Paper is devoted to the development of a method for analyzing changes in information system's protection level from social engineering attacks aimed at users of such system, in the event of users of information system changing (dismissal / skills development). The approach is based on a change in the degree of the user's vulnerabilities and corresponding recalculation of the success rates of the malefactor's social engineering attack influences on the information system's user and the overall level of security of the information system. In addition, possible losses of company's productivity are also considered, in case of the user's termination. This approach allows to determine the optimal structure of the user's social graph on the basis of changing information security level and in terms of changing the productivity level of office work in the company in case of users' dismissal or skills development.
In the modern world, digital technologies are being introduced everywhere. So, terms digital economy, digital industry, digital government have been appeared, even modern hospitals switch to electronic document circulation, allowing their patients to get access to their medical cards and even some types of services on-line. Such widespread introduction of digital technologies leads to a tremendous increase in the requirements for personal data of users’ protection. The same trends are observed in the corporate environment. The value of corporate data, which is largely composed of personal data, is also of a great value. Such challenges pose serious tasks for experts in information security. More and more advanced methods of data protection are being developed [8–10, 12, 13]. But often users of information systems, which are a potential source of information leakage, remain without due attention [11]. Causes of leakage can be both insider attacks, and the impact on users from outside, the purpose of which is to obtain confidential data. Such impacts can be combined by the term social engineering attack of the malefactor, and the individual impact is a malefactor’s social engineering attack action.
It is necessary to learn how to protect information from attacks of this kind (i.e. from socioengineering attacks). Besides, it is necessary to find out how to estimate the degree of protection (or security level) of the personnel of information systems against socio-engineering attacks. This kind of attacks aims at users of information systems as the main way for intrusion or attack propagation. That is why it is necessary to predict and measure user's vulnerabilities, and also to build the summary, aggregated indicators of the whole personnel security.
These indicators can serve as indices for estimating the degree of user's vulnerabilities implication as the response on the malefactor's attack activities (attacking action in the elementary case; series of attack actions — in more general case; set of attacks, which the malefactor can act due to his qualification and available resources — in the most general case). It is also possible to take into account actions that are made by the user in response to the malefactor's attack actions and the probability of these responses. What is more, if we know the probability of successful attack realization and criticality level of information resource, we will be able to estimate an expected damage.
Paper is devoted to the development of a method for analyzing changes in information system’s protection level from social engineering attacks aimed at users of such system, in the event of users of information system changing (dismissal / skills development). The approach is based on a change in the degree of the user’s vulnerabilities and corresponding recalculation of the success rates of the malefactor’s social engineering attack influences on the information system’s user and the overall level of security of the information system. In addition, possible losses of company’s productivity are also considered, in case of the user’s termination. This approach allows to determine the optimal structure of the user’s social graph on the basis of changing information security level and in terms of changing the productivity level of office work in the company in case of users’ dismissal or skills development.
Paper considers models previously proposed in [1-3]. The overall complex consists of a variety of models of the information system, including, in particular, the user’s model, the document’s model, the system’s structure model, the malefactor’s model, models of user’s social graph. In more detail, let's look at the user model, the parameters of which are user’s access to certain critical documents, the level of access to these documents, the relationships between users and user’s vulnerabilities profile. Based on the data on relationships between users, a user’s social graph with loaded bidirectional arcs and loaded vertices can be constructed. The weights of arcs are the probabilities of a user-to-user transition, based on the type of user relationships, it is obvious that the weights of user 1 to users 2 and user 2 to user 1 links are different. The weight of each vertex is the total probability of the malefactor’s social engineering attack impact on an information system’s user success, built on the strength of the severity of the user's vulnerabilities [13].
In the user’s model that has been outlined earlier, we also add a skill module, which can be represented in the form S S1, S1(v) ,..., Sn , Sn (v) , where each Si — is a user’s skill which may be useful in user’s routine, and Si (v) —the degree of user’s possession of Si skill.
Based on the user’s vulnerabilities profile, which is a part of user’s model, the full probability of malefactor’s social engineering attack impact on the user can be constructed. Then users with minimal security ratings are selected among all users of the information system. After that, the overall information system’s protection level is assessed.
In this paper, we estimate the change in the overall information system’s protection level when following one of two strategies Firing an employee and replacing him with a new employee; Training the employee, improving his skills with a corresponding increase in his protection level.
It is obvious that replacing an employee with a new one with a comparable level of vulnerability leads to an increase in the overall level of security (at least initially): the new employee has weaker communications, so the spread of the attack through him is characterized with less probabilities. But such a decision may be unprofitable in accordance with other criteria of the organization's activities. Even assuming that 1) the level of protection of the new employee is at least not lower than that of the person whom he replaces (it can be estimated in advance, before employment, based on assessments of psychological features followed by modeling user's vulnerabilities profile); 2) the new employee has the necessary skills to work (the evaluation of the competencies and skills of the employee can be carried out through professional testing or other assessments of the new employee's professional skills), it will be necessary to take into account that the employee will need time to get acquainted with the activities of the organization and the department, which will reduce its effectiveness. Moreover, weak links with other members of the team, as numerous studies shows, affect both the work of the corporate team as a whole and the effectiveness of this particular employee [6]. In particular, the metaanalysis carried out in [7] shows that the success of the employee is interrelated with his position in the social network of the organization and the number of links.
