Unintentional Insider Threats: Social Engineering

The research documented in this report seeks to advance the understanding of the unintentional insider threat (UIT) that derives from social engineering. The goals of this research are to collect data on additional UIT social engineering incidents to build a set of cases for the Management and Education of the Risk of Insider Threat (MERIT) database and to analyze such cases to identify possible behavioral and technical patterns and precursors. The authors hope that this research will inform future research and development of UIT mitigation strategies.
Published by: Software Engineering Institute Publications on Jan 21, 2014
Copyright: Attribution Non-commercial
Unintentional Insider Threats: Social Engineering

The CERT® Insider Threat Center

Produced for Department of Homeland Security Federal Network Resilience Cybersecurity Assurance Branch

January 2014

TECHNICAL NOTE
CMU/SEI-2013-TN-024

CERT® Division
Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.

This report was prepared for the SEI Administrative Agent
AFLCMC/PZM
20 Schilling Circle, Bldg 1305, 3rd floor
Hanscom AFB, MA 01731-2125

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

CERT® is a registered mark of Carnegie Mellon University.

DM-0000579
Table of Contents

Sponsor Information vii
Acknowledgments ix
Executive Summary xi
Abstract xv
1 Introduction 1
2 Background 3
2.1 Contributing Factors Described in Initial Unintentional Insider Threat (UIT) Study 3
2.2 Feature Model Developed in Initial UIT Study 4
2.3 Findings and Recommendations of Initial UIT Study 5
3 Defining and Characterizing UIT 6
3.1 Definition of UIT 6
3.2 Definition of Social Engineering 6
3.3 Social Engineering Taxonomy 7
4 Review of Research on Social Engineering UIT Incidents 11
4.1 Research on Demographic Factors 13
4.1.1 Gender 13
4.1.2 Age 13
4.1.3 Personality Traits 14
4.1.4 Culture 16
4.1.5 Summary 16
4.2 Research on Organizational Factors 17
4.2.1 Inadequate Management and Management Systems 17
4.2.2 Insufficient Security Systems, Policies, and Practices 18
4.2.3 Job Pressure 19
4.2.4 Summary 19
4.3 Research on Human Factors 20
4.3.1 Lack of Attention 20
4.3.2 Lack of Knowledge and Memory Failure 21
4.3.3 Faulty Reasoning or Judgment 21
4.3.4 Risk Tolerance and Poor Risk Perception 22
4.3.5 Casual Values and Attitudes About Compliance 22
4.3.6 Stress and Anxiety 23
4.3.7 Physical Impairment 23
4.3.8 Summary 24
5 Summary of Collected Cases 26
5.1 Representative Cases 26
5.1.1 Single-Stage Phishing Attacks 27
5.1.2 Multiple-Stage Phishing Attacks 29
5.2 Characterization of Case Study Data 30
5.2.1 Demographic, Organizational, and Human Factors 30
5.2.2 Discussion and Implications of Sample Data Obtained to Date 31
6 Conceptual Models for Social Engineering Incidents 33
6.1 Attack Progression Analysis 33