Social Engineering Penetration Testing within the OODCA Cycle – Approaches to Detect and Remediate Human Vulnerabilities and Risks in Information Security
Authors: Asiye Öztürk, Erfan Koza, Michael Willer
Abstract: In more than 95% of all successfully conducted cyberattacks, the human factor is exploited as a vulnerability point. The following principle applies: whenever a hacker uses external attack vectors, and thus does not use the Internet directly as a medium, employees become the target of the attack. As a result, current technical and intelligent defense mechanisms can contribute only to a limited extent to increasing the resilience of IT systems, because these technological approaches do not fully account for the behavioral, cognitive, and heterogeneous motivations that lead to human error in the security causal chain of information security when social engineering (SE) methods are used. In this paper, we present a strategic and iterative analysis tool to detect SE threats through systemic monitoring, to train against them, and to defend against them successfully. For this purpose, we use the so-called Course of Actions to practically check the security-compliant behavior of employees and to initialize the feedback processes for reactivating the human firewall based on the knowledge gained. This approach is already being applied to various types of organizations and critical infrastructure and can be seamlessly integrated into existing training and auditing programs.
Keywords: cybersecurity, human factors, social engineering