„Das perfekte Opfer“ – eine Analyse sicherheitsbezogener Einstellungen und Verhaltensweisen im Internet in Abhängigkeit der Nutzerpersönlichkeit

Staar, Henning, Wilms, Rafael, Hinrichs, Judith

30 April 2019

Jüngere theoretische Beiträge und empirische Studien zur Informations- und Datensicherheit widmen sich diesem Themenbereich des Social Engineering verstärkt interdisziplinär und rücken dabei neben täterbezogenen Analysen (z.B. Watson, Holz & Mueller, 2008) vor allem gruppen- bzw. kulturbezogenen Aspekte (Flores, Holm, Nohlberg & Ekstedt, 2014; Tembe et al., 2014) als auch individuelle Charakteristika wie Persönlichkeitsmerkmale der (potentiellen) Opfer in den Fokus (z.B. Uebelacker & Quiel, 2014; Pattinson, Jerram, Parsons, McCormac & Butavicius, 2012;Vishwanath, Herath, Chen, Wang & Raghav Rao, 2011). Trotz der gegenwärtigen intensiven Beschäftigung mit dem Thema fehlen jedoch weiterhin eindeutige bedingungs- und personenbezogene Handlungsimplikationen zum Umgang mit den genannten Formen des Datendiebstahls (Gupta, Tewari, Jain & Agrawal, 2017). Ein möglicher Grund mag in der vergleichsweise häufigen Reduktion individueller Charakteristika auf die zentralen Persönlichkeitsmerkmale („Big 5“; Rammstedt, Kemper, Klein, Beierlein & Kovalena, 2012) liegen. Zugrundeliegende Motive oder Werte von Personen werden hingegen bislang unzureichend betrachtet (Fazio, Blascovich & Driscoll, 1992). Darüber hinaus beziehen bislang nur wenige Studien sowohl umfassende psychologische Befragungsinventare zu sicherheitsbezogenen Einstellungen, Verhaltensweisen und individuellen Personenmerkmalen als auch die Beurteilung von E-Mails oder Websites hinsichtlich der Vertrauenswürdigkeit und Handlungsbereitschaft in ihre Analysen ein. Der vorliegende Beitrag verfolgt mit einem entsprechenden Studiendesign das Ziel, diese Lücke weiter zu schließen und Erkenntnisse zu personenbezogenen Einflüssen auf die Informations- und Datensicherheit zu generieren. [Aus der Einleitung.]

info:eu-repo/classification/ddc/330

ddc:330

Awareness-Raising and Prevention Methods of Social Engineering for Businesses and Individuals

Harth, Dominik, Duernberger, Emanuel

January 2022

A system is only as secure as the weakest link in the chain. Humans are the binding link between IT (information technology) security and physical secu-rity. In general, the human is often considered as the weakest link in the chain, so social engineering attacks are used to manipulate or trick people to accom-plish the goal of bypassing security systems. Within this master thesis, we answer several research questions related to social engineering. Most im-portant is to find out why humans are considered as the weakest link and why existing guidelines are failing, as well as to achieve the goal of raising aware-ness and starting education at a young age. For this, we examine existing lit-erature on the subject and create experiments, an interview, a campaign eval-uation, and a survey. Our systematic work begins with an introduction, the methodology, a definition of social engineering and explanations of state-of-the-art social engineering methods. The theoretical part of this thesis also in-cludes ethical and psychological aspects and an evaluation of existing guide-lines with a review of why they are not successful.Furthermore, we continue with the practical part. An interview with a profes-sional security consultant focusing on social engineering from our collabora-tion company TÜV TRUST IT GmbH (TÜV AUSTRIA Group)1 is con-ducted. A significant part here deals with awareness-raising overall, espe-cially at a younger age. Additionally, the countermeasures against each dif-ferent social engineering method are analysed. Another practical part is the evaluation of existing social engineering campaigns2 from TÜV TRUST IT GmbH TÜV AUSTRIA Group to see how dangerous and effective social en-gineering has been in the past. From experience gained in this thesis, guide-lines on dealing with social engineering are discussed before the thesis is fi-nalized with results, the conclusion and possible future work.

IT security

social engineering

bypass security systems

ethics & psychology

guidelines

phishing

human hacking

information security

Computer and Information Sciences

Data- och informationsvetenskap

Resolving the Password Security Purgatory in the Contexts of Technology, Security and Human Factors

Adeka, Muhammad I., Shepherd, Simon J., Abd-Alhameed, Raed

22 January 2013

Yes / Passwords are the most popular and constitute the first line of defence in computer-based security systems; despite the existence of more attack-resistant authentication schemes. In order to enhance password security, it is imperative to strike a balance between having enough rules to maintain good security and not having too many rules that would compel users to take evasive actions which would, in turn, compromise security. It is noted that the human factor is the most critical element in the security system for at least three possible reasons; it is the weakest link, the only factor that exercises initiatives, as well as the factor that transcends all the other elements of the entire system. This illustrates the significance of social engineering in security designs, and the fact that security is indeed a function of both technology and human factors; bearing in mind the fact that there can be no technical hacking in vacuum. This paper examines the current divergence among security engineers as regards the rules governing best practices in the use of passwords: should they be written down or memorized; changed frequently or remain permanent? It also attempts to elucidate the facts surrounding some of the myths associated with computer security. This paper posits that destitution of requisite balance between the factors of technology and factors of humanity is responsible for the purgatory posture of password security related problems. It is thus recommended that, in the handling of password security issues, human factors should be given priority over technological factors. The paper proposes the use of the (k, n)-Threshold Scheme, such as the Shamir’s secret-sharing scheme, to enhance the security of the password repository. This presupposes an inclination towards writing down the password: after all, Diamond, Platinum, Gold and Silver are not memorised; they are stored. / Petroleum Technology Development Fund

Guidelines

Internet

Education

Human factors

Computer crime

Purgatory

Technology

Cryptography

Computer security

Social engineering

Human hacking

Socio-cryptanalysis

Password

Password repository