A Mamdani Type Fuzzy Inference System to Calculate Employee Susceptibility to Phishing Attacks

Abstract

It is a well known fact that the weakest link in a cyber secure system is the people who configure, manage or use it. Security breaches are persistently being attributed to human error. Social engineered based attacks are becoming more sophisticated to such an extent where they are becoming increasingly more difficult to detect. Companies implement strong security policies as well as provide specific training for employees to minimise phishing attacks, however these practices rely on the individual adhering to them. This paper explores fuzzy logic and in particular a Mamdani type fuzzy inference system to determine an employees susceptibility to phishing attacks. To negate and identify the susceptibility levels of employees to social engineering attacks a Fuzzy Inference System FIS was created through the use of fuzzy logic. The utilisation of fuzzy logic is a novel way in determining susceptibility due to its ability to resemble human reasoning in order to solve complex inputs, or its Interpretability and simplicity to be able to compute with words. This proposed fuzzy inference system is based on a number of criteria which focuses on attributes relating to the individual employee as well as a companies practices and procedures and through this an extensive rule base was designed. The proposed scoring mechanism is a first attempt towards a holistic solution. To accurately predict an employees susceptibility to phishing attacks will in any future system require a more robust and relatable set of human characteristics in relation to the employee and the employer.