Improving Awareness of Social Engineering Attacks

  • Aaron Smith
  • Maria Papadaki
  • Steven M. Furnell
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 406)


Social engineering is a method of attack involving the exploitation of human weakness, gullibility and ignorance. Although related techniques have existed for some time, current awareness of social engineering and its many guises is relatively low and efforts are therefore required to improve the protection of the user community. This paper begins by examining the problems posed by social engineering, and outlining some of the previous efforts that have been made to address the threat. This leads toward the discussion of a new awareness-raising website that has been specifically designed to aid users in understanding and avoiding the risks. Findings from an experimental trial involving 46 participants are used to illustrate that the system served to increase users’ understanding of threat concepts, as well as providing an engaging environment in which they would be likely to persevere with their learning.


Social Engineering, Awareness Raising, Learning Sciences



Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Aaron Smith (1)
  • Maria Papadaki (1)
  • Steven M. Furnell (1)
  1. Centre for Security, Communications and Network Research, Plymouth University, Plymouth, United Kingdom
