Abstract

While many cyber security organizations urge the corporate world to use defence-in-depth to create vigilant network perimeters, the human factor is often overlooked. Security evaluation frameworks focus mostly on critical assets of an organization and technical aspects of prevailing risks. There is consequently no specific framework to identify, categorize, analyse and mitigate social engineering related risks. This paper identifies the requirement for such a framework through an in-depth investigation of an actual organization and extensive analysis of existing methodologies. On the basis of this a layered defence strategy SERA is developed, starting with the basic building blocks for social-engineering aware risk analysis. A chronological attack classification framework is presented as an enhancement of existing frameworks on social engineering.