Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wang,Raian Ali,Ziqi Wei

DOI: https://doi.org/10.1002/spy2.161

2021-01-01

Security and Privacy

Abstract:Malicious scammers and social engineers are causing great harms to modern society, as they have led to the loss of data, information, money, and many more for individuals and companies. Knowledge about social engineering (SE) is wide‐spread and it exits in non‐academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources, guided by academic principles around SE, and solicit existing SE scenarios from public awareness education materials, news stories, research literature, official advisories to public departments. We adopted grounded theory to extract the general knowledge behind SE, such as, attacking cycles, information gathering strategies, psychological principles, attack vectors, and so on. In this article, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: (a) understand the rationale of social engineers; (b) capture the knowledge of SE attacks and extract important information from the sources; (c) propose an activity for counteracting SE attacks, and how it can be used in security education.

Heidi Wilcox,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.2005.04049

2020-05-08

Cryptography and Security

Abstract:Social engineering through social media channels targeting organizational employees is emerging as one of the most challenging information security threats. Social engineering defies traditional security efforts due to the method of attack relying on human naivet\'e or error. The vast amount of information now made available to social engineers through online social networks is facilitating methods of attack which rely on some form of human error to enable infiltration into company networks. While, paramount to organisational information security objectives is the introduction of relevant comprehensive policy and guideline, perspectives and practices vary from global region to region. This paper identifies such regional variations and then presents a detailed investigation on information security outlooks and practices, surrounding social media, in Australian organisations (both public and private). Results detected disparate views and practices, suggesting further work is needed to achieve effective protection against security threats arsing due to social media adoption.

Affan Yasin,Rubia Fatima,Lin Liu,Awaid Yasin,Jianmin Wang

DOI: https://doi.org/10.1002/spy2.73

2019-01-01

Abstract:The previous year has seen an enormous increase in the studies related to social engineering. This increase is partly due to increasing number of social engineering attacks and partly due to people's inability to identify the attack. Thus, it is of great importance to find solutions which are helpful for human to understand the social engineering attacks and scenarios. To address this, we have performed a literature review of studies (on social engineering) in top-notch journals and conferences. In this paper, we have enlisted the types of attacks, and the persuasion techniques used by social engineers as listed in the literature. We also combined different theories which researchers tried to use to explain various activities of social engineers. Furthermore, we have mentioned that a better understanding of the social engineering attack scenarios can be done using thematic and game-based analysis techniques. Preliminary empirical evaluation of the proposed game based method shows overall neutral results. Future extension and evaluation is needed for the proposed methods.

Temitayo Oluwaseun Abrahams,Oluwatoyin Ajoke Farayola,Simon Kaggwa,Prisca Ugomma Uwaoma,Azeez Olanipekun Hassan,Samuel Onimisi Dawodu

DOI: https://doi.org/10.51594/csitrj.v5i1.708

2024-01-11

Computer Science & IT Research Journal

Abstract:As organizations continue to grapple with the escalating threat landscape of cyber-attacks, the imperative to fortify their cybersecurity defenses becomes increasingly paramount. This review delves into the critical realm of cybersecurity awareness and education programs, focusing on the pivotal factors of employee engagement and accountability. The effectiveness of these programs in cultivating a cyber-resilient workforce is scrutinized through an extensive examination of existing literature, empirical studies, and industry practices. The review begins by exploring the foundational elements of cybersecurity awareness programs, elucidating the significance of imparting knowledge and instilling a culture of vigilance among employees. It examines the diverse methodologies employed in these programs, ranging from interactive workshops and simulated phishing exercises to online modules and gamified learning platforms. A comparative analysis of these approaches sheds light on their respective strengths and limitations. A central theme of this review revolves around the nexus between employee engagement and cybersecurity resilience. It delves into the psychological and behavioral aspects of engagement, assessing how motivational factors and tailored learning experiences contribute to heightened cybersecurity awareness. The impact of organizational culture and leadership support on fostering a sense of responsibility among employees is also explored, emphasizing the need for a holistic approach that transcends mere compliance. Furthermore, the review investigates the role of accountability in sustaining the efficacy of cybersecurity initiatives. It examines the mechanisms employed by organizations to enforce adherence to security policies and protocols, emphasizing the role of robust monitoring systems, clear communication channels, and consequence management. Case studies and real-world examples are integrated to illustrate instances of successful accountability frameworks and their influence on overall cybersecurity posture. This review synthesizes key findings and identifies emerging trends in cybersecurity awareness and education programs, with a particular focus on optimizing employee engagement and fostering a culture of accountability. The insights gleaned from this analysis provide a roadmap for organizations seeking to fortify their defenses against evolving cyber threats by cultivating a vigilant and proactive workforce. Keywords: Cybersecurity, Education, Cyber threat, Employee engagement, Accountability.

