A METHOD FOR EVALUATING THE PROBABILITY OF REALIZATION OF SOCIAL ENGINEERING ATTACK TRAJECTORIES IN CORPORATE INFORMATION SYSTEMS

DOI: 10.31673/2786-8362.2024.024719

Authors

  • М. М. Запорожченко (Zaporozhchenko M.M.), State University of Information and Communication Technologies, Kyiv

Abstract

The article presents a method for assessing the probability that trajectories of multi-stage
social engineering attacks (SEA) are realized in corporate information systems (CIS). The developed
approach is based on mathematical modeling of interactions between users, which is a key factor in
the spread of attacks in the corporate environment. The study takes into account four main criteria:
joint projects, communications, hierarchical relationships, and shared access to information assets.

The proposed mathematical model makes it possible to quantify the probability of an attack passing
between a pair of users from indicators of the intensity of their interaction. The user interaction
graph built from the calculated probabilities reflects the potential trajectories of SEA spread in
the CIS, making it possible to identify the most critical links and the key nodes of the system
through which the probability of compromise is highest.

The model is tailored to the specifics of the corporate environment, where attacks spread through
trust, work, and hierarchical interactions. Applying the method makes it possible to identify
vulnerable segments of the system, optimize response strategies, and develop preventive measures
aimed at minimizing the likelihood of a successful SEA.
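
The idea described in the abstract, as an added example that is not code or formulas from the article: per-pair transition probabilities are derived from the four criteria, and the most probable trajectory from an initially targeted user to an asset owner is found on the resulting graph. The weighted-sum combination, the weights, the independence of transitions, and all user names and intensities are assumptions constructed for illustration.

```python
import heapq
import math

# Criterion order: joint projects, communications, hierarchy, shared access.
WEIGHTS = (0.3, 0.3, 0.2, 0.2)  # assumed weights, not taken from the article

# Constructed sample data: interaction intensity in [0, 1] per criterion.
INTERACTIONS = {
    ("alice", "bob"):   (0.8, 0.9, 0.0, 0.5),
    ("bob", "dave"):    (0.6, 0.7, 1.0, 0.5),
    ("alice", "carol"): (0.2, 0.4, 0.0, 0.0),
    ("carol", "dave"):  (0.9, 0.8, 1.0, 1.0),
    ("alice", "dave"):  (0.1, 0.1, 0.5, 0.0),
}

def edge_probability(intensity):
    """Assumed model: weighted sum of criterion intensities, clamped to [0, 1]."""
    p = sum(w * x for w, x in zip(WEIGHTS, intensity))
    return min(max(p, 0.0), 1.0)

def build_graph(interactions):
    """Directed graph {user: {neighbour: probability}}; zero-probability edges dropped."""
    graph = {}
    for (src, dst), intensity in interactions.items():
        graph.setdefault(src, {})
        graph.setdefault(dst, {})
        p = edge_probability(intensity)
        if p > 0.0:
            graph[src][dst] = p
    return graph

def most_probable_trajectory(graph, entry, target):
    """Dijkstra on -log(p), which maximizes the product of edge probabilities."""
    cost, prev, heap = {entry: 0.0}, {}, [(0.0, entry)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost.get(node, math.inf):
            continue  # stale queue entry
        for nxt, p in graph.get(node, {}).items():
            nc = c - math.log(p)
            if nc < cost.get(nxt, math.inf):
                cost[nxt], prev[nxt] = nc, node
                heapq.heappush(heap, (nc, nxt))
    if target not in cost:
        return None, 0.0  # no trajectory reaches the target
    path = [target]
    while path[-1] != entry:
        path.append(prev[path[-1]])
    return path[::-1], math.exp(-cost[target])
```

With the constructed data, the indirect route through a closely collaborating colleague outranks the direct link, which is the kind of critical link the graph is meant to surface for preventive measures.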

Keywords: social engineering, graph model, risk assessment, attack probability, information security


Published

2025-01-15

Section

Articles