Social Engineering Threat Assessment Using a Multi-Layered Graph-Based Model

International audienceDuring this last decade, there have been major improvements in technological and operational security measures for the protection of information systems. This makes attacking the physical or technological infrastructure of an information system much more difficult than targeting humans operating them. The set of attacks that focus on deceiving humans is called social engineering. These attacks are rarely accounted for in vulnerability assessment models which usually focus on representing the internal states of information systems, while social engineering attack makes use of channels outside the gates of an information system (email, forums, on-line social networks, etc.). This paper introduces a comprehensive social engineering threat assessment model that represents different channels leveraged in social engineering attacks. It presents case studies where the model is used for assessing threats from specific attacks and from interactions on social media. In the first case study, a threat assessment method that relies on the presented model is introduced and used to detect malicious credit card resellers. The second case study concerns the assessment of threats from a recommendation based attack and a cross cite profile cloning attack. The last case study concerns the detection of vulnerable social media users based on their activities on two different platforms