Social Engineering – Facts, Myths and Countermeasures
Eakan Gopalakrishnan
School of Electronics and Computer Science, University of Southampton
eg5g09@ecs.soton.ac.uk
Abstract
There are several ways of stealing information;
most of them done by exploiting the technical factors of
security and some by exploiting the non-technical
factors. Social Engineering is a hacking technique that
relies on weaknesses in humans rather than software
systems. This literary search provides a summary of
the research that has been done in this field and
countermeasures that can be taken to deal with it.
The detailed description of the methods and
solutions is out of scope of this literary search and will
be looked into in detail in the technical report.
1. Introduction
Not many reviewed technical papers or books are
available in the field of Social engineering. This is
probably because it is something which we have started
to put focus on recently. This very fact has been stated
in the paper by M. Dontamsetti, A. Narayanan [5].
According to them threats to information are mainly
of three types: technical, physical and human in nature.
Today, we are in the third generation of the information
security evolution, which has evolved from its initial
focus being on security on technology, to focus on
process related security and to the current focus on the
human element that manages or uses the technologies
and processes in place. “This shift in focus has only
happened because of the realization that technology
and processes are only as good as the humans that use
them” [5].
In simple words Social Engineering can be called
“human hacking”. This particular method of hacking
was made famous by Kevin Mitnick. His book [15]
describes various methods of human hacking through a
series of anecdotes. Very few researchers like J.M
Sarriegi, J.J Gonzales have tried to conceptualize social
engineering attacks [2].
Winkler provides a case study of such an attack on
a large US Corporation [21] and several other case
studies on social engineering in [14]. A good amount of
statistics and information about computer crimes can be
seen in [41] and [42]. All this evidence suggests that
social engineering truly a very good method of
hacking.
2. Impacts of Social Engineering
Social engineering attacks mostly results in network
outage like denial of service, fraud, identity theft and
industrial espionage [12]. If a company gets infiltrated
and confidential information is stolen and this
information goes public, customers or potential
customers of that company lose confidence on the
company and this could cause the company to run out
of business in the long run. Many different types of the
threats and impacts have been analyzed by R. Gulati in
[43].
In Business Communications Review 2005, p46, it
has been given that in United States alone the estimated
loss due to phishing attacks resulted in a 1.2 billion
dollars for the year 2003, and 500 million dollars in
consumer losses. This means that small to medium
sized companies could go bankrupt due to such attacks.
3. Methods of Attack
Most social engineering techniques involve a lot of
background study of the target organization or
individual. A lot of the background information can be
gathered from the internet itself. Other sources can be
done through spying or eavesdropping or dumpster-
diving which means going through trash that includes,
telephone directories, organizational charts, memos,
post-its, manuals, calendars, improperly disposed
confidential documents etc to fetch information of an
individual or individuals inside an organization.
Technical expertise can be used along with
impersonation or disguise which could very effectively
be used in techniques like support staff or voice of
authority. Many of the tactics used by social engineers
can be found in the article by S. Granger [19].
L. Laribee has classified social engineering attacks
into different categories in her thesis [12]. The different
methods and strategies can also be found in [13], [1],
[18].
4. Previous Models of Social Engineering
The closest research work associated in this area is
in the area of Trust. Trust is subjective. The decision to
trust someone or not may be intentional, or
