Social engineering has been increasingly used during the past few years. Social engineering attacks have resulted in great financial losses. Research on social engineering models and frameworks is still in its elementary stage. An appropriate social engineering framework can interpret all the attack components and their relationships clearly, which will contribute to the defense of social engineering attacks. In this tutorial paper, existing social engineering models and frameworks are

more »

... d and a new social engineering framework is proposed involving the concept of the session and dialogue. An entire social engineering attack is defined as a social engineering session (SES). A social engineering dialogue (SED) refers to a specific attack phase, which is included in a SES. A SES contains several well-organized SEDs. Then, the attack graph is used to formalize the proposed social engineering framework. The SED is treated as an atomic attack during the whole SES. The human weaknesses that an attacker can exploit are described as vulnerabilities, the information, and trust that an attacker owns as permissions. Finally, three real-world social engineering cases are analyzed using the proposed framework and attack graph. The analyses illustrate the usability of the proposed framework and provide a better understanding of various social engineering attacks. INDEX TERMS Social engineering, social engineering session (SES), social engineering dialogue (SED), attack graph, information security.