Modeling the user’s security profile to determine his potential vulnerability to social engineering attacks

DOI: 10.31673/2412-4338.2024.049842

Authors

  • Михайло Михайлович Запорожченко (Zaporozhchenko Mykhailo), State University of Information and Communication Technologies, Kyiv, https://orcid.org/0000-0003-0182-9497

Abstract

The evolving threats of social engineering attacks (SEA) in the context of the active use of digital technologies impose new requirements on the protection of corporate information systems (IS). The article presents a mathematical model of the user's security profile, designed to evaluate the user's potential vulnerability to SEA. The proposed model is based on the integration of four key factors: psychological, organizational, technical and informational impact, which enables a comprehensive risk analysis. Existing approaches to assessing user vulnerability have been reviewed and their limitations identified, in particular their limited consideration of the complex interaction of these factors. The proposed model addresses these limitations, making it possible to assess user vulnerability in a dynamic environment while taking into account a changing external environment and users' individual characteristics. The approach is based on modeling the SEA process, divided into three key stages: delivery of attacking content, user interaction with this content, and avoidance of attack detection. For each stage, the corresponding mathematical dependencies have been developed that take into account the interaction of these factors. The modeling results make it possible to identify groups of vulnerable users and the critical stages at which a user or a system is most vulnerable to attacks. The proposed approach also allows protection measures to be adapted to the real conditions of corporate environments, ensuring consistency between risk assessment and protection needs. The model can be used to develop targeted SEA prevention measures and improve the overall state of information security. Thus, the proposed user security profile model is a universal tool for predicting SEA risks in corporate IS. It provides the ability to analyze and prevent attacks by quantifying the individual and external factors that determine user behavior. In addition, the model makes it possible to optimize the development of protection strategies, ensuring their flexibility and adaptability to changes in the information environment. This ensures a systematic approach to risk assessment and minimizes the vulnerability of IS to social engineering threats.

Keywords: social engineering risks, information security, corporate systems, information impact, mathematical modeling, adaptive protection, vulnerability assessment, risk prediction.

Published

2025-01-06

Section

Articles