Social Network Theoretic Framework for Organizational Social Engineering Susceptibility Index

摘要

Social Engineering is an undeniable and pervasive threat to the security of information systems of an organization due to its reliance on social nature of human beings. Social engineering uses dynamic art of manipulating social behavior of human relationships to obtain unauthorized and privileged information. Corporations have pressing need to design and implement reasonable countermeasures and controls to effectively mitigate social engineering attacks. In this paper, we propose a framework for development of social engineering susceptibility index (SESI) that reveals real risks from social engineering attack that an organization's employees are exposed to. Risk managers can compute the SESI index, which is based on social network theory propositions, to understand risk exposure of a critical group of individuals or organizational departments to proactively engage in elevating security measures. The framework equips risk managers with an understanding to design better security decisions and proper policies and measures to reduce risk.