Social　engineering　attacks　have　drawn　more　and　more　attention　from　both　academia　and　industry,　due　to　the　serious　threats　they　pose　to　information　security　via　exploitation　of　human　vulnerabilities.　Unlike　technology-based　attacks,　which　have　been　investigated　for　decades,　there　is　no　efficient　security　requirements　analysis　approach　for　dealing　with　social　engineering　attacks.　One　major　obstacle　to　this　problem　is　the　uncertainty　of　human　behavior,　making　it　difficult　to　effectively　assess　social　engineering　attacks.　In　this　paper,　we　investigate　the　nature　of　social　engineering　attacks　and　identify　their　essential　factors.　Based　on　such　findings,　we　formulate　the　problem　of　social　engineering　attack　assessment,　which　can　be　quantitatively　calculated　using　probabilistic　model　checking.　Finally,　we　present　a　research　agenda　that　details　critical　research　directions　and　discusses　corresponding　challenges.