Date of Award

5-2021

Document Type

Thesis - Open Access

Degree Name

Master of Science in Cybersecurity Engineering

Department

Electrical, Computer, Software, and Systems Engineering

Committee Chair

Laxima Niure Kandel, Ph.D.

First Committee Member

Houbing Song, Ph.D.

Second Committee Member

Richard S. Stansbury, Ph.D.

Abstract

Social engineering attacks (SE-attacks) in enterprises are hastily growing and are becoming increasingly sophisticated. Generally, SE-attacks involve the psychological manipulation of employees into revealing confidential and valuable company data to cybercriminals. The ramifications could bring devastating financial and irreparable reputation loss to the companies. Because SE-attacks involve a human element, preventing these attacks can be tricky and challenging and has become a topic of interest for many researchers and security experts. While methods exist for detecting SE-attacks, our literature review of existing methods identified many crucial factors such as the national cultural, organizational, and personality traits of employees that enable SE-attacks not considered by the other researchers. Thus, this thesis aims to address the gap by identifying and analyzing all the factors that make the SE-attack possible. We have developed a framework that operates in an enterprise environment and can detect the susceptibility of victims to SE-attacks. It relies on mapping Gragg’s psychological triggers of social engineering to three groups of factors, namely the national cultural factors, the organizational factors, and the personality traits of employees. Our analysis demonstrates that there is a correlation between the social engineering triggers and the three-layered factors that make employees susceptible to social engineering attacks. Thus, adding these factors in the proposed framework detects susceptibility of victims. Finally, we introduce a proposed framework that would detect and recognize weaknesses and susceptibility of employees in an organization which can be used for enhancing awareness and employee training to better recognize and prevent SE-attacks.

Share

COinS