ABSTRACT

End users present a key challenge for the protection of contemporary information security systems. The manipulation of people through deceit to gain access to sensitive information and otherwise secure systems is known to hackers, information security practitioners, and other technologists as “social engineering.” To date, little research has investigated the attributes that people who engage in such deception – so-called “social engineers” – associate with vulnerable targets. To address this gap, this study engages in a grounded theory-based analysis of interviews with nonprofessional and professional social engineers. The results describe six attributes of a “model victim” for social engineers, a hypothetical person considered particularly susceptible to social engineering deceptions: (1) prized, (2) uninformed, (3) unconcerned, (4) outgoing, (5) connected, and (6) controlled. Additionally, this study describes the heuristic categories that participants reported using to make decisions about target vulnerability, which include target socio-demographic characteristics, social roles, and organizational positions. Implications for theory, future research, and policy are considered.