1. What are the main challenges in modelling and evaluating the outcomes of Social Engineering Threats (SETs), and how does this study address them?
The primary challenge in modelling SETs is the inherent unpredictability of human behavior, which makes rigorous mathematical evaluation difficult. Unlike technical exploits, SETs rely on psychological manipulation, which is historically hard to quantify. The study addresses this by structuring SETs not as random events, but as systematic processes involving specific modalities (e.g., email, phone) and persuasion principles (e.g., authority, scarcity). By categorizing these variables, the authors are able to apply Markov Chain models to calculate the probability of an attack moving from one stage to the next.
2. How do persuasion principles and modalities contribute to the success of SETs?
Persuasion principles (derived from Cialdini’s framework, such as Reciprocity, Commitment, and Social Proof) act as the “exploit code” of a social engineering attack. The study highlights that the success of a SET depends heavily on the pairing of a Modality (the medium, e.g., social media) with the correct Persuasion Principle. Systematically analyzing these pairs is critical because certain combinations yield higher success rates; for example, “Authority” might be more effective via email, while “Liking” works better on social media. Understanding these combinations allows defenders to predict which specific scenarios pose the highest risk.
3. What role do the Attack Tree Model and Markov Chain Model play in estimating probabilities?
The study utilizes a hybrid approach to estimate risk:
- Attack Tree Model: This is used to calculate the Attack Occurrence Probability (AOP). It maps the hierarchical structure of an attack, using frequency data to estimate how likely a specific attack path is to be attempted.
- Markov Chain Model: This is used to calculate the Attack Success Probability (ASP). It models the attack as a sequence of states (e.g., Start > Medium > Persuasion > Compromise). The Markov model calculates the probability of transitioning from one state to the next based on the effectiveness of the chosen persuasion principle.
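As an added illustration (not code from the paper or its authors), the following Python block wires the two models together: an attack tree with AND/OR gates yields the AOP from leaf attempt frequencies, and an absorbing Markov chain over the stages Start > Medium > Persuasion > Compromise yields the ASP. It goes slightly beyond the page's four-state chain by adding an explicit Fail state and an optional retry transition (Persuasion back to Medium), which is why the ASP is computed as an absorption probability rather than a plain product. Every frequency and transition probability, the scenario names, and the independence assumption behind the gate formulas are constructed assumptions for the example.

```python
"""
Added illustration of the two-model approach: an attack tree gives the Attack
Occurrence Probability (AOP) and an absorbing Markov chain gives the Attack
Success Probability (ASP).  All frequencies and transition probabilities are
constructed placeholders, not values from the paper.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class AttackNode:
    """Attack-tree node. Leaves carry an attempt frequency in [0, 1];
    internal nodes combine their children with an AND or OR gate."""
    name: str
    gate: str = "LEAF"            # "LEAF", "AND" or "OR"
    frequency: float = 0.0        # leaves only: estimated P(step is attempted)
    children: list = field(default_factory=list)


def aop(node: AttackNode) -> float:
    """Attack Occurrence Probability, assuming independent child events:
    AND gate -> product of children; OR gate -> 1 - prod(1 - child)."""
    if node.gate == "LEAF":
        return node.frequency
    child_p = [aop(c) for c in node.children]
    if node.gate == "AND":
        return prod(child_p)
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in child_p)
    raise ValueError(f"unknown gate {node.gate!r} at {node.name}")


# Markov chain states: three transient stages and two absorbing outcomes.
STATES = ["Start", "Medium", "Persuasion", "Compromise", "Fail"]
ABSORBING = {"Compromise", "Fail"}


def transition_matrix(p_medium: float, p_persuade: float,
                      p_comply: float, p_retry: float = 0.0) -> dict:
    """Row-stochastic matrix as nested dicts (assumed stage semantics):
    Start -> Medium with p_medium (message delivered / call answered),
    Medium -> Persuasion with p_persuade (target engages with the pretext),
    Persuasion -> Compromise with p_comply (target performs the action),
    Persuasion -> Medium with p_retry (a follow-up message is sent);
    the remaining mass at each stage goes to Fail."""
    assert 0 <= p_comply + p_retry <= 1, "Persuasion row must be a distribution"
    return {
        "Start":      {"Medium": p_medium, "Fail": 1 - p_medium},
        "Medium":     {"Persuasion": p_persuade, "Fail": 1 - p_persuade},
        "Persuasion": {"Compromise": p_comply, "Medium": p_retry,
                       "Fail": 1 - p_comply - p_retry},
        "Compromise": {"Compromise": 1.0},
        "Fail":       {"Fail": 1.0},
    }


def asp(T: dict, start: str = "Start", target: str = "Compromise",
        tol: float = 1e-12, max_steps: int = 10_000) -> float:
    """Attack Success Probability: probability that a chain started in `start`
    is eventually absorbed in `target`.  The state distribution is propagated
    until (almost) no probability mass remains in the transient stages."""
    dist = {s: 0.0 for s in STATES}
    dist[start] = 1.0
    for _ in range(max_steps):
        nxt = {s: 0.0 for s in STATES}
        for s, mass in dist.items():
            for t, p in T[s].items():
                nxt[t] += mass * p
        dist = nxt
        if sum(dist[s] for s in STATES if s not in ABSORBING) < tol:
            break
    return dist[target]


def rank_scenarios(scenarios: dict) -> list:
    """Combine AOP and ASP per (modality, principle) scenario into a risk score
    and return (name, AOP, ASP, risk) rows sorted from highest to lowest risk."""
    scored = []
    for name, (tree, T) in scenarios.items():
        a, s = aop(tree), asp(T)
        scored.append((name, round(a, 4), round(s, 4), round(a * s, 4)))
    return sorted(scored, key=lambda r: r[3], reverse=True)


# Constructed example: two scenarios built from made-up frequencies.
PHISH_TREE = AttackNode("email+authority", "AND", children=[
    AttackNode("identify executive to impersonate", frequency=0.9),
    AttackNode("deliver spoofed email", "OR", children=[
        AttackNode("lookalike domain", frequency=0.5),
        AttackNode("compromised partner mailbox", frequency=0.2),
    ]),
])
SOCIAL_TREE = AttackNode("social+liking", "AND", children=[
    AttackNode("build rapport profile", frequency=0.7),
    AttackNode("send connection request", frequency=0.8),
])
SCENARIOS = {
    "email/authority": (PHISH_TREE, transition_matrix(0.8, 0.5, 0.3, 0.2)),
    "social/liking":   (SOCIAL_TREE, transition_matrix(0.9, 0.6, 0.2, 0.0)),
}

if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS):
        print("%-16s AOP=%.4f ASP=%.4f risk=%.4f" % row)
```

With the constructed inputs the email/authority scenario ranks first: its AOP is 0.9 × (1 − 0.5 × 0.8) = 0.54, and because the retry loop lets a failed persuasion attempt be repeated, its ASP is 0.8 × 0.5 × 0.3 / (1 − 0.2 × 0.5) ≈ 0.133 rather than the plain product 0.12. Replacing the placeholder frequencies with observed incident and simulation data is what turns this into the ranking the answer to question 4 relies on.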
4. How can the findings support the development of effective policy frameworks?
By quantifying the ASP of specific attacks, organizations can move beyond generic “Security Awareness Training” to targeted interventions. For instance, if the model shows that the “Authority” principle delivered via “Email” has the highest success probability, policies can be adjusted to enforce strict verification for executive requests (e.g., mandatory voice confirmation for wire transfers). This allows resources to be allocated based on mathematical risk rankings rather than anecdotal evidence.
References
- Aijaz, M. and Nazir, M. (2024) ‘Modelling and analysis of social engineering threats using the attack tree and the Markov model’, International Journal of Information Technology, 16(2), pp. 1231–1238. Available at: https://doi.org/10.1007/s41870-023-01540-z