Using machine learning algorithms to predict individuals’ tendency to be victim of social engineering attacks

Abstract

In information security context, social engineering is defined as malicious activities caused by cybercriminals by means of human interactions. It is mainly a psychological manipulation technique which gets benefit of human error to reach private information. This study used machine learning algorithms to predict individuals’ susceptibility to be tricked by social engineering attacks. Simulated scenarios were presented to study participants, and they were asked to identify whether each scenario was a social engineering attack or not. Different kinds of attacks related to various industries were integrated to social engineering simulations. For each participant, different types of social engineering scores were calculated according to their responses. Besides simulations, questionnaires related to demographics, technology usage, and personality traits were filled out by the participants. All of these collected data were used in building predictive classification and regression machine learning models. Through regression and classification models, it was aimed to proactively predict individuals’ social engineering risk levels and classify them into different risk groups in terms of different attack types. This research revealed that it is possible to predetermine the social engineering risk levels of individuals. This important finding means that possible attacks can be prevented by raising awareness before the attack occurs. Within the scope of this study, a social engineering risk detection mobile application has also been developed to give practitioners and policy makers an idea of what kind of systems can be developed in order to determine the risk levels of individuals and then to educate them about various attacks. The ones who need to take action against social engineering attacks will get benefit from findings of this research.