sepf
play

SEPF The Social Engineering Personality Framework . Sven belacker - PowerPoint PPT Presentation

Sep 01, 2022 •343 likes •545 views

SEPF The Social Engineering Personality Framework . Sven belacker Security in Distributed Applications Hamburg University of Technology 2015-01-12 Usability Colloquium, TU Berlin . 2 Our background Sven belacker and information

  1. SEPF The Social Engineering Personality Framework . Sven Übelacker Security in Distributed Applications Hamburg University of Technology 2015-01-12 Usability Colloquium, TU Berlin .

  2. 2 Our background Sven Übelacker and information security on information security and data protection; four of them at DFN-CERT (CSIRT and PKI of Germany's national research and education network) (Dieter Gollmann), Hamburg University of Technology, contributing to FP7 funded EU project TRE S PASS ▶ degree in mathematical economics, focus on actuarial science ▶ ten years of experience in academic computer centres, focus ▶ since March 2013: Security in Distributed Applications

  3. 3 about TRE S PASS information security risks in dynamic organisations, as well as possible countermeasures opportunities are possible and most pressing, and which countermeasures are most effective ▶ EU funded FP7 integrated project (2012--2016) ▶ covering three security domains ▶ technical/physical, digital, and social/organisational ▶ grounded on three case studies ▶ cloud computing, telco, and customer privacy protection ▶ to develop methods and tools to analyse and visualise ▶ to build "attack navigators" to identify which attack

  4. 4 One of Many Attack Tree Visualisations Figure : LUST's visualisation of an ATree displaying different attribute domains in TRE S PASS D4.2.1 [23] (cf. ADTool by University of Luxembourg [14])

  5. 5 Outline 1st approach: Social Engineering Personality Framework traits of a "victim" (employee) 2nd step: find influential factors 3rd step: questionnaire attacker (social engineer) ← SE → "victim" (social target) ▶ e.g. attacker profiles (via expert knowledge / questionnaires) ▶ social engineering (SE) techniques ▶ e.g. "victim" profiling ▶ susceptibility to specific SE attacks mapped to personality ▶ with Susanne Quiel ▶ incorporating SE scenarios and other factors

  6. 6 What is Social Engineering (SE)? Hadnagy's definition [10] "the act of manipulating a person to take an action that may or may not be in the target’s best interest. This may include obtaining information, gaining access, or getting the target to take certain action." Moral Sentiments", 1759: passions and the impartial spectator (loss aversion, overconfidence, altruism, …) [1] access to the digital security domain [16] collected and provided by human sources." (NATO NSA) [17] ▶ Social Engineering is nothing new ▶ Adam Smith's theory of human behaviour in "The Theory of ▶ Kevin Mitnick was the first widely known to use SE for gaining ▶ HUMINT: "a category of intelligence derived from information

  7. 7 Social Engineering (SE) Categorisation of Social Engineering Attacks Proof, Liking, Scarcity victims [22] (cf. "The Real Hustle") ▶ Gragg's Psychological Triggers of SE [8] ▶ re-use of Cialdini's Six Principles of Influence [4] ▶ Authority , Reciprocity, Commitment and Consistency, Social ▶ Scheeres [20] mapped Gragg's trigger to these principles ▶ Stajano/Wilson's seven principles for understanding scam

  8. 8 Why Do People Succumb to SE Attacks? ▶ socio-demographics [5] ▶ knowledge (awareness) of SE attacks / attacker's intentions [6] ▶ personality traits [18] ▶ stressors ▶ impulsiveness ▶ freedom of action ▶ proficiency/affinity towards technology/internet ▶ cultural background (e.g. uncertainty avoidance) [12] ▶ evolutionary flaws in risk perception and assessment [21] ▶ human information processing ▶ peripheral/heuristic vs. central route processing [13] ▶ Dual Process Model of Persuasion [9]

  9. 9 of Victim . Agreeableness . Openness . Neuroticism . . . Personality Traits . . . . . Figure : SEPF : Specific personality traits of a "victim" increase (solid line) or decrease (dashed line) the susceptibility to Cialdini's principles of influence which are used for attacks by a social engineer. General personality assumptions about Social Engineering Personality Framework Extraversion Conscientiousness . . . Authority . Commitment & Consistency . Reciprocity . Liking . Social Proof . Scarcity . used by Social Engineer . Principles of Influence ↕ ↕ ↑ ↕ ↓ susceptibility (higher, lower, or both) for each trait are depicted by corresponding arrows ( ↑ , ↓ , ↕ ).

