Dagstuhl Seminar 23462
Defining and Fortifying Against Cognitive Vulnerabilities in Social Engineering
( Nov 12 – Nov 15, 2023 )
(Click in the middle of the image to enlarge)
Permalink
Please use the following short url to reference this page:
https://www.dagstuhl.de/23462
Organizers
- Yomna Abdelrahman (European Universities in Egypt - Cairo, EG)
- Florian Alt (Universität der Bundeswehr München, DE)
- Tilman Dingler (The University of Melbourne, AU)
- Christopher Hadnagy (Social-Engineer - Orlando, US)
- Abbie Maroño (Social-Engineer - Orlando, US)
Contact
- Marsha Kleinbauer (for scientific matters)
- Christina Schwarz (for administrative matters)
Shared Documents
- Dagstuhl Materials Page (Use personal credentials as created in DOOR to log in)
Schedule
Social engineering which is defined as "any act that influences a person to take an action that may or may not be in their best interests". In regards to when social engineering is being used by threat actors it is used as psychological manipulation of people into performing actions or disclosing confidential information. Sadly, this form of attack has existed for almost as long as mankind itself. With the advent of AI tools, this form of attack reached a new quality, posing a threat to any online user. Prominent forms of social engineering are phishing attacks and their various subforms (vishing, twishing, QRishing, etc.), physical attacks (dumpster diving, tailgating), and, more recently, deep fakes.
This three-day Dagstuhl Seminar on "Defining and Fortifying Against Cognitive Vulnerabilities in Social Engineering" brought together experts in (user-centered) security, psychology, HCI, computer science, and ethics to identify grand challenges and identify a research roadmap for mitigating social engineering threats. Over the course of the seminar, participants developed an in-depth understanding of the seminar topic. This was achieved by focusing on different aspects of social engineering, discussing how it links to the users' vulnerabilities, namely cognitive vulnerabilities, and how mitigation approaches can be developed.
Day 1 began by introducing the seminar topic, focus, and goals. Afterwards, all participants introduced themselves and their areas of expertise. Each participant contributed and described reading material related to the seminar topic. The material was made accessible to all seminar participants and is attached as a reading list to this report. Following the introductions, day one featured a keynote by Prof. Angela Sasse, entitled "Manipulation, Deception, and Self-Deceit - Broadening Our Perspective of Social Engineering". It highlighted how and why the digital environment makes us so susceptible to social engineering. It took a critical perspective on state-of-the-art approaches to address social engineering. The second talk of day one was given by Chris Hadnagy, who presented important and practical insights into the strategies of modern hackers. Both talks gave a compelling overview of social engineering attacks, an understanding of the most commonly targeted vulnerabilities, and a sense of why it is difficult to mitigate them. Participants then worked in groups to identify grand challenges in social engineering from both researchers' and practitioners' perspectives. Dr. Thomas Kosch and Dr. Yomna Abdelrahman jointly led the last session of day one. It focused on detecting cognitive vulnerabilities and provided an overview of sensing technologies and users' internal states to be inferred, e.g., fatigue, cognitive load, etc. Day one concluded with a group work activity on what we can learn from modern sensors and how to design systems and methods to help mitigate social engineering attacks.
Day two started with a keynote by Mary D'Angelo, addressing the complex topic of understanding and tracing threat actors and social engineers on the dark web. It highlighted the need for collaborative efforts to understand this evolving threat better. Mary D'Angelo and Chris Hadnagy led an open discussion: on the one hand, it focused on the role of practitioners and industry in providing realistic data sets and insights from real-life attacks. On the other hand, the question of how researchers could use those datasets to (a) better understand attacks and (b) design mitigating techniques was discussed. The second activity on day two was a walk to the ruins, during which participants, led by Claude Kirchner, discussed the ethical aspects of the seminar topic. The afternoon of day two was a group work activity led by Dr. Mohamed Khamis in which participants worked towards addressing the previously identified grand challenges. Breakout groups focused on the different attack phases. Day two ended by transforming the proposed solutions into concrete research projects and agendas.
Day three started with a keynote by Alia Saad, which demonstrated different approaches to addressing human-centered security issues from a technical perspective, using examples from current research. Participants followed up on the proposed research projects in the second session of the day, led by Prof. Florian Alt and Prof. Tilman Dingler. They worked together on refining their ideas and identifying potential collaborations.
This Dagstuhl Seminar provided a platform for interdisciplinary collaboration, fostering a deeper understanding of social engineering and its cognitive vulnerabilities. The identified grand challenges and proposed research projects underscore the importance of collaborative efforts between researchers and practitioners in fortifying against evolving social engineering threats. The insights of this seminar lay the foundation for future research and initiatives in the ongoing battle against malicious psychological manipulation in the digital age.
