Title: A Serious Game for Eliciting Social Engineering Security Requirements
Abstract
Social engineering is the acquisition of information about computer systems by methods that deeply include nontechnical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Year: 2016
DOI: 10.1109/RE.2016.39
Venue: 2016 IEEE 24th International Requirements Engineering Conference (RE)
Keywords: security requirements elicitation, requirements prioritisation, threat analysis, gamification
Field: Attack patterns, Security through obscurity, Computer science, Computer security, Security engineering, Social engineering (security), Software system, Exploit, Requirements elicitation, Vulnerability
DocType: Conference
ISSN: 2332-6441
ISBN: 978-1-5090-4122-0
Citations: 5
PageRank: 0.59
References: 0
Authors: 2
Name, Order, Citations, PageRank
Kristian Beckers116431.93
Sebastian Pape21710.95