Keywords: social engineering, critical infrastructures, pattern recognition, system archetypes, system dynamics, information security, attacks, multilayered defence, critical information infrastructures
Conceptualising social engineering attacks through system archetypes
At the highest abstraction level, an attempt by a social engineer to exploit a victim organisation either attempts to achieve some specific target (denial of service, steal an asset, tap some particular information) or it wishes to maximise an outcome, such as to disable the organisation by a terrorist attack or establish a permanent parasitic relationship (long-term espionage). Seen as dynamic processes, the first kind of exploit is a controlling ('balancing') feedback loop, while the second kind is a reinforcing feedback loop. Each type of exploit meets a first line of defence in control processes or in escalating ('reinforcing') processes of resistance. The possible combinations of the two modes of attack and the two modes of defence yield four archetypes of exploit and natural defence. Predictably, the social engineer would seek to outsmart the first line of defence; it is shown that each archetype implies a particular strategy to do so. Anticipation of these modes of attack must be the starting point for an effective multilayered defence against social engineering attacks.