Therefore, in order to better assess the impact of a decision, it is necessary to take into account both changes in the evaluation of security, and changes in the overall effectiveness of the corporate team.
In this research a numerical experiment has been carried out as follows. Firstly, when simulating the replacement of an employee with a new one, it is necessary to make changes in the security indicators, the weight of the arcs that connect the replaced user to the rest of the user’s social graph, while the number of arcs remains unchanged. For simplicity, we choose weights for each arc randomly from a uniform distribution on the interval 0, ai , where ai is the weight of the corresponding arc of the previous employee. In general, the algorithm for choosing weights can be based on the minimum, average or maximum weight of arcs already contained in the user’s social graph.
Secondly, we calculate the generalized skill of the corporate team on the basis of the individual skills of its members. Some studies show that it is better to use simple metrics for aggregating the team's skills - average, median, minimum (i.e. weakest score), maximum (in situations where at least one participant is able to perform the task), swing, etc. [4, 5]. However, in our research it is more reasonable to estimate the generalized skill of the corporate team, taking into account the strength of the connections between the participants [4]. We will calculate the overall skill of the corporate team as a weighted average of individual skills, where the weighed in-degree of the vertexes user’s social graph will be used as weights.
Thirdly, we assume that training an employee reduces its vulnerability by bi %, where bi is chosen randomly from a uniform distribution on the interval [0, 100].
Comparing the significance of changes in the overall information system’s protection level and changes in the level of the company's ability to perform its functionality, it may be decided either to replace this employee with a new one or train an employee with minimal security assessments. After the formation of such assessments and the adoption of appropriate decisions, the analysis of the graph can be continued until the analyzed employee becomes either an employee previously analyzed or a new employee, who was added to the corporate infrastructure in the previous steps of analysis. Then, a new evaluation of the security of the entire information system can be obtained with the new parameters of the employees.
In this paper the following user’s social graph will be consider to evaluate numerical experiment and analyze the information system’s user’s security:
Probabilistic estimates of the vertices and arcs weights of a given graph can be represented in the form of a matrix P , which can be implemented as follows: 0.43, 0.65, 0.15, 0.60, 0.17, 0.87, 0.80, 0.01, 0.29, 0.07 .
The probability of failure of such information system in case of malefactor’s social engineering attack is 0.9872, due to the fact that the individual vulnerabilities of its users are very high (for example, a U6 user has vulnerability 0.7). The aggregated team skill score is 0.98. Firstly, user U6 and his influence on the informational systems’ protection level should be analyzed.
The results of the different effects of training are shown in figure 2 For example, if the degree of vulnerability is reduced by 25%, the total probability of failure of such information system in case of malefactor’s social engineering attack is will be 0.9797.
At the same time, the generalized skill of the corporate team will not change.
Let the probability of malefactor’s social engineering attack impact on the new user success will be 0.3, and skill will be 0.8 (similar to the skill of the previous employee). The strength of social connections between new user and other users is determined randomly according to the algorithm described in the previous section. We will repeat the procedure with the appointment of weights, calculations of security and aggregated skill 50 times. The average indicators then will be the following: the total probability of failure of such information system in case of malefactor’s social engineering attack is 0.9701, and the generalized skill of corporate team is 0.90. In figure 3 the changes in the generalized skill of corporate team with different skills of the new user is presented.
Let’s consider consistent replacement of all users, aggregated team skills change and the total probability of failure of such information system in case of malefactor’s social engineering attack. For modeling, we assume that the new user has the same skill level as the one he replaces. Users will be replaced in order of decreasing initial vulnerability indicators, i.e. U6 U7 U8 U4 U9 U3 U10 U2 U1 U5 .
The averages of 50 iterations are shown in figure 4. As we can see on this figure, when the user U10 is replaced, the common skill of corporate team falls sharply, even considering that we assume that the individual skills do not change during the replacement, while the total probability of failure of such information system in case of malefactor’s social engineering attack decreases more slowly.
Changes in aggregated team skills and the total probability of failure of such information system in case of malefactor’s social engineering attack while modeling training of all users are shown in figure 5. The common skill of corporate team stays at the same level, while total probability of failure of such information system in case of malefactor’s social engineering attack decreases slowly.
Paper considers method for analyzing changes in information system’s protection level from social engineering attacks aimed at users of such system, in the event of users of information system changing (dismissal / skills development). The approach is based on a change in the degree of the user’s vulnerabilities and corresponding recalculation of the success rates of the malefactor’s social engineering attack influences on the information system’s user and the overall level of security of the information system. In addition, possible losses of company’s productivity are also considered, in case of the user’s termination. This approach allows to determine the optimal structure of the user’s social graph on the basis of changing information security level and in terms of changing the productivity level of office work in the company in case of users’ dismissal or skills development. Paper also presents a numerical experiment.
Further development of this research is assumed as the calculation of not only changes in the level of common skill of corporate team, but also an assessment of the economic effects that will be received by the company in case of training new employees and additional training of old employees.