do not necessarily reflect the views of NursingAnswers.net.
Cyber crime is an extremely prevalent issue in society and contributes largely to the overall crime statistics in the UK (National Crime Agency; 2016) This is shown below in Fig. ? taken from the National Crime Agency’s 2016 Cyber Crime Assessment.
Fig. ? Cyber Crime Statistics for 2015. Source: (National Crime Agency; 2016).
(Verizon Enterprise; 2017) study not only identified the trends in locations worldwide for data breaches (see Fig. ?), but also what percentage of these were social attacks (see Fig. ?).
Fig. ?. Breach trends identified in Verizon 2017 report. Source: Verizon Enterprise. (2017)
Fig. ?. Tactics identified in Verizon 2017 report. Source: Verizon Enterprise. (2017)
This study covered 42,068 reported security incidents, which resulted in 1,935 breaches. This pool of actual breaches is where the 43% total (of social attacks) is established. (Verizon Enterprise; 2017). These type of statistics show not only how prevalent these social engineering attacks are, but also how widespread.
Oxford Dictionaries (no date) defines social engineering as:
“(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Simms (2016, p.24) similarly states:
“It combines technology, psychology and art to manipulate people with simple tricks to gain access to information systems”
Social Engineering is not a new tactic, but a form of manipulation and deceit that has been used for centuries. It can be seen throughout history in events such as the Greeks and the Trojan Horse, possibly one of the most famous social engineering attacks, resulting in both fall of Troy, and the name now being lent to a type of security exploit (Social engineering: learn from the mistakes of Troy; 2017). It can also be seen in mainstream media and literature, such as the “Catch Me If You Can” book and film, based on the true story of Social Engineer, Frank Abagnale. (Frank, A. and Redding, S; 1980).
Although Social Engineering may sound intricate, little to no technical knowledge is required in order to be a ”Social Engineer” (also referred to as “Social Hackers” or “Social Manipulators”), and everyone has some degree of Social engineering abilities. (Blackbourne; 2016). Although this makes it relatively easy to study and train to become an ethical social engineer to combat the issue, it is just as easy for someone to become a malicious social engineer from the comfort of their home.
Whilst awareness and defence against all forms of cyber-attacks is important, Social Attacks (i.e. Social Engineering) can bypass many security measures with ease. A Social Engineer who is intelligent and able to adapt their techniques sufficiently will be able to overcome any security challenge; it is a matter of when they will gain access, rather than if. (Simms; 2016).
Spitzner (no date) states:
“The state of human security is currently at the same level Windows 95 and Windows NT was were when they first came out.”
A rather disturbing statement when considering not only how far security measures have come since these operating systems, but when you also take into account how easy it is to become a social engineer, it highlights that this is a legitimate threat to the public, businesses and society as a whole.
Due to how common social attacks are it is important to understand why they are still so successful and if there is a trend or pattern within society that causes this. For this reason my research question for this study is the following:
What is society’s current understanding surrounding social engineering and is there a correlation between this, the victims of these attacks and current training trends?
In order to address this question fully there are also a set of objectives for this study that will focus on different areas under the topic in order to provide a thorough and well researched response.
The objectives are as follows:
- To establish what the current social engineering tactics and threats are.
- To establish whether there is any specific demographic that falls for attacks over any other and is this due to any specific attributes that impact victim vulnerability.
- To establish what training is currently available on the subject matter, as well as statistics surrounding who is trained.
- To confirm the general public’s knowledge surrounding the subject, such as general awareness and tactics used; specifically with a focus on any significant dips in knowledge
- To determine whether media exposure of security incidents and breaches (specifically those caused by social attacks), has an impact on individuals awareness and comprehension of the subject.
Review of Literature/Background
Stages of a Social Engineering Attack
There are several stages that an attacker will go through in order to perform an attack, the names of these stages can differ depending on your source, however it is generally the same process.
‘Is Social Engineering the easy Way In?’ describes the stages as; “The Research Stage”, “Choosing a Victim”, “Initiating a Relationship” and finally “Exploiting the Relationship” (Simms; 2016).