Florence Sèdes

2024-06-17

Abstract:Major transformations related to information technologies affect InformationSystems (IS) that support the business processes of organizations and their actors. Deployment in a complex environment involving sensitive, massive and heterogeneous data generates risks with legal, social and financial impacts. This context of transition and openness makes the security of these IS central to the concerns of organizations. The digitization of all processes and the opening to IoT devices (Internet of Things) has fostered the emergence of a new formof crime, i.e. cybercrime.This generic term covers a number of malicious acts, the majority of which are now perpetrated using social engineering strategies, a phenomenon enabling a combined exploitation of ``human'' vulnerabilities and digital tools. The maliciousness of such attacks lies in the fact that they turn users into facilitators of cyber-attacks, to the point of being perceived as the ``weak link'' of <a class="link-external link-http" href="http://cybersecurity.As" rel="external noopener nofollow">this http URL</a> deployment policies prove insufficient, it is necessary to think about upstream steps: knowing how to anticipate, identifying weak signals and outliers, detect early and react quickly to computer crime are therefore priority issues requiring a prevention and cooperation <a class="link-external link-http" href="http://approach.In" rel="external noopener nofollow">this http URL</a> this overview, we propose a synthesis of literature and professional practices on this subject.

Cryptography and Security,Databases

Thilini B. G. Herath,Prashant Khanna,Monjur Ahmed

DOI: https://doi.org/10.3390/jcp2010001

2022-01-20

Journal of Cybersecurity and Privacy

Abstract:In this paper, we present secondary research on recommended cybersecurity practices for social media users from the user’s point of view. Through following a structured methodological approach of the systematic literature review presented, aspects related to cyber threats, cyber awareness, and cyber behavior in internet and social media use are considered in the study. The study presented finds that there are many cyber threats existing within the social media platform, such as loss of productivity, cyber bullying, cyber stalking, identity theft, social information overload, inconsistent personal branding, personal reputation damage, data breach, malicious software, service interruptions, hacks, and unauthorized access to social media accounts. Among other findings, the study also reveals that demographic factors, for example age, gender, and education level, may not necessarily be influential factors affecting the cyber awareness of the internet users.

Oluwaseun Oladeji Olaniyi,Christopher Uzoma Asonze,Samson Abidemi Ajayi,Samuel Oladiipo Olabanji,Chinasa Susan Adigwe

DOI: https://doi.org/10.9734/ajeba/2023/v23i231176

2023-12-08

Abstract:Organizations across various sectors are increasingly vulnerable to cybersecurity breaches in an era characterized by unprecedented technological advancements and a rapidly evolving threat landscape. Among the myriad methods employed by malicious actors, social engineering stands out as a particularly insidious and effective means of infiltrating secure systems and obtaining sensitive information. To effectively address these issues, organizations must establish and sustain a principled security process; this process goes beyond installing the latest security technologies. It encompasses the concept of "organizational security culture. This paper investigates the impact of organizational security culture and transformational leadership on bank employees' social engineering awareness, focusing on security education and behavioral change. Social engineering is the unauthorized infiltration of the end user's computer system and network through malware techniques such as tailgating, phishing, vishing, pretexting, and baiting to gain access to companies and individual confidential data; thus, this study aims to analyze the effect of organizational security culture and transformational leadership on social engineering awareness among bank employees while assessing security education's role in driving behavioral change. This research used the Likert scale model to collect primary data through survey questionnaires from 450 bank employees. The data collected was analyzed using linear regression analysis to test the study’s hypothesis. This study recommends that banking institutions should adopt a good organizational security culture and expose their staff to effective security education, as this will cause a change in employees' security behavior and more research should be conducted regarding security culture, security education, and awareness programs within banking institutions due to bank operations' ever-dynamic nature and ensuring preparedness for prevailing cyber threats.

