. In: Virus Bulletin Conf. (2006)
Åhlfeldt, R.M., Backlund, P., Wangler, B., Söderström, E.: Security issues in health care process integration? a research-in-progress report. In: EMOI-INTEROP (2005)
Granger, S.: Social engineering fundamentals, part i: Hacker tactics (December 2001)
Schoeman, A., Irwin, B., Richter, J.: Social recruiting: a next generation social engineering attack. In: Uses in Warfare and the Safeguarding of Peace (2012)
Hadnagy, C.: Social Engineering: The Art of Human Hacking. Wiley Publishing, Inc. (2010)
Espinhara, J., Albuquerque, U.: Using online activity as digital fingerprints to create a better spear phisher. Technical report, Trustwave SpiderLabs (2013)
Nemati, H.: Pervasive Information Security and Privacy Developments: Trends and Advancements, 1st edn. Information Science Reference (July 2010)
McQuade III, S.C.: Understanding and managing cybercrime. Prentice Hall, Boston (2006)
Spinapolice, M.: Mitigating the risk of social engineering attacks. Master’s thesis, Rochester Institute of Technology B. Thomas Golisano College (2011)
Lenkart, J.J.: The vulnerability of social networking media and the insider threat new eyes for bad guys. Master’s thesis, Naval Postgraduate School, Monterey, California (2011)
Bezuidenhout, M., Mouton, F., Venter, H.: Social engineering attack detection model: Seadm. In: Information Security for South Africa, pp. 1–8 (2010)
Mouton, F., Malan, M., Venter, H.: Development of cognitive functioning psychological measures for the seadm. In: Human Aspects of Information Security & Assurance (2012)
Mouton, F., Malan, M.M., Venter, H.S.: Social engineering from a normative ethics perspective. In: Information Security for South Africa, pp. 1–8 (2013)
Kingsley Ezechi, A.: Detecting and combating malware. Master’s thesis, University of Debrecen, Hungary (June 2011)
Harley, D.: Re-floating the titanic: Dealing with social engineering attacks. In: European Institute for Computer Antivirus Research (1998)
Laribee, L.: Development of methodical social engineering taxonomy project. Msc, Naval Postgraduate School, Monterey, California (June 2006)
Ivaturi, K., Janczewski, L.: A taxonomy for social engineering attacks. In: Grant, G. (ed.) International Conference on Information Resources Management, Centre for Information Technology, Organizations, and People (June 2011)
Mohd Foozy, F., Ahmad, R., Abdollah, M., Yusof, R., Mas’ud, M.: Generic taxonomy of social engineering attack. In: Malaysian Technical Universities International Conference on Engineering & Technology, Batu Pahat, Johor (November 2011)
Tetri, P., Vuorinen, J.: Dissecting social engineering. Behaviour & Information Technology 32(10), 1014–1023 (2013)
Van Rees, R.: Clarity in the usage of the terms ontology, taxonomy and classification. CIB REPORT 284(432), 1–8 (2003)
Gruber, T.R.: A translation approach to portable ontology specifications. Knowledge Acquisition - Special Issue: Current Issues in Knowledge Modeling 5(2), 199–220 (1993)
Noy, N.F., McGuinness, D.L.: Ontology development 101: A guide to creating your first ontology. Technical report ksl-01-05, Stanford Knowledge Systems Laboratory (March 2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Mouton, F., Leenen, L., Malan, M.M., Venter, H.S. (2014). Towards an Ontological Model Defining the Social Engineering Domain. In: Kimppa, K., Whitehouse, D., Kuusela, T., Phahlamohlaka, J. (eds) ICT and Society. HCC 2014. IFIP Advances in Information and Communication Technology, vol 431. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44208-1_22
Download citation
DOI: https://doi.org/10.1007/978-3-662-44208-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44207-4
Online ISBN: 978-3-662-44208-1
eBook Packages: Computer ScienceComputer Science (R0)