Published on December 10th, 2014

An innovative and comprehensive Framework for Social Vulnerability Assessment

At DeepSec 2014, Enrico Frumento (CEFRIEL, Center of Excellence for Innovation, Research and Education in the field of ICT) gave a presentation on a framework for social vulnerability assessment. He explains the motivation for and the content of his talk:

„As anyone probably knows, nowadays spear-phishing is probably the most effective threat, and it is often used as the first step of most attacks. Even the recent JP Morgan Chase data breach seems to have originated from a single employee (just one was enough!) who was targeted by a contextualized mail. In this new scenario it is hence of paramount importance to consider the human factor in companies' risk analysis. However, is any company potentially vulnerable to these kinds of attacks? How is it possible to evaluate this risk through a specific vulnerability assessment?
These are the questions that we will try to address. Since 2010, when we presented our study about a Cognitive Approach for Social Engineering at the DeepSec conference (https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf), we have been working on extending traditional security assessment, going beyond the technology and including the "Social" context. In these years we have had the opportunity to work on this topic with several big European enterprises, which allowed us to face the difficulties related to the impact of this kind of activity on the relationship between employees and employer, from both the ethical and the legal points of view.
This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA), ensuring ethical respect for employees and legal compliance with European work regulations and standards. The legal constraints, which shape the limits of what these assessments can investigate, are quite cumbersome to understand, but we have developed good experience, especially in the Italian legal framework, which allows the execution of these studies. We now regularly perform Social Vulnerability Assessments in enterprises as an integrated service. Using our methodology during these years, we have performed about 15 Social Vulnerability Assessments in big enterprises with thousands of employees (a gross number of 10,000 people): this gave us a relevant first-hand view of the real vulnerability of enterprises against modern non-conventional security threats.
In this talk we will share our experience, describing how we do Social Vulnerability Assessment, and will present an overview of the results collected so far. These results may actually help to understand the risk level related to spear-phishing attacks inside companies, and some conclusions may be unexpected.“
