Behaviour & Information Technology
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/tbit20

Accepted author version posted online: 07 Jan 2013. Published online: 25 Feb 2013.

To cite this article: Pekka Tetri & Jukka Vuorinen (2013) Dissecting social engineering, Behaviour & Information Technology, 32:10, 1014-1023, DOI: 10.1080/0144929X.2013.763860

To link to this article: http://dx.doi.org/10.1080/0144929X.2013.763860

Downloaded by [Turku University] at 00:21 14 February 2014
Behaviour & Information Technology, 2013
Vol. 32, No. 10, 1014–1023, http://dx.doi.org/10.1080/0144929X.2013.763860

Dissecting social engineering


Pekka Tetri (a)∗ and Jukka Vuorinen (b)∗
(a) The Department of Information Processing Science, University of Oulu, Oulu, Finland; (b) Sociology, The Department of Social Research, University of Turku, Turku, Finland
(Received 12 January 2012; final version received 2 January 2013 )

In information security terms, social engineering (SE) refers to incidents in which an information system is penetrated through the use of social methods. The literature to date (40 texts), which was reviewed for this article, emphasises individual techniques in its description of SE. This leads to a very scattered, anecdotal, and vague notion of SE. In addition, due to the lack of analytical concepts, research conducted on SE encounters difficulties in explaining the success of SE. In such explanations, the victim's psychological traits are overemphasised, although this kind of explanation can cover only a small portion of SE cases. In this article, we have sought to elaborate the concept of SE through analysis of the functions of different techniques. In this way, we have been able to extrapolate three dimensions of SE: persuasion, fabrication, and data gathering. By utilising these dimensions, SE can be grasped in all its aspects instead of through individual techniques. Furthermore, research can benefit from our multidimensional approach as each of the dimensions pertains to a different theory. Therefore, the victim's personal traits cannot function as the only explanation. All in all, the analysis, understanding, and explanation of the success of SE can be furthered using our new approach.

Keywords: social engineering; information security; intrusion; fabrication; persuasion; data gathering

1. Introduction

A man tries to access phone records (an information system) through an online user account, but does not manage to complete the online registration. He calls the phone company's customer service line. He gives the required identification information and the service representative creates the account. The man logs on to check the phone records. The only problem is that he is not the individual he has claimed to be but someone else pretending to be that man. This is a case of impersonation, or 'pretexting'. Someone has gained access to somebody else's private records. The technical information system has been penetrated – not merely technically but through social methods. In other words, the protected system has been socially engineered.1

Social engineering (SE) relates to cons and frauds taking place in both the digital and analogue worlds simultaneously. In the example above, the digital account is intruded upon in part through a conversation over the telephone. Mitnick et al. (2003) have argued that SE uses the weak human element to bypass technical protection. Even if SE mixes the social and the technical in interesting ways, we are still lacking a critical analysis of SE. Instead, what we seem to have is a cloud of myths which linger over it. From time to time, SE is seen as a magical event in which individuals suddenly find themselves to be mere puppets of the attacker. For example, descriptions of SE techniques such as neuro-linguistic programming (NLP) (Barrett 2003, Hadnagy 2011), manipulation (Gragg 2003, Manske 2000, Allen 2006), and flirting (Schifreen 2006) contribute to perceptions of the mystery and trickery behind SE. Mitnick et al. (2003) reinforce the mystery of SE by entitling their book on the subject The Art of Deception (cf. also Thornburgh 2004). In a sense, SE is presented as the shadowy art of mastering the secrets of manipulation. Furthermore, there is also another side to the issue as it is claimed to be a common occurrence (Power and Forte 2006). In addition, the consequences of any given SE incident are clear, as SE causes evident damage to companies – though again, the exact value of the damage caused may often be difficult to evaluate. Moreover, companies possess an insufficient understanding of countermeasures, having little or no effective defence against SE (Power and Forte 2006). All in all, this forms a peculiar equation combining fascinating elements – manipulation, deception, information systems, everyday life, and considerable damage – and it all takes place in the realm of the global business world.

With the above in mind, we took as the starting point for this article the question of what is known about SE: what has been studied, how the events are depicted, what techniques of intrusion – as described in the literature – social engineers use, and in what ways the success of SE – i.e. why victims fall for it – is explained in terms of theory. In order to find previous studies on SE, we reviewed a body of literature we found on the topic, including journal articles, conference

∗ Corresponding authors. Emails: juanvu@utu.fi, pekka.tetri@gmail.com

© 2013 Taylor & Francis


papers, and white papers, in the timeframe 1996–2008. In addition, we examined some of the more current texts to see if they seemed to provide anything new to the corpus. As a result, 40 SE articles and texts were found and analysed as data.

All in all, this article has three goals. First, it seeks to create an analytical and critical concept of SE and its socio-material connections on the basis of what is said about SE. The second goal is to gather all the individual acts – imagined and real – that are mentioned in the literature to describe the methods – the techniques of intrusion – used by the attacker. We seek to analyse these techniques of intrusion so that we can grasp the different aspects of SE. In order to understand the multiplicity of SE, we need to identify the functional dimensions which the techniques can manifest. The third goal is to discover how SE has been studied; we are particularly interested in the empirical evidence in SE studies and the studies' theoretical underpinnings. Moreover, we seek to analyse the difficulties and significant pitfalls previous research has faced, and how it has failed to capture SE in its entirety in the current design of its research and explanation. Instead of discussing SE in terms of mere individual techniques, an approach adopted by many other authors, we need to acknowledge that each technique can carry out different functions. It is these dimensional functions that matter in explaining various kinds of attacks through different theories. The functional dimensions – not the individual techniques – require their own theoretical approaches in order to be analysed and understood.

We will start with a conceptualisation of SE. This will allow us to describe the stage at which SE takes place, and some features of SE. We will then go deeper into the actual techniques of SE – what the intruder's toolkit looks like – and construct the dimensions of these techniques. In Section 4, we will analyse theories and evidence used in previous research in the light of our conceptualisation, which is based on these dimensions. We will discuss problems relating to the areas on which the emphasis has been placed previously and point out what is lacking in the current literature. Finally, we will discuss the implications that our framework has for SE research and propose future research paths.

2. The structures of an SE attack

SE has not been defined in sufficient detail. The literature largely functions at the level of Mitnick et al. (2003, p. xi) stating SE to be the act of 'getting people to do things they wouldn't ordinarily do for a stranger'. Gonzalez et al. (2006) recognise the lack of rigorous conceptualisation as problematic, as there is currently no straightforward way to conceptualise SE attacks. They suggest that system archetypes can be used in order to describe SE attacks in terms of relations between the system, its countermeasures, and the intruder. While this approach can take conceptualisation to a higher level of abstraction, the explanatory power of such analysis still remains questionable in terms of clarifying the role of different techniques used in attacks. Since the attack is actualised through the use of different techniques, we argue that it is important to examine the techniques of SE and their dimensions. Thus, we seek to provide a conceptualisation that will help to grasp the different dimensions of any SE event, which is crucial in terms of studying the subject.

If we divide an SE event into different acts, we can extract the different phases of the SE event for further analysis. First, SE always involves an act of intrusion which is the connecting line between the intruder and the target system that the intruder seeks to penetrate. Second, the intrusion is prepared and carried out 'socially', which indicates the non-technical aspect of the attack: SE engages individuals through whom entrance to the target system is sought, or leverages bits and pieces of information springing from social agents within the system in order to gain access to the target system.2 Third, SE pertains to acquiring something: a system is infiltrated in order to attain an object, which is usually a piece of information but which may also be a thing, or simply the access to the system in question.3 In what follows we shall dwell on these elements in order to gain a deeper insight.

2.1. Target system

Information systems appear in various forms. For example, mobile phones, databases within large organisations, and web-based services are all information systems and all require other information systems in order to function. Information systems are usually entangled with each other and have different interfaces. For example, an organisation's employee might use a web-based service acquired from a third-party service provider, and all of this usage might take place on a mobile phone. These different actors and their constantly transforming and mutating combinations can be approached theoretically – or methodologically – through the concept of actor networks (Latour 2005). Within the actor network each of the different actors – whether this is a technical device or its user – gives its input, which enables other actors to function in a particular manner (Latour 1999, pp. 179, 182–183). The opening example of a phone call can be used to demonstrate this on a concrete level. The man is an actor and so is the phone. Together, they can make the phone call: this would not be possible for either the man without a phone or the phone without a user. In terms of information systems, networks of actors are always required for any information to be accessible. There are also therefore multiple points of access: different gateways to information.

2.2. Social-level intrusion

The second claim is that SE intrusion is carried out partly on the social level. As stated above, there are multiple gateways to information within a system. SE uses the social entry points of the system to access it illegitimately. In some

cases 'social entry points' refers to individuals who are positioned within the actor network of the system. These social entry points are often considered the weakest link in the information security chain (Mitnick et al. 2003, Allen 2006, see also Trček et al. 2007). There are different techniques for 'engineering' the individual – the 'dupe' – at the connection point. We will map these techniques in detail later, in Section 3. SE can also utilise material that the system 'leaks' intentionally or unintentionally. For example, by gathering information from the web about a particular employee, the intruder can enhance the subtlety of their impersonation of that particular employee. If an intruder knows enough about the organisation, they can pretend to be someone in the organisation or an employee of a supplier, in order to carry out an attack more successfully.4 The leak is not understood by the company as an actual leak, since the piece of information published is not considered secret – quite the opposite.

We extend the second claim to include not only individuals but also artefacts which are directly connected to social entry points, and include information leaked from those social entry points. We will go a step further and claim that once these artefacts are connected to social entry points, they become entry points themselves, including such items as the rubbish bins (that may contain leaked information such as classified documents, memos, and passwords), company phone directories, or the company's information on social media (e.g. Facebook and Twitter) and the company's website. In the first claim (Section 2.1) we implied the system – the target of the attack – to be an entanglement of actors, a complex hybrid meshwork, co-existing and overlapping with the digital network. Following Latour (2005) and actor-network theory, we consider all the agents, including individuals and socially connected artefacts, to be equal parts of the system (see also Vuorinen and Tetri 2012). The artefacts in the system have connections through which an intruder can travel smoothly without detection. The SE event can now be seen in a more nuanced light: to socially engineer is to use particular techniques in order to engineer social entry points or to use artefacts connected to the social entry points (e.g. bins and websites) within the hybrid meshwork (in order to penetrate the system).

2.3. The object of the attack

The third part of the argument claims that the aim of the attack is to acquire something (the object or goal of the attack), usually a piece of information that is protected by safeguards. In fact, gaining access to the system may constitute a goal in itself. A single piece of information (e.g. the name of a manager) might not always be enough to launch a successful attack; however, enough such items and information in combination (e.g. the name of the manager, the manager's employee badge, and knowledge about current projects) can make for a powerful attack. So the items and information attained during the attack can reveal additional targets or can be utilised to enhance the techniques employed in the attack. In addition, attacks can combine different techniques, using a multiphase (step-by-step) strategy in which each individual step obtains another piece of the puzzle. The pieces gained are not seen as valuable in themselves but they can be used in constructing the weapon of multiphase intrusion.

Now that we have conceptualised SE and its elements, we can identify and analyse the relevant literature. While the three elements discussed in this section described the target system, the nature of the attack, and the object of the attack, we will now dive deeper into the world of actual SE techniques, to explore how, in detail, individual attacks are carried out.

3. From the individual techniques of SE to the dimensional approach

In working with the literature, we examined the data – the discussion on SE – in search of 'how SE attacks are carried out': in other words, 'what techniques are used in actualising the attacks'. We gathered all the literature cases and extracted the techniques mentioned as a list, which is presented in the Appendix with brief explanations.

From the Appendix, we can quickly see that the techniques vary, but that in some cases they are very similar. Dumpster diving differs from flirting, and lying is different from shoulder surfing. However, establishing rapport, using jargon, using lingo, and name-dropping are all very close to each other. Analysing the list of techniques, we sought to find the functions of each technique and where it is directed. By this we mean that we examined the techniques in relation to questions such as whether the technique engages the dupe directly or camouflages the intruder so that the dupe is engaged passively, and whether the intruder makes an inappropriate request in terms of information security, or whether flaws in the system are exploited, as in the case of dumpster diving. Through this method we were able to extrapolate three different dimensions of SE techniques: persuasion, fabrication, and data gathering.

3.1. Dimensions

3.1.1. Persuasion

The goal of techniques which manifest the dimension of persuasion is to get a person to comply with an inappropriate request: to make them do something which is against the rules or a set of norms (e.g. an information security policy). For example, the act of the intruder asking for a user name and password using authority (Mitnick et al. 2003) is considered to manifest the dimension of persuasion. The same request can be made in a stronger manner, as in cases of subversion, extortion, or threats. However, forcing someone to do something through violence or the threat of violence

is not as interesting to the researcher as cases involving a more subtle approach. This is noted implicitly in Perloff (2003), where persuasion is defined as including the free will of the target. In most cases of persuasion it is claimed that there is a psychological feature – e.g. greed, laziness (Hasle et al. 2005), trust, or fear (Workman 2007) – that is exploited. Specific techniques which meet the requirement of getting the target to carry out a specific improper action and are based on utilising certain psychological features of the target are seen as manifesting the dimension of persuasion.5 Persuasion has two particular features. Firstly, it takes place in direct interaction in which the request is stated. This might be a conversation over the phone, an email message, or a request made face-to-face, for example. Secondly, the intruder engages the target actively: the intruder has the initiative and seeks to 'engineer' the dupe into carrying out the desired action. As the dupe is aware of the norm-violating nature of the request, the situation involves a strong set of persuasive acts on the part of the intruder. Techniques such as authority, appealing to emotions, being likeable, establishing rapport, reciprocation, social validation, and subversion can strongly manifest the dimension of persuasion.

3.1.2. Fabrication

Some of the techniques, such as impersonation, name-dropping, jargon, piggybacking, and using false ID, involve providing misleading cues to the target in order to affect the dupe's interpretation of what is going on in the situation. In sociology (as well as in psychology and philosophy), it is common knowledge that situations never merely appear to individuals directly but are always interpreted – or that there are constellations of discourses that influence the interpretation (see e.g. Foucault 2003, Latour 2005). This can be understood by thinking of what Goffman (1986, p. 8) writes: 'when individuals attend to any current situation, they face the question: "what is it that's going on here?"' The answer to the question depends on how individuals interpret the situation – what their 'frames' are, in Goffmanian terms. These interpretations, the frames, are based on the different knowledge (or culture, if you will), experience, and cues (real or fake) in the situation (see Goffman 1986). The actualisation of a fabrication technique is an attempt to manipulate these frames not by engaging the dupe directly but by setting up a fake role for the intruder or otherwise setting up (framing) the situation (Goffman 1986). Fabrication can be soft (e.g. spoken words or messages) or hard (concrete props, e.g. uniforms, badges which construct the role).6 The techniques of impersonation seek to build a particular role through which it is easier to get inside the system (see Goffman 1990, pp. 141–142). For instance, name-dropping and using jargon (Arthurs 2001, Gragg 2003, Dolan 2004, Jones 2004, Lafrance 2004) imply that the intruder is an insider who knows people; in piggybacking the impression of belonging to the group is created; and wearing a fake ID badge (Manske 2000, Dubin 2002, Robinson 2003, Dolan 2004, Long et al. 2008) or a stolen uniform involve obvious indicators of position. Fabrication does not have to relate solely to the role that the intruder seeks to play: an event may also be fabricated. Mitnick et al. (2003) provide an apt example, in which an intruder can cause problems with a network, in order then to appear at the site as a helpful repairman. Pretending to be a repairman opens up the opportunity to move around quite freely.

In comparison with the dimension of persuasion, fabrication stands out as a deceptive and less obvious dimension from the dupe's perspective. If a request is made, it is made from a position in which it can be stated legitimately. For example, in the opening example, the intruder makes a seemingly legitimate request from the position of a customer. In persuasion, the dupe is well aware of the inappropriate nature of the intruder's request (e.g. 'give me your password' or 'could you please help me and keep that door open for me?'). Fabrication, on the other hand, does not tempt directly or shout out demands as persuasion does. The techniques that strongly manifest the dimension of persuasion require the intruder as an actor to throw himself onto the stage. Fabrication, in terms of visibility, can be about becoming a chameleon that can roam freely, looking and sounding like a co-worker or anyone who belongs there. In other words, a fabricator can creep quietly onto the scene veiled in shadows, props, and set dressing, not drawing active attention to himself; if he did he would be in danger of being spotted. This provides, in a deceitful manner, a quasi-legitimate position.

3.1.3. Data gathering

Every attack requires knowledge about the target (at the least, knowledge about where to attack). Generally, acquiring data prior to the attack is a crucial part of SE. Techniques that are aimed at getting information for further intrusion and are not based on direct interaction involve the dimension of data gathering. Techniques such as using open source information, dumpster diving, shoulder surfing, stealing, eavesdropping, phishing, loggers, and photography, among others, manifest the dimension of data gathering. It should be noted that data gathering techniques could in themselves lead to the final goal. For example, the valuable asset sought by the attacker might be found on a stolen laptop or in a dumpster (Hancock 1998, Gulati 2003, Allen 2006, Nyamsuren and Choi 2007, Schiller et al. 2007), the intruder might hit the jackpot simply by listening to people talk (Gragg 2003, Mitnick et al. 2003, Jones 2004, Lively 2004, Long et al. 2008), or a successfully installed key logger might record and send employee passwords via the internet (Robinson 2003, Schiller et al. 2007). Although data gathering can in this way itself lead to a successful attack, it usually takes place in a separate phase, prior to a later attack, primarily in order to reduce the

risk of getting caught during that attack. While the dimen- opportunity to evaluate the explanations and theory behind
sions examined previously could be approached from the existing SE analysis, which we will deal with next.
perspective of personal interactions and individuals’ inter-
pretation of the situation, the techniques in this dimension
avoid direct interaction and act from a relative distance. In 4. What is lacking in the current approach to SE?
brief, the successful intruder gathers all the data needed to
4.1. Studying and explaining the success of SE
launch a later SE attack by enhancing the detail of his or
her fabrication or the effectiveness of his or her persuasion. Empirical data and explicit theoretical views regarding SE
are generally scarce in the literature. In the following, we
will briefly go through the studies which include empiri-
cal data and analyse them according to our concept. Only
3.2. Multidimensionality five studies out of the 40 articles and texts we found con-
At this point, we have a number of techniques listed in ducted some kind of analysis on empirical data, and all of
Appendix which all manifest the three dimensions with dif- these proved that SE can be very successful (Greening 1996,
fering intensities. We argue that these dimensions rarely Orgill et al. 2004, Hasle et al. 2005, Workman 2007, 2008).
appear alone in a technique, but it is in fact more likely Out of these five studies, only two had explicit underlying
that a technique will manifest all the dimensions simultane- theories (Workman 2007, 2008). Nevertheless, all the cases
ously. Consider a naïve example in which an inappropriate must include some theoretical assumptions, but these are
Downloaded by [Turku University] at 00:21 14 February 2014

request is made at a help desk – for example, ‘please assign not spelled out.
me a new password even though I don’t have my ID with Greening (1996) conducted an experiment in which
me. Please, I’ll get in trouble if I don’t access my email right students were tricked into giving out their passwords in
away’. This is persuasion (the presentation of an inappro- response to an unauthorised request. In parallel with this
priate request using the technique of appealing to emotions) experiment, Hasle et al. (2005) conducted a phishing exper-
but it is also a fabrication, as the intruder does not own the iment with results that indicate SE to be a serious intrusion
email account in question. In addition, the dimension of data method, as they were able to obtain user names and pass-
gathering has preceded the scene. Hence, all the dimensions words. In Orgill et al.’s (2004, p. 178) study design, an
are present. auditor was set up ‘to determine the ease with which a social
Multidimensionality has consequences in terms of engineer could obtain information giving him unauthorised
research. For example, it is almost impossible to infer any- access to a network’. The auditor gathered open source
thing useful from the use of a single technique if the wider information, learning the relevant jargon, names and depart-
context is not sufficiently considered. A phishing email is ments, as well as the layouts of the facility. After a period
always by definition a fabrication, but it is usually persua- of such data gathering, the auditor had enough informa-
sive: the email can be made to seem important and urgent and can demand a fast response, or it could appeal to the emotions. Moreover, depending on the case, a single technique can function on particular dimensions with different levels of intensity. For example, in one case a phishing email might be based strongly on the technique of appealing to emotions, whereas in another case the same technique might be ignored. Again, each technique can be situated in a relationship with all three dimensions.

In addition, the dimensions provide a viewpoint from which similarities and striking differences in techniques can be perceived. In short, techniques that differ radically from each other – such as dumpster diving and impersonation – have little overlap in the dimensions they manifest, whereas the strong similarities between other techniques – such as between name-dropping and the use of jargon – are due to the fact that the techniques manifest the same dimension the most strongly.

Although we are using the terms 'dimension' and 'intensity', which may be associated with quantitative research, our intention here is not to attempt to develop a research model that would be immediately transferable into quantitative research. Rather, through these dimensions, we can understand how attacks function. The concept provides an

tion for an infiltration, enabling physical entry. Once inside, the auditor successfully presented a fake survey, requesting user names and passwords. Workman's theory-driven studies (Workman 2007, 2008) used phishing and pretexting successfully in terms of getting sufficient information for a potential intrusion.

The way the success of SE is explained remains at the level of general assumptions except in Workman's studies (Workman 2007, 2008). The absence of explicit theory drives the three other studies (Greening 1996, Orgill et al. 2004, Hasle et al. 2005) to explain their results in terms of the general human traits of the dupe. SE is seen as exploiting human traits such as greed and laziness (Hasle et al. 2005), submission to authority (Greening 1996), and the perception of threat severity, trust, fear, and commitment (Workman 2007). Workman (2008), grounding his approach in theories such as cognitive dissonance theory and reactance theory, argues quite similarly that individuals with certain traits – such as high normative commitment and strong reactance – are more likely to fall for SE. All in all, the studies treat SE as a problem of human error and of the weakness of the dupe: most of the persuasion techniques were treated as attacks based on psychology, exploiting people's psychological characteristics.
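The claim above, that one technique (a phishing email) can manifest the three dimensions with different intensities, can be made concrete by scoring a message on each dimension separately. The Python script below is an added illustration by the editor and is not part of the original article or of any study it cites. It reads one email, counts persuasion cues (urgency, emotion, claimed authority) in the text, looks for fabrication at the header and link level (a display name claiming the organisation while the address lies elsewhere, a redirected Reply-To, link text naming a host other than the real target), and counts what the message tries to collect (credential requests, links to capture pages). The cue lexicons, the equal weighting of cues, the organisation domain acme.example and both sample messages are constructed assumptions, not data from the article. The fabrication checks deliberately work on material the dupe never reads, which is the article's point that fabrication takes place outside the dupe's awareness, and the analysis answers the per-dimension questions the authors pose in Section 5 (was the dupe approached directly, what was the dupe's view of the situation, what information did the attack collect).

```python
"""Score one email on the three SE dimensions (persuasion, fabrication,
data gathering). Added example; cue lists, weights and sample messages are
constructed, not taken from the article or its sources."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed cue lexicons (assumption: typical wording for the urgency,
# emotional and authority appeals the article lists under persuasion).
URGENCY_CUES = ("immediately", "within 24 hours", "urgent", "right away",
                "will be suspended", "final notice")
EMOTION_CUES = ("please help", "i'm stuck", "stranded", "desperate",
                "counting on you")
AUTHORITY_CUES = ("ceo", "it department", "security team", "compliance",
                  "head of")
CREDENTIAL_CUES = ("password", "username", "verify your account", "log in",
                   "confirm your details", "card number")

HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _count(cues, text):
    text = text.lower()
    return sum(text.count(c) for c in cues)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def persuasion(msg, body):
    """Persuasion: a direct, active request backed by urgency, emotion
    or claimed authority (the display name counts as a claim of authority)."""
    from_name, _ = parseaddr(msg.get("From", ""))
    return {
        "urgency": _count(URGENCY_CUES, body),
        "emotion": _count(EMOTION_CUES, body),
        "authority": _count(AUTHORITY_CUES, body + " " + from_name),
    }


def fabrication(msg, body, org_domain):
    """Fabrication: the sender stages a false situation the recipient is not
    meant to notice. All cues live in headers and link targets, i.e. outside
    what the dupe reads: display name claims the organisation but the address
    domain differs, Reply-To redirects replies, link text names another host."""
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    org_label = org_domain.split(".")[0].lower()
    cues = {
        "spoofed_sender": int(org_label in from_name.lower()
                              and _domain(from_addr) != org_domain.lower()),
        "reply_to_redirect": int(bool(reply_addr)
                                 and _domain(reply_addr) != _domain(from_addr)),
        "deceptive_links": 0,
    }
    for href, text in HREF_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_host and shown_host != real_host:
            cues["deceptive_links"] += 1
    return cues


def data_gathering(msg, body):
    """Data gathering: what the message tries to collect from the target,
    either by asking outright or by routing the target to a capture page."""
    links = HREF_RE.findall(body)
    return {
        "credential_requests": _count(CREDENTIAL_CUES, body),
        "capture_links": sum(1 for href, _ in links
                             if re.search(r"login|verify|signin|account", href, re.I)),
    }


def analyse(raw_message, org_domain):
    """Return per-dimension cue counts, their sums (the 'intensity' of each
    dimension for this message) and the dominant dimension."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    dims = {
        "persuasion": persuasion(msg, body),
        "fabrication": fabrication(msg, body, org_domain),
        "data_gathering": data_gathering(msg, body),
    }
    intensity = {d: sum(c.values()) for d, c in dims.items()}
    return {"cues": dims, "intensity": intensity,
            "dominant": max(intensity, key=intensity.get)}


# Constructed sample 1: urgent request from a 'colleague'; no spoofing,
# no links, nothing collected yet, so only persuasion registers.
SAMPLE_COLLEAGUE = """\
From: Jane Doe <jane.doe@webmail.example>
To: bob@acme.example
Subject: need this right away

Bob, I'm stuck in a meeting with the CEO and need the Q3 figures right away.
Please send them within the hour. I'm counting on you.
"""

# Constructed sample 2: spoofed helpdesk on a look-alike domain, redirected
# Reply-To and a link whose text lies about its target; fabrication and
# data gathering dominate while the persuasion cues are weaker.
SAMPLE_HELPDESK = """\
From: Acme IT Department <helpdesk@acme-support.example>
Reply-To: helpdesk@mail-acme-support.example
To: bob@acme.example
Subject: Password expiry notice
Content-Type: text/html

<p>Your password expires within 24 hours. The IT department requires you to
log in, verify your account and confirm your details:</p>
<p><a href="http://acme-portal-login.example/verify">https://portal.acme.example/login</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("colleague", SAMPLE_COLLEAGUE), ("helpdesk", SAMPLE_HELPDESK)):
        result = analyse(raw, "acme.example")
        print(label, result["intensity"], "dominant:", result["dominant"])
```

Run as a script, the first message scores only on persuasion, the second scores on all three dimensions with data gathering highest; the same technique, phishing, thus shows up with a different profile in each case. The counts are deliberately crude (string matching, equal weights) because the aim is to show the analysis per dimension, not to build a classifier; a real mail filter would use authenticated sender data (SPF, DKIM, DMARC results) for the fabrication cues rather than parsing the From header alone.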
4.2. The framework of SE

Explaining the success of SE through the psychological features of the dupe causes problems. First, it involves psychological theories being transferred to another field, coupled to another setting without considering whether the theories are valid in the new network of connections. For example, Cialdini's (1993) book on influence is widely used in the SE literature (see e.g. Mitnick et al. 2003, Hadnagy 2011). The book might be a popular hit among salesmen but its principles are rather difficult to transfer directly to the world of information security. There is quite a difference between promoting – how to make a product desirable – and violating information security policy – how to talk someone into providing access to a restricted network. For example, a car salesman might make a sale using the principle of scarcity ('only 100 cars like this have ever been made') (cf. Cialdini 1993). The principle itself, scarcity, works well in the original context; however, it is highly questionable overall whether theories from this field are transferable to SE in explaining the fundamentally different event of an SE attack.

Second, appealing to psychological features does not cover SE in its entirety. In the opening example, the customer service representative does nothing wrong in terms of information security policy. The success of SE cannot be explained through psychological traits in this case. In other words, the dimension of fabrication – which plays a major part in the opening example – cannot be assessed using the psychological features of the dupe because the fabrication itself takes place outside the dupe's awareness.

The problem with the SE literature is that it does not contain analytical concepts, and the entire field is scattered. For example, the range of techniques which appear in the literature (see Appendix) has been analysed only in relation to the dupe and, occasionally, to information security policies (Mitnick et al. 2003); these techniques have not been analysed in relation to each other. This means that the dimensions of the techniques have not been presented prior to this article. In other words, in the literature SE is treated for the most part as consisting of information security incidents which resemble each other to a greater or lesser degree, but the phenomenon in its entirety remains in the shadows. For example, information security policies are mentioned frequently in Mitnick et al. (2003), indicating that the success of SE depends, in some cases, on the organisational setting. But most of the literature ignores information security policies, organisational settings, how employees – the potential dupes – are educated, what they think of information security policies, and how committed to the organisation and policies they are.

In spite of the scattered nature of the techniques and the lack of binding concepts and weak theoretical background, there is a striking pattern that is present in practically every SE text. This dominant framework is based on the relation between two opposing positions: intruder and dupe. The relation between the oppositions is based on the technique used. This framework of intruder–technique–dupe has an essential but interfering feature: it seems that the framework makes it possible to ignore everything else around it. It is almost as if the framework existed in a void: the organisational settings and other actors are jettisoned the moment the framework enters the scene. As everything else is forgotten, the success of SE is sought within the framework. First, it is easy to blame the dupe through psychological traits even if elements of fabrication were present in the particular case. It is simpler and more intuitively plausible to explain falling for a phishing email by blaming the dupe's psychological traits than by focusing on the elements of fabrication and those relating to the organisation. It is convenient to ignore fabrication, as without it, as shown above, it is tempting and simple to blame the dupe within this framework. In other words, when explaining the success of SE, the relation of intruder and dupe is treated as if it were constituted purely of persuasion, and fabrication and data gathering elements are ignored in the process of explanation. Thus, the framework could be described as intruder–persuasion–dupe. Second, the dominant framework makes possible the glorification and mystification of the social engineer as a great magician and manipulator. Contrary to what the literature suggests, we believe that social engineers should get more credit for spotting organisational weaknesses from the outside rather than being celebrated as great persuaders.

Figure 1. The elements of SE.

In Figure 1, we have gathered the results of our analysis, displaying the overemphasised elements of the literature in black. The grey elements refer to elements that are only implicitly present in the literature, or are more or less ignored when the framework of intruder–persuasion–dupe is presented. In our view, the entire framework presented in Figure 1 is key to grasping SE.

Figure 1 also explicates the need for a multidimensional view. None of the above can be ignored when examining SE. In other words, we require a multidimensional approach rather than one which considers only one dimension (intruder–persuasion–dupe). We do not claim that this would cover all there is to say about SE. Instead we
argue that in comparison to the literature we reviewed, this article's approach gives a more holistic, explicit, and nuanced point of view from which to grasp SE, and offers a starting point for future research. Moreover, this article, and Figure 1 in particular, provides a perspective from which to inspect the argument that 'the human is the weakest link in information security'. The opening example, when considered through a multidimensional framework, demonstrates beautifully how information security policy, in that particular case, was the weakest link, not the human element.

5. Discussion and conclusions: implications for SE research

In the SE literature, SE has hitherto been presented in a disorganised manner: the phenomenon has been described through a number of individual cases and techniques which – without any overarching analysis – have then been placed under the fuzzy concept of SE. In this article, we have sought to bring order to the concept, and so enable research to be improved. In Table 1, we have summarised the key contributions of this article in relation to the SE literature. The column on the left lists the elements that we have problematised in this article. The top row describes the angles from which each element is examined.

Table 1. Addressing the issues of SE research.

Problematisation | Emphasis in the SE literature | Authors' approach | How to apply the proposed approach?
Techniques | Individual techniques | Multidimensional approach (persuasion, fabrication, and data gathering) (Section 3) | Techniques should be examined in relation to the questions discussed in Section 3
Actors in an SE attack | Simplified relation of intruder and dupe | Multi-actor approach (Sections 2 and 3) | More elements, from employee education to the design of information security policies, should be considered as part of an attack (cf. Sections 2 and 4)
Theory | Psychological theories | Psychological theories can only be applied to persuasion (Section 4) | Frame analysis and actor-network theory approaches could be used (cf. Sections 2 and 3)

We have found that individual techniques were misleading as an attempt to grasp the diversity of SE in its entirety. By analysing the SE literature, we have been able to extrapolate three dimensions – persuasion, fabrication, and data gathering – from the individual techniques. Each dimension performs a different function, and this could not have been perceived if attention was paid solely to a single technique. Understanding dimensionality is crucial in terms of validity of research as each dimension relates to different elements and objects and thus to different theoretical families (see Sections 3 and 4). This implies that an SE case being studied should be examined in relation to the questions presented in Section 3.

In our conceptualisation, persuasion relates to talking a dupe into carrying out an inappropriate action upon request. Therefore one should ask whether the action which the dupe has carried out is illegitimate according to the terms of the information security policy. Furthermore, was the dupe approached directly and actively? Fabrication pertains to utilising and manipulating a dupe's interpretation of the situation. Thus, it could be a good idea to investigate the dupe's interpretation – was the dupe even aware of the SE attack? Data gathering concerns any information an intruder can get from the target (prior to or during the attack). One could ask what information has made the attack possible and how that information or actors were accessed or approached. It should also be remembered that techniques and attacks are practically always multidimensional; thus one should analyse how these dimensions are present.

As we can see in Table 1, we also found troubling the simplified relation between intruder and dupe, which is overemphasised in the literature. We argue that the relation is anything but simple because it includes more elements than the two obvious actors. For example, the organisation (through employment, information security policy, and education) partly produces the relation between the two obvious actors. In the opening example, the information security policy makes the attack possible. Thus, the information security policy is a relevant actor to be considered when analysing the case. Therefore, in future research, all the actors that are involved in the attack (even education in information security policy) should be considered as appropriate objects for closer study. The organisation under attack is always complicated (see Section 2) and it can be very challenging to find all the relevant actors. In any case, it is crucial to examine actors beyond the dupe and the intruder.

In terms of theory, the advantage of a multidimensional approach is also demonstrated when SE studies are reviewed. The research tends to overemphasise the dupe's role and ends up explaining the success of SE in terms of the psychological features of the dupe. This type of explanation covers, at best, the dimension of persuasion, but not fabrication or data gathering as these two dimensions have very little to do with the dupe's psychological traits. The studies we reviewed which included empirical evidence explained the success of SE attacks through personal traits, but these attacks should have been analysed from a multidimensional viewpoint rather than treated as merely one-dimensional attacks (using the dimension of persuasion). In this manner, our multidimensional approach provides an opportunity to reconsider and a chance to elaborate on the explanations of the studies.

Therefore, the theoretical basis needs to be expanded in order to cover all the dimensions. We have very briefly discussed Goffman's frame analysis (Section 3) and actor-network theory (Section 2). However, even at this stage, they have proven to be useful as the frame analysis has encouraged us to pay attention to the dupe's interpretation of the situation and actor-network theory has led us to think of actors beyond the intruder and dupe. Evidently, these theories need to be explored more closely in terms of SE research. Still, they have already shown themselves to be useful.

Furthermore, in future research, the variety of SE should be recognised: attention should be paid to all the dimensions and all the phases in the attack as a whole, or these should at least all be acknowledged. In addition, future research could, for example, study how an organisation can develop better work flows and technology that allows the user to comply with the security policy without, for example, having to compromise the organisation's focus on customer service. Any form of SE analysis which uses our multidimensional approach and understands that the event usually involves more than a mere intruder–persuasion–dupe framework will then provide more insight than one in which the dupe is seen as the weakest link.

Notes

1. This is a real case describing an event in which a phone company's system was infiltrated. For details see http://i.n.com.com/pdf/ne/2006/perkins_letter.pdf?tag=content;col1. See also http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ for quite a similar case.
2. It should still be noted that SE is never purely social in the sense of being not material or technical. Technical devices – such as the phone in the opening example – may be used, but the exploitation relates to the behaviour of human agents which are part of an information system.
3. The process of acquiring a certain object or result can be driven by various motivations. For example, simply proving that the intruder is able to gain access to the information system can be motivation enough.
4. For example, knowing the name, position, phone number, or even personal information such as the hobbies of the employee that the intruder is impersonating makes for a more convincing attack. In this sense systems 'leak' information, enhancing the intruder's chances of a successful attack.
5. At this point, it is worth noting that we do not know (and it is outside the focus of our interest) whether the utilisation of psychological traits really works or not. Thus, the construction of this dimension is based on the literature, in which this is not tested but only assumed as a given.
6. The terms 'soft' and 'hard' roughly follow Serres's (2011, pp. 39–42) use of the words.

References

Allen, M., 2006. Social engineering: a means to violate a computer system. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/529.php [Accessed 19 November 2008].
Arthurs, W., 2001. A proactive defence to social engineering. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/511.php [Accessed 24 November 2008].
Barber, R., 2001. Social engineering: a people problem? Network Security, 2001 (7), 9–11.
Barrett, N., 2003. Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report, 8 (4), 56–64.
Bishop, M., 2002. Computer security: art and science. Boston, MA: Addison Wesley.
Cialdini, R.B., 1993. Influence: the psychology of persuasion. New York: William Morrow.
Denning, D.E., 1999. Information warfare and security. Boston, MA: Addison Wesley.
Dhillon, G., 2007. Principles of information systems security: texts and cases. Hoboken, NJ: John Wiley & Sons.
Dolan, A., 2004. Social engineering. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/1365.php [Accessed 19 November 2008].
Dubin, L., 2002. The enemy within: a system administrator's look at network security. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/530.php [Accessed 19 November 2008].
Foucault, M., 2003. The archaeology of knowledge. London: Routledge.
Goffman, E., 1986. Frame analysis: an essay on the organization of experience. Boston, MA: Northeastern University Press.
Goffman, E., 1990. The presentation of self in everyday life. London: Penguin Books.
Gonzalez, J.J., Sarriegi, J.M., and Gurrutxaga, A., 2006. A framework for conceptualizing social engineering attacks. In: J. Lopez, ed. Critical information infrastructures security. Berlin: Springer, 79–90.
Gragg, D., 2003. A multi-level defense against social engineering. SANS Institute. Available from: https://www2.sans.org/reading_room/whitepapers/engineering/920.php [Accessed 24 November 2008].
Greening, T., 1996. Ask and ye shall receive: a study in 'social engineering'. ACM SIGSAC Review, 14 (2), 8–14.
Gulati, R., 2003. The threat of social engineering and your defense against it. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/1232.php [Accessed 19 November 2008].
Hadnagy, C., 2011. Social engineering: the art of human hacking. Indianapolis, IN: Wiley.
Hancock, B., 1998. Can you social engineer your way into your network? Computer Fraud & Security, 1998 (11), 12–13.
Hasle, H., et al., 2005. Measuring resistance to social engineering. In: R. Deng, F. Bao, H. Pang, and J. Zhou, eds. Information security practice and experience. Berlin: Springer, 132–143.
Hoeschele, M. and Rogers, M., 2005. Detecting social engineering. In: M. Pollitt and S. Shenoi, eds. Advances in digital forensics. Boston, MA: Springer, 67–77.
Jones, C., 2004. Social engineering: understanding and auditing. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/1332.php [Accessed 19 November 2008].
Lafrance, Y., 2004. Psychology: a precious security tool. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/engineering/1409.php [Accessed 24 November 2008].
Latour, B., 1999. Pandora's hope. Essays on the reality of scientific studies. Cambridge, MA: Harvard University Press.
Latour, B., 2005. Reassembling the social. An introduction to actor-network-theory. Oxford: Oxford University Press.
Lively, C.E., Jr., 2004. Psychological based social engineering. SANS Institute. Available from: http://www.giac.org/certified_professionals/practicals/gsec/3547.php [Accessed 19 November 2008].
Long, J., Wiles, J., and Mitnick, K.D., 2008. No tech hacking: a guide to social engineering, dumpster diving, and shoulder surfing. Burlington, MA: Syngress.
Manske, K., 2000. An introduction to social engineering. Information Security Journal: A Global Perspective, 9 (5), 1–7.
Mitnick, K.D., Simon, D., and Wozniak, S., 2003. The art of deception: controlling the human element of security. Indianapolis, IN: John Wiley & Sons.
Nyamsuren, E. and Choi, H., 2007. Preventing social engineering in ubiquitous environment. In: Proceedings of Future Generation Communication and Networking, Workshop papers, Volume 2, 6–8 December 2007, Jeju Island, Korea. Los Alamitos, CA: IEEE Computer Society, 573–577.
Orgill, G.L., et al., 2004. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. In: Proceedings of the 5th conference on information technology education, 28–30 October 2004, Salt Lake City, UT, USA. New York: ACM, 177–181.
Perloff, R.M., 2003. The dynamics of persuasion: communication and attitudes in the 21st century. New York: Lawrence Erlbaum.
Power, R. and Forte, D., 2006. Social engineering: attacks have evolved, but countermeasures have not. Computer Fraud & Security, 2006 (10), 17–20.
Robinson, J., 2001. Internal threat – risks and countermeasures. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/threats/475.php [Accessed 19 November 2008].
Robinson, S.W., 2003. Corporate Espionage 101. SANS Institute. Available from: http://www1.stpt.usf.edu/gkearns/Articles_Fraud/corporate%20espionage.pdf [Accessed 19 November 2008].
Schifreen, R., 2006. Defeating the hacker: a non-technical guide to computer security. Hoboken, NJ: John Wiley & Sons.
Schiller, C., et al., 2007. InfoSecurity 2008 threat analysis. Burlington, MA: Syngress.
Schneier, B., 2004. Secrets and lies: digital security in a networked world. New York: John Wiley & Sons.
Serres, M., 2011. Malfeasance: appropriation through pollution? Stanford, CA: Stanford University Press.
Stanton, J. and Stam, K., 2006. The visible employee: using workplace monitoring and surveillance to protect information assets. Medford, NJ: Information Today.
Trček, D., et al., 2007. Information systems security and human behaviour. Behaviour & Information Technology, 26 (2), 113–118.
Thomas, D., 2003. Hacker culture. Minneapolis, MN: University of Minnesota Press.
Thornburgh, T., 2004. Social engineering: the "Dark Art". In: Proceedings of the 1st annual conference on Information security curriculum development, 17–18 September 2004, Kennesaw GA. New York: ACM, 133–135.
Twitchell, D.P., 2006. Social engineering in information assurance curricula. In: Proceedings of the 3rd annual conference on information security curriculum development, 22–23 September 2006, Kennesaw GA. New York: ACM, 191–193.
Vuorinen, J. and Tetri, P., 2012. The order machine – the ontology of information security. Journal of the Association for Information Systems, 13 (9), 695–713.
Winkler, I., 1996. Case study of industrial espionage through social engineering. In: Proceedings of 19th national information systems security conference. Available from: http://www-08.nist.gov/nissc/1996/papers/NISSC96/paper040/WINKLER.PDF [Accessed 24 November 2008].
Winkler, I., 1997. Corporate espionage: what it is, why it's happening in your company, what you must do about it. Rocklin, CA: Prima Publishing.
Winkler, I., 2005. Spies among us. How to stop spies, terrorists, hackers, and criminals you don't even know you encounter every day. Indianapolis, IN: Wiley.
Workman, M., 2007. Gaining access with social engineering: an empirical study of the threat. Information Security Journal: A Global Perspective, 16 (6), 315–331.
Workman, M., 2008. Wisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59 (4), 662–674.
Appendix. Brief explanations of techniques

Technique | Explanation | Authors
Appealing to emotions | Acting in such a way that emotion (such as greed, sympathy, empathy, or helpfulness) is somehow 'summoned' to the surface within the dupe. Pretending to be in serious trouble may evoke empathy in the dupe | Bishop (2002) and Hasle et al. (2005)
Being likeable | People generally respond positively to other people who are likeable | Barber (2001) and Workman (2007)
Dumpster diving or trashing | Obtaining information (e.g. documents) from rubbish bins | Allen (2006) and Dubin (2002)
Eavesdropping | Secretly listening to a conversation. For example, an intruder might listen to employees' conversations taking place in the break room or even outside the company premises | Gragg (2003) and Gulati (2003)
Establishing rapport | Adopting the style of communication of the dupe in order to have more influence over him or her | Barrett (2003) and Denning (1999)
Flirting | Appealing to emotions | Schifreen (2006)
Guessing a password | Self-explanatory | Schiller et al. (2007) and Barrett (2003)
Impersonation (and pretexting) | Self-explanatory | Arthurs (2001) and Robinson (2001)
Lying | Self-explanatory | Hancock (1998) and Hoeschele and Rogers (2005)
Manipulation or deception | Gaining the dupe's compliance using social influence, concealing the intruder's true intention | Dhillon (2007) and Gonzalez et al. (2006)
Name-dropping | Mentioning names that are familiar to the dupe in order to gain credibility. Name-dropping can also be used to gain authority by mentioning people in power | Dolan (2004) and Jones (2004)
NLP | Using language, tone of voice, and particular words to gain the dupe's compliance. NLP is based on the argument that the human mind is very receptive to suggestions if they are presented in a certain way | Schifreen (2006)
Phishing | Typically carried out in an email designed to look legitimate, with the aim of obtaining sensitive information such as credit card details or passwords | Manske (2000) and Power and Forte (2006)
Piggybacking or tailgating | Following someone or a group through the door while it is open, fitting in with the crowd | Lively (2004) and Long et al. (2008)
Reciprocation | In the context of this article, this refers to a situation in which an intruder gives something to the dupe (for example, a gift, a rumour, or information) in order to get something (usually information) in return | Schifreen (2006) and Orgill et al. (2004)
Shoulder surfing | Gaining information by making secret, direct observations. For example, an intruder might watch an employee's keystrokes as she or he accesses her or his computer | Thornburgh (2004) and Winkler (1996, 1997, 2005)
Social validation | Inducing a feeling of belonging (to a group). In SE, an intruder might impersonate a co-worker, offering social validation | Mitnick et al. (2003) and Schiller et al. (2007)
Stealing | Self-explanatory | Arthurs (2001) and Lively (2004)
Subversion, extortion, or threats | Pressuring the dupe with threats of violence or similar consequences in order to gain compliance | Stanton and Stam (2006) and Schifreen (2006)
Using authority | Establishing and using authority to gain compliance | Greening (1996) and Thomas (2003)
Using fake ID | Using a stolen identification card or making one for the purposes of impersonation | Dubin (2002) and Robinson (2003)
Using jargon or lingo | Using company-related terminology that only other co-workers use to gain credibility | Lafrance (2004) and Twitchell (2006)
Using loggers | Using a logger, a programme or device which records the user's keystrokes | Robinson (2003) and Schiller et al. (2007)
Using open source information | Using information that is publicly available | Nyamsuren and Choi (2007) and Schneier (2004)