Whereas other sources combine initiation and exploitation into one stage, and include the exit or closing of the interaction into the series, as displayed below in Fig. ?. SOCIAL ENGINEERING (no date).
Fig. ? Social Engineering Life Cycle Source: (SOCIAL ENGINEERING; no date).
This study will be following the stages as defined by Simms (2016).
The Research Stage
This stage is simply where a social engineer will accumulate information on their mark, whether this is an individual, group or an organisation. This can be done by various means and can utilise both soft skills and technical skills. (Information Gathering; no date).
[Expand this section]
Choosing a Victim
Whether or not a social engineering attack is successful, relates to the susceptibility of the targeted victim(s). The human element will always be security’s weakest link, however, some individuals are more susceptible to social engineering than others. Factors such as gullibility, naiveté and ignorance play a key part in this. [Cite – Mitnick, K the art of deception, 2002].
In addition to this, the following user attributes have been defined as user vulnerabilities to social engineering; Behaviour-Related attributes, Perceptual-Related attributes, Socio-psychological-Related attributes and Socio-emotional-Related attributes. (Albladi and Weir; 2018).
Fig. ? User Attributes Source: (Albladi and Weir; 2018)
It is thought that the way in which individuals behaviour, such as the way in which they communicate or socialise for example, impact their susceptibility to attacks as these types of habits can in turn affect their perception of who/what to trust as well a their risk evaluation. (Albladi and Weir; 2018).
The way in which an individual perceives a threat is also an important component. Factors such as the perceived severity will effect the likelihood of becoming a victim. (Albladi and Weir; 2018)
Personality also impacts whether or not someone is likely to become a victim to an attack. Research has found that traits such as neuroticism, and agreeableness have a particularly high influence on detection of deceit (where those more neurotic is less likely to spot deceit and those who are more agreeable a more likely). (Halevi, Lewis, and Memon; 2013).
This relates to the types of emotional manipulation that will be effective on the victim. He identifies that Fear, Obedience, Greed and Helpfulness are all key emotions in different social attack methods (Whipple; 2016).
In the Workplace
In terms of particular roles or positions in the workplace, previous research shows that there are those that a targeted for attacks more often than others. These are; Reception and Help Staff, Technical Support Staff, System Administrators Staff & Clients. (Simms; 2016)
Initiating a Relationship
It is normal behaviour in society to initially trust an individual or a service, whether at face value or after some further risk evaluation and questioning. [Cite – Mitnick, K the art of deception, 2002.] Social engineers rely on and take advantage of human natures tendency to trust and to not suspect any malicious intent (Blackbourne; 2016).
In addition to this studies have found that employees will listen to someone they perceive to be authority, even if orders are against regulation.
Another study found that people will listen to someone they perceive to be of authority, whether or not the orders are against regulation or even immoral, and will in some cases continue to carry out the orders even if they audibly disagree with them (Cialdini; 2009).
Exploiting the Relationship
If an attacker is able is successfully progress to this stage then there are a vast range of tactics that can be used, which fall into three main categories of social engineering attacks. These are face-to-face attacks, phone based attacks and computer based attacks. (Simms; 2016). The following section will discuss tactics for all of these types of attacks.
Types of Attack
Oxford Dictionaries (no date) defines phishing as the following:
“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
The email will be structured to look legitimate but will usually have the intention of obtaining sensitive personal information. This type of attack is very “wide-net” and does not have any particular target in mind, but instead has the aim of capturing the information of as many victims as possible.
Verizon Enterprises 2015 Data Breach Investigation Report found that not only were 23% of recipients opening phishing emails but 11% of these recipients were going on to also click on the attachments. (Verizon Enterprise; 2015).
More concerningly the 2017 Verizon report proclaimed that Phishing made up 93% of social indicidents within their dataset and that nearly all attacks that led to a breach were followed up with some type of Malware. (Verizon Enterprise; 2017).
Oxford Dictionaries (no date) defines spear phishing as the following:
“The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.”