subconsciously taken. The Click and Whirr approach
[26], [27], [28] is an easy method of manipulating trust.
This has also been elaborated by Laribee in her thesis
[12] and trust and the factors that influence trust have
also been described in detail. A person’s compliance to
another person’s request can be understood in terms of
human tendency to shortcut response [25]. This makes
humans truly the weakest links. Various other methods
of influence and attaining others trust has been
elaborated by Cialdini in [28]. A summary of these
models is given in
5. Why it still works?
A social engineer utilizes the psychological
weaknesses of their victims [17]. Even now
technologies like firewall are given more than required
attention while people and processes are being
overlooked partially or completely. Mitnick sums it up
nicely as “You could spend a fortune purchasing
technology and services...and your network
infrastructure could still remain vulnerable to old-
fashioned manipulation.” This vulnerability is mostly
due to lack of awareness among employees of
organization, mainly due to organizations
underestimating social engineering in their employee
security awareness programs. Hasler et-al attempted to
formulate a method to measure the resistance to social
engineering in [20].
The weaknesses in humans that are exploited by
social engineers have been analyzed and listed out in
[4], [3], [5], [6], [8]. Obedience to authority, self
preservation and ‘need to be liked’ are some
psychological aspects quoted in [5]. According to
Mayhorn et-al “humans tend to act or take decisions
according to three factors, the user, the technology and
the environment/context in which the interaction takes
place [6]. They have also researched into the
psychological factors like credibility, pressure,
inattention etc. that make a user to become a victim
6. Countermeasures
D. Cragg has developed a multi-level defense
mechanism against social engineering attacks in [24].
Recognition is the first step to preventing social
engineering attacks. The importance of creating
awareness about social engineering is pointed out as a
countermeasure in [12]. There is no particular security
patch that can be applied to prevent social engineering
attacks, thus educating people about the different types
of attacks and building a good security policy would be
some of the good countermeasures. Additional methods
to safeguard against social engineering has been given
in [16] by C. Rhodes.
Mayhorn et-al has also suggested that THERP be
used by security designers in [6]. THERP stands for
technique for human error rate prediction.
7. Further Reading
Business communication review articles are a good
read for being aware of the current issues in the field of
information technology. Persuasion, thought systems
and argument quality psychological factors that also
involves factors that affect decisions and responses
have been researched by Petty and Wegener [27].
The social and cultural aspects of social engineering
have been explored in [7], [8], [9], [10] and [11].
8. References
[1] P. O. Onkeyi, T.J. Owens, “On the Anatomy of Human
Hacking”, Information Security Systems, Vol. 16, no.6, pp.
302-314, Nov 2007
[2] Sarriegi, J.M. and Gonzalez, J.J. (2008) ‘Conceptualising
social engineering attacks through system archetypes’, Int. J.
system of Systems Engineering, Vol. 1, Nos. 1/2, pp.111–
127.
[3] D. S. Carstens, “Human and Social Aspects of Password
Authentication”, Social and Human Elements of Information
Security: Emerging Trends and Countermeasures,
Information Science Reference, Section 1, Chapter 1, pp. 1-
14.
[4] M. Nohlberg, “Why Humans are the Weakest Link”,
Social and Human Elements of Information Security:
Emerging Trends and Countermeasures, Information
Science Reference, Section 1, Chapter 1, pp. 15-26.
[5] M. Dontamsetti, A. Narayanan, “Impact of Human
Element on Information Security”, Social and Human
Elements of Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 1,
Chapter 3, pp. 27-42.
[6] R. West, C. Mayhorn, J. Hardee, J. Mendel, “The
Weakest Link: A Psychological Perspective on Why Users
Make Poor Security”, Social and Human Elements of
Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 1,
Chapter 4, pp. 43-60.

