The role of employee information security awareness in preventing social engineering attacks (Case example: Tehran Municipality employees)

Document Type: Original Article

Authors

1 PhD student, Islamic Azad University, Department of Research Sciences, Tehran, Iran

2 Assistant Professor, Islamic Azad University, Central Tehran Branch, Tehran, Iran

Abstract

Social engineering is a form of attack that seeks to trick employees into revealing confidential information or performing actions on the attacker's behalf that threaten the security of the organization. The purpose of this article is to study the organizational and individual factors that influence employees' information security awareness and how that awareness helps prevent social engineering attacks. The research was conducted on 1322 employees of Tehran Municipality. Information security awareness was confirmed as one of the main factors in ensuring information security, and raising the level of information security awareness as an important factor in protecting the organization against possible attacks. The theory of rational action and its extension, the theory of planned behavior, were used in this study. Twelve hypotheses were designed based on expert opinion and previous research; the survey confirmed six of them, partially confirmed three, and rejected three. The results showed that information security policies, security awareness, training and skill-enhancement programs, the effect of awareness on employees' insight and motivation, and the effect of perceived behavioral control on employees' motivation in dealing with social engineering all have significant effects in preventing social engineering. The relationship between leadership, trust and risky behaviors on the one hand and information security awareness on the other was also measured, and only a weak relationship was found.

• Receive Date: 16 May 2024
• Revise Date: 30 August 2024
• Accept Date: 27 September 2024
• Publish Date: 22 October 2024