Modelling Social Engineering Threats Based on Aijaz, M. and Nazir, M. (2024)

1. What are the main challenges in modelling and evaluating the outcomes of Social Engineering Threats (SETs), and how does this study address them?

The primary challenge in modelling SETs is the inherent unpredictability of human behavior, which makes rigorous mathematical evaluation difficult. Unlike technical exploits, SETs rely on psychological manipulation, which is historically hard to quantify. The study addresses this by structuring SETs not as random events, but as systematic processes involving specific modalities (e.g., email, phone) and persuasion principles (e.g., authority, scarcity). By categorizing these variables, the authors are able to apply Markov Chain models to calculate the probability of an attack moving from one stage to the next.

2. How do persuasion principles and modalities contribute to the success of SETs?

Persuasion principles (derived from Cialdini’s framework, such as Reciprocity, Commitment, and Social Proof) act as the “exploit code” of a social engineering attack. The study highlights that the success of a SET depends heavily on the pairing of a Modality (the medium, e.g., social media) with the correct Persuasion Principle. Systematically analyzing these pairs is critical because certain combinations yield higher success rates; for example, “Authority” might be more effective via email, while “Liking” works better on social media. Understanding these combinations allows defenders to predict which specific scenarios pose the highest risk.

3. What role do the Attack Tree Model and Markov Chain Model play in estimating probabilities?

The study utilizes a hybrid approach to estimate risk:

  • Attack Tree Model: This is used to calculate the Attack Occurrence Probability (AOP). It maps the hierarchical structure of an attack, using frequency data to estimate how likely a specific attack path is to be attempted.
  • Markov Chain Model: This is used to calculate the Attack Success Probability (ASP). It models the attack as a sequence of states (e.g., Start > Medium > Persuasion > Compromise). The Markov model calculates the probability of transitioning from one state to the next based on the effectiveness of the chosen persuasion principle.
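As an added illustration (my own code, not code or figures from Aijaz and Nazir), the following Python computes an AOP from a toy attack tree with AND/OR nodes and an ASP as the probability of a Markov chain over Start > Medium > Persuasion > Compromise being absorbed in the Compromise state; every probability, state name and the tree shape are constructed placeholders, and the independence of tree leaves is a modelling assumption.

```python
# Added example: AOP from an attack tree, ASP from a Markov chain.
# All numbers below are constructed placeholders, not values from the paper.
from functools import reduce

def attack_tree_aop(node):
    """AOP of an attack tree.
    node is ('leaf', p), ('AND', [children]) or ('OR', [children]).
    Children are treated as independent (a modelling assumption)."""
    kind, payload = node
    if kind == 'leaf':
        return payload
    probs = [attack_tree_aop(child) for child in payload]
    if kind == 'AND':                      # every sub-step must be attempted
        return reduce(lambda a, b: a * b, probs, 1.0)
    if kind == 'OR':                       # at least one branch is attempted
        return 1.0 - reduce(lambda a, b: a * (1.0 - b), probs, 1.0)
    raise ValueError(f'unknown node kind {kind!r}')

def reach_probability(transitions, state, target='Compromise'):
    """Probability that the chain started in `state` is absorbed in `target`.
    transitions: {(from_state, to_state): p}. Outgoing mass that is missing
    means the attack is abandoned. Assumes the transient states are acyclic."""
    if state == target:
        return 1.0
    return sum(p * reach_probability(transitions, dst, target)
               for (src, dst), p in transitions.items() if src == state)

# Constructed scenario: authority pretext by email vs. liking via social media.
TREE = ('OR', [
    ('AND', [('leaf', 0.6), ('leaf', 0.5)]),  # address known AND authority pretext built
    ('AND', [('leaf', 0.4), ('leaf', 0.7)]),  # profile located AND rapport established
])
TRANSITIONS = {
    ('Start', 'Email'): 0.55,       ('Email', 'Authority'): 0.80,
    ('Authority', 'Compromise'): 0.45,
    ('Start', 'SocialMedia'): 0.45, ('SocialMedia', 'Liking'): 0.70,
    ('Liking', 'Compromise'): 0.30,
}

def rank_media(transitions=TRANSITIONS, media=('Email', 'SocialMedia')):
    """ASP conditional on each modality, highest first: the ranking that
    question 4 below uses to prioritise controls."""
    return sorted(((round(reach_probability(transitions, m), 4), m)
                   for m in media), reverse=True)

if __name__ == '__main__':
    print('AOP of tree:', round(attack_tree_aop(TREE), 4))
    print('ASP from Start:', round(reach_probability(TRANSITIONS, 'Start'), 4))
    print('ASP by modality:', rank_media())
```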

4. How can the findings support the development of effective policy frameworks?

By quantifying the ASP of specific attacks, organizations can move beyond generic “Security Awareness Training” to targeted interventions. For instance, if the model shows that the “Authority” principle delivered via “Email” has the highest success probability, policies can be adjusted to enforce strict verification for executive requests (e.g., mandatory voice confirmation for wire transfers). This allows resources to be allocated based on mathematical risk rankings rather than anecdotal evidence.

References

  • Aijaz, M. and Nazir, M. (2024) ‘Modelling and analysis of social engineering threats using the attack tree and the Markov model’, International Journal of Information Technology, 16(2), pp. 1231–1238. Available at: https://doi.org/10.1007/s41870-023-01540-z

Bayesian Risk Update (Think Bayes 2) Based on Downey (2022), Chapters 1 & 2

I used Allen Downey’s ThinkBayes2 library to practice Diachronic Bayes, the process of updating a hypothesis (H) based on new data (D).

  • The Problem: I worked through the “Cookie Problem” and “Monty Hall Problem” to understand the mechanics of the formula: P(H|D) = (P(H)P(D|H))/(P(D)).
  • Application to Risk: I treated the “Prior” (P(H)) as our initial risk assessment (e.g., “There is a 10% chance of a breach”). I then calculated the “Likelihood” (P(D|H)) based on new evidence (e.g., “A firewall log showed 5 failed login attempts”).
  • Outcome: The calculation produced a “Posterior” probability, mathematically demonstrating that risk is dynamic. This highlighted a flaw in traditional “static” risk registers, which often fail to account for real-time threat intelligence.

Description: This script adapts the ‘Think Bayes’ methodology to a security context. It updates the probability of a specific threat (Hypothesis) being active after observing a specific indicator (Evidence).

# A simplified class structure based on Downey's 'Pmf' (Probability Mass Function)
class RiskHypothesis:
    def __init__(self, priors):
        """
        priors: Dictionary of {Hypothesis: Probability}
        e.g., {'High_Risk': 0.1, 'Low_Risk': 0.9}
        """
        self.hypotheses = dict(priors)  # copy, so the caller's dict is not mutated

    def normalize(self):
        """Ensures all probabilities sum to 1.0"""
        total = sum(self.hypotheses.values())
        if total == 0:
            # Every hypothesis assigned zero: the evidence was impossible under all of them
            raise ValueError("cannot normalize: all hypotheses have probability 0")
        for hypo in self.hypotheses:
            self.hypotheses[hypo] /= total

    def update(self, evidence, likelihoods):
        """
        Bayes Theorem Application: P(H|E) = P(H) * P(E|H) / P(E)
        evidence: String name of the evidence observed (a label only; not used in the arithmetic)
        likelihoods: Dictionary of {Hypothesis: Probability_of_Evidence}
        """
        for hypo in self.hypotheses:
            # 1. Get the Prior P(H)
            prior = self.hypotheses[hypo]
            # 2. Get the Likelihood P(E|H)
            # "If this hypothesis were true, how likely is this evidence?"
            likelihood = likelihoods[hypo]
            # 3. Calculate Un-normalized Posterior
            self.hypotheses[hypo] = prior * likelihood
        # 4. Normalize (dividing by P(E))
        self.normalize()


# --- USE CASE: INCIDENT RESPONSE ---
# Scenario: We see a failed login. Is it a Brute Force Attack or just a User Mistake?

# 1. ESTABLISH PRIORS (Baseline probability)
# We assume Brute Force attacks are rare (10%) compared to User Mistakes (90%)
priors = {'Brute_Force': 0.1, 'User_Mistake': 0.9}
risk_model = RiskHypothesis(priors)
print("--- PRIOR BELIEFS ---")
print(risk_model.hypotheses)

# 2. NEW EVIDENCE: 5 Failed Logins in 1 Minute
# Likelihood P(E|H):
# - If it IS a Brute Force attack, 5 fails in 1 min is very likely (90%)
# - If it IS a User Mistake, 5 fails in 1 min is rare (5%)
evidence_likelihoods = {
    'Brute_Force': 0.90,
    'User_Mistake': 0.05
}

# 3. UPDATE BELIEFS
risk_model.update(evidence="5_fails_1_min", likelihoods=evidence_likelihoods)
print("\n--- POSTERIOR BELIEFS (After Evidence) ---")
for hypo, prob in risk_model.hypotheses.items():
    print(f"{hypo}: {prob:.2%}")
# Result: The probability of 'Brute_Force' will jump significantly
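The script above applies a single update. As an added example (my own code, not Downey's and not part of the script above), the following runs the same diachronic update repeatedly over a stream of constructed log lines, so the posterior moves with each observation and the normalising constant P(D) is made explicit; the log format, event types and likelihood tables are all illustrative assumptions.

```python
# Added example: sequential (diachronic) Bayes over a stream of log events.
# Likelihood tables and log lines are constructed, not measured values.

PRIORS = {'Brute_Force': 0.10, 'User_Mistake': 0.90}

# P(event | hypothesis) for each event type we can recognise in the logs.
LIKELIHOODS = {
    'burst_5_fails_1min': {'Brute_Force': 0.90, 'User_Mistake': 0.05},
    'new_source_ip':      {'Brute_Force': 0.70, 'User_Mistake': 0.20},
    'login_success':      {'Brute_Force': 0.30, 'User_Mistake': 0.60},
}

# Constructed log lines in a made-up 'auth <result> key=value ...' format.
LOG = [
    'auth fail user=alice src=10.0.0.5 count=5 window=60s',
    'auth fail user=alice src=203.0.113.9 note=new_source',
    'auth ok user=alice src=203.0.113.9',
]

def bayes_update(prior, likelihood):
    """One step of P(H|D) = P(H) P(D|H) / P(D). Returns (posterior, P(D))."""
    unnorm = {h: prior[h] * likelihood[h] for h in prior}
    p_data = sum(unnorm.values())  # P(D): the normalising constant
    if p_data == 0:
        raise ValueError('evidence is impossible under every hypothesis')
    return {h: v / p_data for h, v in unnorm.items()}, p_data

def event_type(line):
    """Map one log line to an event type, or None if it carries no evidence."""
    fields = dict(kv.split('=', 1) for kv in line.split()[2:])
    if line.startswith('auth fail') and int(fields.get('count', 1)) >= 5:
        return 'burst_5_fails_1min'
    if fields.get('note') == 'new_source':
        return 'new_source_ip'
    if line.startswith('auth ok'):
        return 'login_success'
    return None

def posterior_trace(lines, prior=PRIORS):
    """Apply each recognised event in order; return [(event, P(Brute_Force)), ...]."""
    belief = dict(prior)
    trace = []
    for line in lines:
        ev = event_type(line)
        if ev is None:
            continue
        belief, _ = bayes_update(belief, LIKELIHOODS[ev])
        trace.append((ev, round(belief['Brute_Force'], 4)))
    return trace
```

Calling `posterior_trace(LOG)` returns the posterior for Brute_Force after each event, showing it rise on the burst and the new source and then ease back on the successful login.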

References: