Common Techniques, Success Attack Factors and Obstacles to Social Engineering: A Systematic Literature Review

António Lopes, Henrique S. Mamede, Leonilde Reis, Arnaldo Santos

Abstract


Knowledge of social engineering (SE) is crucial to preventing attacks on organizational information security. This paper aims to identify the most common social engineering techniques, attack success factors, and obstacles, as well as the good practices and frameworks that could be adopted to mitigate them. A Systematic Literature Review was carried out as the analysis methodology. The findings revealed that discussion of SE attacks has increased and that the most imminent threat is phishing. Exploiting human vulnerabilities is a growing threat when the attack is not carried out directly through technical means; nevertheless, technical attacks continue to outnumber non-technical attacks. Encouraging organizational security prevention, such as training, education, technical controls, process development, defense in depth, and the development of security policies, should be considered a mitigating factor for the negative impact of SE attacks. Most SE frameworks and models focus on attack techniques and methods, mostly on technical components, neglecting the human factor. As a novelty, we identified the opportunity to develop a new framework that could improve coverage of the gaps found, grounded in international security standards, which could help researchers develop their work, understand open research topics, and gain a clearer understanding of this type of threat.


Doi: 10.28991/ESJ-2024-08-02-025

Full Text: PDF


Keywords


Social Engineering; Framework; Attack Techniques; Information Security; Organizations; Prevention; Information Systems; Human Behavior; Human Vulnerabilities; Persuasion Factors.





Copyright (c) 2024 António Lopes, Henrique Mamede, Leonilde Reis, Arnaldo Santos