Organizational Structure and Access Control Strategy

Most organizations are structured as a hierarchy composed of senior management, operational management, and staff. In terms of access control, this hierarchical structure implies that a higher-level employee should have all the access rights that a lower-level employee has, plus some additional rights. A skilled social engineer can exploit this assumption by posing as a high-level executive and then targeting a lower-level member of the support staff. Support staff members are trained to be helpful, and the target may be intimidated by someone he or she assumes is a high-level executive. These natural tendencies represent an easy opportunity for a social engineering attack. All the social engineer has to do is call the help desk, claim to be the executive or the executive's assistant, and ask the support person to create an account on a sensitive system. Assuming that an executive must be authorized for any system, the help desk employee creates the account without question, and the attacker has all the access he or she needs.

An access control model based on organizational structure is designed to prevent social engineering attacks. Rather than giving high-level employees high-level access to sensitive resources, employees are given access based on the tasks they must complete as part of their job. Access rules are based on the balance of confidentiality and necessity. In this sense, an organizational structure model is similar to the role-based access control (RBAC) model.
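The contrast between the two models, as an added illustration that is not part of the original text: under the hierarchical assumption an "executive" inherits every right of the levels below, so the help-desk scenario above succeeds, while under the task-based model the same executive holds only the rights that his or her own tasks require. The levels, jobs, tasks and resource names are constructed sample data.

```python
# Constructed sample data (not from the original text), lowest level first.
LEVELS = ["staff", "operational_manager", "executive"]

# Rights granted directly at each level. Under the hierarchical assumption a
# level also inherits every right of the levels below it.
LEVEL_RIGHTS = {
    "staff": {"timesheets", "payroll_db"},  # payroll clerks are staff
    "operational_manager": {"team_reports"},
    "executive": {"board_minutes"},
}

# Task-based (organizational structure / RBAC-like) model: rights are attached
# to job tasks, and a person holds only the tasks that belong to their job.
TASK_RIGHTS = {
    "file_timesheet": {"timesheets"},
    "reconcile_payroll": {"payroll_db"},
    "review_team": {"team_reports"},
    "approve_strategy": {"board_minutes"},
}
JOB_TASKS = {
    "payroll_clerk": {"file_timesheet", "reconcile_payroll"},
    "operational_manager": {"file_timesheet", "review_team"},
    "executive": {"file_timesheet", "approve_strategy"},
}


def hierarchical_allowed(level: str, resource: str) -> bool:
    """Hierarchical model: own rights plus all rights of every lower level."""
    rank = LEVELS.index(level)
    return any(resource in LEVEL_RIGHTS[lvl] for lvl in LEVELS[: rank + 1])


def task_based_allowed(job: str, resource: str) -> bool:
    """Task-based model: allowed only if some task of the job needs the resource."""
    return any(resource in TASK_RIGHTS[task] for task in JOB_TASKS.get(job, set()))


def help_desk_decision(claimed: str, resource: str) -> dict:
    """What each model tells the help desk when a caller claiming `claimed`
    asks for an account on `resource` (job and level share a name here)."""
    return {
        "hierarchical": hierarchical_allowed(claimed, resource),
        "task_based": task_based_allowed(claimed, resource),
    }


if __name__ == "__main__":
    # The caller claims to be an executive and asks for the payroll database.
    print(help_desk_decision("executive", "payroll_db"))
```

The hierarchical model answers "yes" because staff rights flow upward, whereas the task-based model answers "no" because approving strategy never requires the payroll database.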

The organizational structure model also accounts for the two-way flow of information in an organization. Managers communicate information downward to their departments and teams, and employees communicate information upward to their managers. Unfortunately, if not all members of an organization are well trained in information security, this two-way communication can result in unintentional disclosure of confidential information. For example, a manager who is not thinking about information flow might mention to employee A that employee B is highly favored to receive a promotion because of B's excellent productivity. In the other direction, employee C, who knows that employee D is planning to leave the organization, might mention during a project planning meeting that they will need to make sure D's replacement is up to speed before the project launch, inadvertently informing the entire team and the manager that employee D is planning to resign.
