Social engineering attacks: an augmentation of the socio-technical systems framework

Abstract

Social engineering attacks pose huge security threats to companies today. These attacks have succeeded mainly because they come from weaknesses that combine the social engineering practices that exploit the human vulnerabilities, with technical skills to bypass the defences of information systems. This paper is founded on the premise that social engineering attacks result from interdependent yet interrelating factors that combine to give an attacker the ability to compromise an individual or organisation’s information. We analyse social engineering attacks as a Socio-technical System because it recognises the interaction between people and technology in a work environment. In the case of social engineering attacks, the social subsystem would encompass the people (both victim and attacker), the environmental subsystem would be the environment in which the social engineering attack occurs and the technical subsystem would be the technology used to perform the social engineering attack. The Socio-technical subsystems are further mapped against an existing framework known as the Socio-technical systems framework. This paper applies the currently existing Sociotechnical systems framework along with the Socio-technical subsystems mappings to analyse a social engineering attack case study to help identify the underlying factors that made the attack successful. The case study is a popular attack known as ‘The Francophone attack’, which is an attack that was carried out on a French bank. Through the analysis of the case study, the researchers found that in order to analyse a social engineering attack using the framework, it is pivotal to augment the framework by adding an Information node in the environmental subsystem as one of the aims of any social engineering attacks is to trick you into handing over passwords or other sensitive financial and personal information. The outcome of this research is twofold – firstly, it aims to provide an in-depth perspective into the factors that can allow a social engineering attack to be successful and secondly, to augment the socio-technical systems framework to suit analysis of social engineering attacks when identifying socio-technical system factors.