Social engineering: assessing vulnerabilities in practice-Reference-Cited by-同舟云学术

Social engineering: assessing vulnerabilities in practice

Published:2009-03-20 Issue:1 Volume:17 Page:53-63
ISSN:0968-5227
Container-title:Information Management & Computer Security
language:en
Short-container-title:

Author:

Bakhshi Taimur,Papadaki Maria,Furnell Steven

Abstract

PurposeThe purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation.Design/methodology/approachAn e‐mail‐based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security‐aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation.FindingsIn spite of a short window of operation for the experiment, the results revealed that 23 per‐cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.Research limitations/implicationsAfter running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended.Practical implicationsDespite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial.Originality/valueThis paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e‐mail‐based social engineering study that was conducted amongst staff within a cooperating organisation.

Publisher

Emerald

Subject

Library and Information Sciences,Management Science and Operations Research,Business and International Management,Management Information Systems

Reference11 articles.

1. Dodge, R.C., Carver, C. and Ferguson, A.J. (2007), “Phishing for user security awareness”, Computers and Security, Vol. 26 No. 1, pp. 73‐80.

2. Erianger, L. (2004), “The weakest link”, PC Magazine, Vol. 23, pp. 58‐9.

3. Granger, S. (2001), “Social engineering fundamentals, part I: hacker tactics”, SecurityFocus, 18 December, available at: www.securityfocus.com/infocus/1527 (accessed 12 October 2008).

4. Greening, T. (1996), “Ask and ye shall receive: a study in social engineering”, ACM SIGSAC Review, Vol. 14 No. 2, pp. 8‐14.

5. Karakasiliotis, A., Furnell, S. and Papadaki, M. (2007), “An assessment of end user vulnerability to phishing attacks”, Journal of Information Warfare, Vol. 6 No. 1, pp. 17‐28.

Cited by 21 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Cognition in Social Engineering Empirical Research: A Systematic Literature Review;ACM Transactions on Computer-Human Interaction;2024-01-29

2. Workplace Violence and Social Engineering Among Korean Employees;Research Anthology on Modern Violence and Its Impact on Society;2022-08-12

3. Using machine learning algorithms to predict individuals’ tendency to be victim of social engineering attacks;Information Development;2022-08-02

4. Organizational Characteristics Associated with Vulnerability to Social Engineering Deception: A Qualitative Analysis;Victims & Offenders;2021-06-30

5. Phishing: message appraisal and the exploration of fear and self-confidence;Behaviour & Information Technology;2019-09-23