Spear Phishing, like phishing, is a type of email-spoofing attack where a file or link will be sent with malicious intent. However, in this instance the target will be a specific organisation or business rather than an attack sent out on mass. This means that the email will be tailored to suit the business that is being targeted so as to look more believable and to stand a higher chance of being successful.
Some studies suggest that Spear Phishing is more of a threat than that of Phishing, with more people falling for this technique. As part of the ‘Spear Phishing in Organisations Explained’ study it was found that although 19% of participants disclosed personally identifiable information in response to Phishing attempts, 29% do so under the Spear Phishing attempt. (Bullee and Montoya; 2017).
SMS Phishing, also referred to as Smishing, is a relatively more modern form of attack , originating around 2008 and becoming ever more prevalent since. (Segarra; 2017).
This method is very similar to Phishing and Spear Phishing and is used in variety of ways one of which is to trick the user into following a link which will take them to an untrustworthy site, or will cause malicious software to be downloaded on their device. Another example is where the text will be posed as if it is from a legitimate source such as the user’s banking provider and will provide a contact number. This number will in fact be a direct line to the hacker and once contacted they will go onto attempt to convince the user to provide access or sensitive information.
Oxford Dictionaries (no date) defines vishing as the following:
“The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.”
This technique is also known as Voice Phishing and is usually conducted under the rouse of providing some form of support or service. Usually individuals who make these calls will ensure they have the expected knowledge relating to the victim (i.e. name, address etc), and will apply a sense of urgency to the call, some also going as far as holding the line so if the victim is suspicious and attempts to hang up and call a legitimate line, they will again be put through to the social engineer. (Keyworth; 2016).
Vishers (the social engineer conducting the call) may also hide their actual number using methods such as phone spoofing or Voice over Internet Protocol (VoIP) to ensure that the number the victim sees is much more believable. (Keyworth, 2016; Hiremath, Malle and Patil; 2016).
Also referred to as Piggybacking, this method is extremely simple but shockingly effective. It is essentially the act of walking into an establishment and behaviour as though you belong.
Individuals likely to tailgate could be anyone from thieves and vandals, to ex-employees, all of which have the capability to cause large amounts of damage. (Rouse; no date).
This tactic is possible to do overtly, by making their presence known to those around, possibly under the rouse of another employee or some form of uniformed/authorised worker, as these tailgaters rely on those around feeling uncomfortable at the idea of confronting a stranger or denying access. (Silva Consultants; no date and Mcdaid; 2017)
It is also possible for this to do done covertly. where the tailgater will wait and discreetly follow behind someone else who is authorised. (Silva Consultants; no date).
Pretexting is a form of social engineering where the fraudster will use a “pretext” in order to obtain more information on the individual they are speaking to. This is usually under the rouse of confirming the victims identity (for a false, yet believable story they have provided) when in fact they will instead use the information for fraudulent activities. (Global Learning Systems; 2016).
This method can be used to obtain sensitive and non-sensitive information, but this tactic in particular requires a lot of trust and if this is not established then this method will not work. (Nadeem; 2018).
Also known as Quid Pro Quo, this type of attack is similar to the famous ‘Trojan Horse’, where an item is used to entice the victims greed and/or curiosity in order to successfully complete an attack, however instead of a wooden horse, a removable device or the offer of free digital media is used. (Nadeem; 2018).
This type of attack involves the infection of multiple sites with malware, these sites will have been chosen specifically based on the predicted or confirmed traffic of the selected victim (Rouse; 2015).
Ability to Recognise Attacks
Although all of these stages are important to keep in mind when defending against social engineering attacks, two stages of particular interest are “Choosing a Victim” and “Initiating a Relationship”. This is because if the “mark” or selected victim for the attack is not susceptible to the methods used, then the attempt will be ineffective and the hacker will be unable to progress to the final stage (“Exploiting the Relationship”), regardless of how much prior research has been done.
Several studies have been conducted in order to identify particular demographics who are more susceptible to social engineering attacks.
