With cyberattacks on the rise, social engineering in particular, the human factor remains one of the key elements of an organization's cybersecurity. The ability to withstand such attacks depends largely on the level of user training and awareness (resilience) that training builds. The relevance of the study follows from the growing role of the human factor and the spread of social engineering attacks, as reflected both in international standards and recommendations and in statistical data. Despite a significant body of research, existing approaches (models) generally do not treat the user's level of training and awareness (their resilience) explicitly as a variable that directly affects the ability to withstand social engineering attacks. The article addresses the quantitative assessment of how user training affects resistance to social engineering attacks, phishing in particular. A model is proposed for determining user resilience under the combined influence of learning and of knowledge degradation, whether through forgetting or through the emergence of new attack mechanisms, and the modeling parameters are justified on the basis of statistical and empirical data. In addition, the residual risk that the human factor poses to the system is determined. The modeling results confirm that the proposed model adequately reflects real processes of user learning and knowledge loss, in particular the saturation effect of training and the degradation of knowledge over time. The results can be used to identify priority risk groups, to optimize the frequency of training, and to account for the residual human-factor risk in models (methods) for assessing system risk.
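To make the abstract's three ingredients concrete (learning with a saturation ceiling, exponential knowledge degradation between training sessions, and residual human-factor risk), the following is an added illustrative simulation. It is not the model or the parameter values of the article; the dynamics (a fixed fraction of the remaining gap to a ceiling closed per session, exponential decay toward an untrained baseline, and residual risk as expected loss from phishing attempts that get through) and every numeric constant are assumptions chosen only to show how retraining interval trades off against residual risk.

```python
"""Toy model of user resilience to phishing under training and forgetting.

Assumed, illustrative dynamics (NOT the model of the cited article):
  - a training session raises resilience r toward a ceiling r_max by a
    fraction `gain` of the remaining gap, so repeated sessions saturate;
  - between sessions the gain above the untrained baseline r0 decays
    exponentially at rate `lam` per day (forgetting);
  - residual human-factor risk over a horizon is the expected loss from
    phishing attempts the user falls for, with P(fall) = 1 - r.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ResilienceParams:
    """Assumed parameters; none of these values come from the article."""
    r0: float = 0.30      # baseline resilience of an untrained user
    r_max: float = 0.95   # saturation ceiling: training never makes a user perfect
    gain: float = 0.50    # fraction of the gap (r_max - r) closed per session
    lam: float = 0.01     # forgetting rate per day (exponential decay toward r0)


def train(r: float, p: ResilienceParams) -> float:
    """One training session with diminishing returns as r approaches r_max."""
    return r + p.gain * (p.r_max - r)


def forget(r: float, days: float, p: ResilienceParams) -> float:
    """Knowledge degradation: the excess over the baseline decays exponentially."""
    return p.r0 + (r - p.r0) * math.exp(-p.lam * days)


def simulate(interval_days: int, horizon_days: int, p: ResilienceParams) -> list[float]:
    """Daily resilience trajectory when the user is retrained every `interval_days` days.

    The value recorded for a day is the resilience in effect that day
    (after any training session held on that day); decay is applied afterwards.
    """
    r = p.r0
    trajectory = []
    for day in range(horizon_days):
        if day % interval_days == 0:
            r = train(r, p)
        trajectory.append(r)
        r = forget(r, 1, p)
    return trajectory


def residual_risk(trajectory: list[float], attacks_per_day: float, impact: float) -> float:
    """Expected loss over the horizon: each day the user faces `attacks_per_day`
    phishing attempts and falls for each with probability 1 - r."""
    return sum(attacks_per_day * (1.0 - r) * impact for r in trajectory)


def compare_intervals(intervals, horizon_days: int, p: ResilienceParams,
                      attacks_per_day: float, impact: float) -> dict:
    """Mean resilience and residual risk for each candidate retraining interval."""
    result = {}
    for interval in intervals:
        traj = simulate(interval, horizon_days, p)
        result[interval] = {
            "mean_resilience": sum(traj) / len(traj),
            "residual_risk": residual_risk(traj, attacks_per_day, impact),
        }
    return result


if __name__ == "__main__":
    # Constructed scenario: 0.2 phishing attempts per user per day, assumed
    # loss of 10 000 per successful phish, one-year horizon.
    params = ResilienceParams()
    for interval, m in compare_intervals([30, 90, 180, 365], 365, params, 0.2, 10_000).items():
        print(f"retrain every {interval:3d} d: mean resilience {m['mean_resilience']:.3f}, "
              f"residual risk {m['residual_risk']:,.0f}")
```

Because training and forgetting are both monotone in r, a shorter retraining interval never lowers the resilience on any day, so residual risk falls monotonically with training frequency; what the simulation adds is the size of that reduction, which is what an organization weighs against the cost of more frequent sessions. The saturation effect is visible in `simulate(1, ...)`: daily training converges to a level below `r_max` because forgetting never stops.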
Poberezhets et al. studied this question.