SBE: Small: Technological Con-Artistry: An Analysis of Social Engineering

SBE：小：技术反艺术：社会工程分析

• 批准号: 1616804
• 负责人: Kevin Steinmetz
• 金额: $ 35.04万
• 依托单位: Kansas State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1616804&HistoricalAwards=false
• 关键词: SBE; Small; Technological; Con; Artistry

One of the most serious threats in the world today to the security of cyberspace is "social engineering" - the process by which people with access to critical information regarding information systems security are tricked or manipulated into surrendering such information to unauthorized persons, thereby allowing them access to otherwise secure systems. To date, little systematic research has been conducted on social engineering. This research will fill this void by examining who social engineers are, why they engage in social engineering, the processes they use to conceive of and implement social engineering projects, and how they view information privacy and security and justify their behavior. Further, to understand how organizations affected by social engineering cope with the threat it poses, this research also examines the perspectives on social engineering of IT professionals who oversee organizational computer systems and the security of potentially sensitive information. Through gaining a deeper and more accurate understanding of social engineering - a phenomenon currently shrouded in myth and misconception for many - this research will contribute to important advances in criminology and other fields with a vested interest in learning about the human dimensions of information security and inform the development of information security strategies. This study uses a cross-sectional, non-experimental research design that employs both qualitative and quantitative data. The qualitative component involves semi-structured interviews of social engineers "in the wild," security auditors, and IT professionals. Open-ended interview questions will be used to elicit this data. In addition, these interviews will be used to gather quantitative data to measure demographic, computer use, and other social characteristics of social engineers. A set of structured survey questions will be administered by the interviewer as part of the interview process. To select a sample of subjects, a nonprobability, purposive, "snowball" sampling design is used, which is well-suited for studying "hidden" populations such as social engineers. To analyze the qualitative data, grounded theory techniques are used which involve the transformation of data into concepts, which are then summarized into broader analytic categories, leading to the isolation of patterns in the data. Quantitative data will be analyzed through an assortment of univariate, bivariate, and multivariate techniques.

当今世界对网络空间安全最严重的威胁之一是“社会工程”，即通过欺骗或操纵有权访问有关信息系统安全的关键信息的人将此类信息交给未经授权的人员，从而允许他们访问其他安全系统的过程。 迄今为止，关于社会工程的系统研究还很少。 这项研究将通过检查谁是社会工程师、他们为何从事社会工程、他们用于构思和实施社会工程项目的流程，以及他们如何看待信息隐私和安全以及如何证明自己的行为合理性来填补这一空白。 此外，为了了解受社会工程影响的组织如何应对其构成的威胁，本研究还探讨了负责监督组织计算机系统和潜在敏感信息安全的 IT 专业人员对社会工程的看法。通过更深入、更准确地理解社会工程（一种目前被许多人笼罩在神话和误解中的现象），这项研究将有助于犯罪学和其他领域的重要进展，这些领域对了解信息安全的人性维度有既得利益，并为信息安全战略的发展提供信息。本研究采用横断面、非实验研究设计，采用定性和定量数据。定性部分涉及对“野外”社会工程师、安全审计员和 IT 专业人员的半结构化访谈。将使用开放式访谈问题来获取这些数据。此外，这些访谈将用于收集定量数据，以衡量社会工程师的人口统计、计算机使用和其他社会特征。作为面试过程的一部分，面试官将提出一组结构化调查问题。 为了选择受试者样本，采用了非概率、有目的的“滚雪球”抽样设计，该设计非常适合研究“隐藏”人群，例如社会工程师。为了分析定性数据，使用扎根理论技术，其中涉及将数据转换为概念，然后将概念归纳为更广泛的分析类别，从而隔离数据中的模式。定量数据将通过各种单变量、双变量和多变量技术进行分析。

项目成果

Decrypting Social Engineering: An Analysis of Conceptual Ambiguity

解密社会工程：概念歧义分析

• DOI: 10.1007/s10612-019-09461-9
• 发表时间: 2020
• 期刊: Critical Criminology
• 影响因子: 1.8
• 作者: Steinmetz, Kevin F.;Pimentel, Alexandra;Goe, W. Richard
• 通讯作者: Goe, W. Richard

The Identification of a Model Victim for Social Engineering: A Qualitative Analysis

社会工程模型受害者的识别：定性分析

• DOI: 10.1080/15564886.2020.1818658
• 发表时间: 2021
• 期刊: Victims & Offenders
• 影响因子: 2.2
• 作者: Steinmetz, Kevin F.