Administrative Consulting

Psychological Aspects of the Organization's Information Security in the Context of Socio-engineering Attacks

https://doi.org/10.22394/1726-1139-2022-2-123-138

Abstract

The purpose of this review article is to identify approaches to solving the existing problems in accounting for the psychological aspects of an organization's information security in the context of socio-engineering attacks, based on an analysis and systematization of the sources on this topic.

Methods. Two complementary directions were chosen to achieve this goal. The first involved studying selected specialized journals. Within the second, the representation of this problem in the Scopus database over the last 20 years was analyzed.

Results. The psychological aspects of the key elements of a socio-engineering attack are analyzed: the attacker's knowledge and skills, the organizational conditions, the characteristics of the employee who is part of automated information systems, and the directions of training and prevention. A model of a socio-engineering attack that takes psychological aspects into account is proposed.

Conclusions. The study showed that the approaches developed to date are sufficient to serve as the basis for revising an organization's HR processes. Without involving HR departments in changing HR processes in line with information security policies, the problem of socio-engineering attacks cannot be solved. The results of this study will be of interest to specialists in personnel management, staff training, information security, information technology, and artificial intelligence, as well as to managers, business owners, and heads of state and municipal bodies.

About the author

T. V. Tulupieva
Russian Presidential Academy of National Economy and Public Administration (North-West Institute of Management, RANEPA)
Russia

Tatiana Valentinovna Tulupieva, Associate Professor of the Faculty of State and Municipal Administration, Candidate of Psychological Sciences, Associate Professor

Saint Petersburg





For citation:


Tulupieva T.V. Psychological Aspects of the Organization’s Information Security in the Context of Socio-engineering Attacks. Administrative Consulting. 2022;(2):123-128. (In Russ.) https://doi.org/10.22394/1726-1139-2022-2-123-138



ISSN 1726-1139 (Print)
ISSN 1816-8590 (Online)