Affiliation:
1. Eindhoven University of Technology, Netherlands
Abstract
The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental methods, and interactions with underlying cognitive aspects. As a consequence, much potential in the breadth of existing empirical SE research and in its mapping to the actual cognitive processes it aims to measure is left untapped. In this work, we carry out a systematic review of 169 articles investigating a total of 735 hypotheses in the field of empirical SE research, focusing on experimental characteristics and core cognitive features from both attacker and target perspectives. Our study reveals that experiments only partially reproduce real attacks and that the exploitable SE attack surface appears much larger than the coverage provided by the current body of research. Factors such as targets' context and cognitive processes are often ignored or not explicitly considered in experimental designs. Similarly, the effects of different pretexts and varied targetization levels are, overall, only marginally investigated. Our findings on current SE research dynamics provide insights into methodological shortcomings and help identify supplementary techniques that can open promising future research directions.
Funder
INTERSCT
SeReNity
Netherlands Organisation for Scientific Research
Publisher
Association for Computing Machinery (ACM)
Subject
Human-Computer Interaction