Dissecting social engineering
- 25 February 2013
- journal article
- research article
- Published by Taylor & Francis Ltd in Behaviour & Information Technology
- Vol. 32 (10), 1014-1023
- https://doi.org/10.1080/0144929x.2013.763860
Abstract
In information security terms, social engineering (SE) refers to incidents in which an information system is penetrated through the use of social methods. The literature to date (40 texts), which was reviewed for this article, emphasises individual techniques in its description of SE. This leads to a very scattered, anecdotal, and vague notion of SE. In addition, due to the lack of analytical concepts, research conducted on SE encounters difficulties in explaining the success of SE. In such explanations, the victim's psychological traits are overemphasised, although this kind of explanation can cover only a small portion of SE cases. In this article, we have sought to elaborate the concept of SE through analysis of the functions of different techniques. In this way, we have been able to extrapolate three dimensions of SE: persuasion, fabrication, and data gathering. By utilising these dimensions, SE can be grasped in all its aspects instead of through individual techniques. Furthermore, research can benefit from our multidimensional approach as each of the dimensions pertains to a different theory. Therefore, the victim's personal traits cannot function as the only explanation. All in all, the analysis, understanding, and explanation of the success of SE can be furthered using our new approach.