Strengthening Human Resilience: The Role of Education in Preventing Social Engineering Attacks

AbdulBasir Momand
Osama Zain

With the rapid growth of information technology and the widespread use of digital devices, social engineering has become one of the most pressing challenges in today’s cybersecurity landscape. In simple terms, social engineering involves manipulating people by exploiting human psychology to carry out harmful activities. This review explores different types of social engineering threats across various environments, emphasizing how people, rather than systems or technologies, are often the weakest link in security. As a result, there is a growing need to boost awareness among users. One of the most effective ways to tackle this issue is through targeted training and educational programs. This paper discusses how creative and well-structured information security education can significantly improve user awareness and help reduce the number of cyber incidents.

Strengthening Human Resilience: The Role of Education in Preventing Social Engineering Attacks. (2025). International Journal of Latest Technology in Engineering Management & Applied Science, 14(11), 520-529. https://doi.org/10.51583/IJLTEMAS.2025.1411000046
