CFP last date
22 April 2024
Reseach Article

Towards Securing Organizational Data against Social Engineering Attacks

by Azaabi Cletus, Ussiph Najim
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 180 - Number 28
Year of Publication: 2018
Authors: Azaabi Cletus, Ussiph Najim
10.5120/ijca2018916649

Azaabi Cletus, Ussiph Najim . Towards Securing Organizational Data against Social Engineering Attacks. International Journal of Computer Applications. 180, 28 ( Mar 2018), 28-34. DOI=10.5120/ijca2018916649

@article{ 10.5120/ijca2018916649,
author = { Azaabi Cletus, Ussiph Najim },
title = { Towards Securing Organizational Data against Social Engineering Attacks },
journal = { International Journal of Computer Applications },
issue_date = { Mar 2018 },
volume = { 180 },
number = { 28 },
month = { Mar },
year = { 2018 },
issn = { 0975-8887 },
pages = { 28-34 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume180/number28/29155-2018916649/ },
doi = { 10.5120/ijca2018916649 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T01:02:04.731965+05:30
%A Azaabi Cletus
%A Ussiph Najim
%T Towards Securing Organizational Data against Social Engineering Attacks
%J International Journal of Computer Applications
%@ 0975-8887
%V 180
%N 28
%P 28-34
%D 2018
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The study was carried out mainly to investigate how data of organizations can be secured against Social Engineering (phishing) attack using a model. The phenomenon of social engineering is emerging as a major security threat to organizations’ information systems accounting for about thirty (30) percent of all security breaches globally with its attendant negative impact. It exploits the vulnerabilities inherent in users of information systems using psycho-social skills to influence them to divulge confidential information that is usually used later to gain access to a targeted technology system. Thus to secure data against social engineering attacks, the defense should be modeled around the user who is often considered as the weakest link in the information security chain. The paper used the Design Research method by proposing a model which was translated into web application system that identified vulnerable users to Socially Engineered attack by using their responses to a scam emails administered to them in phases. Purposive sampling was used to select customers of the community Bank where the study exercise (Simulated Phishing Attack) was conducted and evaluation of the efficiency of the model was carried out. Data was collected using log files and was analyzed using simple descriptive statistics and the results presented using frequency tables, bar charts and pie charts. The result showed that, users are highly vulnerable to social engineering attacks, and this vulnerability can be reduced by adopting the CEMASEA training model since it can build the resistance of users or reduces vulnerability by 69.05%. It was recommended that, for organizations to build social engineering resistance or immunity in particular and a sound security culture in general, Ethical Penetration Testing or Red Team Assessment should be adopted by all organizations periodically using a novel CLEMASEA model.

References
  1. Björck, F. (2005) Discovering Information
  2. Security Management. Diss.University of Stockholm. Report series No. 05-010, Stockholm.
  3. Chapman, A. (2010). Conscious competence
  4. earning model. Retrieved July 11, 2015, from http://www.businessballs.com/consciouscompetencelearningmodel.html.
  5. Dodge, J., Carver, C., & Ferguson, A. J. (2007). Phishing for user security awareness. Computers & Security, 26(1), 73-80. doi:10.1016/j.cose.2006.10.009
  6. Hasle, H., Kristiansen, Y., Kintel, K., Snekkenes,E. (2005) Measuring Resistance to Social Engineering. In Proceedings of the First International Conference on Information Security Practice and Experience -ISPEC'05 (LNCS 3439), 132-143.
  7. Herold, R. (2010). Managing an Information Security and Privacy Awareness and Training rogram, Second Edition. CRC Press.
  8. Jagatic, T. N., Johnson, N., Jakobsson, M., & Menczer, F. (2007, October). Social phishing. Communications of the ACM, 50, 94–100.
  9. Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T. (2009). School of phish: a real-world evaluation of anti-phishing training. Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS ’09 (pp. 3:1–3:12). New York, NY, USA: ACM. doi:10.1145/1572532.1572536
  10. Kowalski, S. (1994) IT Insecurity: A Multi-disciplinary Inquiry. Diss. University of Stockholm. Report series No. 94-040, Stockholm.
  11. Mann, I. (2008). Hacking the human: social engineering techniques and security countermeasures. Gower Publishing, Ltd.
  12. Mitnick, K. D., & Simon, W. L. (2011)
  13. The art of deception: Controlling the human element of security. Indianapolis, IN: Wiley Publishing, Inc. Nohlberg, M. (2008).Securing information assets: understanding, measuring and protecting against social engineering attacks. (No.09-001). Stockholm: Sotkcholm University &University of Skövde.
  14. Pfleeger, C. (2003) Security in Computing
  15. (3rd ed). Upper Saddle River: Prentice Hall.
  16. Randolph, J.J. (2007). Multidisciplinary methods in educational technology research and development. Retrieved February 9, 2015 from http://justus.randolph.name/methods.
  17. Reeves, T.C. (2008). Design-based research and educational technology: Rethinking technology and the research agenda, Educational Technology & Society, 11(4): 29-40.
  18. Von Solms, S. H., & Von Solms, R. (2008).Information Security Governance. New York: Springer.
Index Terms

Computer Science
Information Sciences

Keywords

Penetration testing Red Team Assessment social engineering compliant user Non Social Engineering Compliant user CLEMASEA model.