Security Social Engineering: Systematic Literature Review

  • Muna Al Atebi

Student thesis: Master's Thesis

Abstract

Social Engineering (SE) deceptively penetrates the information system (IS) through low- or non-technical means [1], largely by manipulating authorized human users for illicit access. Many papers and publications discuss SE schemes using anecdotal evidence to depict its criticality. OBJECTIVE – This paper aims to fully synthesize extant literature regarding the SE concept, process, threats, implications, and solution strategies. METHOD – The systematic literature review examines 54 sources (conference papers, journal papers, articles, and ebook chapters) which are classified according to identifiable links to each research question posed. RESULTS – Seven conceptual models of SE are presented, featuring psychological to systemic elements. Different SE processes are specified by three main stages: planning, execution and exploitation. All possible motivations and targets for SE attacks are examined, with targets making up three different categories: organizational, systemic, and individual. SE infiltration techniques are described under four main methods: direct request, persuasion, fabrication, and data collection. Also, SE-related vulnerabilities and threats are identified and detailed as four types: human factors, organizational-management policies, information-security policies, and others. Direct and indirect SE implications are outlined. Finally, five sorts of solutions are featured: education, security policy, defense-in-depth, security assessment and technical controls. Education is most highly emphasized by primary studies (62%), followed by security policy (55%).
Date of Award: Dec 2014
Original language: American English
Supervisor: Davor Svetinovic

Keywords

  • Social Engineering
  • Information Systems
  • Information Security
  • Information and Communication Technology
  • Cyber-security
