Journal ArticleDOI

Does Awareness of Social Engineering Make Employees More Secure

17 Feb 2020-International Journal of Computer Applications (Foundation of Computer Science (FCS), NY, USA)-Vol. 177, Iss: 38, pp 45-49
TL;DR: The results suggest that awareness of social engineering is a positive predictor of security-protective practices above and beyond the predictability power of possessing information security knowledge.
Abstract: Social engineering has become one of the biggest security threats facing organizations. Rather than relying upon information security technical-related shortcomings to break into computer networks, social engineers make use of employees’ individual and organizational traits to deceive them. In such a scenario, it is crucial for organizations to ensure that their employees not only possess sound knowledge about information security but also about the concept of social engineering and threats emerging from social engineering attacks. This study aims to test whether awareness of social engineering can predict and explain individuals’ security-protective practices. We conducted a survey of 265 employees working in different organizations in Saudi Arabia. The results suggest that awareness of social engineering is a positive predictor of security-protective practices above and beyond the predictability power of possessing information security knowledge. Thus, to reduce the probability of potential consequences of social engineering attacks, our study suggests that organizations should not only strive to enhance employees’ security knowledge but should also invest in increasing employees’ awareness of social engineering.


Citations
Journal ArticleDOI
TL;DR: This paper explores how discursive framings of individual versus collective security by cybersecurity experts redefine roles and responsibilities at the digitalized workplace and suggests a redistribution of institutional responsibility to the individual user through three distinct social engineering story lines.
Abstract: Today, social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems. Cybersecurity experts use the term “social engineerin...

19 citations


Cites background from "Does Awareness of Social Engineerin..."

  • ...Employees are the most common target of social engineering attacks, as they have access to critical organizational systems (Aldawood, Alashoor, and Skinner 2020)....

    [...]

Journal ArticleDOI
TL;DR: The results of this qualitative study highlight that there is a positive relationship between social engineering and user awareness and is, therefore, one of the most effective mechanisms for managing social engineering.
Abstract: Social engineering is one of the biggest threats organizations face today, as more and more organizations are adopting digitalization. In the context of cyber security, social engineering is the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal. For better implementation methods against social engineering, this qualitative study will attempt to provide measures against information security challenges faced by organizations. The analysis is then provided by the answers of interviewed experts in the field of cyber security and social engineering. The research herein focuses on the human element of cyber security threats, recognizing that hackers exploit the vulnerabilities and lack of awareness of staff. Then using these issues to create security loopholes and engineer cyber-attacks that include the interruption or infection of information systems, transfer of unauthorized funds, and stealing of credentials. The results of this qualitative study highlight that there is a positive relationship between social engineering and user awareness. The findings build upon the researchers' ongoing work, which postulates that as an increase in contextual social engineering knowledge leads to a decrease in being victims of social engineering and is, therefore, one of the most effective mechanisms for managing social engineering.

14 citations


Cites background from "Does Awareness of Social Engineerin..."

  • ...Network-based attacks also include unauthorized access to organizational resources [4], [5]....

    [...]

  • ...Additionally, it has been confirmed in literature that various techniques of social engineering cause issues of cyber security threats in diverse environments [5]....

    [...]

Journal ArticleDOI
TL;DR: In this paper, the authors provide a measurement of social engineering awareness in the Saudi educational sector, which is one of the most inventive methods of gaining unauthorized access to information systems and obtaining sensitive information.
Abstract: Social engineering is one of the most inventive methods of gaining unauthorized access to information systems and obtaining sensitive information. This type of cybersecurity threat requires minimal technical knowledge because it relies on the organization’s human element. Social engineers use various techniques, such as phishing, to manipulate users into either granting them access to various systems or disclosing their private data and information. Social engineering attacks can cost organizations more than 100,000 USD per instance. Therefore, it is necessary for organizations to increase their users’ awareness of social engineering attacks to mitigate the problem. The aim of this study is to provide a measurement of social engineering awareness in the Saudi educational sector. To achieve the aim of this study, a questionnaire was developed and evaluated. A total of 465 respondents completed the survey and answered questions related to measuring their knowledge of social engineering. The results show that 34% of participants (158 participants) had previous knowledge of social engineering approaches. The results also indicate that there are significant differences between participants with prior knowledge of social engineering and those with no such knowledge in terms of their security practices and skills. The implication of this study is that training is an essential factor in increasing the awareness of social engineering attacks in the Saudi educational sector.

4 citations

Journal IssueDOI
15 Dec 2020
TL;DR: Cyber attacks are becoming more complex and increasingly sophisticated, as mentioned in this paper; the aim is to bypass information protection systems and to steal and take over confidential information.
Abstract: Cyber attacks are becoming more complex and increasingly sophisticated. A growing number of cyber incidents are based on manipulating people and their weaknesses, with the aim of bypassing information protection systems and stealing and taking over confidential information. An increase in the number of cyber incidents based on social engineering methods is being observed. Such statistics force organizations to react to the changes and adapt to the prevailing institutional field, and to improve existing legal regulation. The aim of the article is, having analysed the content of the concept of social engineering, the preconditions for the emergence of this type of cyber attack, and the regulation of cyber incident management in national law, to present conclusions and recommendations for improving cybersecurity regulation in the context of institutional isomorphism. The analysis revealed that at present in Lithuania the institutional isomorphism of social engineering is directed only at the technical factors that ensure cybersecurity, while insufficient attention is paid to the human factor. To overcome the challenges posed by social engineering, the need for employee education on cybersecurity topics grows. As cyber incidents of the social engineering type increase, it is also important to follow good practice, which, together with national legal acts, would be embedded in organizations' cybersecurity policy, providing for a clear cyber incident management procedure.

