Eliciting Expert Panel Perspective on Personal Information Exposure to Social Engineering
Research continues to warn of an increase of publicly available personal information, often attributed via social media, Website customization, online surveys, self-tracking via fitness and smartphones, as well as a plethora of other venues. Data breaches provide an additional source of personal information via public disclosure, Website distribution, and underground hacker markets. Publicly available personal information often facilitates the success of social engineering attacks on organizations, but little is known as to its availability, composition, or the level of exposure it represents.
Until now, the existence of a measure of exposure to social engineering due to publicly available personal information is relatively unexplored. To address exposure to social engineering due to publicly available personal information feedback was elicited from an expert panel via the Delphi method as to the weights and groupings of candidate components of personal information to develop a Social Engineering eXposure Index (SEXI) benchmarking instrument. A review of privacy research in the legal, information systems, marketing, psychology, and social engineering domains produced viable candidate components of personal information. Instrument items suggested and described by experts in leading journal articles, federal legislation, and from industry standards were consolidated as well as presented to a panel of experts who were asked to identify the level of exposure of a respective item – in and of itself. The feedback of the panel of experts provided weights as well as categorized the items as personal information that does not identify an individual (PUI), has the potential to identify an individual (PII), or that which will distinguish an individual (PDI).
This talk will provide an overview of personal information composition and categorization, while presenting the novel SEXI benchmarking instrument. This talk will outline the necessity of having three levels of privacy information categorization as well as a measurement of exposure to social engineering.