  10. 10 . m . . Motivational System Nokia N95 smartphones [3] Personality Traits s which refine each trait further . A greeableness, and N euroticism O penness to Experience, C onscientiousness, E xtraversion, Five-Factor Model (FFM) or the "Big 5" [15] their FFM personality traits [11] ▶ five empirically derived personality dimensions ▶ model widely used in psychology since the 1950's [15] ▶ consists of subtraits ▶ questionnaires exist, e.g. NEO-FFI, TIPI [7] ▶ gathering trait information via user behaviour, e.g. shown with ▶ Hirsh et al. describe what individuals motivate depending on

  11. 11 . . . ment seeking s positive emotions, sociability, dominance, ambitions, excite- . E xtraversion m achievement, order, efficiency . ness, following standards/rules FFM s competence, self-discipline, self-control, persistence, dutiful- . C onscientiousness m otivational system . . s ubtraits & . . m reward, social attention

  12. 12 SEPF Agenda 2. our more specific suggestions on how to map personality traits to the principles of influence [19] 3. preliminary coping strategies [24] 4. gathering empiric data via online questionnaires incl. feasible SE scenarios [2] per personality trait, SE attack, and domain 5. designing coping strategies against these specific SE scenarios 1. our approach based on comprehensive literature review [19]

  13. 13 SEPF: Example Attack Scenarios & Coping Strategies [24] attack scenario for extraverted "victims" E "A social engineer attends a social event on a conference in order to attack an extroverted individual to reveal sensitive information. To receive social attention and become a member of a social group the employee gives in and acts against official company policies." coping strategy for extraverted "victims" E "Rewards for achieved awareness trainings, for instance showing success rate in awareness learning system on company's internal social network (visible to all employees). Establish a system where employees suggest improvements for security policies and procedures -- number of submitted suggestions per employee will be displayed on internal social networking site."

  14. 14 Outlook not personality traits more holistically ▶ refined SEPF relations need empiric ground ▶ empiric research is on the way ▶ via scenario-based questionnaires derived from SE attacks and ▶ enhanced by other influential factors to shed light on this topic

  15. 15 Thank you! Questions? Contact Sven Übelacker <uebelacker@tuhh.de> Security in Distributed Applications Hamburg University of Technology, Germany https://www.sva.tuhh.de/ Acknowledgement The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TRE S PASS). This publication reflects only the author's view and the European Union is not liable for any use that may be made of the information contained herein.

  16. 16 Robert B. Cialdini. A very brief measure of the big-five personality domains. Samuel D Gosling, Peter J Rentfrow, and William B Swann Jr. Journal of consumer research , page 1–31, 1994. The Persuasion Knowledge Model: How People Cope with Persuasion Attempts. M. Friestad and P. Wright. In Computer Systems and Industrial Informatics (ICCSII), 2012 International Conference on , page 1–5, 2012. Towards Understanding Phishing Victims' Profile. A. Darwish, A.E. Zarka, and F. Aloul. HarperCollins, 2007. Influence: The Psychology of Persuasion . Personal and Ubiquitous Computing , 17(3):433--450, 2013. Literature I Mining Large-Scale Smartphone Data for Personality Studies. Gokul Chittaranjan, Jan Blom, and Daniel Gatica-Perez. 3051, 1999. In HICSS'99: Proceedings of the Thirty-Second Annual Hawaii International Conference on System Sciences, 3 , volume Five Reasons for Scenario-Based Design. John M Carroll. http://authors.library.caltech.edu/21998/2/089533005774357897%5B1%5D.pdf . Journal of Economic Perspectives , pages 131--145, 2005. Adam Smith, Behavioral Economist. Nava Ashraf, Colin F Camerer, and George Loewenstein. Journal of Research in personality , 37(6):504--528, 2003.