In 2010, a study (“Who falls for phish?”) found that the participants age actually affected their ability to detect phishing attack attempts, particularly those between the age of 18 – 22, due to having a lower level of education (Sheng et al; 2010). Whereas a similar study conducted in 2016 (“Baiting the Hook”) found that age only had an impact on the time taken to respond, rather than the response itself (Iuga, Nurse, and Erola; 2016).
In the later (web-based) study, 382 participants were involved, and the purpose was to establish factors that affect individual’s ability to recognise phishing attack attempts. These participants were shown images that alternated between legitimate and incorrect URLs, HTTPs indicators and source code fragments and then asked if they would provide their login details to the site. Out of the 382 participants, only 25% obtained a detection score over 75% (Iuga, Nurse, and Erola; 2016).
This rate of detection is extremely low and shows the need for not only further research into this area, but also an evident need for combative steps.
The results of the study found that both the gender of the target, as well as their PC usage (number of years), impacted the likelihood of a phishing attack attempt being identified (Iuga, Nurse, and Erola; 2016). Please see Fig. ? for an overview of the study’s results.
Fig. ? Baiting the Hook Results Source: (Iuga, Nurse, and Erola; 2016)
In regards to gender, it was discovered that female participants scored lower overall, which supports the findings of the 2010 study, that theorised this was due to women generally having less technical experience than men (Iuga, Nurse, and Erola; 2016 and Sheng et al; 2010). This also relates to the participant PC usage as it was evident that the longer the participant had been a PC user (i.e. the more technical experience they had), the less likely they were to fall for an attack attempt. (Iuga, Nurse, and Erola; 2016)
[Explain relevance – gender & technical experience]
Finally, Sheng et al; (2010) highlights the importance of appropriate training as prior to receiving any training participants fell for 47% of the phishing websites, however once trained this reduced to 28%.
Current Training Trends
Korpela (page #2015) states that:
“Security professionals propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system.”
The article also goes on to explain that education surrounding how social engineers operate (as well information value and protection) is part of a good prevention plan (Korpela; 2015).
This point has also been made, a little more in depth, in an earlier 2003 publication, which discusses how there is a difference between awareness, training and education and that for full effectiveness there is an awareness/training/education relationship or “continuum” that should be employed. (Wilson and Hash; 2003). This is displayed in Fig. ? below. The more recent publication by Blackbourne supports this, by also discussing awareness and education as separate entities, rather than combining them (Blackbourne; 2016).
Fig. ? Awareness, Training and Education. Source: (Wilson and Hash; 2003)
It is clear from aforementioned studies that providing appropriate training (along with additional supporting components) is one of the key factors to combating the issue at hand. Despite this, another study conducted in 2017 by Accenture found that 55% of of UK workers do not recall receiving any form of cyber security training by their employer. (Muncaster; 2017). [Look at expanding this section a little further]
Simms (page #2016) states that:
“Organisations spend much more money on security systems than on educating and training their users to recognise a social engineering attack.”
[Find a way to move this to conclusion – (certain roles are targeted more than others) It is therefore imperative to ensure that all staff are appropriately trained in how to identify social engineering attempts, and not just those within particular IT roles.]
[Cyber security breaches survey 2017 (main report)]
[Expand on this slightly]
Reflection on the Literature
After reviewing the various publications and literature available surrounding social engineers, their victims and their tactics it clear that there is a gap in the research already conducted that ties together the points already made.
Research into current awareness, training and detection ability seems to be heavily weighted around phishing attacks, which leaves many other tactics insufficiently covered. This is made more surprising by the fact that there are many types of security incidents and beaches publicized in the media that relate to tactics other than phishing.
[Expand on this a little more to ensure the questions are answered.]
Methodology/Sources of data
An extensive range of secondary data was collected, studied and referenced for the purpose of this paper.
Sources of Data
In order to appropriately tackle my aims and objectives for this project a wide scope of literature was reviewed. The types of sources used included research papers, websites, books, e-books and journal articles.
When searching for suitable literature, multiple sources were used such as The University of Worcester’s Online Library Service and Google Scholar, as well as purchasing hard copies of books that researched and found to be applicable.
