Social engineering awareness game (SEAG): an empirical evaluation of using game towards improving information security awareness

The sharp rise of social engineering attacks in recent years poses serious threats to technology consumers.This is due to the degree of damage that can be done through social engineering. This paper seeks to elaborate on the use of a Social Engineering Awareness Game (SEAG) to improve the rate of awareness of social engineering.This game was tailored towards the needs of technology consumers that are intended to make use of it by ensuring that not only it is knowledgeable but also attractive and fun. In this paper we highlighted the objectives of this study and how it was done.A control laboratory experiment involving participants randomly assigned to either the experimental group or control group (using paper-based) to evaluate the outcome. The impact that the game had on the participants was recorded with an average of 71% improvement in their knowledge and awareness of social engineering, this made them to find the game beneficial and informative.The major drawback of the game is it needs to be more user-friendly and centered.We conclude by showing the need for more research to be put in place pertaining to the aspect of using games in the educational field especially in the network security field that has more threats growing rapidly

Survey on IoT: Security Threats and Applications

the rapid growth of the internet of things (IoT) in the world in recent years is due to its wide range of usability, adaptability, and smartness. Most of the IoT applications are performing jobs an automatic manner without interactions of human or physical objects. It’s required that the current and upcoming devices will be smart, efficient and able to provide the services to the users to implement such a new technology with a secure manner. Thus the security issues are exploring day by day by the researchers. IoT devices are most portable and light in nature so it has several issues such as battery consumption, memory, and as these devices are working open range so the most important is security. In this survey paper, we have elaborated on the security attacks with reference to the different kinds of IoT layers. In the last, we have presented some of the applications of the IoT. This study will provide assistance to the researchers and manufacturers to evaluate and decrease the attacks range on IoT devices

Sit Back, Relax, And Tell Me All Your Secrets

The goal of this research is to describe an active learning opportunity that was conducted as a community service offering through our Center for Cybersecurity Education and Applied Research (CCEAR). As a secondary goal, the participants sought to gain real world experience by applying techniques and concepts studied in security classes. A local insurance company tasked the CCEAR with assembling a team of students to conduct penetration testing (including social engineering exploits) against company personnel. The endeavor allowed the insurance company to obtain information that would assess the effectiveness of employee training with regard to preventing the divulgence of sensitive information. The team of students assembled organized, planned and executed all penetration testing. This academic opportunity allowed the students to build experience transacting the social engineering while laying the groundwork for future projects that will allow additional students to build and expand the process outlined in this study

A Generalized Threat Taxonomy for Cloud Computing

This paper presents a genre-based, generalized threat taxonomy for cloud computing. Cloud computing provides numerous possibilities and challenges but the nature of cloud computing exposes the resources of a cloud architecture to a wide range of threats. Presently, many potential threats, represented as security concerns, are known in a general sense but they are not classified specifically in relation to cloud services delivery. Therefore security concerns need identification and assessment and presented in a consistent and hierarchical form. We posit that to approach the issue in this way allows for more effective enforcement and therefore better resilience in a cloud architecture. We further posit that failure to effectively identify threats will lead to lower levels of trust, effectiveness and performance. The generalized threat taxonomy provides researchers with a framework through which risk factors and threats may be identified; and related against an overall picture of threat patterns

A Study of Scams and Frauds using Social Engineering in “The Kathmandu Valley” of Nepal

Social Engineering scams are common in Nepal. Coupled with inability of government to enforce policies over technology giants and large swaths of population that are uneducated, social engineering scams and frauds are a real issue. The purpose of the thesis is to find out the extent and impact of social engineering attacks in “The Kathmandu valley” of Nepal. The Kathmandu valley consists of 3 cities including the capital city of Nepal. To conduct the research, the newspaper “The Kathmandu Post” from the year 2019 to 2022 was downloaded and searched for keywords “scam” and “fraud”. After which the results were manually examined to separate news reports of social engineering attacks in Nepal and other countries. Also, a survey was conducted by visiting parks in the Kathmandu valley. A total of 149 people were interviewed to collect data by asking 21 questions regarding social engineering attack faced by the interviewee. Further, literature review of the research papers published related to social engineering and phishing was conducted. The main finding of the thesis was that public awareness program are effective reducing the extent and impact of social engineering attacks in Nepal. The survey suggests large percentage of population have become victims of social engineering attack attempts. More than 70 percent have received messages on WhatsApp regarding fake lottery wins