2 citations

References
Proceedings ArticleDOI
10 Apr 2010
TL;DR: The results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishers than other age groups.
Abstract: In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.

583 citations


"Does Awareness of Social Engineerin..." refers background in this paper

  • ...[17] who concluded in their study that education level is not related to social engineering susceptibility....

    [...]

Journal ArticleDOI
TL;DR: This paper provides an in-depth survey about the social engineering attacks, their classifications, detection strategies, and prevention procedures.
Abstract: The advancements in digital communication technology have made communication between humans more accessible and instant. However, personal and sensitive information may be available online through social networks and online services that lack the security measures to protect this information. Communication systems are vulnerable and can easily be penetrated by malicious users through social engineering attacks. These attacks aim at tricking individuals or enterprises into accomplishing actions that benefit attackers or providing them with sensitive data such as social security number, health records, and passwords. Social engineering is one of the biggest challenges facing network security because it exploits the natural human tendency to trust. This paper provides an in-depth survey about the social engineering attacks, their classifications, detection strategies, and prevention procedures.

200 citations


"Does Awareness of Social Engineerin..." refers background in this paper

  • ...In all attack vectors, attackers use social engineering in order to manipulate people, infect information systems, steal credentials and transfer data [2]....

    [...]

Journal ArticleDOI
01 Jul 2017-Heliyon
TL;DR: The measure of impulsivity revealed that both attentional and motor impulsivity were significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor.

141 citations


"Does Awareness of Social Engineerin..." refers background in this paper

  • ...48 threats, which supports previous findings [18, 19]....

    [...]

  • ...[19] Hadlington, L. Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours....

    [...]

  • ...In another study, Hadlington [19] found that individuals who have high Internet experience are much more susceptible to social engineering attacks as compared to those who are not....

    [...]

Journal ArticleDOI
TL;DR: Gender and the years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and, the psychological anchoring effect can be observed in phishing as well.
Abstract: Over the last decade, substantial progress has been made in understanding and mitigating phishing attacks. Nonetheless, the percentage of successful attacks is still on the rise. In this article, we critically investigate why that is the case, and seek to contribute to the field by highlighting key factors that influence individuals' susceptibility to phishing attacks. For our investigation, we conducted a web-based study with 382 participants which focused specifically on identifying factors that help or hinder Internet users in distinguishing phishing pages from legitimate pages. We considered relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack, as well as time-related factors. Moreover, participants' cursor movement data was gathered and used to provide additional insight. In summary, our results suggest that: gender and the years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and, the psychological anchoring effect can be observed in phishing as well. Given that only 25 % of our participants attained a detection score of over 75 %, we conclude that many people are still at a high risk of falling victim to phishing attacks but, that a careful combination of automated tools, training and more effective awareness campaigns, could significantly help towards preventing such attacks.

74 citations


"Does Awareness of Social Engineerin..." refers background in this paper

  • ...[18] assert that excessive Internet usage causes users to be overly confident, leading to risky security behaviors....

    [...]

  • ...48 threats, which supports previous findings [18, 19]....

    [...]

Proceedings ArticleDOI
01 Dec 2018
TL;DR: How innovative information security education programs can effectively increase user/employee awareness and ultimately reduce cyber security incidents is detailed.
Abstract: Social engineering, due in part to the increasing popularity and advancements in information technology and ubiquity of devices, has emerged as one of the most challenging cyber security threats in the contemporary age. In the context of cyber security, social engineering is the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal. This literature review identifies various social engineering cyber security threats in diverse environments. Exploiting humans as the weakest security link in such environments, as opposed to technical vulnerabilities and system protocols, has led to increased calls for raising information security awareness among users. One of the most straightforward solutions is through effective training and education programs. As such, the paper details how innovative information security education programs can effectively increase user/employee awareness and ultimately reduce cyber security incidents.

73 citations


"Does Awareness of Social Engineerin..." refers background in this paper

  • ...Given the fact that social engineering threats are dynamic and constantly evolving, developing a mitigation strategy becomes a top priority for organizations, including training employees to counter such attacks [7, 10]....

    [...]

Trending Questions (3)
How does social engineering influence employee behavior in the workplace?

The provided paper does not directly address how social engineering influences employee behavior in the workplace.

How can employees' lack of awareness be challenging for the organization?

Lack of awareness of social engineering among employees can lead to adoption of unsecured practices, putting the organization at risk.

What groups of people are most and least aware of social engineering?

The paper does not provide specific information about which groups of people are most and least aware of social engineering.