Human beings are the weakest link in cybersecurity, and are, in fact, more vulnerable than computers. In recent years, countless major security incidents have succeeded because of human error and the lack of appropriate security training and awareness. Although a wide range of cybersecurity products exists in the market to protect computers and networks, few, and mostly immature, products exist for developing and training users' cybersecurity awareness. At present, organizations still rely on hands-on workshops, online courses, and traditional training methods for cybersecurity awareness, which are neither effective nor scalable. To address this gap, we have developed and patented a new multilayer technology for cybersecurity awareness training that helps organizations understand and mitigate the security risks associated with social engineering threats.
Our technology combines principles from artificial intelligence, gamification theory and cybersecurity strategy to enable organizations to implement a social engineering firewall. The system estimates the potential social engineering threats to a given organization by measuring the digital footprint of the organization's assets on public sources, including the Internet, social networks and media, among others. Based on these estimated threats, our technology uses deep reinforcement learning (RL) algorithms to construct and execute an interactive anti-social engineering training program that combines passive and active training. It then creates and recommends a social engineering firewall security strategy that is applied within the organization's network to reduce and mitigate the risk of potential social engineering threats. The main goal of this project is to develop a scalable prototype that serves as a proof of concept that the reinforcement learning approach can craft and execute user-specific social engineering attacks. The RL prototype aims to interact with users by performing social engineering attacks via different types of media, including social, professional and research networks and/or email.