Information Behaviors of Ethical Hackers

Ethical hackers emulate the processes of cyber-criminals in controlled settings in order to test the security posture of their clients. One common part of this process is testing the susceptibility to social engineering. This study explores the information seeking habits of Ethical Hackers during the reconnaissance phase of a social engineering attack in order to better understanding the strategies involved in cyber-crime. Eight ethical hackers with social engineering experience were interviewed using contextual inquiry. Participants were asked to walk through their process for gathering information in two-three social engineering scenarios as well as asked to describe the scenario they most often encounter. The study revealed a semi-structured, cyclic approach to information gathering that used many of the same tools as everyday life social search. The results of this study should help businesses and individuals better understand the risk of posting information in public forums.Master of Science in Information Scienc

Enhancing Key Digital Literacy Skills: Information Privacy, Information Security, and Copyright/Intellectual Property

Key Messages Background Knowledge and skills in the areas of information security, information privacy, and copyright/intellectual property rights and protection are of key importance for organizational and individual success in an evolving society and labour market in which information is a core resource. Organizations require skilled and knowledgeable professionals who understand risks and responsibilities related to the management of information privacy, information security, and copyright/intellectual property. Professionals with this expertise can assist organizations to ensure that they and their employees meet requirements for the privacy and security of information in their care and control, and in order to ensure that neither the organization nor its employees contravene copyright provisions in their use of information. Failure to meet any of these responsibilities can expose the organization to reputational harm, legal action and/or financial loss. Context Inadequate or inappropriate information management practices of individual employees are at the root of organizational vulnerabilities with respect to information privacy, information security, and information ownership issues. Users demonstrate inadequate skills and knowledge coupled with inappropriate practices in these areas, and similar gaps at the organizational level are also widely documented. National and international regulatory frameworks governing information privacy, information security, and copyright/intellectual property are complex and in constant flux, placing additional burden on organizations to keep abreast of relevant regulatory and legal responsibilities. Governance and risk management related to information privacy, security, and ownership are critical to many job categories, including the emerging areas of information and knowledge management. There is an increasing need for skilled and knowledgeable individuals to fill organizational roles related to information management, with particular growth in these areas within the past 10 years. Our analysis of current job postings in Ontario supports the demand for skills and knowledge in these areas. Key Competencies We have developed a set of key competencies across a range of areas that responds to these needs by providing a blueprint for the training of information managers prepared for leadership and strategic positions. These competencies are identified in the full report. Competency areas include: conceptual foundations risk assessment tools and techniques for threat responses communications contract negotiation and compliance evaluation and assessment human resources management organizational knowledge management planning; policy awareness and compliance policy development project managemen

A Risk management framework for the BYOD environment

Computer networks in organisations today have different layers of connections, which are either domain connections or external connections. The hybrid network contains the standard domain connections, cloud base connections, “bring your own device” (BYOD) connections, together with the devices and network connections of the Internet of Things (IoT). All these technologies will need to be incorporated in the Oman Vision 2040 strategy, which will involve changing several cities to smart cities. To implement this strategy artificial intelligence, cloud computing, BYOD and IoT will be adopted. This research will focus on the adoption of BYOD in the Oman context. It will have advantages for organisations, such as increasing productivity and reducing costs. However, these benefits come with security risks and privacy concerns, the users being the main contributors of these risks. The aim of this research is to develop a risk management and security framework for the BYOD environment to minimise these risks. The proposed framework is designed to detect and predict the risks by the use of MDM event logs and function logs. The chosen methodology is a combination of both qualitative and quantitative approaches, known as a mixed-methods approach. The approach adopted in this research will identify the latest threats and risks experienced in BYOD environments. This research also investigates the level of user-awareness of BYOD security methods. The proposed framework will enhance the current techniques for risk management by improving risk detection and prediction of threats, as well as, enabling BYOD risk management systems to generate notifications and recommendations of possible preventive/mitigation actions to deal with them

Social engineering attack examples, templates and scenarios

The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication. In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process.The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.http://www.elsevier.com/locate/cose2017-06-30hb2016Computer Scienc