This seminar had several outcomes. First, it established a community of researchers and practitioners with a common understanding of emerging security threats through social engineering. Second, grand challenges were identified that led to a roadmap for social engineering research, including various research questions addressing theoretical, practical, and methodological aspects. Third, ideas for joint research projects emerged, for several of which an initial consortium was established. Among these projects is the idea of establishing a European Research Center on Awareness, Detection, and Mitigation of Social Engineering, the utilization of a dark web dataset that provides insights into the behaviors of threat actors that lead up to an attack, the utilisation of AI to detect sensitive information in unwanted data disclosures (e.g., via social media shares), and an approach to detecting threats in audio conversations based on voice features and conversation behaviours.
Creative Commons BY 4.0
Yomna Abdelrahman, Florian Alt, Tilman Dingler, Christopher Hadnagy, and Abbie Maroño
Social Engineering – the psychological manipulation of people into performing undesired actions or disclosing confidential information – has existed almost as long as mankind itself. Technical means to automate such attacks in the form of (spear) phishing, vishing, and deep fakes have made this form of user-centered attack an omnipresent threat to any user of digital technology. It is estimated that today the highly professional cybercrime industry, which established itself over the past years, exploits human behavior in 70-90% of all successful attacks. And attackers are not at rest: they use a wide range of media (starting with email, to social media and video conferencing) and quickly exploit novel technologies (such as, recently, ChatGPT) to constantly come up with novel attack vectors.
At the same time, the defender side remains largely helpless. Novel approaches to attacks emerge faster than means to mitigate them can be developed; and educating users only partially addresses the issue as learning effects tend to wear off quickly. Yet, there is hope. Today we have a strong understanding of the techniques commonly employed by social engineers, of factors that contribute to susceptibility, and of cognitive vulnerabilities that are elicited and exploited by social engineers. For example, stress, high cognitive load, fatigue, misdirected attention, the circadian rhythm as well as context contribute to social engineering susceptibility. At the same time, ubiquitous technologies in the form of personal devices and wearables, such as smartphones, smartwatches, and smart glasses, allow such information to be assessed in real-time. Yet, we hardly see any approaches leveraging this knowledge so as to build strong means to protect against social engineering.
In this Dagstuhl Seminar, we seek to bring together researchers and practitioners with a broad variety of relevant backgrounds to create a research agenda for building user-centered techniques and technologies to mitigate social engineering attacks targeting cognitive vulnerabilities, including but not limited to approaches raising threat awareness, increasing security literacy, and protecting in real-time. Social psychologists will contribute their knowledge of human behavior. Human hackers will share how this behavior is being manipulated and exploited. Experts in ubiquitous computing will help identify technologies that can provide data characterizing social engineering situations. Data scientists and experts in affective computing will contribute knowledge on what to learn from this data. And experts in human-computer interaction and usable security will help clarify how novel user interfaces can be built to ultimately protect users.
Over three days, an esteemed selection of participants will engage with the problem of social engineering from a technical, psychological, and educational perspective. By looking at systems, users, and applications from an interdisciplinary perspective, we aim to produce a research agenda and blueprints for tools and systems that increase users’ perception and understanding of threats, foster security literacy, and support the habituation of secure behavior.
Yomna Abdelrahman, Florian Alt, Tilman Dingler, Christopher Hadnagy, and Abbie Maroño
- Yomna Abdelrahman (European Universities in Egypt - Cairo, EG)
- Luca Allodi (TU Eindhoven, NL) [dblp]
- Florian Alt (Universität der Bundeswehr München, DE) [dblp]
- Nathan Berry (Nexus - Leeds, GB)
- Jan-Willem Bullee (University of Twente, NL) [dblp]
- Mary D'Angelo (Searchlight Cyber - Washington, DC, US)
- Felix Dietz (Universität der Bundeswehr München, DE) [dblp]
- Tilman Dingler (The University of Melbourne, AU) [dblp]
- Verena Distler (Universität der Bundeswehr München, DE) [dblp]
- Abdallah El Ali (CWI - Amsterdam, NL) [dblp]
- Jerry Färdigs (Swedish Armed Forces - Uppsala, SE)
- Ann Fernström (Swedish Armed Forces - Uppsala, SE)
- Matteo Große-Kampmann (AWARE7 GmbH - Gelsenkirchen, DE) [dblp]
- Christopher Hadnagy (Social-Engineer - Orlando, US)
- Mohamed Khamis (University of Glasgow, GB) [dblp]
- Claude Kirchner (CCNE - Paris, FR & INRIA - Rocquencourt, FR) [dblp]
- Thomas Kosch (HU Berlin, DE) [dblp]
- Karola Marky (Ruhr-Universität Bochum, DE) [dblp]
- Abbie Maroño (Social-Engineer - Orlando, US)
- Alexander Nussbaum (Universität der Bundeswehr München, DE) [dblp]
- Alia Saad (Universität Duisburg-Essen, DE) [dblp]
- Martina Angela Sasse (Ruhr-Universität Bochum, DE) [dblp]
- Florian Schaub (University of Michigan - Ann Arbor, US) [dblp]
- Christina Schneegass (TU Delft, NL) [dblp]
Classification
- Computers and Society
- Human-Computer Interaction
Keywords
- HCI
- Social Engineering Attacks
- Cognitive Security
- Sensors