[7] R. Kuusisto, T. Kuusisto, “Information Security Culture
as a Social System: Some Notes of Information Availability
and Sharing”, Social and Human Elements of Information
Security: Emerging Trends and Countermeasures,
Information Science Reference, Section 2, Chapter 6, pp. 77-
97.
[8] P. Drake, S. Clarke, “Social Aspects of Information
Security: An International Perspective”, Social and Human
Elements of Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 2,
Chapter 7, pp. 98-115.
[9] M. Carr, “Social and Human Elements of Information
Security: A Case Study”, Social and Human Elements of
Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 2,
Chapter 8, pp. 116-132.
[10] B. Hoanka, K. Mock, “Effects of Digital Convergence
on Social Engineering Attack Channels”, Social and Human
Elements of Information Security: Emerging Trends and
Countermeasures, Information Science Reference, Section 2,
Chapter 9, pp. 133-147.
[11] E. Yu, L. Liu, J. Mylopoulos, “A Social Ontology for
Integrating Security and Software Engineering”, Social and
Human Elements of Information Security: Emerging Trends
and Countermeasures, Information Science Reference,
Section 2, Chapter 10, pp. 148-177.
[12] L. Laribee, “Development of Methodical Social
Engineering Taxonomy Project”, Thesis at Naval
Postgraduate School, Monterey, California, June 2006
[13] J. Baker, B. Lee, “The Impact of Social Engineering
Attacks on Organizations: A differentiated Study”, Florida
Atlantic University,
http://itom.fau.edu/jgoo/fa05/ISM4320/SocialEng.pdf
[14] I.S. Winkler, B. Dealy, “Information Security
Technology?...Don’t Rely on It. A Case Study in Social
Engineering”, Science Applications International
Corporation, 5th USENIX UNIX Security Symposium, Salt
Lake City, Utah, June 1995
[15] K. Mitnick, W.L. Simon, “The Art of Deception:
Controlling the Human Element of Security”, John Wiley
and Sons, October 2002
[16] C. Rhodes, “Safeguarding against Social Engineering”,
East Carolina University, 2007,
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83
.5142&rep=rep1&type=pdf
[17] M Nohlberg, “Social Engineering: Understanding,
Measuring and Protecting Against Attacks”, Thesis Proposal,
University of Skovde, Sweden, June 2007.
[18] R. Gulati, “Threat of Social Engineering and your
defense against it”, GIAC Security Essentials Certification
Practical Assignment, SANS Institute 2003,
“http://cnscenter.future.co.kr/resource/security/hacking/1232.
pdf”
[19] Granger, S. (2001) “Social engineering fundamentals,
Part I: Hacker tactics”, Cited on 9 November
2009, “http://www.securityfocus.com/infocus/1527”
[20] H. Hasle, Y. Kristiansen, K. Kintel, E. Snekkenes,
“Measuring Resistance to Social Engineering”, Information
Security Practice and Experience, First International
Conference, ISPEC 2005, Singapore, April 2005,
Proceedings, pp 132-143.
[21] IS Winkler, “Case Study of Industrial Espionage
through Social Engineering”, 19th National Information
Systems Security Conference 1996,
“http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.3
6.115&rep=rep1&type=pdf”
[22] A. Katz, “Computers: The Changing face of
Criminality”, Unpublished Dissertation: Michigan State
University, 1995,
“http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=17
3511”
[23] K Bagchi, G. Udo, “An Analysis of the Growth of
Computer and Internet Security Breaches”, CAIS Volume 12
2003,
“http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1
38.2439&rep=rep1&type=pdf”
[24] D. Gragg, “A Multi-Level Defense against Social
Engineering”, SANS Reading Room, 2003,
“http://southwestans.com/Resources/docs/social/A%20Multi-
Level%20Defense%20Against%20Social%20Engineering.pd
f”
[25] P. Sztompka, “Trust: A Sociological Theory”,
Cambridge University Press, 1999
[26] S. Chen, S. Chaiken, K. Duckworth, “Motivated
Heuristics and Systematic Processing”, Psychological
Inquiry, Vol 10, No.1, 1999,
“http://www.jstor.org/pss/1449522”
[27] R.E. Petty, D.T. Wegener,”Thought Systems, Argument
Quality and Persuasion”, Advances in Social Cognition :
Content, Structure, Operation of Thought Systems, Vol. 4,
LEA, Chapter 8, pp. 147-162
[28] R.B. Cialdini, “Influence: Science and Practice”,
“http://www.influenceatwork.com/Media/RBC/Influence_SP
.pdf”, 2001
9. Bibliography
[29] C. Pfleeger, S. Pfleeger, Security in Computing, 4th
Edition, Pearson Education Inc, 2006.

[30] S. McClure, J. Scambray, G. Kurtz, Hacking Exposed 6

: Network Security Secrets and Solutions, McGraw Hill
Publishers, 2009.

[31] K. Mitnick, W. Simon, The Art of Intrusion – The real

stories behind the Exploits of Hackers, Intruders and
Deceivers, Wiley Publishing, 2006.

[32] G. Notoatmodjo, “Exploring the Weakest Link: A study

of personal password security”, Thesis submitted at
University of Auckland, New Zealand, December 2007

[33] J. Rusch, “The ‘social engineering’ of Internet fraud”,

Paper presented at the 1999 Internet Society's INET'99
conference,“http://www.isoc.org/isoc/conferences/inet/99/pro
ceedings/3g/3g_2.htm”

[34] M. Gupta, R. Sharman, Social and Human Elements of

Information Security: Emerging Trends and
Countermeasures, Information Science Reference, 2009.