11 research outputs found

    Improving Awareness of Social Engineering Attacks

    Abstract: Social engineering is a method of attack involving the exploitation of human weakness, gullibility and ignorance. Although related techniques have existed for some time, current awareness of social engineering and its many guises is relatively low and efforts are therefore required to improve the protection of the user community. This paper begins by examining the problems posed by social engineering, and outlining some of the previous efforts that have been made to address the threat. This leads toward the discussion of a new awareness-raising website that has been specifically designed to aid users in understanding and avoiding the risks. Findings from an experimental trial involving 46 participants are used to illustrate that the system served to increase users' understanding of threat concepts, as well as providing an engaging environment in which they would be likely to persevere with their learning.

    SOCIAL ENGINEERING AS AN EVOLUTIONARY THREAT TO INFORMATION SECURITY IN HEALTHCARE ORGANIZATIONS

    Information security in healthcare settings is overlooked even though it is the most vulnerable to social engineering attacks. The theft of hospital data must be closely monitored, as it contains patients' confidential health information. If leaked, the data can impact patients' social as well as professional lives. The hospital data system includes administrative data, as well as employees' personal information which, if hacked, can cause identity theft. The current paper discusses types and sources of social engineering attacks in healthcare organizations. Social engineering attacks occur more frequently than other malware attacks, and hence it is crucial to understand what social engineering is and its vulnerabilities in order to understand the prevention measures. The paper describes types of threats, potential vulnerabilities, and possible solutions to prevent social engineering attacks in healthcare organizations. Keywords: social engineering, hospitals, healthcare organizations, information security.

    Tonga’s organisational vulnerability to social engineering

    Tonga is a small developing island in the South Pacific and ICT is still in its early stages. In this paper we ask the questions: what is social engineering and who is this social engineer, what are the threats to Tonga, how can these threats be identified, and which countermeasures can be taken to mitigate the risk of social engineering? The answers to these questions will lead to a social engineering risk management framework to make the risks of social engineering more transparent and help organisations implement mitigating controls against social engineering. The study was performed in four chosen organisations in Tonga, which were involved with Information Communications, Finance, and Cyber Security, in order to model threats and countermeasures and develop a risk management framework.

    NoPhish App Evaluation: Lab and Retention Study

    Phishing is a prevalent issue on today's Internet. Previous approaches to counter phishing do not draw on a crucial factor to combat the threat: the users themselves. We believe user education about the dangers of the Internet is a further key strategy to combat phishing. For this reason, we developed an Android app, a game called NoPhish, which educates the user in the detection of phishing URLs. It is crucial to evaluate NoPhish with respect to its effectiveness and the users' knowledge retention. Therefore, we conducted a lab study as well as a retention study (five months later). The outcomes of the studies show that NoPhish helps users make better decisions with regard to the legitimacy of URLs immediately after playing NoPhish as well as after some time has passed. The focus of this paper is on the description and the evaluation of both studies. This includes findings regarding those types of URLs that are most difficult to decide on as well as ideas to further improve NoPhish.

    A Framework to Detect the Susceptibility of Employees to Social Engineering Attacks

    Social engineering attacks (SE-attacks) in enterprises are growing rapidly and are becoming increasingly sophisticated. Generally, SE-attacks involve the psychological manipulation of employees into revealing confidential and valuable company data to cybercriminals. The ramifications could bring devastating financial and irreparable reputational loss to the companies. Because SE-attacks involve a human element, preventing these attacks can be tricky and challenging and has become a topic of interest for many researchers and security experts. While methods exist for detecting SE-attacks, our literature review of existing methods identified many crucial factors that enable SE-attacks, such as the national cultural, organizational, and personality traits of employees, which were not considered by other researchers. Thus, this thesis aims to address the gap by identifying and analyzing all the factors that make the SE-attack possible. We have developed a framework that operates in an enterprise environment and can detect the susceptibility of victims to SE-attacks. It relies on mapping Gragg's psychological triggers of social engineering to three groups of factors, namely the national cultural factors, the organizational factors, and the personality traits of employees. Our analysis demonstrates that there is a correlation between the social engineering triggers and the three-layered factors that make employees susceptible to social engineering attacks. Thus, adding these factors to the proposed framework detects the susceptibility of victims. Finally, we introduce a proposed framework that would detect and recognize weaknesses and susceptibility of employees in an organization, which can be used for enhancing awareness and employee training to better recognize and prevent SE-attacks.

    Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies

    Cybersecurity policies play a fundamental role in fostering organizational cyber governance and cyber resilience. Cybersecurity awareness-raising and training policies specify upskilling requirements and explicitly address persistent threats such as social engineering attacks. While cybersecurity awareness-raising and training activities complement the objectives of security policies, challenges including stakeholder diversity, budget constraints, generic messaging and low user engagement hinder their effectiveness. For successful policy adoption it is crucial for the workforce to grasp the relevance of these policies within their work context, understand how social engineering attacks are deployed, and apply policy rules appropriately. However, existing awareness-raising and training policies often lack specificity, leading to gaps in employee engagement and behavioural change, especially regarding social engineering threats. To address these issues, the paper proposes a dedicated social engineering awareness-raising policy, guided by Merrill's Principles of Instruction. This work aims to merge policy and practice, offering tailored examples of social engineering attacks, explicitly connecting them to relevant cybersecurity policies and making the content more engaging and relevant to the workforce. This is envisioned as a cost-effective resource for organizations with a limited training budget, which can be utilized as a starting point to enhance employee awareness and engagement, and to foster a stronger organizational cyber resilience culture.

    Review and comparison of US, EU, and UK regulations on cyber risk/security of the current Blockchain Technologies - viewpoint from 2023

    The results of this study show that cybersecurity standards are not designed in close cooperation between the two major western blocs, the US and the EU. In addition, while the US is still leading in this area, the security standards for cryptocurrencies, internet-of-things, and blockchain technologies have not evolved as fast as the technologies have. The key finding from this study is that although the crypto market has grown into a multi-trillion industry, the crypto market has also lost over 70% since its peak, causing significant financial loss for individuals and corporations. Despite this significant impact on individuals and society, cybersecurity standards and financial governance regulations are still in their infancy.

    The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

    Conference Foreword: The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in "Internet of Things" protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double-blind peer review process. Twenty-two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference.

    Three essays on socially engineered attacks : the case of online romantic scams

    The Internet has transformed the way people initiate and nurture romantic relationships. With the continued adoption of social media and online dating platforms, love, literally, is in the air. A recent report indicates that 30% of U.S. adults have experience using online dating platforms, and 11% of U.S. adults have used such a platform in the past year. However, cybercriminals see a massive opportunity to defraud this emerging demographic of online daters by launching online romance scams. The scammers pretend to engage in a romantic relationship with the victim through online platforms and eventually defraud the victim financially. Online romance scams became apparent around 2008, and they are now one of the most widely reported cybercrimes. People from developed countries such as the U.S., the U.K., Canada, and Australia face millions of dollars in financial loss from online romance scams, as is evident from public agency reports. In addition to the financial loss, online romance scam victims face significant emotional loss and psychological distress from the betrayal by someone they love. Extant research in information systems, cybersecurity, and criminology investigates online romance scams extensively to better understand this phenomenon. Current literature on online romance scams studies the process of the scam, predictors of scam victimization, persuasion and deception techniques used by scammers, human- and technical-level prevention mechanisms, and rationalizing of the scam from the offender perspective. The first two essays of this dissertation look into two significant but understudied aspects of online romance scams: the impact of psychological stressors around online romance scams on online dating psychological capital, and the impact of the scammer's representation of love on the online romance scam gullibility of the victims.
    In the first essay, we integrate the Etiology of Fear Theory, Broaden-and-Build Theory, and Fear of Crime Framework to check how online daters' negative psychological states such as anxiety, cognitive vulnerability, social vulnerability, and victimization fear directly or indirectly reduce positive psychology in online dating. This essay employs a sequential mixed-method design with a qualitative phase followed by a quantitative survey. Drawing from the Triangle Theory of Love, Social Exchange Theory, and Theory of Mood-Congruent Judgement, the second essay argues that if the scammers show a higher degree of love in the scam grooming stage, then the victim will be more gullible and more likely to fall for the online romance scam through the mechanisms of relationship trust and relationship satisfaction. This essay runs two scenario-based experiments to test the hypotheses. The third essay focuses on the impact of a state-level cybercrime governance measure, namely the cybersecurity taskforce, in reducing metro-city-level social engineering frauds, including online romance scams. This essay uses 10-year panel data from the U.S. to conduct a nationwide quasi-experiment. The results show that a state-level cybersecurity taskforce has a deterrent effect in reducing social engineering fraud at the metro-city level only in the states where the governance complexity is low. The empirical findings are consistent with the concepts of the Stackelberg Security Game. Each essay outlines theoretical and managerial implications. The overarching theoretical contributions of this dissertation are finding: 1) how the negative emotional experiences surrounding online romance scams have a detrimental effect on the positive experience of online dating, 2) how the scammer's grooming technique leads to online romance scam gullibility of the victims, and 3) how state-level governance can deter social engineering frauds including online romance scams.
    The findings of the essays will be useful for online daters, online dating platforms, and regulatory authorities to make the online dating space a safer place to initiate and nurture romantic relationships and to reduce the economic losses from social engineering attacks.