Amy Ertan,Georgia Crossland,Claude Heath,David Denny,Rikke Jensen

DOI: https://doi.org/10.48550/arXiv.2004.11768

2020-04-24

Abstract:This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influences how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these are not exhaustive and they do not exist in isolation. In addition, the review explores the notion of security culture as an overarching theme that overlaps and frames the four behavioural sets. The aim of this review is therefore to provide a summary of the existing literature in the area of everyday cyber security within the social sciences, with a particular focus on organisational contexts. In doing so, it develops a series of suggestions for future research directions based on existing gaps in the literature. The review also includes a theoretical lens that will aid the understanding of existing studies and wider literatures. Where possible, the review makes recommendations for organisations in relation to everyday cyber security.

Computers and Society

Theodore Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2203.08302

2022-03-15

Cryptography and Security

Abstract:Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.

Ghaidaa Shaabany,Reiner Anderl

DOI: https://doi.org/10.1007/978-3-319-94782-2_20

2018-06-24

Abstract:In the light of the expanding digitization, connectivity and interconnection of machines, products, and services in Industrie 4.0, the increasing trend of digitalization and transformation to cyber-physical production systems reveal serious cybersecurity-related issues. BSI (the federal office for information security) in Germany has compiled a list of the most cybersecurity threats faced by manufacturing and process automation systems. The results show that the top threats are social engineering and phishing. From these two threats, it is clear that use of non-technical means like human weaknesses and/or unawareness is gaining a lot of prominence. The aim is to gain unauthorized access to target information and IT systems. Furthermore, the goal is to install malware in the victim’s systems, for example, by opening infected attachments. Therefore, human factor becomes a widely discussed topic by cybersecurity incidents nowadays. Facing these threats by utilizing technical measurements alone is not sufficient. Thus, it is important to provide engineers with an adequate cybersecurity awareness like, new possible threats and risks caused by extensive using of digitization. To fill this gap of knowledge at engineering faculties, this paper presents an effective course that concentrates on cybersecurity issues. The focus is to improve the ability to understand and detect these new cybersecurity threats in the industry. By designing this innovative and effective course, a new assessment model is developed. The model is based on important aspects that are required for enhancing student’s social competences and skills. In the first step, students should work together in teams on a given problem based on best practice examples and contents learned during the course. Another aspect that the mentioned assessment model focuses on is giving a feedback review. In this phase, students have to read the paper of another group and then give a systematic feedback according to specific identified criteria. In the final step, students have to present the results and discuss them with the advisor and then get their grades. Our findings show that there is an acute lack of social competence and skill enhancement by the engineering faculties. We believe that these skills are fundamental for engineering careers and therefore are intensively considered in the introduced course and assessment model.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wanga

DOI: https://doi.org/10.1016/s1361-3723(21)00108-1

2021-01-01

Computer Fraud & Security

Abstract:Social engineers are very successful at exploiting human weaknesses, gathering information, communicating with people and creating creative storylines attacking people's psychological needs and weaknesses. And that is why people, who are among the weakest links in the information security chain, remain susceptible to social engineering attacks.

Sarah Sharifi

2023-01-23

Abstract:The Internet and cyberspace are inseparable aspects of everyone's life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet is a recent advance in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the compromised records in 2018. In another survey performed by the Ernst and Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. Inattentive users are one of the reasons for data breaches and cyberattacks. The National Cyber Security Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is 123456, as their account password. The Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of many cybersecurity attacks in recent years. Hence, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. Both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment.

