Social Engineering – the psychological manipulation of people into performing undesired actions or disclosing confidential information – has existed almost as long as mankind itself. Technical means to automate such attacks in the form of (spear) phishing, vishing, and deep fakes have made this form of user-centered attack an omnipresent threat to any user of digital technology. It is estimated that today the highly professional cybercrime industry, which established itself over the past years, exploits human behavior in 70-90% of all successful attacks. And attackers are not at rest: they use a wide range of media (starting with email, to social media and video conferencing) and quickly exploit novel technologies (such as, recently, ChatGPT) to constantly come up with novel attack vectors.

At the same time, the defender side remains largely helpless. Novel approaches to attacks emerge faster than means to mitigate them can be developed; and educating users only partially addresses the issue as learning effects tend to wear off quickly. Yet, there is hope. Today we have a strong understanding of the techniques commonly employed by social engineers, of factors that contribute to susceptibility, and of cognitive vulnerabilities that are elicited and exploited by social engineers. For example, stress, high cognitive load, fatigue, misdirected attention, the circadian rhythm as well as context contribute to social engineering susceptibility. At the same time, ubiquitous technologies in the form of personal devices and wearables, such as smartphones, smartwatches, and smart glasses, allow such information to be assessed in real-time. Yet, we hardly see any approaches leveraging this knowledge so as to build strong means to protect against social engineering.

In this Dagstuhl Seminar, we seek to bring together researchers and practitioners with a broad variety of relevant backgrounds to create a research agenda for building user-centered techniques and technologies to mitigate social engineering attacks targeting cognitive vulnerabilities, including but not limited to approaches raising threat awareness, increasing security literacy, and protecting in real-time. Social psychologists will contribute their knowledge of human behavior. Human hackers will share how this behavior is being manipulated and exploited. Experts in ubiquitous computing will help identify technologies that can provide data characterizing social engineering situations. Data scientists and experts in affective computing will contribute knowledge on what to learn from this data. And experts in human-computer interaction and usable security will help clarify how novel user interfaces can be built to ultimately protect users.

Over three days, an esteemed selection of participants will engage with the problem of social engineering from a technical, psychological, and educational perspective. By looking at systems, users, and applications from an interdisciplinary perspective, we aim to produce a research agenda and blueprints for tools and systems that increase users’ perception and understanding of threats, foster security literacy, and support the habituation of secure behavior.

Creative Commons BY 4.0

Yomna Abdelrahman, Florian Alt, Tilman Dingler, Christopher Hadnagy, and Abbie Maroño