It was evident early on in the study that literature outside the field of computing would be required, as social engineering relies heavily on persuasion and manipulation, and links largely to psychology. Therefore, documentation related to this subject was focused on particularly for understanding the traits and attributes that influence victims probability to fall for an attack. This was something that was not initially considered when beginning the project, however literature of this nature was accessible via the aforementioned methods.
For specific types of social engineering attacks, the definition of the term was quoted for quick clarification and further articles and reports were examined in order to expand the explanation further. In addition to this publications within the media were searched for and included, specifically UK based where possible (mainly BBC News). This was not only to find case study examples of incidents relating to the attack type, but also to support my objective relating to media exposure.
To understand the current training trends it was necessary to review statistics surrounding whether training not only occurred, but how many people received it. This is because it was important to show whether this statistic was low or high as a basis for the argument as to whether not enough training is being provided, or whether there is plenty of training, but it is insufficient.
Impact to Primary Research
Although creating a questionnaire for the primary research was a method that was considered early on, the findings from the secondary research shaped the flow and content of the questionnaire itself.
It was found that many of the studies that conducted experiments, to verify participants ability to identify attacks, were based around the phishing tactic. It was then deemed important to include questions relating to a range of tactics and not just phishing in my own research in order to establish whether the awareness surrounding these was lower (which is the expected result).
These studies also established demographics they believed to be more susceptible to attacks. Although questions such as age and technical ability were already to be included in the questionnaire they way in which these were structured was influenced by the studies. For example, age brackets were determined by (Sheng et al; 2010) as it was stated that 18 – 22 year olds were a more heavily affected age range. This was then the first age bracket and each bracket was then incremented as four year brackets (i.e 18 – 22, 23 – 27, 28 – 32 etc). Technical ability was included in more depth to ensure the points made by (Iuga, Nurse, and Erola; 2016) could be investigated and discussed.
Questioning the participants on whether they remembered any specific security incidents in the media is due to noticing a lack of information in the media around exactly how attacks were made/which tactics were used and whether or not they were social engineering attacks. This has therefore been included in order to conduct a direct comparison between the responses and their awareness of social engineering tactics i.e. are they aware of cases in the media but then state that they do not know, or have little knowledge around the tactic used in that attack.
Questions regarding participant behaviour (whether they would report any suspicious activity) was included based on the research of Albladi and Weir (2018) and that of (Halevi, Lewis, and Memon; 2013).
For the primary research, organising focus groups was briefly considered however, it was decided that this type of research method would be more appropriate for a technical project.
A questionnaire was therefore chosen as the method of primary research as this allows efficient creation and distribution, particularly to large audiences in a short period of time. This in turn (and in theory) allows for a quick turn around with results for analysis.
The purpose of the questionnaire is to verify awareness, knowledge and training around cyber security, in particular social engineering, the confidence level and behaviour of participants and then use these responses for analysis to identify trends and patterns in the data.
Please see Appendix ?? to view the questionnaire.
The target audience for the questionnaire is the general public and the aim will be to distribute this to as broad an audience as possible in order to reach a range of backgrounds.
It is desirable to obtain responses from all age ranges, technical experience/ability and occupation (such as student or working individuals). This is to avoid bias and ensure accurate results in the data. Bias is further discussed in section ??.
As the questionnaire is an online form this instantly invites bias into the results. This is because individuals who can access and complete the form already have at least a basic level of technical ability.
The questionnaire will be deployed via social media platforms and this way of distribution can also invite further bias to the study. This again is due to the basic technical ability involved, but also the specific audiences on particular platforms. For example, when distributing on LinkedIn, connections that will be able to see the form being shared will be from a similar background (i.e. technical and computer based).
The questionnaire will be created through Google Forms and, as aforementioned, distributed via a range of social media platforms such as Facebook, Twitter and LinkedIn.
Responses will be obtained and securely held in accordance to The University of Worcester’s Information Security Policy. Please see section ?? for further information.
The raw data from these surveys will be qualitative and in order to analyse the data, it will be exported into Google Sheets.
