Publication details


A Practical Assessment of Social Engineering Vulnerabilities
Bakhshi T, Papadaki M, Furnell SM
Proceedings of the Second International Symposium on Human Aspects of Information Security & Assurance (HAISA 2008), Plymouth, UK, pp12-23, 2008

Social engineering refers to the set of techniques that exploit human weaknesses and manipulate people into breaking normal security procedures. This may involve convincing people to perform atypical actions or to divulge confidential information. It remains a popular method of bypassing security because attacks focus on the weakest link in the security architecture, the staff of the organisation, rather than directly targeting technical controls such as firewalls or authentication systems. This paper investigates the level of susceptibility to social engineering amongst staff within a cooperating organisation. An email-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of deception in order to alert security-aware users. In spite of a short window of operation for the experiment, the results revealed that 23% of recipients were successfully snared by the attack, suggesting that many users lack the baseline level of security awareness needed to protect them online.