International Journal of Advanced Computer Research, Vol 6(23)
ISSN (Print): 2249-7277 ISSN (Online): 2277-7970
http://dx.doi.org/10.19101/IJACR.2016.623006
Review Article
Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks
Nabie Y. Conteh1* and Paul J. Schmick2
Assistant Professor of Computer Information Systems, Department of Computer Information Systems, College of Business & Public Administration, Southern University at New Orleans, Louisiana, USA1
Department of Cyber Security and Information Assurance, Graduate School of MGT and Technology, University of Maryland University College, Adelphi, Maryland, USA2
*Author for correspondence
Received: 21-December-2015; Revised: 07-February-2016; Accepted: 10-February-2016
©2016 ACCENTS
Abstract
The broad objective of this study is to evaluate the vulnerabilities of an organization's information technology infrastructure, which includes hardware and software systems, transmission media, local area networks, wide area networks, enterprise networks, intranets, and its use of the internet, to cyber intrusions. To achieve this objective, the paper attempts to explain the importance and the role of social engineering in network intrusions and cyber-theft. It also discusses in vivid detail the reasons for the rapid expansion of cybercrime. The paper also includes a complete description and definition of social engineering, the role it plays in network intrusion and cyber identity theft, and a discussion of the reasons for the rise in cybercrime and their impact on organizations. In closing, the authors recommend some preventive measures and possible solutions to the threats and vulnerabilities of social engineering. The paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions. While the literature supports the dangers of psychological susceptibilities in social engineering attacks, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced.
Keywords
Cyber security, Cyber theft, Social Engineering, Cybercrime, Phishing, Network Intrusions.
1. Introduction
Social engineering, also known as human hacking, is the art of tricking employees and consumers into disclosing their credentials and then using them to gain access to networks or accounts. It is a hacker's deceptive manipulation of people's tendency to trust, to be cooperative, or simply to follow their desire to explore and be curious. Sophisticated IT security systems cannot protect systems from hackers or defend against what appears to be authorized access. People are easily hacked, making them and their social media posts high-risk attack targets. It is often easy to get computer users to infect their corporate network or mobile devices by luring them to spoofed websites, or by tricking them into clicking on harmful links or downloading and installing malicious applications or backdoors.
In a 2013 study conducted by TNS Global for Halon, an e-mail security service, 30 percent of the 1,000 U.S. adults surveyed disclosed that they would open an e-mail even if they were aware it was suspicious or contained a virus [1]. Even with robust campaigns conveying the dangers of opening suspicious e-mails, a large majority of e-mail users remain vulnerable to social engineering attacks [2]. To confront the challenges posed by social engineering attacks, recommendations derived from research offer options to reduce the probability that such an attack succeeds.
With cyber security incidents growing exponentially in frequency and in the damage done to an organization's reputation in its marketplace, users and organizations have not adequately deployed defenses to discourage would-be attackers from striking. The terms information security and network security continue to dominate U.S. headlines, with the probability of a large-scale cyber-attack now surpassing that of a physical terrorist attack on U.S. soil. In fact, in a 2013 interview of FBI Director James Comey, the Director
testified before a Senate Homeland Security Committee that cyber-attacks have surpassed terrorism as a major domestic threat, with the threat continuing to rise [3].
In this paper social engineering is defined along with the types of social engineering attacks. In addition, this research identifies why cyber theft continues to advance at an alarming rate. Furthermore, psychological variables that contribute to vulnerabilities are discussed. Finally, studies are presented that identify key considerations regarding social engineering, testing and training, and point to how users can be coached to prevent attacks, which offers a promising methodology to reduce system and user risk.
2. What is social engineering?
Engebretson (2011) [4] defines social engineering as "one of the simplest methods to gather information about a target through the process of exploiting human weakness that is inherent to every organization." The foundation of an attack is to persuade the target to give up confidential information and then to exploit the individual or the organization. In essence, an attacker uses social engineering as a tactic to turn human insiders and their information into a means of circumventing computer security solutions through deceit.
Regarding the human vulnerability of social engineering, [5] note that while social engineering is identified as a low-tech attack, it aims at manipulating victims into divulging confidential information and succeeds because it exploits personality vulnerabilities. Social engineering as a tactic deploys techniques to gain access to private and confidential information by exploiting flaws in human logic known as cognitive biases [5]. While technical security measures aim at improving information system security, human factors represent a weak link that is exploited during a social engineering attack. Bisson (2015) [6] notes that social engineering is "a term that encompasses a broad spectrum of malicious activity" and identifies five of the most common types of social engineering attacks used against victims:
Phishing: Phishing scams attempt to obtain personal information such as names, addresses and other personally identifiable information (PII) such as social security numbers. Phishing scams may embed links that redirect users to suspicious websites that appear legitimate. These scams create a sense of urgency to manipulate users into acting in a manner that challenges good judgment.
Pretexting: This type of social engineering attack is driven by a fabricated scenario intended to confirm and steal personal information from a target. Advanced attacks attempt to exploit a weakness of an organization or company. The method requires the attacker to build a credible story that leaves the target little room for doubt. The strategy is to use fear and urgency while building a sense of trust with the victim in order to confirm or obtain the sought-after information.
Baiting: Baiting is similar to a phishing attack, but lures the victim through enticement. Hackers use the promise of goods if the user surrenders log-in credentials to a specific site. Baiting schemes are not limited to digital, on-line schemes and can also be launched through physical media.
Quid pro quo: Similar to baiting, but the threat is presented as a technical service in exchange for information. A common ploy is for the attacker to impersonate an information technology representative and offer assistance to a victim who may be experiencing technical difficulties. The attacker aims to launch malware on the user's system.
Tailgating: This type of attack uses tailgating and piggybacking to gain access to restricted areas. It exposes those who are able to grant or gain access to a restricted area to an attacker who may impersonate delivery personnel or others who may require temporary access.
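Two of the phishing traits described above, a link whose visible text names one site while its href leads elsewhere and wording that manufactures urgency, can be checked mechanically before a message reaches a user. The following Python is an added example, not code from the paper or from any of the cited authors; the sample message, the host names and the urgency phrase list are constructed for illustration, and the two-label domain comparison is a deliberate simplification that mishandles country-code suffixes such as co.uk.

```python
"""Flag two phishing indicators in an HTML e-mail body.

Added example (not from the paper or the cited authors).  The sample
message, host names and urgency phrases are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases that manufacture urgency.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify now", "urgent")

# Constructed sample message: one link whose visible text names the bank's
# domain while the href leads to a lookalike host, plus one honest link.
SAMPLE_HTML = """<p>Your account will be suspended unless you verify now.</p>
<a href="http://login.example-bank.com.evil.test/verify">www.example-bank.com</a>
<a href="https://example-bank.com/help">Help centre</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.site' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Last two labels of a host.  Simplification: wrong for suffixes such as
    co.uk, where a public-suffix list would be needed."""
    return ".".join(host.split(".")[-2:])


def mismatched_links(html):
    """Links whose visible text looks like a URL for a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
            continue  # plain words such as "Help centre" make no claim about a host
        if base_domain(host_of(text)) != base_domain(host_of(href)):
            findings.append((text, href))
    return findings


def urgency_hits(text):
    """Urgency phrases present in the message."""
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def phishing_score(html):
    """One point per mismatched link plus one per urgency phrase; higher is more suspicious."""
    return len(mismatched_links(html)) + len(urgency_hits(html))


if __name__ == "__main__":
    print("mismatched links:", mismatched_links(SAMPLE_HTML))
    print("urgency phrases:", urgency_hits(SAMPLE_HTML))
    print("score:", phishing_score(SAMPLE_HTML))
```

A mail gateway would run such a check on each inbound message and quarantine or tag those scoring above a threshold; the score here is intentionally crude, and the point of the example is the link-text-versus-href comparison, which is the trait users are least able to verify by eye.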
3. Social engineering and its role in cyber-theft
Information security is defined in U.S. law as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction" [7]. And while considerable resources and training have been deployed to overcome information security breaches, Nakashima and Peterson (2014) [8] note that the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the global economy at more than $445 billion, or almost one percent of total global income [9].
Hackers are getting increasingly sophisticated and adept at their social engineering attacks. They are able to piece together disparate data from various sources, namely social media, corporate blogs and other data, and to painstakingly extract crucial information from well-meaning employees, which these cyber-criminals use to attack networks, steal invaluable data, hold corporations hostage and, in some cases, damage their targets.
Regarding the rise of cybercrime and theft, Grimes (2014) [10] identifies key indicators of the rise and cause of cybercrime, which financially impacts both individuals and organizations. One reason for the appeal of cyber theft is the benefit of theft by ambiguity. Internet crimes are committed by thousands of cyber criminals world-wide, but few are prosecuted and jailed. In addition, cyber criminals do not have to be intelligent to succeed at digital theft; they are willing to take risks because distance from the victim leaves them with little risk and little exposure.
Many cyber thefts take place globally, and law enforcement agencies are limited by jurisdictional boundaries in pursuing cyber criminals. Pursuit also requires working with law enforcement agencies outside domestic jurisdictions. While this is less complex domestically, getting international support to pursue international theft remains a challenge for U.S. law enforcement. In essence, most international governments do not cooperate with each other [11].
Evidence is another factor: the lack of successful convictions is due to a lack of evidence that can be presented in court to prosecute cyber criminals. Two primary variables relate to evidence. The first is obtaining evidence credible enough to hold individuals accountable. The second is that few organizations have the legal expertise to prepare evidence in cybercrime cases, which takes planning, commitment and resources. These challenges lower the probability that a criminal, even if caught, will be prosecuted and jailed.
In overcoming crime in the cyber domain, a lack of resources is perhaps the leading contributor to its exponential growth. Few organizations have dedicated resources to pursue internet crimes and criminals. Pursuing cyber theft is costly, and without a potential return on investment (ROI) dedicated resources are difficult to justify. While the cost of cyber victimization is nearly half a trillion dollars, it has not hurt global economies and may even be regarded as a cost of doing business. Meaningful change may only occur once cybercrime hurts individuals and organizations to an unbearable point; until then, the reality of managing risk and loss has been built into the fabric of organizations, and individual victimization from small-scale occurrences has become expected noise.
4. Psychological variables and contribution to cybercrimes
Social engineering attacks challenge information security professionals because no technical countermeasure to date can eliminate the human vulnerability [5]. Identifying the causes of human error and of successful social engineering attacks, Luo et al. (2011) [5] argue that the social psychology influences of "alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion influence" expose the psychological vulnerabilities that enable a successful social engineering attack.
Seeking the foundations of the willingness to open potentially damaging e-mails, Ragan (2013) [1] notes that the intent to engage in such behaviour differs between genders, with women enticed to open malicious e-mails that appear to come from social networks, while men fall prey to e-mails communicating power, money and sex. Because social engineering attacks tap into human psychological impulses, reducing engagement remains a challenge: the attacks aim precisely at human psychological vulnerabilities [12].
Evaluating the social psychological influences further: alternative routes to persuasion contribute to successful social engineering attacks by steering a victim's emotions towards fear or excitement, which may alter a responsible action. Attitudes and beliefs refer to the differences between the beliefs of the victim and those of his/her social engineering attackers. Lastly, influencing techniques rely on peripheral paths to persuasion that influence behaviour and action [5]. Because of the emotional exposure and the response triggered by a social engineering attack, denying the attacker's ploy is a challenge for anyone unaware of the vulnerabilities revealed by this artful exploitation of human susceptibility.
However, studies demonstrate that awareness through corporate education campaigns may provide a virtual barrier that reduces the success rate of social engineering attacks. In totality, the chief strategy may reside in awareness of the manipulation tactics used to obtain valuable and confidential information, so as to prevent social engineering attackers from acquiring information to exploit a user or organization.
5. Social engineering techniques: human and technical
Luo et al. (2011) [5] identify several human or technical means, from phishing to dumpster diving, that social engineering attackers can deploy as tactics to gain visibility or obtain confidential information. Aggressive and successful attackers may deploy a synergy of human and technical strategy to obtain ample information on an individual or to gain access to an organization. Regarding the steps of gathering information through the execution of a social engineering attack, Luo et al. (2011) [5] identify the steps in the attack process.
Figure 1 Four steps of social engineering [5]
Figure 1 above graphically explains the stepwise approach to the execution of social engineering attacks. The process begins with the first phase of studying and gathering information; then a relationship is established. In the exploitation phase, access to the system is gained, and in the final phase the attack is implemented.
Social engineering attacks can be categorized as either human or technology deployments. Direct human engagement stems from an attacker who has obtained personal information about a victim and develops a relationship with the user. Because the attacker poses as a known or trusted party, the victim becomes susceptible, is exploited, and relinquishes sensitive or personal company information, thereby contributing pieces of the puzzle the attacker can use to his/her advantage.
Technical attacks are more straightforward and are deployed through a host of options such as software programs, e-mail attachments, pop-up windows and websites [5]. Perhaps the most successful technical ploy is to draw a user into divulging account usernames and passwords by prompting victims to input user and password information in pop-up windows. Websites and pop-up windows can appear as a site frequently visited by the user; however, the script-embedded pop-up window manipulates the user into entering a username and password, which delivers the information to the attacker.
6. Preventive measures against social engineering
It is evident that regardless of how technologically secure a network seems, the human element will always be a vulnerability. The success rate and the number of cybercrimes are steadily on the rise due to the level of anonymity social engineering offers malicious actors. Businesses have to remain cognizant of the various threat actors and their plethora of attacks so that they are able to respond accordingly. There are technical and non-technical safeguards that can be implemented to lower the risk associated with social engineering to a tolerable level. Companies are adding multiple layers to their security schemes so that if the mechanism in the outer layer fails, a mechanism in at least one inner layer can help prevent a threat from turning into a disaster (risk mitigation). This concept is known as multi-layer defense or defense in depth. A good defense in depth structure includes a mixture of the following precautionary measures:
Security Policy: A well written policy should include technical and non-technical approaches that are driven downward by executive management. Every organization should integrate security into its operational objectives.
Education and Training: Employees ought to be required to attend initial training during orientation and recurring refresher training. This builds awareness by exposing users to the tactics commonly employed, and the behaviors commonly targeted, by a social engineer.
Network Guidance: The organization has to safeguard the network by whitelisting authorized websites, using network address translation (NAT), and disabling unused applications and ports. Network users have to maintain complex passwords that are changed every 60 days.
Audits and Compliance: Organizations have to actively verify that their security policy is being adhered to. Some detective controls include reviewing network logs, re-validating employees' permissions, and checking desktop configurations at least bi-monthly.
Technical Procedures: The network should have multiple layers of defence to protect data and core infrastructure. Software like intrusion prevention systems (IPS), intrusion detection systems (IDS) and firewalls should be installed on every device. Demilitarized zones (DMZ), web filters and virtual private networks (VPN) should be deployed for all external-facing services.
Physical Guidance: There is a range of options that can be implemented to protect physical assets. Using a combination of security guards, mantraps and security cameras to deter intruders from entering the premises is beneficial. Where physical hardware is located, businesses should employ multifactor authentication, biometrics or access control lists before access is granted.
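The Network Guidance and Audits and Compliance measures above, an allowlist of authorized websites and periodic review of network logs, combine naturally into one detective control. The Python below is an added example, not the paper's or any vendor's code; the log layout, host names and allowlist are constructed. It goes one step beyond the text in that the match is label-aware, so a lookalike host that merely contains an allowlisted name is still reported.

```python
"""Audit a web-proxy log against an allowlist of authorized websites.

Added example (not the paper's code).  Log layout, hosts and allowlist are
constructed; the check is label-aware so a lookalike host containing an
allowlisted name is still reported.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed allowlist of authorized sites (registrable domains).
ALLOWLIST = {"example.com", "corp-portal.test"}

# Constructed log lines: "<timestamp> <user> <method> <url>".
SAMPLE_LOG = """\
2016-02-01T09:00:01 alice GET https://mail.example.com/inbox
2016-02-01T09:01:17 bob GET http://corp-portal.test/hr
2016-02-01T09:02:40 carol GET http://example.com.login-verify.test/index.php
2016-02-01T09:03:05 bob POST http://update-now.test/dl/setup.exe
2016-02-01T09:04:11 alice GET https://docs.example.com/policy
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def is_allowed(host, allowlist=ALLOWLIST):
    """True when host is an allowlisted domain or a subdomain of one.

    The comparison is done on whole labels: 'mail.example.com' passes,
    'example.com.login-verify.test' and 'notexample.com' do not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def parse_line(line):
    """Split one log line into fields and extract the request host; None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["host"] = (urlparse(record["url"]).hostname or "").lower()
    return record


def audit(log, allowlist=ALLOWLIST):
    """Every request to a host outside the allowlist, as (user, host, url)."""
    findings = []
    for line in log.splitlines():
        record = parse_line(line)
        if record and not is_allowed(record["host"], allowlist):
            findings.append((record["user"], record["host"], record["url"]))
    return findings


def by_user(findings):
    """Count of flagged requests per user, to feed the permissions re-validation step."""
    return dict(Counter(user for user, _, _ in findings))


if __name__ == "__main__":
    for user, host, url in audit(SAMPLE_LOG):
        print(f"{user}: {host} ({url})")
    print(by_user(audit(SAMPLE_LOG)))
```

Run against the real proxy export, the per-user counts point the reviewer at the accounts whose browsing most often leaves the allowlist, which is where the re-validation of permissions and refresher training described above are best spent.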
To overcome the challenges of social engineering attacks, Luo et al. (2011) [5] identify the necessity of a multidimensional approach to overcome threats: a holistic approach addressing organizational policies, procedures, standards, employee training and awareness programs, and incident response. While all areas to combat this threat are critical, without employee training expensive infrastructure and network security investment means little, considering that only seven percent of U.S. organizations deploy training programs and materials in phishing education [13].
Evaluating variables of cause and identifying those who are susceptible in an organization, Chitrey, Singh, Bag, & Singh (2012) [14] identify the drivers, targets and motivation behind social engineering attacks. The 2012 study attempted to demonstrate an analytical approach towards social engineering attacks and to identify attacker trends. The study, which surveyed an undisclosed number of IT professionals, sheds light on potential training measures for organizations that are eager to deploy information security awareness programs to reduce the risk of employee proneness to a social engineering attack.
Figure 2 Questionnaire results regarding the motivation behind social engineering attacks
According to the study by Chitrey, Singh, Bag, & Singh (2012) [14] introduced in the preceding paragraph, figure 2 depicts the motivating factors behind social engineering attacks. Access motivated by the need to gain proprietary information ranks highest, at 30%. Financial gain ranks second, followed by the need for competitive advantage, then by "just for fun", revenge, and last and least by unnamed others. Figure 3 depicts the results from the same study on entities that are vulnerable to social engineering attacks. The most vulnerable group is new employees (41%), followed by clients and customers (23%), then IT professionals (17%), partners and contractors (12%) and lastly others.
[Figure 2 data: Financial gain 23%; Access to proprietary information 30%; Competitive advantage 21%; Revenge 10%; Just for fun 11%; Other 5%]
Figure 3 Questionnaire results regarding entities which present risk of falling prey to a social engineering attack
In another study, Bowen, Devarajan & Stolfo (2011) [15] of Columbia University measured enterprise susceptibility to phishing attacks, which are a technical path and deployment mechanism for instigating a social engineering attack. The 2011 study's primary focus was on reinforced training and its impact in preventing social engineering attacks. As the results in Tables 1 and 2 below show, the study tested user vulnerabilities using decoy e-mails to lure users into supplying information or accessing phony e-mails, so that data could be gathered and used for training purposes to prevent future attacks.
Table 1 The number of responses for each round of the first experiment to measure the user response to phony phish

Decoy Type                    1st Round   3rd Round   4th Round
Email with internal URLs      52          0           NA
Email with external URLs      177         1           0
Forms to obtain credentials   39/20       0           NA
Beacon Documents              45          NA          NA

Table 2 The number of responses for each round of the second experiment to measure the user response to phony phish

Decoy Type                    1st Round   2nd Round   3rd Round   4th Round
Email with internal URLs      69          7           1           0
Email with external URLs      176         10          3           0
Forms to obtain credentials   69/50       10/9        0           NA
Beacon Documents              71          2           0           NA
The Bowen et al. (2011) [15] study was conducted by deploying two rounds of experiments. Users were probed repeatedly, then educated each time on how the luring techniques worked, until victims stopped falling prey to the attacks. The data ultimately support that repeated probes followed by education offer value and a return on investment (ROI) in limiting successful probes of users, regardless of psychological predispositions or gender. Evaluating the data from both rounds of the Columbia University experiment confirms that users can be coached to exercise caution before opening suspicious e-mail messages.
[Figure 3 data: New employees 41%; IT professionals 17%; Clients & customers 23%; Partners & contractors 12%; Top level management 7%; Others 0%]
As the data support, by reaffirming threats through repetitive communication, users could still be coached to disengage from the luring process of social engineering attacks, even though slower learners had the highest probability of falling prey to such attacks.
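The repeat-probe-then-educate cycle of the Bowen et al. study can be tracked with a little bookkeeping. The Python below is an added example and not the study's own tooling: it takes the Table 2 figures as printed above, treats "NA" as a round in which that decoy was not sent, reads the first number of a pair such as "69/50" (the paper does not define the pair, so that is an assumption), and adds a constructed per-user response log to show how repeat responders, the slower learners the text mentions, can be singled out for additional training.

```python
"""Bookkeeping for a repeat-probe-then-educate phishing exercise.

Added example, not the Bowen et al. tooling.  TABLE_2 holds the figures
printed in Table 2 above; EVENTS is a constructed per-user response log.
"""
from collections import defaultdict

# Table 2 as printed, rounds 1 to 4.  "NA": decoy not sent that round.
# "69/50": the paper does not define the pair; the first figure is used
# (assumption).
TABLE_2 = {
    "Email with internal URLs": ["69", "7", "1", "0"],
    "Email with external URLs": ["176", "10", "3", "0"],
    "Forms to obtain credentials": ["69/50", "10/9", "0", "NA"],
    "Beacon Documents": ["71", "2", "0", "NA"],
}

# Constructed (round, user) response events for a population of 8 users.
EVENTS = [
    (1, "alice"), (1, "bob"), (1, "carol"), (1, "dave"),
    (2, "bob"), (2, "dave"),
    (3, "dave"),
]
POPULATION = 8


def parse_cell(cell):
    """Table cell to int; None when the decoy was not sent."""
    if cell == "NA":
        return None
    return int(cell.split("/")[0])


def round_totals(table):
    """Responses summed over decoy types, per round (NA cells skipped)."""
    n_rounds = max(len(row) for row in table.values())
    totals = []
    for r in range(n_rounds):
        values = [parse_cell(row[r]) for row in table.values() if r < len(row)]
        values = [v for v in values if v is not None]
        totals.append(sum(values) if values else None)
    return totals


def reduction_by_round(table):
    """Percent reduction of each round's total relative to round 1, one decimal."""
    totals = round_totals(table)
    first = totals[0]
    return [round(100.0 * (first - t) / first, 1) if t is not None else None
            for t in totals]


def repeat_responders(events, min_rounds=2):
    """Users who responded in at least min_rounds distinct rounds: the
    slower learners who need extra coaching."""
    rounds_by_user = defaultdict(set)
    for rnd, user in events:
        rounds_by_user[user].add(rnd)
    return sorted(u for u, rounds in rounds_by_user.items() if len(rounds) >= min_rounds)


def per_round_rate(events, population):
    """Fraction of the population that responded in each round."""
    users_by_round = defaultdict(set)
    for rnd, user in events:
        users_by_round[rnd].add(user)
    return {r: len(users_by_round[r]) / population for r in sorted(users_by_round)}


if __name__ == "__main__":
    print("totals per round:", round_totals(TABLE_2))
    print("reduction vs round 1 (%):", reduction_by_round(TABLE_2))
    print("repeat responders:", repeat_responders(EVENTS))
    print("response rate per round:", per_round_rate(EVENTS, POPULATION))
```

On the Table 2 figures the per-round totals fall from 385 to 29, 4 and finally 0, the curve the text describes; the per-user view is what the aggregate table cannot give, and it is the list a training coordinator would act on between rounds.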
7. Limitations of the study
Luo et al. (2011) [5] recognize key considerations that can be learned from social engineering penetration testing and education. Most importantly, the 2011 Columbia University study noted in this paper identifies that education followed by additional social engineering testing leads to a dramatic reduction in social engineering attack success, thereby reducing information system and network vulnerability. However, the 2011 Columbia University study offers no consideration of how frequently testing and training may be required to maintain the same results. In essence, the limitations of the Columbia University study prevent drawing an absolute conclusion that the same results should be expected if further testing were conducted. This leaves open the deployment of recurrent training models after periods of time, to determine whether users produce similar results after one phase of testing and thus whether training efforts are lasting.
8. Conclusions
To overcome cyber security incidents involving social engineering attacks, research supports the most effective defence being an educated computer user. Those most vulnerable are identified in this research as new employees within an organization, as specifically shown in figure 3 above, with the attacker seeking personally identifiable information (PII) from those engaged. Further supported in this research are the psychological variables that contribute to user vulnerability. This paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions that can be influenced through education. Ultimately, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced, but an absolute solution to overcome such cyber security threats has yet to be put forward.
Acknowledgment
None.
Conflicts of interest
The authors have no conflicts of interest to declare.
References
[1] Ragan S, W Staff. Social engineering: study finds Americans willingly open malicious emails. http://www.csoonline.com/article/2133877/social-engineering/social-engineering--study-finds-americans-willingly-open-malicious-emails.html. Accessed 28 August 2013.
[2] Maan PS, Sharma M. Social engineering: a partial technical attack. International Journal of Computer Science Issues. 2012; 9(2):557-9.
[3] Anonymous. FBI: Cyber-attacks surpassing terrorism as major domestic threat. https://www.rt.com/usa/fbi-cyber-attack-threat-739/. Accessed 25 November 2013.
[4] Engebretson P. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier; 2011.
[5] Luo X, Brody R, Seazzu A, Burd S. Social engineering: the neglected human factor for information security management. Information Resources Management Journal. 2011; 24(3):1-8.
[6] Bisson D. 5 Social engineering attacks to watch out for. The State of Security. http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/. Accessed 23 March 2015.
[7] Andress J. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Elsevier; 2011.
[8] Nakashima E, Peterson A. Report: cybercrime and espionage costs $445 billion annually. The Washington Post. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html. Accessed 9 June 2014.
[9] Strohm C. Cyber theft, already a $445 billion business, to grow bigger. http://www.insurancejournal.com/news/national/2014/06/09/331333.htm. Accessed 9 June 2014.
[10] Grimes RA. 5 reasons internet crime is worse than ever. InfoWorld. http://www.infoworld.com/article/2608631/security/5-reasons-internet-crime-is-worse-than-ever.html?page=2. Accessed 23 March 2015.
[11] Taylor RW, Fritsch EJ, Liederbach J. Digital crime and digital terrorism. Prentice Hall Press; 2014.
[12] Vacca JR. Computer and information security handbook. Newnes; 2012.
[13] Diana A. Social engineering targets weakest security link: employees. http://www.enterprisetech.com/2015/05/19/social-engineering-targets-weakest-security-link-employees/. Accessed 19 May 2015.
[14] Chitrey A, Singh D, Singh V. A comprehensive study of social engineering based attacks in India to develop a conceptual model. International Journal of Information and Network Security. 2012; 1(2):45-53.
[15] Bowen BM, Devarajan R, Stolfo S. Measuring the human factor of cyber security. In: International Conference on Technologies for Homeland Security (HST) 2011 (pp. 230-235). IEEE.
Dr. Nabie Y. Conteh is a Computer
Information Systems Professor at
Southern University at New Orleans
(SUNO). He holds a BS in information
systems from the Institute for
Information and Communication
Technology, in the Netherlands; an
MBA in information systems
management from Ferris State University; and an MS and
Ph.D. in information systems from the University of
Maryland, Baltimore County. His areas of teaching and
research interest include decision support systems, systems
modeling and simulation; artificial intelligence/expert
systems; systems analysis and design; and knowledge
management and organizational learning. Dr. Conteh
possesses many technical skills and the ability to speak
English, Dutch, Russian and German. Dr. Conteh has made
many presentations at national and international
conferences and has been published in refereed journals
and proceedings. He has worked as Assistant Professor at
Shenandoah University and is currently an Adjunct
Associate Professor of Cyberspace and Cyber Security at
the Graduate School of the University of Maryland
University College and Professor of Database Management
Systems and Global Information Technology at Florida
Tech. During the tenure of his Ph.D. program, he worked as
Research Assistant at the University of Maryland Baltimore
County. He did consulting for Datastream at College Park
in Maryland, a company whose primary activity is data
conversion. He has also worked for Getronics Transaction
Services and EuroShell International, ABN AMRO Bank at
Amsterdam, in the Netherlands.
Email: nconteh@suno.edu
Paul J. Schmick is a Speaker, Professor and Vice President of Security Technology for Alliance Security Services, headquartered in New York. Paul is a seasoned professional in the disciplines of security convergence and information technology, cybersecurity, physical security, risk-based security and security technologies. Paul previously held the position of Director of Corporate Security Programs at FJC Security Services, where he directed the company's corporate security programs, managed FJC's Office of Information Technology (OIT), and was the Managing Director of FJC Technology Solutions, where he directed the organization's security technology service division. Paul also served eight years with the U.S. Department of Homeland Security (DHS) - Transportation Security Administration (TSA); in his last role with the department he was responsible for the implementation of aviation security policy, managed security technology equipment deployments, and supervised training programs and personnel to enhance the agency's formidable defense against improvised explosive device (IED) threats targeting U.S. aviation assets and infrastructure. Paul earned his M.S. in Homeland Security Management from the Homeland Security and Terrorism Institute at LIU Post, and holds a B.A. in Homeland Security & Emergency Management from Ashford University. As an active member in the academic, security and emergency management communities, Paul serves as the Advisory Board Chair and Executive Director of the Homeland Security and Security Management program at the Long Island Business Institute in New York. He also serves as an Adjunct Professor under the U.S. Department of Homeland Security Transportation Security Administration Partnership Program at Erie Community College.
... These scams create a sense of urgency to manipulate users to act in a manner that challenges good judgment [30]. Helmi et al. defined phishing as a computer security attack. ...
... It is pretty straightforward as hanging tight for somebody who has approved admittance to enter a place and afterwards acting like somebody who failed to remember an identification or is there for an exact reason, like support [33]. This attack exposes those who have the power to access information systems or restricted areas or grant access to users of those systems by the attacker who may impersonate delivery personnel or others who may require temporal access to the system or premise [30]. For example, an intruder trying to have physical access to an authorised place may ask an authorised person with an RFID to hold the door open to have access because he forgot his RFID Card [32,34]. ...
... Pretexting is an attack driven by a fabricated scenario designed by the attacker, attempting to confirm and steal personal or organisational information from the target [30,35]. Before phishing became the most used social engineering technique, pretexting was the pervading [36]. ...
Article
Organisations closed their offices and began working from home online to prevent the spread of the COVID-19 virus. This shift in work culture coincided with increased online use during the same period. As a result, the rate of cybercrime has skyrocketed. This study examines the approaches, techniques, and countermeasures of Social Engineering and phishing in this context. The study discusses recent trends in the existing approaches for identifying phishing assaults. We explore social engineering attacks, categorise them into types, and offer both technical and social solutions for countering phishing attacks which makes this paper different from similar works that mainly focused on the types of attacks. We also show essential human characteristics that make users vulnerable to phishing attacks, their mitigating strategies, challenges, and future directions.
... The costs associated with sharing information about cyber threats and vulnerabilities are often a significant barrier. (Conteh & Schmick, 2016) 9 ...
... This has become vulnerable due to increased cyber-attacks. (Conteh & Schmick, 2016) 17 ...
Article
The study is aimed to analyze the barriers to address the cyber security challenges. Research design includes examination of literature, data collection and analysis. It uses the Interpretive Structural Modeling (ISM) technique with Matrice d'Impacts Croisés Multiplication Appliquée à un Classement (MICMAC). It is a qualitative approach to structure poorly articulated relations of elements of complex systems. Results of literature review show that there are total 18 barriers to address cyber security challenges. ISM generated a four level model i.e. barriers namely: 'collaborative barriers', 'data management', 'performance barriers', 'costs associated cyber threats and vulnerabilities', 'lack of documented processes', 'inappropriate cyber security policies', 'cyber terrorism', 'system migration vulnerabilities', 'complex operating system updates' and 'under-enforced cyber security policies' at top level; 'legal complication' at bottom level; remaining barriers at middle of model. Legal complication is the most critical barrier to address cyber security challenges. Barriers occupying middle part of model having moderate criticalness accordingly that on top have less criticalness. MICMAC analysis shows that 'legal complications' is independent whereas 'system migration vulnerabilities' is dependent, remaining all sixteen barriers are linking and no barrier is autonomous. The study has impactful practical implications for: internet service providers who can understand barriers and take informed decisions to plug the loops/incorporate counter solutions/checks; software vendors who can understand complex relations among barriers and create better built-in security checks; industry/companies across economy who understand barriers and better formulate corporate policies to prevent data and systems; individual users who will become well aware of issues of era of digitization; research community by way of providing theoretical framework for future researches.
It also has implications for governments who can better understand cyber-security issues and formulate better policies, fool proof cyber-law, codes for criminal and civil matters concerning the cyber-security. This study will also help governments to prioritize the key barriers/issues and to handle with order of preference. It provides foundations for designing quantitative studies testing hypothesized mediation and/or moderation. It also has theoretical implications by extending the frontiers of knowledge and information about the phenomenon of cyber-security. The study also has some methodological, data and resources limitations. Methodological limitations include: qualitative with inductive approach in the era of quantitative approaches, answering what is related to what without cause and quantification, dispensing with transitive links in model and using majority rule contrary to consensus for aggregation. Data limitations include: review of limited amount of literature, collection of data from relatively small number of respondents (medium size of panel of experts), taking data on matrix questionnaire containing large number of pairs of relations by simultaneous evaluation. Limitations of resources include: limited time and lack of any financial support. It is an original study since it is conducted in real time field setting addressing highly practical angles of a unique topic in a simple but a novel way. It uses original data, well established methods, techniques and procedures and contributes new knowledge towards the domain in form of structural model, classification of barriers and related information. It is useful for internet service providers, software vendors, industry/companies across economy, individual users, governments and research community.
... The core of Pretexting attack is that the attacker will come up with a fabricated scenario to take the victim's attention and engage them. Due to making a false story, the attacker is willing to prompt the victim to give up valuable information and access the credentials or personal information [8]. ...
... Quid Pro Quo method is a common type of threat which the attackers will impersonate IT by proposing value to the victim, especially those who have limited knowledge of technologies [8]. ...
Article
The massive technological progress and wide use of Information Technology have increased cyber security threats. Social engineering attacks are a common type of cyber security threat that faces everyone. It uses several methods, such as pretexting using Artificial Intelligence or phishing, to attack users’ valuable data due to human error. The risks of data attacks have increased, especially in the institutions sector, as the use of digital technologies become easier around the users. This paper investigates the awareness of social engineering attacks and cyber-security threats at the University of Sulaimani. The University of Sulaimani, based in the Kurdistan Region of Iraq, has a large number of students and staff; due to the increase of social engineering threats and lack of knowledge of cyber securities, the internet users at the University of Sulaimani put their confidential data at risk. This research has employed a quantitative approach, using a self-report questionnaire to gather primary data from participants. The online survey has been launched at the University of Sulaimani to provide a measurement of social engineering attacks on students and staff. The results show a variety of factors impacting participants’ awareness of their data. The objective of this study is to evaluate the participants’ knowledge of cyber-security and analyze their awareness of social engineering data breaches.
... While previous research has concentrated primarily on technical and operational aspects, we aim to examine the impact of both cybersecurity management, as well as cyberattacks, on the cybersecurity resilience of SMEs. 2,6,20 Other researchers such as Conteh and Schmick, 4 and Fernandez De Arroyabe and Fernandez de Arroyabe 12 have also observed the challenge of establishing a relationship between the types of incidents, cybersecurity management, and their impact on firm management. ...
... Thus, companies are exposed to cyberattacks, which are constantly growing, becoming more sophisticated, and diversified in nature, which makes it challenging for companies to safeguard themselves. 1,4,35 Cybersecurity attacks can occur in various ways, depending on the attacker's objectives, the method of execution, and the attacker's identity. The literature identifies different types of adversaries that use various techniques, including phishing, malware or web attacks, and the exploitation of vulnerabilities arising from the incorrect use of IT systems within organizations. ...
... The BYOD direction also raises concerns about the possibility of device loss or theft. If an employee's device containing sensitive company information is lost or stolen, the risk of unauthorised access to that information increases [5]. ...
... These criteria include confidentiality, integrity, availability, authenticity, privacy preservation, non-repudiation, and attack detection. Achieving these criteria ensures the system can eliminate potential privacy and security vulnerabilities and comply with regulatory guidelines [5,22]. The process of this study will ensure unbiased data retrieval and thorough search procedures. ...
Article
The number of devices connected within organisational networks through ”Bring Your Own Device” (BYOD) initiatives has steadily increased. BYOD security risks have resulted in significant privacy and security issues impacting organisational security. Many researchers have reviewed security and privacy issues in BYOD policies. However, not all of them have fully investigated security and privacy requirements. In addition to describing a system’s capabilities and functions, these requirements also reflect the system’s ability to eliminate various threats. This paper aims to conduct a comprehensive review of privacy and security criteria in BYOD security policies, as well as the various technical policy methods used to mitigate these threats, to identify future research opportunities. This study reviews existing research and highlights the following points: (1) classification of privacy and security requirements in the context of BYOD policies; (2) comprehensive analyses of proposed state-of-the-art security policy technologies based on three layers of security BYOD policies, followed by analyses of these technologies in terms of the privacy requirements they satisfy; (3) technological trends; (4) measures employed to assess the efficacy of techniques to enhance privacy and security; and (5) future research in the area of BYOD security and privacy.
... 123 They should also tailor the program to reach employees of all levels at different stages of their employment to keep cybersecurity a top priority and prevent any employee, whether brand new or decades in, from endangering the company. 124 The main benefit of cybersecurity awareness training is protection from attacks on digital systems or a data breach. Preventing such incidents is critical because a successful cyber attack can financially cripple an organization and significantly harm its brand reputation. ...
Technical Report
The proliferation of internet penetration presents safety and security challenges in the world. Incidences of online safety, security, women’s rights online and online gender-based violence are on the rise. This section deals with the impacts of online safety and security on the society, economy, legal framework, policy and regulation in countries based in Africa, America, Caribbean, Europe, Eurasia, Balkans, South and Southeast Asia, Central Asia and Middle East. It concludes with the activism and advocacy strategies that can be adopted to curb online threats.
... Utilising the identify function is one of the essential functions required for the effective use of the framework (National Institute of Standards and Technology, 2018). Organisations need to understand the context of the work performed, identify the resources that support critical functions, and identify the cybersecurity risks that may occur in these areas (Conteh & Schmick, 2016). These definitions, if done correctly, allow an organisation to focus on and prioritise objectives consistent with its risk management strategy and business needs (RSI Security, 2019). ...
... Cybercrime represents a modern manifestation of traditional criminal acts, leveraging information and communication technology tools and devices (Conteh & Schmick, 2016;Ojilere & Oraegbunam, 2021). It encompasses a wide range of illegal activities facilitated by electronic devices, such as financial fraud, child trafficking, intellectual property theft, and privacy violations through identity theft (Mohammed et al., 2019). ...
Preprint
Technological advancements have revolutionized various aspects of human life, facilitating communication, business operations, healthcare, education, and environmental monitoring. However, this increased reliance on technology has also led to a surge in cybercrime, including cyber scams. The "419 scam" or Nigerian scam has been a persistent problem for decades, encompassing frauds like advance fee scams, fake lotteries, and black money scams. Initially prevalent through postal mail and later via fax, the scam has now transitioned to email. This study aims to identify recent types of 419 scam emails, particularly after the covid 19 pandemic, and explore commonly used email subjects. Analysis of the sample 419 scam emails revealed trending scams like lucky winner, threat of exposure, business/partnership proposals, investment, cancer/long-term illness, fund, and compensation scams. Emerging scams included COVID-related, cryptocurrency, marketing contact, and software development scams. Irrespective of the scam type, scammers commonly employed email subjects such as 'Re', 'Good day', 'Greetings', 'Dear friend', 'Confirm', 'Attention', and 'Hello dear'. The severity of cybercrime, especially the 419 scams, cannot be overstated, as it erodes trust, causes financial losses, and hampers Nigeria's reputation and economic progress. Combatting cyber scams and enhancing cybersecurity measures are crucial to protect individuals and organizations from falling victim to these fraudulent schemes.
Article
Technological advancements have revolutionized various aspects of human life, facilitating communication, business operations, healthcare, education, and environmental monitoring. However, this increased reliance on technology has also led to a surge in cybercrime, including cyber scams. The "419 scam" or Nigerian scam has been a persistent problem for decades, encompassing frauds like advance fee scams, fake lotteries, and black money scams. Initially prevalent through postal mail and later via fax, the scam has now transitioned to email. This study aims to identify recent types of 419 scam emails, particularly after the COVID-19 pandemic, and explore commonly used email subjects. Analysis of the sample 419 scam emails revealed trending scams like lucky winner, threat of exposure, business/partnership proposals, investment, cancer/long-term illness, fund, and compensation scams. Emerging scams included COVID-related, cryptocurrency, marketing contact, and software development scams. Irrespective of the scam type, scammers commonly employed email subjects such as 'Re', 'Good day', 'Greetings', 'Dear friend', 'Confirm', 'Attention', and 'Hello dear'. The severity of cybercrime, especially the 419 scams, cannot be overstated, as it erodes trust, causes financial losses, and hampers Nigeria's reputation and economic progress. Combatting cyber scams and enhancing cybersecurity measures are crucial to protect individuals and organizations from falling victim to these fraudulent schemes.
Keywords: '419' scams, cybercrime, emails, cybersecurity
Proceedings Citation Format: Falade, P.V. (2023): Trend and Emerging Types of "419" SCAMS. Proceedings of the Cyber Secure Nigeria Conference. Nigerian Army Resource Centre (NARC) Abuja, Nigeria. 11-12th July, 2023. Pp 105-114. https://www.csean.org.ng/. dx.doi.org/10.22624/AIMS/CSEAN-SMART2023P13
Article
The objective of this research is to present and demonstrate an analytical approach towards Social Engineering. A questionnaire was created and a survey was conducted accordingly to determine the understanding of IT practitioners and social networking users based in India. Based on the responses, an advanced model of Social Engineering based attacks was developed. This model can be used in the development of an organization-wide Information Security policy and Information Security Awareness Program.
Conference Paper
This paper investigates new methods to measure, quantify and evaluate the security posture of human organizations, especially within large corporations and government agencies. Computer security is not just about technology and systems. It is also about the people that use those systems and how their vulnerable behaviors can lead to exploitation. We focus on measuring enterprise-level susceptibility to phishing attacks. Results of experiments conducted at Columbia University and the system used to conduct the experiments are presented that show how the system can also be effective for training users. We include a description of follow-on work that has been proposed to DHS that aims to measure and improve the security posture of government departments and agencies, as well as for comparing security postures of individual agencies against one another.
Article
Effective information systems security management combines technological measures and managerial efforts. Although various technical means have been employed to cope with security threats, human factors have been comparatively neglected. This article examines human factors that can lead to social engineering intrusions. Social engineering is a technique used by malicious attackers to gain access to desired information by exploiting the flaws in human logic known as cognitive biases. Social engineering is a potential threat to information security and should be considered equally important to its technological counterparts. This article unveils various social engineering attacks and their leading human factors, and discusses several ways to defend against social engineering: education, training, procedure, and policy. The authors further introduce possible countermeasures for social engineering attacks. Future analysis is also presented.
Book
This book presents information on how to analyze risks to your networks and the steps needed to select and deploy the appropriate countermeasures to reduce your exposure to physical and network threats. It also imparts the skills and knowledge needed to identify and counter some fundamental security risks and requirements, including Internet security threats and measures (audit trails, IP sniffing/spoofing etc.) and how to implement security policies and procedures. In addition, this book also covers security and network design with respect to particular vulnerabilities and threats. It also covers risk assessment and mitigation and auditing and testing of security systems. From this book, the reader will also learn about applying the standards and technologies required to build secure VPNs, configure client software and server operating systems, IPsec-enabled routers, firewalls and SSL clients. Chapter coverage includes identifying vulnerabilities and implementing appropriate countermeasures to prevent and mitigate threats to mission-critical processes. Techniques are explored for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation. A public key infrastructure (PKI) is an increasingly critical component for ensuring confidentiality, integrity and authentication in an enterprise. This comprehensive book will provide essential knowledge and skills needed to select, design and deploy a PKI to secure existing and future applications. This book will include discussion of vulnerability scanners to detect security weaknesses and prevention techniques, as well as allowing access to key services while maintaining systems security. Chapters contributed by leaders in the field cover theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise.
This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints. Presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
Book
The second edition of this comprehensive handbook of computer and information security serves as a professional reference and practitioner's guide providing the most complete view of computer security and privacy available. It offers in-depth coverage of security theory, technology, and practice as they relate to established technologies as well as recent advancements. It explores practical solutions to a wide range of security issues. Individual chapters are authored by leading experts in the field and address the immediate and long-term challenges in the authors' respective areas of expertise. The book is organized into nine parts composed of 61 contributed chapters by leading experts in the areas of networking and systems security; information management; cyber warfare and security; encryption technology; privacy; data storage; physical security; and a host of advanced security topics. New to this edition are chapters on intrusion detection, securing the cloud, securing web apps, ethical hacking, cyber forensics, physical security, disaster recovery, cyber attack deterrence, and more. Chapters contributed by leaders in the field cover theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise. This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints. Presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
Article
As part of the Syngress Basics series, The Basics of Information Security provides you with fundamental knowledge of information security in both theoretical and practical aspects. Author Jason Andress gives you the basic knowledge needed to understand the key concepts of confidentiality, integrity, and availability, and then dives into practical applications of these ideas in the areas of operational, physical, network, application, and operating system security. The Basics of Information Security gives you clear, non-technical explanations of how infosec works and how to apply these principles whether you're in the IT field or want to understand how it affects your career and business. The new Second Edition has been updated for the latest trends and threats, including new material on many infosec subjects.
  • Learn about information security without wading through a huge textbook
  • Covers both theoretical and practical aspects of information security
  • Provides a broad view of the information security field in a concise manner
  • All-new Second Edition updated for the latest information security trends and threats, including material on incident response, social engineering, security awareness, risk management, and legal/regulatory issues.