ABSTRACT
In the world of information technology (IT), four years is akin to an eternity. To say that there have been changes in the last four years would be an understatement. Looking back at the previous chapter a colleague and I wrote on the topic of social engineering (SE) back in 2002, there have been few changes in some regards and many changes in others, not all for the good. In 2006, SE is still a topic for discussion, and efforts continue to come to terms with the risks that it poses. No satisfying answer has been reached on how to mitigate the risk, no meaningful or valid statistics related specifically to SE exist, and most organizations have opted for the ostrich approach, burying their heads in the sand and hoping it will all go away. Sadly, this is the same landscape that existed in 2002 and prompted the original chapter on this topic. One thing that has changed, however, is the fact that attacks using SE have skyrocketed (e.g., identity theft, phishing). This chapter is a call to arms, of sorts. If proactive steps in dealing with SE are not taken (and not just throwing more technology at the problem), its impact will become even greater than it is today.