The Art of Deception is about gaining someone's trust by lying to them and then abusing that trust for fun and profit. Hackers use the euphemism "social engineering", and hacker-guru Kevin Mitnick examines many example scenarios.

After Mitnick's first dozen examples, anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.

Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering is computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.

Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk
Cited By
- Patterson L, Welch I, Ng B and Chard S Investigating Cybersecurity Risks and the Responses of Home Workers in Aotearoa New Zealand Proceedings of the 35th Australian Computer-Human Interaction Conference, (99-107)
- Tian C, Jensen M and Durcikova A (2023). Phishing susceptibility across industries, Computers and Security, 135:C, Online publication date: 1-Dec-2023.
- Frauenstein E, Flowerday S, Mishi S and Warkentin M (2023). Unraveling the behavioral influence of social media on phishing susceptibility, Information and Management, 60:7, Online publication date: 1-Nov-2023.
- Zieglmeier V, Loyola Daiqui G and Pretschner A (2023). Decentralized Inverse Transparency with Blockchain, Distributed Ledger Technologies: Research and Practice, 2:3, (1-28), Online publication date: 30-Sep-2023.
- Bera D, Ogbanufe O and Kim D (2023). Towards a thematic dimensional framework of online fraud, Decision Support Systems, 171:C, Online publication date: 1-Aug-2023.
- Bendler D and Felderer M (2022). Competency Models for Information Security and Cybersecurity Professionals: Analysis of Existing Work and a New Model, ACM Transactions on Computing Education, 23:2, (1-33), Online publication date: 30-Jun-2023.
- Rao S, Chen H and Aura T (2023). Threat modeling framework for mobile communication systems, Computers and Security, 125:C, Online publication date: 1-Feb-2023.
- Yoo J and Cho Y (2022). ICSA, Expert Systems with Applications: An International Journal, 207:C, Online publication date: 30-Nov-2022.
- Zieglmeier V and Loyola Daiqui G GDPR-Compliant Use of Blockchain for Secure Usage Logs Proceedings of the 25th International Conference on Evaluation and Assessment in Software Engineering, (313-320)
- AlKilani H and Qusef A OSINT Techniques Integration with Risk Assessment ISO/IEC 27001 International Conference on Data Science, E-learning and Information Systems 2021, (82-86)
- Lin C and Luo X (2021). Toward a Unified View of Dynamic Information Security Behaviors, ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 52:1, (65-90), Online publication date: 22-Jan-2021.
- Weber K, Schütz A, Fertig T and Müller N Exploiting the Human Factor: Social Engineering Attacks on Cryptocurrency Users Learning and Collaboration Technologies. Human and Technology Ecosystems, (650-668)
- Van Der Heijden A and Allodi L Cognitive triaging of phishing attacks Proceedings of the 28th USENIX Conference on Security Symposium, (1309-1326)
- Fertig T, Schütz A, Weber K and Müller N Measuring the Impact of E-Learning Platforms on Information Security Awareness Learning and Collaboration Technologies. Designing Learning Experiences, (26-37)
- Addae J, Sun X, Towey D and Radenkovic M (2019). Exploring user behavioral data for adaptive cybersecurity, User Modeling and User-Adapted Interaction, 29:3, (701-750), Online publication date: 1-Jul-2019.
- Ghafir I, Saleem J, Hammoudeh M, Faour H, Prenosil V, Jaf S, Jabbar S and Baker T (2018). Security threats to critical infrastructure: the human factor, The Journal of Supercomputing, 74:10, (4986-5002), Online publication date: 1-Oct-2018.
- Postnikoff B and Goldberg I Robot Social Engineering Companion of the 2018 ACM/IEEE International Conference on Human-Robot Interaction, (313-314)
- Ho S, Hancock J and Booth C (2017). Ethical dilemma, Journal of the Association for Information Science and Technology, 68:12, (2729-2742), Online publication date: 8-Nov-2017.
- Oliveira D, Rocha H, Yang H, Ellis D, Dommaraju S, Muradoglu M, Weir D, Soliman A, Lin T and Ebner N Dissecting Spear Phishing Emails for Older vs Young Adults Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, (6412-6424)
- Happ C, Melzer A and Steffgen G (2016). Trick with treat – Reciprocity increases the willingness to communicate personal data, Computers in Human Behavior, 61:C, (372-377), Online publication date: 1-Aug-2016.
- Arachchilage N, Love S and Beznosov K (2016). Phishing threat avoidance behaviour, Computers in Human Behavior, 60:C, (185-197), Online publication date: 1-Jul-2016.
- Mouton F, Leenen L and Venter H (2016). Social engineering attack examples, templates and scenarios, Computers and Security, 59:C, (186-209), Online publication date: 1-Jun-2016.
- Rocha Flores W and Ekstedt M (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness, Computers and Security, 59:C, (26-44), Online publication date: 1-Jun-2016.
- Mouton F, Malan M, Kimppa K and Venter H (2015). Necessity for ethics in social engineering research, Computers and Security, 55:C, (114-127), Online publication date: 1-Nov-2015.
