USER PROFILING TO INCREASE RESILIENCE OF CRITICAL INFRASTRUCTURE PERSONNEL TO CYBER ATTACKS USING THE HUMAN FACTOR
DOI:
https://doi.org/10.32782/IT/2024-3-17
Keywords:
resilience, critical infrastructure, cyber attacks, social engineering, cybersecurity
Abstract
This work addresses the problem of increasing the resistance of employees of critical infrastructure facilities to cyber attacks whose success depends on exploiting weaknesses of the human factor. Each social engineering attack, which is usually the key to the success of a subsequent cyber attack, exploits certain traits inherent in the individual. It also exploits flaws in enterprise-specific security policies that make users more vulnerable. The purpose of this work is to extend the means of increasing the resistance of personnel of critical infrastructure facilities to social engineering attacks with diagnostic profiling tools that are combined with training functions and based on user surveys. Novelty of the work. An approach to preventing social engineering attacks is proposed, based on identifying the features that make a user vulnerable to such attacks. A set of factors whose presence can be diagnosed from a survey is identified, and a methodology and a corresponding software tool are proposed. Based on these factors, Boolean functions have been built that can be used to determine whether a user belongs to a given profile. Methodology. An expert method was used to form the questionnaire. The vulnerabilities (factors) exploited by cyber attacks on critical infrastructure were determined by generalizing existing research in the field. The developed software takes the questionnaire in a flexible format, builds the user-facing interface from it and, based on the user's answers, produces the profiling result and analyzes the cases present in the survey. Main results. The proposed software and the corresponding methodology support the preventive and security measures of an enterprise and can be used both as a tool for diagnosing vulnerabilities and as a training tool. Boolean functions that determine membership in a given profile can be used when building a formalized model of an internal violator (insider). Conclusions. Testing employees of critical infrastructure facilities with the developed methodology made it possible to identify, among those surveyed, groups of users who are vulnerable to social engineering attacks of certain types despite a high level of knowledge of information technologies. The tools proposed in this work help to increase the resistance of personnel of critical infrastructure facilities to cyber attacks that exploit the human factor.