  17. 17 Wiley, 2010. Thinking, Fast and Slow . Daniel Kahneman. http://geert-hofstede.com/national-culture.html last visited on April 27th, 2014. 2014. National Cultural Dimensions. Hofstede Center. Psychological Science , 23(6):578--581, 2012. Personalized Persuasion Tailoring Persuasive Appeals to Recipients' Personality Traits. J. B. Hirsh, S. K. Kang, and G. V. Bodenhausen. Social Engineering: The Art of Human Hacking . Literature II C. Hadnagy. The Social Net: Human Behavior in Cyberspace , pages 91--113, 2005. Online Persuasion and Compliance: Social Influence on the Internet and Beyond. R. Guadagno and R. B. Cialdini. multi-level-defense-social-engineering-920 . https://www.sans.org/reading-room/whitepapers/engineering/ SANS Reading Room , 13, 12 2002. A Multi-Level Defense against Social Engineering. David Gragg. Penguin Books, 2011.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

You N ou Never K Nrf rf Note oteo Tnol r Know Tnol now Unuiy Until Y ntil You F uiy Wou

You N ou Never K Nrf rf Note oteo Tnol r Know Tnol now Unuiy Until Y ntil You F uiy Wou

You N ou Never K Nrf rf Note oteo Tnol r Know Tnol now Unuiy Until Y ntil You F uiy Wou ou Find Out! ou Viy ind Out! iyd Euk Euk! ! Tim Sanden VP of Informa0on Technology, CIO Cass County

811 views • 66 slides
Principles of Software Construction: A Brief Introduction to Multithreading and GUI Programming

Principles of Software Construction: A Brief Introduction to Multithreading and GUI Programming

Principles of Software Construction: A Brief Introduction to Multithreading and GUI Programming Josh Bloch Charlie Garrod School of Computer Science 15-214 1 Administrivia Homework 4b due next Thursday HW 3 feedback pushed this

594 views • 36 slides
MAC Reforgeability J o h n B l a c k 1 a n d M a r t i n C o c h r a n 2 F a s t S o f t w a r

MAC Reforgeability J o h n B l a c k 1 a n d M a r t i n C o c h r a n 2 F a s t S o f t w a r

MAC Reforgeability J o h n B l a c k 1 a n d M a r t i n C o c h r a n 2 F a s t S o f t w a r e E n c r y p t i o n 2 0 0 9 1 U n i v e r s i t y o f C o l o r a d o , B o u l d e r 2 G o o g l e I n c . Outline Problem setting -

750 views • 38 slides
Deterministic Elliptic Curve Primality Proving for a Special Sequence of Numbers Alex

Deterministic Elliptic Curve Primality Proving for a Special Sequence of Numbers Alex

Deterministic Elliptic Curve Primality Proving for a Special Sequence of Numbers Alex Abatzoglou, Alice Silverberg, Andrew V. Sutherland, Angela Wong Tenth Algorithmic Number Theory Symposium University of California, San Diego July 9, 2012

630 views • 43 slides
Counting Simple Modules: A conjectured inequality Geoffrey R. Robinson (Reporting on joint work

Counting Simple Modules: A conjectured inequality Geoffrey R. Robinson (Reporting on joint work

Counting Simple Modules: A conjectured inequality Geoffrey R. Robinson (Reporting on joint work with Gunter Malle) Blocks and Beyond (birthday conference for B. K ulshammer) Jena July 25th, 2015 1 As usual, ( K , R, F ) is a p -modular

231 views • 12 slides
Designing and Publishing a Map Product with Mapbox Lyzi Diamond, Mapbox | March 23, 2015 Who am

Designing and Publishing a Map Product with Mapbox Lyzi Diamond, Mapbox | March 23, 2015 Who am

Designing and Publishing a Map Product with Mapbox Lyzi Diamond, Mapbox | March 23, 2015 Who am I? What is Mapbox ? What are we going to do today? BEFORE WE START: Did you register for an account at www.mapbox.com? Have you downloaded

601 views • 42 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography Historical Ciphers 1 Classical Ciphers,

Outline CPSC 418/MATH 318 Introduction to Cryptography Historical Ciphers 1 Classical Ciphers,