- Cavusoglu H, Cavusoglu H, Son J and Benbasat I (2015). Institutional pressures in security management, Information and Management, 52:4, (385-400), Online publication date: 1-Jun-2015.
- Han D, Dai Y, Han T and Dai X (2015). Explore awareness of information security, Computational Intelligence and Neuroscience, 2015, (11-11), Online publication date: 1-Jan-2015.
- Arachchilage N and Love S (2014). Security awareness of computer users, Computers in Human Behavior, 38, (304-312), Online publication date: 1-Sep-2014.
- Heimo O, Kimppa K, Helle S, Korkalainen T and Lehtonen T Augmented reality Proceedings of the IEEE 2014 International Symposium on Ethics in Engineering, Science, and Technology, (1-7)
- Braun B, Johns M, Koestler J and Posegga J PhishSafe Proceedings of the 4th ACM conference on Data and application security and privacy, (61-72)
- Krombholz K, Hobel H, Huber M and Weippl E Social engineering attacks on the knowledge worker Proceedings of the 6th International Conference on Security of Information and Networks, (28-35)
- LeClair J, Abraham S and Shih L An Interdisciplinary Approach to Educating an Effective Cyber Security Workforce Proceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference, (71-78)
- Emms M, Arief B and Moorsel A Electronic Footprints in the Sand Revised Selected Papers of the First Annual Privacy Forum on Privacy Technologies and Policy - Volume 8319, (203-214)
- Biddle R, Chiasson S and Van Oorschot P (2012). Graphical passwords, ACM Computing Surveys, 44:4, (1-41), Online publication date: 1-Aug-2012.
- Irani D, Balduzzi M, Balzarotti D, Kirda E and Pu C Reverse social engineering attacks in online social networks Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment, (55-74)
- Luo X, Brody R, Seazzu A and Burd S (2011). Social Engineering, Information Resources Management Journal, 24:3, (1-8), Online publication date: 1-Jul-2011.
- Dimkov T, Pieters W and Hartel P Training students to steal Proceedings of the 42nd ACM technical symposium on Computer science education, (21-26)
- Stajano F and Wilson P (2011). Understanding scam victims, Communications of the ACM, 54:3, (70-75), Online publication date: 1-Mar-2011.
- Sanders B, Chen V, Zahra D, Dowland P, Atkinson S, Papadaki M and Furnell S Online addiction Proceedings of the International Conference on Management of Emergent Digital EcoSystems, (114-121)
- Chatmon C, Chi H and Davis W Active learning approaches to teaching information assurance 2010 Information Security Curriculum Development Conference, (1-7)
- Raskin V, Taylor J and Hempelmann C Ontological semantic technology for detecting insider threat and social engineering Proceedings of the 2010 New Security Paradigms Workshop, (115-128)
- Androulidakis I (2009). On the importance of securing telephony systems, WSEAS TRANSACTIONS on COMMUNICATIONS, 8:1, (102-111), Online publication date: 1-Jan-2009.
- Singh A, Liu L and Ahamad M (2008). Privacy analysis and enhancements for data sharing in *nix systems, International Journal of Information and Computer Security, 2:4, (376-410), Online publication date: 1-Jan-2009.
- Palmer A (2008). Criteria to evaluate Automated Personal Identification Mechanisms, Computers and Security, 27:7-8, (260-284), Online publication date: 1-Dec-2008.
- Androulidakis I, Christou V, Karametis A and Papanikolaou C Modern telephony threats & countermeasures Proceedings of the 12th WSEAS international conference on Communications, (106-109)
- Eusgeld I References Dependability metrics, (267-300)
- Brainard J, Juels A, Rivest R, Szydlo M and Yung M Fourth-factor authentication Proceedings of the 13th ACM conference on Computer and communications security, (168-178)
- Ma X, Pang H and Tan K (2006). Masking page reference patterns in encryption databases on untrusted storage, Data & Knowledge Engineering, 58:3, (466-483), Online publication date: 1-Sep-2006.
- Tari F, Ozok A and Holden S A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords Proceedings of the second symposium on Usable privacy and security, (56-66)
- Glisson W, McDonald A and Welland R Web engineering security Proceedings of the 6th international conference on Web engineering, (257-264)
- Gross R and Acquisti A Information revelation and privacy in online social networks Proceedings of the 2005 ACM workshop on Privacy in the electronic society, (71-80)
- Nolan J and Levesque M (2005). Hacking human, ACM SIGGROUP Bulletin, 25:2, (33-37), Online publication date: 1-Feb-2005.
- Thornburgh T Social engineering Proceedings of the 1st annual conference on Information security curriculum development, (133-135)
- Flinn S and Stoyles S Omnivore Proceedings of the 2004 workshop on New security paradigms, (97-105)
- Flechais I, Sasse M and Hailes S Bringing security home Proceedings of the 2003 workshop on New security paradigms, (49-57)
Index Terms
- The Art of Deception: Controlling the Human Element of Security