A Serious Game on Social Engineering
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap.
Traditional penetration testing approaches often focus on vulnerabilities in network or software systems.
Few approaches even consider the exploitation of humans via social engineering. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks by employees remains low.
We propose to use a card game that all employees of a company can play to understand the threat and its countermeasures. The game considers the individual context of a company and presents underlying principles of
human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of students and professionals from industry.
Currently work by Kristian Beckers and Sebastian Pape is under submission/review.