You are here: Home Contents V7 N2 V7N2_Nohlberg.html
Personal tools

A Conceptual Model of Social Engineering



Full text

Journal of Information System Security
Volume 7, Number 2 (2011)
Pages 313
ISSN 1551-0123
Marcus Nohlberg — University of Skövde, Sweden
Benkt Wangler — University of Skövde, Sweden
Stewart Kowalski — Stockholm University, Sweden
Information Institute Publishing, Washington DC, USA




Social engineering is a term used for techniques to trick, or con, users into giving out information to someone that should not have it. In this paper we discuss and model various notions related to social engineering. By using a broad, cross disciplinary approach, we present a conceptual model of the different kinds of social engineering attacks, and their preparation, the victim and the perpetrator, as well as the cultural aspects. By using this approach a better general understanding of social engineering can be reached. The model is also a good tool for teaching about and protecting against social engineering attacks.




Social Engineering, Information Security, Conceptual Model, Phishing




Adams A. & Sasse M. (1999). Users are not the Enemy: Why users compromise computer security mechanisms and how to take remedial measures, Communications of the ACM, 42(12): 40-46.

Barret, N. (2003). Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report. 8(4): 56–64.

Brostoff S., Sasse A. & Weirich D. (2002). Transforming the ”weakest link”: A Human-computer Interaction Approach to Usable and Effective Security, BT Technology Journal 19(3): 122-131.

Cialdini, R. (1993). Influence: the psychology of persuasion. New York, USA: Quill.

Dalrymple, M. (2005). Auditors Find IRS Workers Prone to Hackers. [Online]. AP. Available from:, 10 Feb 2010.

DeMelo, D. (2007). Sutherland's Differential Association. [Online]. Available from:, 10 Feb 2010.

Ferrell, J. (1995). Culture, Crime, and Cultural Criminology. Journal of Criminal Justice and Popular Culture, 3(2): 25-42.

Gragg, D. (2002). A Multi-Level Defense Against Social Engineering [Online]. SANS Institute. Available from:, 20 Nov 2008.

Granger, S. (2001). Social Engineering Fundamentals [Online]. Security Focus. Available from:, 10 Feb 2010.

Gulati, R. (2003). The Threat of Social Engineering and Your Defense Against I t [Online]. SANS Institute. Available from:, 20 Nov 2008.

Gupta, A. (2002). The Art of Social Engineering [Online]. InformIT. Available from:, 10 Feb 2010.

Hansell, S. (2004). Organized crime may be behind Phishing. [Online]. New York Times. Available from:, 10 Feb 2010.

Hasle, H., Kristiansen, Y., Kintel, K. & Snekkenes, E. (2005). Measuring Resistance to Social Engineering. In Information Security Practice and Experience: First International Conference, ISPEC 2005, Singapore, April 11-14 (2005), vol. 3439 of Lecture Notes in Computer Science, Springer: 132-143.

Inglehart, R. (2006) Inglehart-Welzel Cultural Map of the World. [Online] . World Value Survey. Available from: http: //, 10 Feb 2010.

ISO/IEC (1999). Information Technology Security Techniques: Evaluation Criteria for IT Security, Parts 1 – 3 (No. 15408-1:1999). Geneva, ISO/IEC.

Jakobsson, M. (2005). Modeling and Preventing Phishing Attacks. [Online]. School of Informatics & Dept. of Computer Science, Indiana University. Available from:, 10 Feb 2010.

Jones, C. (2003). Social Engineering: Understanding and Auditing [Online]. SANS Institute. Available from:, 10 Feb 2010.

Krebs, B. (2005). Paris Hilton Hack Started With Old-Fashioned Con [Online]. Washington Post. Available from:, 10 Feb 2010.

Kowalski, S. (1994). IT Insecurity: A Multi-disciplinary Inquiry. PhD Thesis, Department of Computer and Systems Sciences, University of Stockholm and Royal Institute of Technology, Stockholm, Sweden.

Mitnick, K. & Simon, W. (2002). The Art of deception: Controlling the Human Element of Security. Indianapolis, USA: Wiley Publishing, Inc.

Nohlberg, M. (2005) Social Engineering Audits Using Anonymous Surveys – Conning the Users in Order to Know if They Can Be Conned. In CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30–31 March 2005.

Nohlberg, M. (2008) Why Humans Are The Weakest Link, in Gupta, M. and Sharman, R. Social and Human Elements in Information Security: Emerging Trends and Countermeasures, IGI Global, Hershey, USA

Nohlberg, M., Kowalski, S. (2008) The cycle of deception - a model of social engineering attacks, defenses and victims. In Proceedings of HAISA 2008.

Nohlberg, M. (2009). Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks. PhD Thesis, Department of Computer and Systems Sciences, University of Stockholm and Royal Institute of Technology, Stockholm, Sweden.

O’Brien, T. (2005). Gone Spear-Phishin'. [Online]. The New York Times. Available from:, 10 Feb 2010.

Ollmann, G. (2004). The Phishing Guide [Online]. Next Generation Security Software Ltd. Available from:, 10 Feb 2010.

Orgill, G., Romney, G., Bailey, M., Orgill, P. (2004) The Urgency for Effective User Privacy-education to Counter Social Engineering Attacks on Secure Computer Systems, In Proceedings of SIGITE Conference'2004: 177-181.

Pfleeger, C. & Pfleeger, S. (2003). Security in Computing (3rd ed). Upper Saddle River, USA: Prentice Hall.

Rogers, M. (2000). A New Hacker Taxonomy [Online]. University of Manitoba. Available from, 10 Feb 2010.

Trend Micro (2005). Hook, Line and Sinker [Online]. Trend Micro. Available from:, 20 Nov 2008.

Wagner, M. (2004) Will Trade Passwords For Chocolate. [Online]. Security Pipeline. Available from:, 2 Mar 2006.

Wilson, T. (2007). Eight Faces of a Hacker. [Online]. Darkreading. Available from:, 10 Feb 2010.

Winkler, I. & Dealt, B. (1995). Information Security Technology? … Don’t rely on it A case Study in Social Engineering. [Online]. Proceedings of the Fifth USENIX UNIX Security Symposium. Available at:, 10 Feb 2010.