Estimating human resilience to social engineering attacks through computer configuration data


Academic year: 2021


Estimating human resilience to social engineering attacks through computer configuration data

A literature study on the state of social engineering vulnerabilities

MATIAS CARLANDER-REUTERFELT GALLO

KTH

SKOLAN FÖR ELEKTROTEKNIK OCH DATAVETENSKAP


© 2020 Matias Carlander-Reuterfelt Gallo


yet often being very simple in its form. Whereas for other forms of cyber-attack, tools like antivirus and antimalware are now industry standard and have proven to be reliable ways of keeping private and confidential data safe, there is no such equivalent for social engineering attacks. There is not, as of this day, a trustworthy and precise way of estimating resilience to these attacks while still keeping private data private.

The purpose of this report is to compile the different aspects of a user's computer data that have been proven to be significantly indicative of their susceptibility to these kinds of attacks, and with them devise a system that can, with some degree of precision, estimate the resilience of the user to social engineering.

This report is a literature study on the topic of social engineering and how it relates to computer program data, configuration and personality. The different phases of research each led to a more comprehensive way of linking the different pieces of data together and devising a rudimentary way of estimating human resilience to social engineering through the observation of a few configuration aspects.

For the purposes of this report, the data had to be reasonably accessible, respecting privacy, and being something that can be easily extrapolated from one user to another.

Based on findings, ranging from psychological data and behavioral patterns, to network configurations, we conclude that, even though there is data that supports the possibility of estimating resilience, there is, as of this day, no empirically proven way of doing so in a precise manner. An estimation model is provided by the end of the report, but the limitations of this project did not allow for an experiment to prove its validity beyond the theories it is based upon.

Keywords

Internet security, Social engineering, Phishing, Privacy, Computer configuration, Psychology.


in itself very simple in its form. Whereas other types of cyber-attacks can be guarded against with tools such as antivirus and antimalware, which reliably keep private and confidential information secure, there are no corresponding tools for protecting oneself against social engineering attacks. There is thus today no reliable and secure way of withstanding social engineering attacks and protecting personal details and private data.

The purpose of this report is to show the different aspects of how computer users' data are vulnerable to these types of attacks, and with these to design a system that can, with some degree of precision, measure resilience to social engineering.

The report is the result of studies of the literature in the field of social engineering and how it relates to the computer's data, configuration and personal details.

The different parts of the investigation each lead to a more comprehensive way of connecting the different pieces of data and designing a rudimentary way of estimating a person's resilience to social engineering, by observing different aspects of the computer's configuration.

For the purpose of the report, the data have been reasonably accessible, have respected privacy and have been something that can easily be adapted from one user to another.

Based on the observations of psychological data, behavioural patterns and network configurations, we can conclude that even though there is data supporting the possibility of estimating resilience, there is today no empirically proven way of doing so precisely. An example of a model for estimating resilience is found at the end of the report. The scope of this project did not make it possible to conduct a practical experiment to validate the theories.

Keywords

Internet security, Social engineering, Phishing, Privacy, Computer configuration, Psychology.


at KTH, Robert Lagerström for the ideas and feedback during the process of writing this thesis.

Stockholm, June 2020

Matias Carlander-Reuterfelt Gallo


Contents

1 Introduction 1
1.1 Background 1
1.2 Problem 4
1.3 Purpose 4
1.4 Goals 4
1.5 Delimitations 5
1.6 Structure of the thesis 5
2 Background 7
2.1 ICT security and SE 7
2.1.1 Types of SEAs 10
2.2 Computer configuration 12
2.3 Psychology as a parameter 13
3 Method 15
3.1 Paradigm 15
3.2 Literature study and data collection 15
3.3 Data analysis 17
3.4 Evaluation framework 19
4 Results and analysis 21
4.1 The missing links 21
4.1.1 Data to personality 21
4.1.2 Personal traits to SE resilience 23
4.2 Major results 25
4.2.1 Lessons learned and reliability analysis 26
4.3 Validity Analysis 27
4.3.1 Universality 28
4.3.2 Availability 28
4.4 Estimation model 29
5 Discussions and future work 31
5.1 Limitations 31
5.2 Future work 31
6 Conclusion 33
References 35


BYOD Bring Your Own Device
FFM Five Factor Model
ICT Information and Communication Technologies
IP Internet Protocol
IT Information Technologies
NFC Near Field Communications
OS Operating System
PC Personal Computer
QR Quick Response
SE Social Engineering
SEA Social Engineering Attack
SEPF Social Engineering Personality Framework
SSID Service Set Identifier
VAP Very Attacked Person
VIP Very Important Person
VPN Virtual Private Network
WLAN Wireless Local Area Network


Chapter 1 Introduction

This report is a literature study that looks into Social Engineering (SE) in IT and how it relates to the computer configuration of a user. This is done in order to find the links between what is considered most relevant to the success of a social engineering attack and how resilient a user might be. The goal of this project is to make this assessment from the computer configuration data of a user.

1.1 Background

At the start of the 21st century, there was a push for telephone access as a means of developing societies. This meant getting as many people as possible reasonably easy access to a telephone line to improve their quality of life [1]. The number of fixed telephone lines peaked in 2006 [2] and has since been declining, not out of redundancy, but because the telephone line is being replaced by a much more versatile technology, the Internet. Today, in 2020, it is estimated that there are around 4.6 billion Internet users [3], a number which is still growing and will continue to do so for the foreseeable future.

Over these decades, our reliance on technology and digital media for the storage and transmission of information has increased, and in many countries things like healthcare records, social security, banking and vote counting for elections go through a digital database. This has made them more convenient and accessible for a lot of people, but with accessibility come some concerns.

Both personal and corporate computer systems and databases are vulnerable to some extent, whether through a weak password, a very transparent network or a bug in the code. A commonly cited statistic is that a cyber-attack is performed somewhere in the world every 40 seconds [4]. Already in 2015, the estimated cost of cyber-attacks was about $3 trillion worldwide. Four years later, in 2019, the estimate is around $5.2 trillion [5]. This number is expected to keep growing, and experts in the field say that system security is a matter of great concern that amounts to thousands of dollars of losses worldwide for businesses both big and small, as well as for individuals.

Cyber-attacks on computer systems can be divided into two categories: technical attacks (hacks) and social engineering attacks (SEAs).

• A hack is a means of gaining access to a computer network, system or device. This can be done remotely or locally, and requires technical skill to perform, as it mostly consists of exploiting vulnerabilities in the systems themselves. The main way of building resilience against such attacks is to have a more robust security framework.

• SEAs are those in which the attacker psychologically manipulates a user into performing an action or giving up important information that can aid them in breaching the user's security.

The SE approach with malicious intent has proved to be a lot more successful than hacks. Not only does it require less technical skill and fewer resources, but it can essentially be performed by anyone with a phone. 98% of cyber-attacks rely on SE [6]. As more people gain access to the Internet and the telephone by the day, it is concerning to think that their lack of knowledge of these topics will be used against them.

While the latter form of attack has mostly been used on computer systems in recent years, such attacks are actually as old as deception itself: tricking the target into giving away personal information, credit card or social security numbers, etc. It also has to be said that SEAs are often paired with technical skill in order to install malicious programs or trick the users into opening a vulnerability or backdoor. This combination will still be categorized as SE going forward, because it was the human fault that allowed the breach to happen. The attacks can range from a target getting a malicious email from a forged address, to a person claiming to be IT security walking in and using an office computer.

The key to these attacks is always the same: human error [7].

The main factors in SE are the type, channel and operator. Going forward, this report will use the taxonomy laid out by the paper Advanced Social Engineering Attacks [8], with the structure seen in Figure 1.1, which will be further explained in later sections. Phishing, for instance, is the most popular SEA, and in 2017 phishing attacks were considered the top security threat by 56% of IT decision makers [6]. This means that the human factor is a crucial aspect of system security nowadays for companies, and the personal nature of the attack makes it possible against ordinary people too. In 2017, spear-phishing is estimated to have been used in 91% of successful data breaches in businesses [6]. SEAs are now known to increasingly use Artificial Intelligence (AI) for targeting [4], increasing both the range and effectiveness of each attack.

Figure 1.1 – Social Engineering Taxonomy [8]

Because of the nature of SEAs, there is no reliable or measurable way of increasing resilience to them; that is, some of the measures one can take against attacks may not always be enough. There is no estimate of how well one user is protected, only of how many users are affected by an attack.

There is no antivirus equivalent for SE that you can install on every terminal.

Because of how different the response to an attack can be from one person to another, it is difficult to find the weak points and thus improve or reinforce the system. A common issue is that the type of SEA can change so much from one to another that the deployment of a universal protection framework will not work across all types of attacks. The effects of technical attacks can be ameliorated more easily by a large-scale deployment of software or protocols, while social attacks can almost exclusively be reduced by coaching staff, in business environments, and by being cautious. The differences in operator, type and channel of SEAs make it difficult to find the weak points and blind spots and defend them effectively on a large scale. An IT security team cannot use the same methods (be it blocking content, not providing specific information...) to prevent a breach attempt through the telephone as for a phishing email. In these cases, caution equates more to advice than to a protocol to be followed to increase awareness and prevent SEAs, which is what this report aims to facilitate. Security awareness has been given much importance by experts [9,10,11], and thus will be paid attention to in the evaluation.


1.2 Problem

The fallibility and unpredictable nature of users of computer systems make it difficult to estimate at a glance how likely one is to be the target of an attack or to be deceived by it. The focus of this report is on the latter, and it occasionally uses data on the former in order to get some information as to why the attacks are made, and thus give a better idea of the how.

Unlike with technical attacks and hacks, the predictability and structure of a system are for the most part lacking where human nature is concerned, and cannot be dealt with easily. While antivirus programs are not perfect by any means, they have decent success rates overall [12], but for each person, the attacks are increasingly being specifically targeted. There has been an increase in AI use for acquiring information on the targets and executing the attacks themselves [4]. So assuming a success rate in a group of people, a company for instance, will only be a matter of estimating the success rate for the “weakest link”, but finding this can take precious time and resources. A random individual, too, may not be able to access the training that could help increase resilience to SEAs, so a more universal approach would be helpful.

1.3 Purpose

Because of how prevalent SEAs have become, this report aims to facilitate, through a somewhat structured protocol, a way to estimate in some capacity the resilience of a user to SEAs. In order to make it more universal, this will be done by evaluating the computer configuration of users. The idea is to have a set of parameters that, by being contrasted with the data and statistics that are known about SE, can help give an assessment of the resilience of a user’s computer configuration to SEAs.

1.4 Goals

The goal of this report is to develop a comprehensible framework with which a computer configuration can be assessed in terms of how resilient that user might be to a SEA. The parameters used should be consistent with the aspects that are considered important in the relevant fields of such parameters and easily applicable to the different ways a user interacts with computers.

In order to find this universality, then, a set of questions will be aimed at:


attacked persons (VAPs).

3. Would it be safe to assume that computer configuration can inform about a user's or group of users' resilience to SEAs? If so, to what extent?

In the problematic scenario that no consistent information is found, or not enough data is considered important to give a definitive evaluation, general guidelines and a list of important factors will be provided at the end.

1.5 Delimitations

Due to time constraints, this report will focus only on the more theoretical part and on assessing the information that has already been found by industry professionals. It will have to be a combination of both, and not based purely on results found and other statistics, because of how opaque some companies and people are with regard to these kinds of attacks, be it because of shame or the reputational hit it could have for certain people.

The range of what will be considered computer configuration will also affect how valid the assessment turns out to be. Because of the range of channels through which one can now be approached with malicious intent, some aspects will overlap more tidily than others. This will be clarified in Section 2.2.

1.6 Structure of the thesis

The rest of the report continues with Chapter 2, which goes through the main fields that are relevant to SE. Within these, the main aspects found by the related studies and literature will be highlighted and further analyzed in Chapters 4 and 5, including the most prevalent methods and forms of SEAs.

Chapter 3, the method, lists the literature studied and what criteria were used to determine its relevance to this study, as well as other parameters such as search terms and main sources. It also gives an overview of how the results were organized and the data analyzed, in order for them to be consistent with the aforementioned criteria regarding relevance.


Chapter 4, the results, lays out the finalized version of the data, with the corresponding importance attached to it, judging its veracity, the shortcomings, and the overall reliability of the framework arrived at through this study.

Chapters 5 and 6, discussion, future work and conclusions, go into more detail on the shortcomings, the things that can be expanded upon, the things that could not be included and some things to consider that are related to the information in this report.


Chapter 2 Background

This report focuses mainly on computer configurations, and thus it will look more closely at the Internet field when talking about SE. SE in itself has been around since before the Internet, so it is not exclusive to it, but because of the aim of this report it makes the most sense to look at the Internet as the main channel. This section details the relevant background information used as a basis for the final assessment of the questions posed in Section 1.2.

2.1 ICT security and SE

Social engineering, in the field of information security, is defined as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” (not to be confused with social engineering in the context of social sciences). With deception and manipulation as the main methods, some key factors can be observed to have a significant effect.

Professor Robert Cialdini of Psychology and Marketing at Arizona State University is an expert in the field of the psychology of persuasion, and the groundwork laid out by him is one of the bases used when making claims about psychology in this report. Even though his work is mostly applied to the field of marketing, his principles are a good base for understanding manipulation and deception, and they have been contrasted and compared with other similar models on the topic of SE [13]. Cialdini observed six key principles of persuasion: reciprocity, commitment and consistency, social proof, authority, liking and scarcity [14].

• Reciprocity: this refers to the fact that people tend to return the favor.

• Commitment or consistency: this refers to how people tend to honor the “contracts” that they agreed to or that may have an effect on their image.

• Social proof: based around the likelihood of people replicating or following other people's behavior.

• Authority: people tend to follow authority figures or perceived authority.

• Liking: people tend to be more trusting of people they like.

• Scarcity: perceived scarcity generates demand, and people are less likely to think their actions through when under pressure or emotional imbalance.

As expected, these principles are followed and have been referred to as being utilized for SEAs [15]. Specifically in the case of ICT, the lack of direct contact between the attacker and the victim makes it easier for the perpetrator to, for instance, impersonate some kind of authority or institution, or even a family member or acquaintance in some cases. Through ICT, SEAs can take the form of e-mails, instant messages, advertising, browser tabs and pop-ups, and seemingly innocuous files.

For reference, Figure 1.1 shows the three main axes (channel, type and operator) that differentiate the process of the attacks. SEAs follow the same structure for the most part, regardless of the channel:

• Finding a target: According to a 2019 Proofpoint report [16], very attacked persons (VAPs), contrary to popular belief, are not mainly constituted by VIPs, that is, high-profile individuals. The most significant factor, common to 36% of the identified VAPs, was the availability of their online identity. This includes contact information: telephone numbers, email, social media profiles, place of work and so forth. Within the identified VAPs who also happened to be VIPs, Proofpoint found that for 23% of them, their email address could be found by a simple Google search.

During the process of finding targets, two main approaches can be taken, which correlate to the operator of the SEA. Targets can be chosen manually, by an attacker trying to target a specific person, be it directly for their position and potential benefit, or indirectly, where the target is associated to a person with a more valuable profile. The people that are targeted can also be part of the result of an automated system that spreads the attack indiscriminately through a set of addresses [4].


where the actions of the user may compromise their information through deception, falsification of real websites or pop-up advertisements.

• Engaging the target: While active SEAs also exploit human error, passive attacks are the ones in which human error is the most obvious. Lack of understanding or awareness can create a situation where a cautious user probably would not, for example, mistake a forged website for the real one, whereas a more careless user may unintentionally give up information or, in the worst cases, even surrender control of their terminal to a malicious source. Active attacks, however, are ones that exploit errors in more tailored ways, because usually these are targeted to some extent. Thus, because a minimum of knowledge about the target (for example, email addresses or Facebook profiles) is required for the attack to even take place, the manipulation tactics are usually more successful; still, as seen in the Proofpoint report, more than 99% of attacks require human interaction to be effective. Studies have also shown that the number of steps that have to be taken has a direct correlation with the likelihood of success: specifically, the more steps one has to take, the less likely they are to be completely deceived [17]. This is why, as explained later, some very common and successful attacks are very simple in execution.

• Using acquired information: This is what happens once the attack is complete. The ultimate goal of SEAs can vary. While some attacks are done only for reputation and notoriety in some circles, most of them have some sort of monetary incentive, either directly or indirectly. Stolen data can be used for blackmail, scamming, identity theft, espionage, getting payment information and stealing money, or to be sold on the dark web.

As previously mentioned, not all VAPs were VIPs, which means that in many instances the people that are attacked are just a means of reaching a bigger target or infiltrating a bigger infrastructure. Finance is the most attacked sector, which supports the assumption that monetary gain is the ultimate goal.


2.1.1 Types of SEAs

These are the most common and notorious forms of SEA.

• Phishing: By far the most common form of SE. It has proven to be effective and versatile, while also being one of the simplest. Phishing consists of attaching, to text-based communication such as e-mail and instant messaging, a malicious file or link that can either directly compromise information or lead the victim to unknowingly give up private information on a forged webpage, for example. This is usually done by impersonating a company or person in the message and creating a convincing recreation of a plausible message. These attacks take advantage of the victims' lack of awareness and knowledge, technical or otherwise. The way one gets targeted can be random, but some attacks are tailored for specific people. These are known as spear-phishing, and they even go as far as to impersonate an acquaintance, friend or relative in order to be more plausible. Another form of phishing known as whaling shares most of the characteristics, but the targets chosen are considered more valuable (“bigger fish”).

In recent years social media has been used extensively both for acquiring the information necessary to reach a target and for reaching them directly. The popularity of this type of attack can probably be attributed to how simple it is to perform, and how easy it is to get the information necessary to engage the target. This usually takes advantage of the scarcity principle described by Cialdini, where a “too good to be true”, “once in a lifetime” deal may pop up, tempting the user to click out of curiosity, urgency or greed. It is no coincidence either that the subjects of the most successful phishing emails are "Payment", "Request", "Urgent", "Firing" and "Bonus" [16,17], since they elicit a sense of urgency. It is no coincidence that the most successful disguise for malware attacks in phishing is a fake bill or invoice [17].

• Vishing: Vishing (voice phishing) can be considered the equivalent of phishing, but for telephone communication, where the attacker tricks or manipulates the victim into surrendering private or confidential information for fraudulent purposes and scams. It is based on human interaction and the impersonation or manufacturing of a supposed authority or institution. Like most SEAs, it takes advantage of the lack of knowledge of its victims, but its success relies more on the attacker's person-to-person skills.


malicious program or steal information. The same can be said about QR codes and NFC devices, which can be easily placed somewhere public (or not), with the hope of baiting a victim into reaching a malicious source of malware or fake websites that then install malware [18].

Other kinds of baiting also take the form of ads or pop-ups, where users might mistake them for a legitimate source, or lead them to download some program or software. The human flaw that these attacks primarily exploit is curiosity and carelessness.

• Scareware: Also known as fraudware, deception software and rogue scanners, these attacks can take several forms, but at the core they follow the same principle. In a similar way to baiting, scareware attacks take advantage of the sense of urgency that they intend to cause in their victims. The name comes from the fact that they usually take the form of a pop-up or window that gives some sort of alert or warning, usually regarding a fake security breach, account management or privacy. These messages are usually followed by a proposed “solution”, which usually comes in the form of installing a malicious tool or program, or paying the supposed attacker to remove it [19]. It can also take the form of messages or emails that display a message from a popular website, prompting the target to follow a link and enter some credentials to “fix” the problem or “improve security”. These attacks sometimes use legitimate information, such as IP addresses and names, to further improve their credibility.

• Reverse social engineering: Rather than approaching the victim directly, these attacks try to deceive the targets into believing that the attackers are a trusted source or institution that can offer a solution to a problem. Often the problem was manufactured by the attackers as well, and they conveniently happen to have and offer the solution.

• Dumpster diving, quid pro quo and shoulder surfing: These types of attacks are commonly used in combination with one another, as well as with more technical attacks such as advanced persistent threats and malware. Figure 2.1 shows how the attacks defined above relate to the taxonomy used in Section 1.1.

Figure 2.1 – Social engineering taxonomy

The wide range of types of attacks use different tactics to their advantage.

The main principles a social engineer uses during an attack are further explained in Section 2.1.
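As an added illustration of the phishing indicators described in this section (urgency words in the subject, the fake-invoice lure, impersonation of a known institution, and links to forged pages), here is a defender-side triage script. It is not part of the thesis; the trusted brand-to-domain table, the risky attachment extension list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Subject words the thesis reports as the most successful urgency cues [16,17].
URGENCY_WORDS = {"payment", "request", "urgent", "firing", "bonus"}
# The fake bill or invoice disguise the thesis names as the top malware lure [17].
INVOICE_WORDS = {"invoice", "bill", "receipt"}
# Attachment types that can carry an executable payload (assumed list, not from the thesis).
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip", ".iso", ".html", ".htm"}

URL_RE = re.compile(r"""https?://([^/\s>"']+)""", re.IGNORECASE)
HREF_RE = re.compile(r"""<a[^>]+href="(https?://[^"]+)"[^>]*>(.*?)</a>""", re.IGNORECASE | re.DOTALL)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str, trusted_domains: Dict[str, str]) -> Dict[str, object]:
    """Return the phishing indicators found in one raw RFC 5322 message.
    trusted_domains maps a lower-case brand name to the domain it legitimately sends from."""
    msg = message_from_string(raw)
    findings: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    # Authority principle: display name claims a known brand, but the address is another domain.
    for brand, dom in trusted_domains.items():
        if brand in display.lower() and sender_domain != dom:
            findings.append(f"display name claims '{brand}' but sender domain is '{sender_domain}'")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("Reply-To domain differs from From domain")
    subject = msg.get("Subject", "").lower()
    hits = sorted(w for w in URGENCY_WORDS if w in subject)
    if hits:
        findings.append("urgency cue in subject: " + ", ".join(hits))
    # Walk the MIME parts: link text naming one host while the href points at another is the
    # forged-webpage pattern; an invoice-named risky attachment is the malware lure.
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            if any(w in name for w in INVOICE_WORDS) and any(name.endswith(e) for e in RISKY_EXT):
                findings.append(f"invoice-themed risky attachment: {filename}")
            continue
        body = part.get_payload(decode=True)
        if body is None:
            continue
        text = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        for href, anchor in HREF_RE.findall(text):
            href_host = URL_RE.match(href).group(1).lower()
            shown = URL_RE.search(anchor)
            if shown and shown.group(1).lower() != href_host:
                findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail): a fake-invoice phish with an urgent
# subject, and a benign statement notice sent from the brand's real domain.
SAMPLE_PHISH = """\
From: "Example Bank Support" <billing@mail-examp1e.test>
Reply-To: collect@another.test
Subject: URGENT: Payment request for overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="https://login.mail-examp1e.test/x">https://www.example-bank.test/login</a></p>
--b1
Content-Type: application/zip; name="Invoice_4471.zip"
Content-Disposition: attachment; filename="Invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

SAMPLE_LEGIT = """\
From: "Example Bank Support" <support@example-bank.test>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Sign in at https://www.example-bank.test/ to view your statement.
"""

# Assumed table of brands and the domains they legitimately send from.
TRUSTED = {"example bank": "example-bank.test"}

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(raw, TRUSTED))
```

The score is a count of independent indicators, so it supports ranking a mail queue for analyst review rather than an automatic block decision.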

2.2 Computer configuration

Computer configuration is what, in this report, is analyzed in an attempt to estimate SEA resilience. This is, however, a broad term, so for compartmentalization purposes three categories are taken into consideration when talking about computer configuration in the analysis of results. These categories vary in complexity, accessibility and relevance, but all have aspects that are relevant to the channel or type of attack. The categories are: device and operating system; programs and applications; and configuration and information. For the devices, the three main categories are PC, laptop and smartphone. All of them have Internet connections in common, but their use cases differ significantly enough for there to be a distinction. Operating systems are mostly tied to the hardware, so the ones considered are the five biggest consumer-grade OSs: Linux, MacOS, Windows, Android and iOS.

For programs and applications, this is about their use and behavior. From


Configuration and information is everything else. These are the settings and information stored on the computer. For practical purposes, in this report the information and data of a computer are not analyzed. As for the configuration, it happens to be the area that has the most effect on SEAs overall. This includes the security settings (biometrics, password use, two-factor authentication...), network settings (having public SSIDs stored, VPNs and firewalls, ad blockers...), location services and overall device privileges and administration.

2.3 Psychology as a parameter

Due to human behavior being at the core of the issue of security and privacy regarding SE, observations and conclusions on an individual level cannot be dissociated from the psychology and personality of the participants. In this case, because the focus is on targets and victims, the report looks at the factors that have some correlation with the propensity to be deceived or manipulated. For the purposes of this report, when talking about psychology the Five Factor Model (FFM) will be used. This is a model that groups personality traits into five categories, organized along a series of statistically independent factors: Openness, Conscientiousness, Extroversion, Agreeableness and Neuroticism.

• Openness to experience measures creativity and curiosity, as opposed to caution and consistency.

• Conscientiousness measures how organized or rigid one is, as opposed to careless.

• Extroversion refers to how open and interactive one is with other people.

• Agreeableness reflects friendliness, kindness and empathy, as opposed to manipulation and lack of cooperation.

• Neuroticism is correlated with stress, nervousness, anger and frustration as well as other kinds of negative emotion.


The FFM is not, however, without its faults. It has been subject to criticism from its detractors for two main reasons: its limited scope and its statistically based analysis, rather than a more rigorous psychological study. For the purposes of this report, neither criticism is significant enough for the model to be disregarded, especially since it is still so widely used.

The reason this model was chosen is twofold. On the one hand, because of the wide range of studies and demographic research and data that use it, which is helpful when speaking in broad terms about psychology, and on the other hand, because of its simplicity. This is not a psychological study, and the main focus of the report is within ICT and SE. The relevance of psychology in this report does not outweigh the fact that, at the core, it is just a means of linking some ICT data to a person or group. Onwards, this report links the statistical data on personality, manipulation and deception to the data regarding VAPs, SEA methods and computer configurations.

The similarities and relationships between Cialdini’s principles and the FFM have been studied, mainly due to the popularity of both in their respective fields. Both systems are widely regarded as good indicators for the topics they set out to describe, and both use psychological terminology that makes the comparison clearer. A more detailed explanation is given in Section 4.1. Personality traits have been observed to indicate an increase in susceptibility to SE using Cialdini’s principles of persuasion, so, while there are explanations and information about psychological factors, Chapter 4 is the result of linking those findings of experts in the field of psychology specifically with computer configuration.


Chapter 3

Method

This chapter describes the method and process used to collect and organize information, and in which ways it was considered to be of more or less importance to the purposes of this report going forward.

3.1 Paradigm

Because of the formal nature of how computers work, quantitative results and analyses have already been done in order to assess threats and estimate the reliability of the security of a computer system. The permeability of the channels of attack, as well as the overall robustness of its systems are a good indicator of how good a system will be at rejecting an attack. However, when it comes to faults in a system, or the compromise of confidential or private information, human error is not accounted for.

It is not uncommon for OSs to issue security updates, which usually address these kinds of technical, hardware-based attacks, but for SE there is no such thing. The closest analogue would be frequent security awareness training, which has proven to be useful [18, 20], but its efficacy is not easy to measure. The analysis of a system’s infrastructure or configuration itself, to this day, gives no information about the resilience of the system overall (counting its user as part of that system).

3.2 Literature study and data collection

The contents of this report have been collected from academic studies, reports from security companies and articles.


Table 3.1 – Search terms used

ICT & security        Social engineering & psychology
Configuration         Manipulation
Data                  Deception
Attack                Mistake
Hack                  Phishing
Email                 Big Five Model
Virus                 Scam
Cyber                 Personality
Cybercrime            Victim
Digital               Statistics

Table 3.1 lists the keywords used to find the information in the sources.

These words were used in different combinations, giving results that were more or less specific to the information needed.

Figure 3.1 shows the outline of the steps of the literature study and evaluation of results.

In the first phase of the study, ICT security and social engineering were the major targets. Studies and articles were found analyzing the different methods and channels. Some companies specialized in the field also make resources freely available, with statistics and insight from people working in the subject area of ICT security and some even in SE. Some early studies regarding SE were on the subject of the process and methods. These paid special attention to the ways in which victims were manipulated and the things attackers took advantage of. SE, however, is not exclusive to ICT: the methods employed overlap with those of scams, where only the channel is significantly different. Scams have been around for millennia, so the idea of manipulation and deception precedes that of behavior in front of computers. Thus, the main subject areas of this phase were, broadly, psychology and cybersecurity.

In the second phase, having more context about both ICT and SE security, the target information was narrowed down and subsequently organized into its respective categories. For ICT, the security of devices and OSs was one part, the programs and applications installed was another, and the last was the settings and configuration. In SE, the information regarding SE and manipulation had two main insightful bases: Cialdini’s principles of persuasion, and the FFM.

The ICT section was about grouping into categories useful for analyzing the information assembled from computer configurations in similar ways. The three parts have a range of common characteristics, both between and within user groups, that make them easier to compare with one another. For instance, having the same OS can give an insight into the whole group of people that use it, just by virtue of having it, while the use of a service may just be the result of its popularity. The psychology section was about finding a robust model for analyzing psychological information about habits and behaviors, preferably in such a way that made the relationships easy to understand and visualize.

Figure 3.1 – Project phases

In the third phase the different categories and factors were read into further, in an attempt to find the links between them and how they relate to each other. Within the categories (psychology and computer configuration) the relationships were more apparent than between categories. Cialdini’s principles have been found to correlate with the FFM [21], and the parts of a computer system all have relationships with each other. After this, three main points were used for the assessment of SE resilience: psychology, computer configuration and position. These points are what one can observe, infer or deduce from looking at a given user’s computer configuration. Because SE in this report is a combination of the technical and the psycho-social, the relationships between these points dictate the weight that they will hold when it comes to estimating resilience to SEAs in the final evaluation framework.

3.3 Data analysis

Figure 3.2 – Most-targeted sectors, 4Q 2019 [22]

Resilience to SEAs will be defined, for the analysis and results sections of this report, as the level of susceptibility and likelihood of a target going through with an attack up until they have interacted with the attacker in the way that the attacker wants. The data was analysed with two main factors in mind: universality and availability of the data. Universality judges whether a given pattern can be extrapolated between groups of people with similar characteristics, or is otherwise exclusive to an individual in an environment. Availability values how easy it is to access data without overstepping ethical boundaries and disrespecting a user’s privacy. Resilience to SE, understood as susceptibility and likelihood of being deceived by an attacker, will be evaluated by:

• Psychology: this refers to the personality traits that are most telling about a given user’s resilience to social engineering attacks. It consists of a combination of Cialdini’s principles, which determine the weak spots and methods, and the FFM, which, through statistical evidence, can narrow down a person’s traits into understandable categories that can indicate susceptibility to specific principles.

• Configuration: the set of tools, programs, applications and settings that make up the computer’s digital fingerprint. Habits and good practices can be observed from the settings of a user, and examining some of them can give hints into how prone those habits are to lead the user to make a mistake under a SEA.

• Position: these are the external factors that make up the user’s routines,


of the likelihood of being attacked, as seen in Proofpoint’s research [16]. Spear-phishing and whaling are attacks known to target specific positions and fields of work, as seen in Figure 3.2 and consistent with the aforementioned report by Proofpoint. Position within an industry is also related to the individual’s personality through the FFM, but the overlap will be further explained in Section 4.1. Position is the most indicative of the likelihood of being attacked, but the hardest to find any good motivation for in an estimation of resilience.

3.4 Evaluation framework

As explained in Section 2.1, more than 99% of attacks require human interaction to be effective. This means that whatever is most effective at getting the interaction the attacker wants out of the target will lead to a successful attack. Resilience will depend mostly on how, and whether, a target will carry out the action that the attacker wants. This in turn depends on some traits, which are either internal or external: for a given user, the internal traits are the ones they carry with them regardless of circumstance and terminal, while the external ones depend on the environment the user is in.

Because of the high significance of these interactions, the most weight will be given to the psychology of the user, as this determines whether they are more likely to perform poorly in them. This is also because it is an internal trait, and thus better represents the user regardless of the environment he/she is in. Also, a requirement present in 99% of cases means that psychology works most significantly as the whether question, which in turn is the deciding factor, while the rest acts more as a multiplier of it.

As for the configuration, the way it is set up can make a difference, especially when considering the attack surface. Configuration does not take the terminal’s settings alone into account, but also the environment. Depending on local network settings, some types of communication might not get through, and the use of packet blockers, for example, could block attempts at sending malicious files. This can also happen depending on the services one uses, such as mail providers, VPNs, cloud services and so forth. Mail providers, for instance, may hinder the success of a SEA attempt by placing suspicious emails in the junk folder, or even blacklisting and rejecting them altogether, making a system safer against those attacks.

The position of a user has been chosen as a factor for one main reason. In most sectors, it is increasingly the case that Bring Your Own Device (BYOD) policies have been put in place. This means that personal terminals are used for work as well, sharing space on the same machine. In some attacks such as spear-phishing, because of BYOD, the chance of being targeted on your personal device may not just be a consequence of you yourself being of interest, but because, even through your personal device, you may be able to grant access to the confidential and private information of another person, or of your organization. It is not uncommon for attackers to find information about targets online, from sources like LinkedIn [23], for example, and the number of sources keeps growing [24]. In the same way an attacker may target an individual for access to an organization, the same can happen the other way around: as many as 30% of attacks target generic email address names (like sales@company.com or salesteam@company.com) [25], which could in turn lead to an individual compromising their own information or device because they use the same one for both work and personal use. This is, however, not as deciding a factor as the others above, but it serves as a way through which a user might unintentionally increase their vulnerable attack surface.


Chapter 4

Results and analysis

This section analyses the main pieces of information that resemble a pattern that may point to the possibility of estimating a given user’s resilience to SEAs in a particular environment through computer configuration data. Section 4.1 reports the findings related to the indirect estimation of resilience, through the study of personality and other personal traits.

4.1 The missing links

To reiterate from Section 2.1, a greater than 99% requirement of human interaction in an SEA means that the deciding factor for its success depends on the human itself. The analysis of human behavior and thought is psychology, so the links between a given user’s configuration data and their personality have to be established. Likewise, a relation has to be established between certain personality traits and SE. No direct links can be observed between SE and computer configurations besides the possible channels of attack, so a series of steps have to be taken for a conclusion to be drawn, each with a differing degree of reliability.

4.1.1 Data to personality

In computer systems, the main ways of interacting with content are web- and application-based. The digital fingerprint and install profile of a user have been observed to be a good indicator of the user’s activity and behavior online.

Regarding application usage, there is an overlap of web-based activities with those of applications depending on the device; for example, social media is mostly browser-based on PCs and laptops, while it has an application version for mobile app stores.

The main piece of information regarding personality and computer data comes from a 2015 field study [26]. The main findings from this research are outlined in Table 4.1, where a negative relation between a personality trait and the number of applications of a given type means that adoption of the latter is an indicator of a high level of that trait, and a positive relation means high levels of both. In that study, a sample is surveyed with a 44-part questionnaire in order to categorize participants into the different personality traits used in the FFM.

This was followed by a collection of information from the users about their app behavior and adoption, categorized into different types. This was all done through an Android app, which both administered the personality test and collected the data. A series of criteria were followed to generate reliable estimations, such as excluding pre-installed apps and other indicators that do not reflect the user’s behavior. A machine-learning algorithm was then run in order to outline the relationships between personality traits and personal usage. Machine-learning algorithms have proven to be very accurate ways of measuring these relationships [26, 27, 20], but in this study they may not have been a faithful representation of reality due to the parameters and other conditions.

Table 4.1 – Summarized results [26]

Personality trait     Application type     # Relation
Extraversion          Gaming               Negative
Neuroticism           Photography          Positive
Neuroticism           Personalization      Positive
Agreeableness         Personalization      Negative
Conscientiousness     Music and video      Negative
Conscientiousness     Photography          Negative
Conscientiousness     Personalization      Negative

These predictors are the result of a series of concessions. The first is that the application used only tracked application installs, not usage, so an installed but seldom used app may give a misleading result. The other is that, because of how the information was organized, each trait was categorized only as high or low rather than having a medium level, which means that this model would put a person who is average in one trait in the same category as one of the extremes. This was one of the first studies on the matter, which meant that the sample size could have been bigger and that it was not spread widely enough to represent a more universal model for prediction. Over 75% of the sample were female, and under 30 years of age. Overall this model’s predictions saw


of smartphone usage and digital footprint [27], mostly from social media, again with higher precision from analysis by computers than by people. However, it appears that, as of now, no literature links other forms of configuration data and information to the personality traits of the user. This makes it more difficult for an estimation to be done with more easily accessible data, like locally stored information on a user’s device, rather than on third-party platforms. On the other hand, the tools used to analyze the information from the digital footprint appear to have given better estimations of personality traits than another human would have, which makes those methods insightful in their own right.

4.1.2 Personal traits to SE resilience

The most influential research found on the topic of SE was that of Cialdini.

There, he details the main principles that attackers follow to take advantage of their victims. His work has been extensively covered and reviewed and is frequently cited on the topic of SE. This will also be contrasted with the work of Understanding Scam Victims [28] for better understanding.

A summary of the main findings from the Social Engineering Personality Framework (SEPF) [21] is given in Figure 4.1, which shows the relationships between Cialdini’s principles and the FFM, where the arrows show what the data indicates about susceptibility (high, both, low) to SE. The solid arrows linking the principles to the traits indicate an increase in susceptibility, while the dotted arrows indicate a decrease.

In more detail, the findings of the SEPF for the different traits are as follows:

High conscientiousness has been found to increase vulnerability to SE. It is tied to continued commitment, and the willingness of highly conscientious individuals to give up privacy for convenience has a negative effect with regard to SE.

High extraversion in individuals is tied to the violation of rules and regulations, thus making them more likely to comply with malicious requests against security policies. However, traits that display low extraversion, such as loneliness and anti-social behavior, have been shown to make a user less susceptible to the commitment and consistency principle.


Figure 4.1 – SEPF: Personality traits on the right, according to the FFM. Cialdini’s principles of influence [21] on the left

High levels of agreeableness are probably the best indicator of SE susceptibility. One of the sub-traits of agreeableness is trust, which at high levels is a source of security risks [17], especially in SE, where attackers take the most advantage of the naivety of their victims. However, other characteristics of low levels of this trait are tied to the disobedience of rules [21].

High openness to experience is also tied to SE vulnerability. People with this trait usually underestimate risks, thus making them less vigilant and lowering their awareness levels. As far as the principles of persuasion go, by far the one that presents the most risk is scarcity, mainly because of how likely a highly open individual is to go out of their way in order to seek new experiences. The scarcity principle is also notorious and frequently used, which means that open individuals present not only risk, but also a higher likelihood of being attacked.

High-neuroticism individuals are the most risk-averse of a group. Their fear and sensitivity to negative emotion make them unlikely to take risks, such as disclosing private or confidential information; thus, high neuroticism is a good indicator of low susceptibility to SE.

Other estimations also result with agreeableness as the best indicator for


be used to devise a model wherein resilience is measured to specific attack types, rather than just an overview.

4.2 Major results

After the literature study and research, I have found no conclusive evidence for a way of estimating the resilience of a user to SEAs only through computer configurations, as described in Section 2.2, at least not in any direct way. This is unfortunate, considering that for the data analysis, availability of the data was considered to be an important factor.

In spite of how inconclusive the literature study was with regard to a direct way of estimating resilience with local data, some studies seem to point to somewhat reliable methods of, most notably, predicting personality. What has also been observed are the relationships between SE and personality, discussed throughout Section 4.1.2. Even though this is not a direct way of tying SE to computer configuration, the results from these estimations seem to be reliable to a decent extent.

Looking at the findings of this report, no appropriate balance was found between availability and universality. The findings regarding psychology were insightful, but potentially at the cost of trespassing ethical and privacy boundaries, hindering their possible availability. It would be ironic for a system to have to look at social media data in order to find indicators against SEAs, when, in 2018 alone, 2.5 billion social media records were targeted and successfully breached by SEAs themselves [6]. Ideally, conclusions could have been drawn from a simpler form of digital footprint, similar to what www.amiunique.com compiles, instead of that of social media and personal information. This website looks at the data available from your browser and suggests a level of "uniqueness". When looking for data regarding more available sources of information, such as locally stored data and configurations, not much information was found. The study that had the most information concluded by acknowledging the limitations of its methods, mainly because of its focus solely on mobile applications and its small, homogeneous sample [26]. While I believe that some aspects of its findings could be extrapolated to the use of applications on laptops and desktop PCs, the lack of conclusive findings makes me hesitant to do so, and this can be left for future work.

Training in security awareness is mentioned several times [18, 20], but those sources proceed to suggest changes in behavior, software like antivirus, and the motivation of good practices, none of which are thought to be good indicators of SE susceptibility. I found no evidence of a model that measures how secure the practices of a user are from their configuration data alone. Unfortunately, most information on resilience to cyber-attacks concerns what happens after the user has already been deceived during a SEA, and gives little attention to what happens during the engagement phase, except to address the channel of attack.

4.2.1 Lessons learned and reliability analysis

Good indicators, according to the findings, were related to ease of access. SEAs succeed in simple mediums, and studies seem to point specifically at the number of steps to be taken as something that raises suspicion the more of them there are [17]. Taking these steps into account, it would be safe to assume that any configuration that increases the number of steps, or at least does not decrease them, can make a user less susceptible to SEAs. This can take the form of two-factor authentication, where a login takes more than just a username and password to complete; this also goes for biometrics, where a middle step can be put in place to make it less appealing to keep going. Password auto-complete, on the other hand, reduces the number of steps, often making it automatic for the password fields to be filled in.

For avoiding baits more specifically, having NFC and QR code reading disabled by default can also indicate more resilience. This works by dissuading a user from trying to read or access a potential source of an attack unless out of absolute necessity, since they would otherwise not have gone through the trouble of enabling the settings to access it. Other examples are public WiFi network scanning and Bluetooth. These are known to occasionally be sources of malicious software, and WiFi "evil-twin" attacks are commonplace for public WLANs. For the latter, these often use legitimate SSIDs [30], which means that, if a user already has one saved on their device, they would automatically connect to a malicious host.

While the use of VPNs and firewalls alone only serves to reduce the attack area of SE, these are not in themselves directly tied to the susceptibility of a user to SEAs. However, studies on security point to awareness and education on ICT as something that lowers susceptibility [9, 10, 11], and the use of some configurations can indicate how knowledgeable a user is. The level of expertise of a user has been linked to how much they tinker with their devices [31], which includes the use of some more unconventional settings, most likely those that are not on by default.

Figure 4.2 – Relationships between the indicators

The closest thing to resilience indicators that I could compile is summarized in Table 4.2, with indicators I1 to I5, and their relationships with resilience and computer configuration are presented in Figure 4.2. The reliability and caveats of the different forms of analysis are outlined in Table 4.2.

• I1: Behavior: explains the relation between practices and use of the computer and SE susceptibility [31]. This relates to Position as described in Section 3.3.

• I2: App install information: studies the relation between application use and personality [26].

• I3: SEPF: this method describes the links between the personality traits of the FFM and SE principles [21, 29].

• I4: Automatic access settings: describes the settings that may reduce the number of steps. A lower number of steps means higher SE susceptibility [17].

• I5: Social media information: this is the prediction of personality through social media information [27].

4.3 Validity Analysis

This section goes through the factors of universality and availability from Section 3.3. Some findings have universal qualities, but there are too many factors that are not accounted for. The following subsections evaluate the indicators as presented in Table 4.2, together with Figure 4.2, to further explain the things to keep in mind when applying them according to the mindset established in Chapter 3.


Table 4.2 – Model indicators

Indicator   Reliability   Issues
I1          High          Not linked to specific configuration; little privacy
I2          Medium        Focused only on mobile; small sample size
I3          High          -
I4          Low           Theoretical
I5          High          Little privacy

4.3.1 Universality

The indicators that are clearly more universal are the ones based on decades of psychological study. These are I3, I4 and I5. The models for I3 and I5 (mainly the FFM) are solid, and for I4, although there is no empirical proof, the principle on which it is based (namely the link between the number of steps of an attack and the target’s susceptibility) has been shown to be of significance regarding SE in Section 2.1.

As for I1, its main problem is that there is insufficient clarity regarding the parameters used in order to evaluate its validity on a large scale. Considering I2, the study itself acknowledges that the sample for the experiment was relatively small and homogeneous, with more than 75% female participants and 70% younger than 30 [26]. This is a problem for its validity, considering that the average gender differences in personality traits are significant, especially for the extraversion and conscientiousness traits [32, 33], which were shown in Section 4.1.2 to be of major importance when evaluating susceptibility to SE.

4.3.2 Availability

Availability considers two fronts: the ease of access to the information itself, and the ethical implications of actually accessing it and/or making use of it. Both are of utmost importance if a method is to be established, especially considering privacy concerns. This subsection evaluates primarily the indicators that are related to data collection in some way.

• I1 and I4: are highly dependent on the parameters used. In the previous section I mentioned the lack of clarity of I1, which makes the ease of access to the information hard to evaluate, and because of how unspecific they are, it is not possible to judge how ethical the


exactly on the same level as collecting more sensitive private data.

• I5: probably the biggest offender. Nowadays it is frowned upon for a social network to make use of information for purposes other than the services that the site explicitly offers (or advertisements). Though it may be convenient, given that one has the means to get access to the necessary information, it is nonetheless deliberately making use of private and public information for something other than the services themselves.

4.4 Estimation model

The bases for the indicators from Section 4.2.1 have all been reached through different forms of empirical research, and systems like the FFM have been around for years now. Though not everything has been proven to be significant in its entirety, the bases have. With this in mind, this section uses those findings to inform examples of how an estimation of SE resilience can be achieved by making use of them.

Starting simple, from analyzing the configuration of a given device, storing multiple SSIDs can be seen both as part of what is described in Section 4.2.1, wherein "tinkering" can equate to disabling the default setting that joins public networks (a binary indicator: either the user has it enabled or not), and as an indicator of agreeableness, where trust is a notable subtrait. Trust is correlated with SE susceptibility, so we could conclude that having scanning and access to public networks enabled is an indicator both because of its ties to trait agreeableness and because it implies low tinkering, as described in I1. More on the topic of wireless networks: if I had to put a number on the minimum number of saved networks to correlate with SE susceptibility, it would be two. Because of the BYOD habit, it is expected for a user to have at least two wireless networks that they use regularly on the same device, home and work. Because of the risks present in public wireless networks, I would expect the susceptibility to SE to increase for users with more than two SSIDs stored on their device.


Following up on tinkering, awareness and knowledge of ICT meant lower susceptibility, so having a device with network tools, VPN, firewalls and other programs related to what we can call an IT workflow could serve as an indicator. The tinkering level could also be understood as the distance from the default settings of a system.

Examining the contents of a device more thoroughly, one can look into the kinds of applications and programs to find a pattern that may indicate particular vulnerability to SE. Research on this topic is mostly focused on mobile [26], but I believe it to be possible to relate it to PC/laptop programs as well. As examined by the SEPF and its equivalents, high trait agreeableness was found to have a direct correlation with susceptibility, as is the case with high openness. The same can be said of neuroticism but with an inverse relation, that is, high neuroticism is tied to low susceptibility. With that in mind, we can take the results as presented in Section 4.1.1 to draw conclusions for those specific traits. We could then assume, from the information in Table 4.1, that photography and personalization apps can be expected to act as indicators of low susceptibility, with the personalization app factor supported by its link to low agreeableness.

This is a compilation of examples of how the data found could be used for an estimation, disregarding that which includes more personal data because it does not serve the purpose of this report. As shown in these examples, there are ways of making assessments on susceptibility by linking pieces of data to the different frameworks of analysis that have been proven, with evidence, to be of substance.
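To make the chain of reasoning in Section 4.2.1 (steps removed by automatic-access settings, stored SSIDs, tinkering) and Section 4.4 (app types from Table 4.1, mapped through the FFM to the SEPF findings) concrete, the following is an added toy estimator written for this edit; it is not code from the thesis or from any of the cited studies. The relation tables reproduce Table 4.1 and the trait directions of Section 4.1.2, but the point weights, the assumed factory defaults, and the two device snapshots are constructed assumptions for illustration only; the indicator names I1 to I4 follow Section 4.2.1.

```python
"""Added example: toy SE-resilience estimator wiring together the report's
indicators (I1 tinkering, I2/I3 app type -> FFM trait -> SEPF, I4 automatic
access settings). Point weights and sample snapshots are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Table 4.1 [26]: application type -> (trait, relation); +1 positive, -1 negative.
APP_TRAIT_RELATIONS: Dict[str, List[Tuple[str, int]]] = {
    "gaming": [("extraversion", -1)],
    "photography": [("neuroticism", +1), ("conscientiousness", -1)],
    "personalization": [("neuroticism", +1), ("agreeableness", -1),
                        ("conscientiousness", -1)],
    "music_video": [("conscientiousness", -1)],
}

# Section 4.1.2 (SEPF [21]): effect of a HIGH level of each trait on SE
# susceptibility; +1 = more susceptible, -1 = less susceptible.
HIGH_TRAIT_EFFECT: Dict[str, int] = {
    "agreeableness": +1, "openness": +1, "conscientiousness": +1,
    "extraversion": +1, "neuroticism": -1,
}

# Assumed factory defaults (constructed) used to measure "distance from defaults".
DEFAULT_SETTINGS: Dict[str, bool] = {
    "auto_join_public_wifi": True, "nfc_enabled": True,
    "qr_scan_enabled": True, "password_autofill": True,
    "two_factor_auth": False,
}


@dataclass
class DeviceSnapshot:
    """Constructed view of a device configuration; holds no personal data."""
    saved_ssids: List[str]
    settings: Dict[str, bool]   # keys as in DEFAULT_SETTINGS
    it_tools: List[str]         # e.g. VPN client, host firewall, packet capture
    app_types: List[str]        # user-installed categories, pre-installed excluded


def indicator_i4(dev: DeviceSnapshot) -> int:
    """I4: each setting that removes a step from an attack adds one point;
    two-factor auth adds a step and subtracts one. More than two stored
    SSIDs counts one point (the Section 4.4 threshold)."""
    s = dev.settings
    points = sum(int(s.get(k, DEFAULT_SETTINGS[k])) for k in
                 ("auto_join_public_wifi", "nfc_enabled",
                  "qr_scan_enabled", "password_autofill"))
    points -= int(s.get("two_factor_auth", False))
    points += int(len(dev.saved_ssids) > 2)
    return points


def indicator_i1(dev: DeviceSnapshot) -> int:
    """I1: tinkering = IT-workflow tools present plus settings moved away
    from the assumed defaults; each unit lowers susceptibility by one."""
    changed = sum(1 for k, v in DEFAULT_SETTINGS.items()
                  if dev.settings.get(k, v) != v)
    return -(len(dev.it_tools) + changed)


def indicator_i2_i3(dev: DeviceSnapshot) -> Tuple[int, Dict[str, int]]:
    """I2 then I3: app type -> inferred trait direction -> SEPF effect."""
    trait_dir: Dict[str, int] = {}
    for app in dev.app_types:
        for trait, relation in APP_TRAIT_RELATIONS.get(app, []):
            trait_dir[trait] = trait_dir.get(trait, 0) + relation
    score = sum(level * HIGH_TRAIT_EFFECT[t] for t, level in trait_dir.items())
    return score, trait_dir


def estimate(dev: DeviceSnapshot) -> Dict[str, object]:
    """Combine the indicators; positive total = higher SE susceptibility."""
    i1 = indicator_i1(dev)
    i23, traits = indicator_i2_i3(dev)
    i4 = indicator_i4(dev)
    total = i1 + i23 + i4
    verdict = "higher" if total > 0 else "lower" if total < 0 else "neutral"
    return {"I1": i1, "I2+I3": i23, "I4": i4, "traits": traits,
            "total": total, "susceptibility": verdict}


# Two constructed snapshots: one left at defaults, one deliberately hardened.
DEFAULT_DEVICE = DeviceSnapshot(
    saved_ssids=["home", "office", "cafe-free-wifi"],
    settings=dict(DEFAULT_SETTINGS), it_tools=[], app_types=["gaming"])
HARDENED_DEVICE = DeviceSnapshot(
    saved_ssids=["home", "office"],
    settings={"auto_join_public_wifi": False, "nfc_enabled": False,
              "qr_scan_enabled": False, "password_autofill": False,
              "two_factor_auth": True},
    it_tools=["vpn_client", "host_firewall"],
    app_types=["photography", "personalization"])

if __name__ == "__main__":
    for name, dev in (("default", DEFAULT_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(name, estimate(dev))
```

The snapshot left at factory defaults scores positive (I4 alone contributes five points: four step-removing settings plus a third stored SSID), while the hardened one scores negative on every indicator; note that every app type in Table 4.1 pushes towards lower susceptibility once passed through the SEPF directions, which matches the observation above about photography and personalization apps.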


Chapter 5

Discussions and future work

5.1 Limitations

The results could have been more insightful and conclusive had there been time for a decently scaled test to measure the results and determine the validity of the theories posed in Chapter 4. Without proper empirical research, having a solid model is not possible, but the basis behind much of the data is solid, and the overlaps and links between the different pieces of evidence in their respective areas look promising.

5.2 Future work

If I were to continue the research and devise an experiment, I would try to narrow down specifically which kinds of settings (both for PC and mobile) are the most indicative of a user having a profile more likely to be deceived by SEAs. Most of the actual research that looks at behavior on computers uses parameters that are rather abstract, so I think that the focus should be on the specifics of the different areas, rather than on general terms, mainly because the general basis has already been established.

I am optimistic about the prospect of a tested and reliable model for the estimation of resilience to SE without overstepping privacy and possible ethical boundaries. The major unknown at the moment is how to narrow down the specific configurations with their respective levels of significance. Though I would not use the model from Section 4.4 (at least not all parts of it) to draw any definitive conclusions around SE resilience, I believe it can serve as orientation for future work in terms of what information is missing if one chooses to focus more on local data, rather than the more personal data (namely that from social media) of a user, as other work already has. A good prospect that can be taken from these is, however, that they prove the power and reliability of properly configured machine-learning algorithms, which will surely be useful for future work. I hope the examples from Section 4.4 can serve as inspiration as to how the paths can be drawn to link the frameworks of analysis to computer configuration and SE resilience.


Chapter 6

Conclusion

Though the results were not as conclusive as initially hoped for, the report at least serves as a summary and condensation of the risks and precautions that can be taken against these attacks, and of how some aspects of a user's fingerprint are indicative of their vulnerability to SEAs. While the model is not complete by any means, and not proven to be precise, it can serve to orient and inform on some aspects that might be necessary to keep in mind.

The validity of the examined literature is analyzed in Section 4.3, where the caveats and details of each piece of information were evaluated, as well as their relationships, in order to inform the model that is described later. Though not abundant, the data is reasonably robust, so as to be useful for the purposes of this report.

As for the questions posed in Section 1.4, all of them were answered, each with varying degrees of conclusiveness:

1. Which are the relevant factors that could influence the success of an attack?

The different sources, as presented in Sections 2.3 and 4.1, describe the different systems through which to find something that resembles a pattern.

2. How are the aforementioned related to personality and proneness to being manipulated?

Section 4.1 goes in-depth into the individual qualities of the indicators and how they are linked. The sources and models used have historically yielded good results in their respective fields when it comes to empirical evidence.


3. Would it be safe to assume that computer configuration can inform about a user's or group of users' resilience to SEAs?

Yes, but, unfortunately, the focus is mostly placed away from local data and more on other forms of information about users. Any method that makes more extensive use of computer configuration for estimation purposes will have to be more precise and tested for it to be considered reliable and useful, but such a model seems like a real possibility when looking at current data on the subject.


References

[1] “The missing link: Report of the independent commission for world wide telecommunications development,” ITU, Tech. Rep., 1985. [Online]. Available: https://www.itu.int/en/history/Pages/MaitlandReport.aspx

[2] “Number of fixed telephone lines worldwide 2000-2019,” 2019. [Online]. Available: https://www.statista.com/statistics/273014/number-of-fixed-telephone-lines-worldwide-since-2000/

[3] “World internet users and 2020 population stats,” 2020. [Online]. Available: https://www.internetworldstats.com/stats.htm

[4] M. Cukier, “Study: Hackers attack every 39 seconds,” University of Maryland, 2007. [Online]. Available: https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds

[5] S. Morgan, “Cybercrime damages $6 trillion by 2021,” Cybercrime Magazine, 2017. [Online]. Available: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[6] Purplesec, “The ultimate list of cyber security statistics for 2019,” Tech. Rep., 2019. [Online]. Available: https://purplesec.us/resources/cyber-security-statistics/

[7] R. von Solms and B. von Solms, “From policies to culture,” Computers & Security, vol. 23, no. 4, pp. 275–279, 2004. doi: 10.1016/j.cose.2004.01.013. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0167404804000331

[8] K. Krombholz, H. Hobel, M. Huber, and E. Weippl, “Advanced social engineering attacks,” Journal of Information Security and Applications, vol. 22, no. C, pp. 113–122, 2015. doi: 10.1016/j.jisa.2014.09.005. [Online]. Available: https://doi.org/10.1016/j.jisa.2014.09.005

[9] P. Puhakainen, P. Puhakainen, C. Design, and R. Ahonen, “Design theory for information security awareness,” Department of Information Processing Science, University of Oulu, Tech. Rep., 2006.

[10] M. Thomson and R. von Solms, “Information security awareness: educating your users effectively,” Information Management & Computer Security, vol. 6, no. 4, pp. 167–173, 1998. doi: 10.1108/09685229810227649. [Online]. Available: https://www.emerald.com/insight/content/doi/10.1108/09685229810227649/full/html

[11] M. Siponen, “A conceptual foundation for organizational information security awareness,” Information Management & Computer Security, vol. 8, no. 1, pp. 31–41, 2000. doi: 10.1108/09685220010371394. [Online]. Available: https://www.emerald.com/insight/content/doi/10.1108/09685220010371394/full/html

[12] AV-Comparatives, “Malware protection test march 2019,” 2019. [Online]. Available: https://www.av-comparatives.org/tests/malware-protection-test-march-2019/

[13] A. Ferreira, L. Coventry, and G. Lenzini, “Principles of persuasion in social engineering and their use in phishing,” in Human Aspects of Information Security, Privacy, and Trust, T. Tryfonas and I. Askoxylakis, Eds., 2015, pp. 36–47.

[14] R. B. Cialdini, “Influence: The psychology of persuasion,” 1993.

[15] D. Gragg, “A multi-level defense against social engineering,” 2003.

[16] Proofpoint, “Human factor report 2019,” Tech. Rep., 2019. [Online]. Available: https://www.proofpoint.com/us/resources/threat-reports/human-factor

[17] P. Technologies, “Social engineering: how the human factor puts your company at risk,” Tech. Rep., 2018. [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/social-engineering-2018/

[18] S. Abraham and I. Chengalur-Smith, “An overview of social engineering malware: Trends, tactics, and implications,” Technology in Society, vol. 32, no. 3, pp. 183–196, 2010.
