Dates: April 2020 – March 2021

Lead researchers: Justin Hempson-Jones (Social Machines), Dr Adam Harvey, University of the West of England.

Overview: Attacks that take advantage of human operator behaviour to compromise cyber security are often described as socially engineered cyber-attacks. For example, these include phishing (using email or voice-over-internet-protocol channels) in order to prompt users to divulge information or perform another compromising behaviour; social network exploitation; waterholing – where victims are lured to compromised websites and exploited, and baiting (leaving compromised material to lure individuals into compromising systems).

This research is exploring what types of training will best protect users against different types of attack. Evidence assessed through a systematic review will be used to modify social engineering taxonomies to map our best current understandings of what works, where, how and why. This will be pulled through to create a ‘proof of concept’: a set of fictional but practical use cases demonstrating how the taxonomy can be used to generate practical training packages for users.

Policy implications: The work aims to support a more robust foundation for cyber protection training that will help organisations better to better optimise cyber security behaviours and cyber risk decision making amongst employees. It will create a foundation for cyber security training in order to encourage take-up of training solutions based on a robust, evidence-based approach to gamified training in this area.

Find out more:

Methods: Systematic literature review, taxonomy development and illustrated proof of concept

Funders: RISCS, NCSC

External collaborators:

Follow on work: Project still underway.