A growing number of hacking attacks use social engineering techniques to exploit the human factor of computer systems. They include versatile and sophisticated approaches, such as reciprocity, authority, or manipulation techniques, that capitalize on generally positive human traits such as helpfulness. These attack techniques are used in the private as well as in the business context; in the latter, they form a main tool of industrial espionage. While evaluation standards exist for security-critical software and hardware as well as their operational environment, to our knowledge there is no evaluation standard available for assessing the vulnerability of organizations with respect to social engineering. This paper presents a framework to evaluate this kind of vulnerability. The framework includes white-box as well as black-box tests. It enables organizations to determine their level of resistance and to identify concrete vulnerabilities, which can then be used to implement concrete measures that improve the situation, i.e. the level of resistance.