Human-Computer Interaction,Cryptography and Security

Olufiropo Emmanuel Alalade,Olugbenga Adedayo IGE

DOI: https://doi.org/10.32919/uesit.2023.04.03

2023-12-30

Ukrainian Journal of Educational Studies and Information Technology

Abstract:Cybertechnologies have become so important to human daily engagements that society can hardly do anything outside these ubiquitous technologies. These technologies have a great impact on the economy, as well as the social well-being of citizens in developed and third world countries. The dependence on digital technologies is useful in every sector of society. The consistent call for the adoption of digital technologies in education has seen different governments in advanced and developing nations of the world introducing the use of information and communication technologies (ICT) at the different facets of education. This introduction of ICT has brought in the use of the Internet in education which in turn has exposed the learners to the various threats that come with exposure to the Internet or cybertechnology. The internet is believed to have played a prominent role in facilitating the Fourth Industrial Revolution (4IR) in the different sectors of the world economy, most especially education. However, cybertechnology has brought a new dimension of threats ranging from cyber-bullying, identity theft, scamming, advanced fee fraud, and so many other dangers to humans’ daily existence. None of the citizens in the developed and developing nations of the world is immune from these crimes committed in cyberspace; therefore, there is a need to introduce school children to cybersecurity education as early as possible. It is in light of the foregoing that this systematic review proposes the Action Cybercrime Prevention Programme to equip school children with knowledge and skills that would minimise their exposure to dangers inherent in the use of information and communication technology (ICT) and the Internet for education and social purposes. This systematic review discusses the intergenerational effects of the proposed Action Cybercrime Prevention Programme on young learners to educate their parents or grandparents from falling victim to cybercrimes.

Abdullah M. Alnajim,Shabana Habib,Muhammad Islam,Hazim Saleh AlRawashdeh,Muhammad Wasim

DOI: https://doi.org/10.3390/sym15122175

2023-12-07

Symmetry

Abstract:Considering the alarming increase in cyberattacks and their potential financial implications, the importance of cybersecurity education and training cannot be overstated. This paper presents a systematic literature review that examines different cybersecurity education and training techniques with a focus on symmetry. It primarily focuses on traditional cybersecurity education techniques and emerging technologies, such as virtual reality (VR) and augmented reality (AR), through the lens of symmetry. The main objective of this study is to explore the existing cybersecurity training techniques, identify the challenges involved, and assess the effectiveness of cybersecurity training based on VR and AR while emphasizing the concept of symmetry. Through careful selection criteria, 66 primary studies were selected from a total of 150 pertinent research studies. This article offers valuable insights into the pros and cons of conventional training approaches, explores the use of VR and AR in cybersecurity education concerning symmetry, and thoroughly discusses the challenges associated with these technologies. The findings of this review contribute significantly to the continuing efforts in cybersecurity education by offering recommendations for improving employees’ knowledge, engagement, and motivation in cybersecurity training programs while maintaining symmetry in the learning process.

multidisciplinary sciences

Tolga Mataracioglu,Sevgi Ozkan,Ray Hackney

DOI: https://doi.org/10.48550/arXiv.1507.02458

2015-07-09

Abstract:This research considers the impact of social engineering security attacks which are noted as taking opportunities for critically exploiting user awareness and behavior. The research proposes in this respect a managerial method in an attempt to enhance or even ensure protection. The aim of this study is to construct a security lifecycle model against these eventualities and to analyze the test results that have been carried out within the context of the Turkish public sector. The main objective of the study is to determine why employees shared sensitive information by stating fallacies and related amendments through interviews and thus to understand user actions when they are face to face with a real social engineering attack. The research findings demonstrate that employees in Turkish public organizations are not sufficiently aware of information security and they generally ignore critically important security procedures. This represents an important illustration of the increasing need for further generalized user awareness and responsibilities where individuals and not simply software form a critical element of the security protection portfolio.