Outline CPSC 418/MATH 318 Introduction to Cryptography Historical Ciphers 1 Classical Ciphers, Perfect Secrecy, One-Time Pad Probability Theory 2 Renate Scheidler Department of Mathematics &amp; Statistics Perfect Secrecy 3 Department of

281 views • 10 slides
M A R K E T S , P U B L I C P O L I C Y, &amp; P U B L I C A D M I N I S T R AT I O N MPA

M A R K E T S , P U B L I C P O L I C Y, &amp; P U B L I C A D M I N I S T R AT I O N MPA

M A R K E T S , P U B L I C P O L I C Y, &amp; P U B L I C A D M I N I S T R AT I O N MPA 612: Economy, Society, and Public Policy April 17, 2019 Fill out your reading report on Learning Suite P L A N F O R T O D A Y What the h*ck did

624 views • 26 slides
Learning network Three Resilience, Transformational Personal Branding and Progressing Career

Learning network Three Resilience, Transformational Personal Branding and Progressing Career

Learning network Three Resilience, Transformational Personal Branding and Progressing Career Pathways Thursday 13 February 2020 Moving up BAME leadership programme The Skills for Care welcomes you to: Learning Network 3 Resilience,

1.02k views • 76 slides
and Complete Game Semantics for Intuitionistic, EM-1, and Classical Arithmetic Workshop on

and Complete Game Semantics for Intuitionistic, EM-1, and Classical Arithmetic Workshop on

Games with Sequential Backtracking and Complete Game Semantics for Intuitionistic, EM-1, and Classical Arithmetic Workshop on Logical Dialogue games Thursday, June 29, 2015, Wien Stefano Berardi C.S. Dept., Turin University,

595 views • 27 slides
How to write a good CVPR submission Bill Freeman MIT CSAIL Nov. 6, 2014 Thursday, November 6,

How to write a good CVPR submission Bill Freeman MIT CSAIL Nov. 6, 2014 Thursday, November 6,

How to write a good CVPR submission Bill Freeman MIT CSAIL Nov. 6, 2014 Thursday, November 6, 14 A papers impact on your career Lots of impact Effect on your career nothing Bad Ok Pretty good Creative, original and good. Paper

1.13k views • 81 slides
NO-FRILLS NO-FRILLS Malware Lab Building A 1 Cyber I ncident Response Centre (CCI RC)

NO-FRILLS NO-FRILLS Malware Lab Building A 1 Cyber I ncident Response Centre (CCI RC)

Andre.Cormier@ps-sp.gc.ca Robert.Pitcher@ps-sp.gc.ca NO-FRILLS NO-FRILLS Malware Lab Building A 1 Cyber I ncident Response Centre (CCI RC) Located in the nations capital of Ottawa, the CCIRC is the national focal point for dealing

1.26k views • 96 slides
Fuzzy MLS: An Experiment on Quantified RiskAdaptive Access Control PauChen Cheng Pankaj

Fuzzy MLS: An Experiment on Quantified RiskAdaptive Access Control PauChen Cheng Pankaj

Fuzzy MLS: An Experiment on Quantified RiskAdaptive Access Control PauChen Cheng Pankaj Rohatgi Claudia Keser pau@us.ibm.com rohatgi@us.ibm.com ckeser@us.ibm.com IBM Thomas J. Watson Research Center January 3, 2007 Abstract The goal

466 views • 11 slides
AE705 Introduction to Flight Prof. Rajkumar S. Pant Department of Aerospace Engineering IIT

AE705 Introduction to Flight Prof. Rajkumar S. Pant Department of Aerospace Engineering IIT

AE705 Introduction to Flight Prof. Rajkumar S. Pant Department of Aerospace Engineering IIT Bombay AE-705 Introduction to Flight Introductory Lecture Welcome Aboard ! AE-705 Introduction to Flight Introductory Lecture Let us see what's in

1.11k views • 34 slides
Still failing to rescue what more can we do to keep patients safer? www.qgi.org.uk NPSA

Still failing to rescue what more can we do to keep patients safer? www.qgi.org.uk NPSA

Still failing to rescue what more can we do to keep patients safer? www.qgi.org.uk NPSA guidance In 2006 we reviewed the NRLS and identified three themes: No observations made for a prolonged period and therefore changes in a patients

