Abstract
In the information security chain, humans have become the weakest point, and social engineers take advantage of that fact by psychologically manipulating people into disclosing sensitive information or executing malicious acts. Social engineering attacks can be severe and hard to detect. Therefore, to prevent such attacks, organizations and their employees should be aware of the defense mechanisms that can mitigate the risk of these attacks. To that end, the authors (1) developed a taxonomy of social engineering defense mechanisms and (2) designed and distributed a survey to measure employees’ level of awareness of these mechanisms. To develop the taxonomy, the authors reviewed the related literature and extracted the main defense mechanisms. To measure employees’ level of awareness of social engineering defense mechanisms, the authors designed and distributed a survey in which 791 employees participated. Finally, after collecting and analyzing the data, the authors found that more than half of the surveyed employees are not aware of social engineering attacks and their defense mechanisms. Such a worrisome result shows that employees and organizations are extremely vulnerable to such attacks, and serious steps need to be taken to raise employees’ awareness of these emerging security threats.
© 2020 Springer Nature Switzerland AG
Cite this paper
Alharthi, D.N., Regan, A.C. (2020). Social Engineering Defense Mechanisms: A Taxonomy and a Survey of Employees’ Awareness Level. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Intelligent Computing. SAI 2020. Advances in Intelligent Systems and Computing, vol 1228. Springer, Cham. https://doi.org/10.1007/978-3-030-52249-0_35
DOI: https://doi.org/10.1007/978-3-030-52249-0_35
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52248-3
Online ISBN: 978-3-030-52249-0
eBook Packages: Intelligent Technologies and Robotics (R0)