In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
» Openaccess proceedings » Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015)
Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015)
Title: Managing Social Engineering Attacks- Considering Human Factors and Security Investment
Author(s): Reza Alavi, Shareeful Islam, Haris Mouratidis, Sin Lee
Keywords: Social Engineering Attacks (SEAs), Human Factors, Security Investment (SI), Security incident, Return on Information Security Investment (ROISI).
Abstract: Soliciting and managing the protection of information assets has become a objective of paramount importance in an organizational context. Information Security Management System (ISMS) has the unique role of ensuring that adequate and appropriate security tools are in place in order to protect information assets. Security is always seen in three dimensions of technology, organization, and people. Undoubtedly, the socio-technical challenges have proven to be the most difficult ones to tackle. Social Engineering Attacks (SEAs) are a socio-technical challenge and considerably increase security risks by seeking access to information assets by exploiting the vulnerabilities in organizations as they target human frailties. Dealing effectively and adequately with SEAs requires practical security benchmarking together with control mechanism tools, which in turn requires investment to support security and ultimately organizational goals. This paper contributes in this area. In particular, the paper proposes a language for managing SEAs using several concepts such as actor, risks, goals, security investment and vulnerabilities. The language supports in-depth investigation of human factors as one of the main causes of SEAs. It also assists in the selection of appropriate mechanisms considering security investment to mitigate risks. Finally, the paper uses a real incident in a financial institution to demonstrate the applicability of the approach.
Download count: 1924
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.