Paving Ontological Foundation for Social Engineering Analysis

  • Tong Li
  • Yeming Ni
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11483)


System security analysis has focused on technology-based attacks while paying less attention to social perspectives. As a result, social engineering is becoming an increasingly serious threat to socio-technical systems, in which humans play important roles. However, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, which hinders the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering, with the purpose of promoting the rapid development of this field. In particular, we first review and compare existing social engineering taxonomies in order to summarize the core concepts and boundaries of social engineering, and to identify the corresponding research challenges. We then define a comprehensive social engineering ontology that embeds extensive knowledge from psychology and sociology, providing a full picture of social engineering. The ontology is built on top of existing security ontologies so that social engineering analysis aligns with typical security analysis as closely as possible. By formalizing this ontology in Description Logic, we provide unambiguous definitions for the core concepts of social engineering, which serve as a fundamental terminology to facilitate research within this field. Finally, we evaluate our ontology against a collection of existing social engineering attacks; the results indicate that the ontology has good expressiveness.


Keywords: Social engineering, Ontology, Psychology, Attacks



This work is supported by the National Key R&D Program of China (No. 2018YFB0804703, 2017YFC0803307), the National Natural Science Foundation of China (No. 91546111, 91646201), the International Research Cooperation Seed Fund of Beijing University of Technology (No. 2018B2), and the Basic Research Funding of Beijing University of Technology (No. 040000546318516).



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Beijing University of Technology, Beijing, China