Model of Malefactor Competencies Profile for Analyzing Information System Personnel Security from Social Engineering Attacks
Abstract
Introduction: The increased complexity of computer networks and security mechanisms, the growing number of users’ vulnerabilities and various ways to organize attacks cause the need to develop powerful automated tools and systems for vulnerability analysis. The technical (software and hardware) problems are mostly solved; there are many software systems for security analysis. However, these systems usually do not include or include only partially the users’ behavior analysis, while an essential part of information security violations are caused now by social engineering attacks. The general purpose of the current research is to estimate the rate of information system personnel protection from social engineering attacks. Purpose: A formal model of a malefactor should be developed, including a model of malefactor’s competencies profile. It will be a basis for multifactorial estimates of the probability of a success of malefactor’s attack on the user. Results: A formal model of a malefactor was developed in this article. It consists of the profile of malefactor's competencies in paired format (a competence and its intensity), resources available for the malefactor, his/her basic knowledge about the system architecture, the set of users vulnerable for the attack, and malefactor's goals. On the basis of this model, a method of multi-factor assessment of malefactor's attack success probability was proposed. Practical relevance: The developed model allows you to evaluate how well information systems are protected from social engineering attacks, to identify the most vulnerable parts of the system and to promptly take necessary measures to ensure information security.Published
2016-08-19
How to Cite
Abramov, M., Azarov, A., Tulupyeva, T., & Tulupyev, A. (2016). Model of Malefactor Competencies Profile for Analyzing Information System Personnel Security from Social Engineering Attacks. Information and Control Systems, (4), 77-84. https://doi.org/10.15217/issn1684-8853.2016.4.77
Issue
Section
Information security