social engineering; principles of persuasion; phishing
Abstract :
Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred to in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al.'s principles of scams. It is unclear whether these relate, but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review, and further research is needed to make it automatic, but the approach we follow, together with the principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.
Research center :
SnT
Disciplines :
Engineering, computing & technology: Multidisciplinary, general & others
Author, co-author :
Ferreira, Ana ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Coventry, Lynne
External co-authors :
yes
Language :
English
Title :
Principles of Persuasion in Social Engineering and Their Use in Phishing
Publication date :
2015
Event name :
Human Aspects of Information Security, Privacy, and Trust
Event organizer :
Human Computer Interaction International
Event place :
Los Angeles, United States
Event date :
from 02-08-2015 to 07-08-2015
Audience :
International
Main work title :
Human Aspects of Information Security, Privacy, and Trust Third International Conference, HAS 2015
Mitnick, K., Simon, W.: The Art of Deception. Wiley Publishing Inc., New York (2002)
Cialdini, R.B.: Influence: The Psychology of Persuasion (Revised Edition). Harper Business, Dunmore (2007)
Quiel, S., Uebelacker, S.: The social engineering personality framework. In: Proceedings of 4th Workshop on Socio-Technical Aspects in Security and Trust (STAST 2014), Vienna, Austria, 18 July 2014, pp. 24–30 (2014)
Akbar, N.: Analysing persuasion principles in phishing emails. Ph.D. dissertation, Master Thesis, University of Twente, The Netherlands, October 2014
Gragg, D.: A multi-level defense against social engineering. Technical Report, SANS Institute - InfoSec Reading Room (2003)
Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54(3), 70–75 (2011)
Scheeres, J.W., Mills, R.F., Grimaila, M.R.: Establishing the human firewall: reducing an individual’s engineering attacks. In: Proceedings of the 3rd International Conference on Information Warfare and Security (ICIW), Omaha, USA, 24–25 April 2008
Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Banff, AB, Canada, 8–12 May 2008, pp. 649–656. ACM (2007)
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L.F., Hong, J.: Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. 10(2), 1–31 (2010)
Blythe, M., Petrie, H., Clark, J.A.: F for fake: four studies on how we fall for phish. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI 2011), Vancouver, BC, Canada, 7–12 May 2011, pp. 3469–3478. ACM (2011)
Martin, S.J., Goldstein, N., Cialdini, R.B.: The Small BIG: Small Changes that Spark Big Influence. Grand Central Publishing, New York (2014)
Arnheim, R.: The gestalt theory of expression. Psychol. Rev. 56, 156–171 (1945)
Geremek, A., Greenlee, M., Magnussen, S.: Perception Beyond Gestalt: Progress in Vision Research. Psychology Press, New York (2013)