Research
My area of research is within the human element of security, specifically a technique called social engineering.
I also have general interests in security, especially the “softer” side (which is the hardest). Management, education, training and such. Below is an abstract of my Ph.D. thesis, which you can download in the “Publications” section.
Abstract
Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about finding methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the means an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques in place that deal with the human element of security.

The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion of why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.