Cryptography and Security,Computers and Society

H. Wilcox,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.1511.06915

2015-11-21

Computers and Society

Abstract:The increasing threat of social engineers targeting social media channels to advance their attack effectiveness on company data has seen many organizations introducing initiatives to better understand these vulnerabilities. This paper examines concerns of social engineering through social media within the enterprise and explores countermeasures undertaken to stem ensuing risk. Also included is an analysis of existing social media security policies and guidelines within the public and private sectors.

Saif Al-Dean Qawasmeh,Ali Abdullah S. AlQahtani,Muhammad Khurram Khan

2024-01-21

Abstract:In the dynamic realm of cybersecurity, awareness training is crucial for strengthening defenses against cyber threats. This survey examines a spectrum of cybersecurity awareness training methods, analyzing traditional, technology-based, and innovative strategies. It evaluates the principles, efficacy, and constraints of each method, presenting a comparative analysis that highlights their pros and cons. The study also investigates emerging trends like artificial intelligence and extended reality, discussing their prospective influence on the future of cybersecurity training. Additionally, it addresses implementation challenges and proposes solutions, drawing on insights from real-world case studies. The goal is to bolster the understanding of cybersecurity awareness training's current landscape, offering valuable perspectives for both practitioners and scholars.

Cryptography and Security

Mohamed Zaoui,Belfaik Yousra,Sadqi Yassine,Maleh Yassine,Ouazzane Karim

DOI: https://doi.org/10.1109/access.2024.3403197

IF: 3.9

2024-05-28

IEEE Access

Abstract:Social engineering (SE) attacks are a growing concern for organizations that rely on technology to protect sensitive data. Identifying and preventing these attacks can be challenging, as they frequently rely on manipulating human behavior rather than exploiting technical vulnerabilities. Although various studies have explored SE attacks and their defense mechanisms, there remains a gap in the literature concerning the holistic and layered classification of these threats and countermeasures. To address this, we conducted a comprehensive literature survey to understand existing taxonomies and subsequently identified areas that required a more structured and exhaustive categorization. Based on the survey results, we propose a comprehensive taxonomy of SE attacks, classifying them based on three levels: environment, approaches, and mediums. Additionally, we present a taxonomy of social engineering countermeasures, encompassing both technical and non-technical solutions. The proposed taxonomies serve as a foundation for future research and offer organizations a valuable framework for developing effective strategies to detect, prevent, and respond to social engineering incidents.

computer science, information systems,telecommunications,engineering, electrical & electronic

Angelo Corallo,Mariangela Lazoi,Marianna Lezzi,Angela Luperto

DOI: https://doi.org/10.1016/j.compind.2022.103614

IF: 10

2022-05-01

Computers in Industry

Abstract:Cybersecurity is one of the main challenges faced by companies in the context of the Industrial Internet of Things (IIoT), in which a number of smart devices associated with machines, computers and people are networked and communicate with each other. In this connected industrial scenario, personnel need to be aware of cybersecurity issues in order to prevent or minimise the occurrence of cybersecurity incidents and corporate data breaches, and thus to make companies resilient to cyber-attacks. In addition, the recent increase in smart working due to the COVID-19 pandemic means that the need for cybersecurity awareness is more relevant than ever. In this study, we carry out a systematic literature review in order to analyse how the existing state of the art deals with cybersecurity awareness in the context of IIoT, and to provide a comprehensive overview of this topic. Four areas of analysis are considered: (i) definitions of the concepts of cybersecurity awareness and information security awareness, with keyword extrapolation (e.g. cybersecurity control level, information and responsibility); (ii) the industrial context of the analysed studies (e.g. manufacturing, critical infrastructure); (iii) the techniques adopted to raise company awareness of cybersecurity (e.g. serious games, online questionnaires); and (iv) the main benefits of a large-scale campaign of cybersecurity awareness (e.g. the effectiveness of employees in terms of managing cybersecurity issues, identification of cyber-attacks). Practitioners and researchers can benefit from our analysis of the features of each area in their future research and applications.

computer science, interdisciplinary applications