574 views • 30 slides
Outcome definitions and risk thresholds for prevention programs (the case of suicide attempt

Outcome definitions and risk thresholds for prevention programs (the case of suicide attempt

* * * * * * * * * * * Outcome definitions and risk thresholds for prevention programs (the case of suicide attempt prevention) Greg Simon Group Health Research Institute UH2 AT007755 Pragmatic trial of population-based programs

864 views • 40 slides
The Emerging Zero Suicide Paradigm Reducing Suicide for Those in Care Julie Goldstein Grumet,

The Emerging Zero Suicide Paradigm Reducing Suicide for Those in Care Julie Goldstein Grumet,

The Emerging Zero Suicide Paradigm Reducing Suicide for Those in Care Julie Goldstein Grumet, PhD Mike Hogan, PhD August 28, 2014 Moderator and Presenters Mike Hogan, PhD Julie Goldstein Grumet, PhD Sarah A. Bernes, MPH, MSW Research

951 views • 57 slides
A few warning signs of suicide: Aggressive behavior Withdrawal from friends, family and

A few warning signs of suicide: Aggressive behavior Withdrawal from friends, family and

September is National Suicide Prevention Awareness Montha time to share resources and stories on this topic. This is the time to reach out to those affected by suicide, raise awareness and encourage individuals with suicidal ideation seek

259 views • 4 slides
Introducing: MY3 Suicide Prevention Mobile App A Project of the Know the Signs Campaign

Introducing: MY3 Suicide Prevention Mobile App A Project of the Know the Signs Campaign

Introducing: MY3 Suicide Prevention Mobile App A Project of the Know the Signs Campaign www.suicideispreventable.org www.my3app.org November 19 th , 2014 Presenter: Theresa Ly (tly@edc.org) 1 Questions? Type them in! You are in

376 views • 24 slides
Steering Committee Meeting April 15, 2020 Acknowledgement The National Center is funded in part

Steering Committee Meeting April 15, 2020 Acknowledgement The National Center is funded in part

Steering Committee Meeting April 15, 2020 Acknowledgement The National Center is funded in part by Cooperative Agreement Numbers UG7MC28482 and UG7MC31831 from the US Department of Health and Human Services (HHS), Health Resources and Services

378 views • 33 slides
Workplace Mental Health: Stepping up to the Challenges through COVID-19 MATES IN CONSTRUCTION

Workplace Mental Health: Stepping up to the Challenges through COVID-19 MATES IN CONSTRUCTION

Workplace Mental Health: Stepping up to the Challenges through COVID-19 MATES IN CONSTRUCTION An independent construction industry charity Supported by employers and unions in the industry Working on suicide prevention in

515 views • 39 slides
Overview Malpractice issues Suicide Risk Assessment and Malpractice Prevention Suicide

Overview Malpractice issues Suicide Risk Assessment and Malpractice Prevention Suicide

Overview Malpractice issues Suicide Risk Assessment and Malpractice Prevention Suicide risk factors Suicide assessment Suicide in diagnoses Phillip J. Resnick, MD Video exercise Professor of Psychiatry Case Western

413 views • 10 slides
Advocacy and Policy Best Practices and Programs for School Age Youth 4.30.19 Sarah Davidon

Advocacy and Policy Best Practices and Programs for School Age Youth 4.30.19 Sarah Davidon

Advocacy and Policy Best Practices and Programs for School Age Youth 4.30.19 Sarah Davidon Research Director, Mental Health Colorado Ben Harrington CEO, MHA of East Tennessee and RPC Representative Moderated by: Debbie Plotnick Vice

572 views • 30 slides
TEEN MENTAL HEALTH: In their own words CSL in Session, February 2020 Cameron Riesenberger, Pikes

TEEN MENTAL HEALTH: In their own words CSL in Session, February 2020 Cameron Riesenberger, Pikes

TEEN MENTAL HEALTH: In their own words CSL in Session, February 2020 Cameron Riesenberger, Pikes Peak Library District Christine Kreger, Colorado State Library Beth Crist, Colorado State Library Number of suicides per year in Colorado,

400 views • 17 slides

More recommend