Skip navigation

Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework

Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework

Heartfield, Ryan and Loukas, George (2018) Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework. Computers & Security, 76. pp. 101-127. ISSN 0167-4048 (doi:https://doi.org/10.1016/j.cose.2018.02.020)

[img]
Preview
PDF (Author Accepted Manuscript)
19331 LOUKAS_Detecting_Semantic_Social_Engineering_Attacks_2018.pdf - Accepted Version

Download (4MB) | Preview

Abstract

The notion that the human user is the weakest link in information security has been strongly, and, we argue, rightly contested in recent years. Here, we take a step further showing that the human user can in fact be the strongest link for detecting attacks that involve deception, such as application masquerading, spearphishing, WiFi evil twin and other types of semantic social engineering. Towards this direction, we have developed a human-as-a-security-sensor framework and a practical implementation in the form of Cogni-Sense, a Microsoft Windows prototype application, designed to allow and encourage users to actively detect and report semantic social engineering attacks against them. Experimental evaluation with 26 users of different profiles running Cogni-Sense on their personal computers for a period of 45 days has shown that human sensors can consistently outperform technical security systems. Making use of a machine learning based approach, we also show that the reliability of each report, and consequently the performance of each human sensor, can be predicted in a meaningful and practical manner. In an organisation that employs a human-as-a-security-sensor implementation, such as Cogni-Sense, an attack is considered to have been detected if at least one user has reported it. In our evaluation, a small organisation consisting only of the 26 participants of the experiment would have exhibited a missed detection rate below 10%, down from 81% if only technical security systems had been used. The results strongly point towards the need to actively involve the user not only in prevention through cyber hygiene and user-centric security design, but also in active cyber threat detection and reporting.

Item Type: Article
Uncontrolled Keywords: Cyber security, human-as-a-security-sensor, information security, computer security
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / Department / Research Group: Faculty of Architecture, Computing & Humanities
Faculty of Architecture, Computing & Humanities > Internet of Things and Security (ISEC)
Faculty of Architecture, Computing & Humanities > Department of Computing & Information Systems
Last Modified: 14 Mar 2019 01:38
Selected for GREAT 2016: None
Selected for GREAT 2017: None
Selected for GREAT 2018: GREAT e
Selected for GREAT 2019: None
URI: http://gala.gre.ac.uk/id/eprint/19331

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics