Research of the aviation personnel vulnerability profile to social engineering attacks
https://doi.org/10.26467/2079-0619-2020-23-2-20-32
Abstract
As the informational component of aviation activity grows, ensuring aviation cybersecurity becomes an extremely urgent task. A regulatory framework governing activities in this area is currently being developed, both by the International Civil Aviation Organization and at the level of the Russian Federation. Among aviation cybersecurity threats, which include deliberate attacks, errors of third-party companies, system errors and natural phenomena, the human factor occupies an important place. This work considers the human factor from the point of view of the vulnerability of aviation personnel to social engineering attacks. In this type of attack, the attacker uses a set of applied psychological and analytical techniques that facilitate obtaining confidential information or lead legitimate company employees to violate information security rules. The existing approach to building a profile of user vulnerabilities to social engineering attacks involves a series of psychological tests, the results of which are used to predict a user's vulnerability from their psychological characteristics. This work poses a slightly different task: the main idea is to reconstruct the vulnerability profile of aviation personnel from data on their activity in a social network. The motivation is that studying a user's social network profile makes it possible to determine more quickly which employee is most vulnerable to a particular type of social engineering attack and to introduce preventive measures. The research was conducted at JSC «Surgut International Airport». 36 aviation security inspectors were selected as respondents. The empirical data obtained include social network user profiles and a number of psychological tests.
Factor analysis was used to reduce dimensionality and to select the most informative indicators characterizing the activity of a social network user. A discriminant model has been developed that predicts the vulnerability profile of personnel from social network data. Possible types of social engineering attacks on aviation personnel are presented.
About the Authors
A. K. Volkov
Russian Federation
Andrei K. Volkov - Assistant Professor
A. K. Volkov
Russian Federation
Andrei K. Volkov - Assistant Professor
L. I. Frolova
Russian Federation
Lidia I. Frolova - Post-graduate student, Flight Operation and Flight Safety Chair, Deputy Head of the Distant Learning Technology Department
For citations:
Volkov A.K., Volkov A.K., Frolova L.I. Research of the aviation personnel vulnerability profile to social engineering attacks. Civil Aviation High Technologies. 2020;23(2):20-32. (In Russ.) https://doi.org/10.26467/2079-0619-2020-23-2-20-32