Eliciting Expert Panel Perspective on Personal Information Exposure to Social Engineering

Abstract:

Research continues to warn of an increase in publicly available personal information, often attributed to social media, Website customization, online surveys, self-tracking via fitness and smartphones, as well as a plethora of other venues. Data breaches provide an additional source of personal information via public disclosure, Website distribution, and underground hacker markets. Publicly available personal information often facilitates the success of social engineering attacks on organizations, but little is known about its availability, composition, or the level of exposure it represents.

Until now, a measure of exposure to social engineering due to publicly available personal information has been relatively unexplored. To address this exposure, feedback was elicited from an expert panel via the Delphi method on the weights and groupings of candidate components of personal information, in order to develop a Social Engineering eXposure Index (SEXI) benchmarking instrument. A review of privacy research in the legal, information systems, marketing, psychology, and social engineering domains produced viable candidate components of personal information. Instrument items suggested and described by experts in leading journal articles, federal legislation, and industry standards were consolidated and presented to a panel of experts, who were asked to identify the level of exposure of each item in and of itself. The panel's feedback provided weights and categorized the items as personal information that does not identify an individual (PUI), has the potential to identify an individual (PII), or will distinguish an individual (PDI).

This talk will provide an overview of personal information composition and categorization and present the novel SEXI benchmarking instrument. It will also outline the necessity of having three levels of privacy information categorization as well as a measurement of exposure to social engineering.

Additional Details:

Author(s): W. Shawn Wilkerson, Yair Levy
Type: submission
Where: Black Hat USA 2018
Year:
WordCount: 1039
Keywords: exposure, personal information, social engineering

Links:

Link
https://www.researchgate.net/publication/325487305_Eliciting_Expert_Panel_Perspective_on_Personal_Information_Exposure_to_Social_Engineering_Presentation_Outline?_sg=BTJbmh-AwqiwKQMlVhRZT18FmlRQSKTGThO0JJtAN0mpKlkwbrltK_cCWI8uyckKlMqTBGFstq6YX4vQVRooJ8trAx0rpGzVFH2cYJPQ.JAvxmuJZ-kUhI7o6uCAGWRZqkBUeXlnZ-0MZx0roXqyMG24yCN4VlsiO3vBNs-z8YTgK9_pn4O5FrAvBixFktA