The graphs and charts created via Google Forms will be captured and discussed to support the analysis. Additionally, a Google Forms add on called Advanced Summary will be used, which provides a better summary of the raw data by providing percentages, timescales and averages of the data.
When collecting data from the general public it is imperative to ensure that this is done so in a safe and ethical manner.
Participants will remain anonymous and no identifiable data will be collected. A disclosure page is displayed upon following the link to the questionnaire which details both the purpose of the questionnaire and what it involves, as well as how participants data will be handled. All participants will need to click next at the bottom of this disclosure page in order to continue to the questions, thus confirming their participation. However, no one is obligated to complete the questionnaire and is able to exit at any point. This also outlined in the disclosure page.
Please see Appendix ? for ethical approval (obtained prior to collecting any data) as well as how this relates to the Ethical Policy.
The University of Worcester Data Security Policy
All software, tools and add ons are used in compliance with the University’s Data Security Policy. Both Google Forms and the add on (Advanced Summary) only have access to raw data results and no personally identifiable/sensitive or personal data.
Using the same format determined for the projects primary research (i.e. Google Forms), a feedback survey was created for the showcase event. The purpose of this form is to obtain adequate and constructive feedback in regards to both the way in which I conducted the presentation as well as the quality of the content. This section will discuss outcome of the showcase and how it will affect the primary research further. For content relating to the quality of the presentation, please see Appendix ?.
The form was distributed in paper form after the presentation was complete and the hard copy results were then manually entered into Google Forms in order to process this into graphical representations of the participant’s responses for analysis.
The showcase supported decisions already made surrounding future changes to the questionnaire. Brief analysis was conducted on the data which hinted towards some correlation with findings documented in the literature, such as gender influencing ability to identify an attack. However with only 15 participants no real conclusion could be drawn, but did show promise for the future research. This analysis is documented in Appendix ?
Verbal discussions with the presentation audience found that there was some awareness surrounding cyber security, although social engineering awareness seemed to be lacking. Therefore a range of questions relating to this will be included as this could help support later investigation and discussion. Furthermore, additional social engineering attack types will be included.
Cyber Security vs Social Engineering Awareness
After assessing the data it was found that there was a greater level of awareness surrounding cyber security and its relative terminology than there was around social engineering and the tactics used by social engineers.
On the one hand, this is surprising as the terminology presented in the primary research under cyber security were typically the types of threats and security risks distributed when a social engineering tactic is successful (such as a phishing email infection a device with malware, ransomware etc). Therefore, there is some expectation for a higher understanding of the social engineering tactics.
On the other hand, when this is compared to the responses participants offered of the security incidents they remembered in the media, the majority were only cyber security incidents and not specifically social engineering incidents. It could be argued that the lack of either social engineering occurrences in the media (or at least the specification that an incident is due to a social engineering attack), is another factor that contributes to the awareness difference between the two. Unfortunately, not enough information around media exposure was obtained from the primary research and therefore this is purely speculative, rather than a definitive statement as proof of this can not be offered.
Attack Awareness and Confidence in Identification
Out of all of the attack types, the phishing tactic had the most participant awareness. When conducting the secondary research for this project it was undeniable that there was an abundance of documentation around phishing and significantly less on other tactics. Interestingly, very few articles or sources of official information for the watering hole tactic were found, and this was the tactic with the lowest level of awareness.
Critical analysis of the data showed that there were at least three factors that contributed to patterns in the responses surrounding attack awareness. These were gender, age and technical experience.
In regards to gender, women had a significantly lower level of awareness than men around the subject matter. (Iuga, Nurse, and Erola; 2016 and Sheng et al; 2010) discuss in their respective studies that women have a lower detection rate, and they believe this is due to men having more technical experience than women. This study’s results from the primary research supports this theory as, when examined, the women had a much lower level of technical experience than the men in the study. Men had only intermediate or higher technical ability (with 52.38% at Advanced and 28.57% at Expert level), whereas females ability was more distributed, with no participants having an expert level of technical skill.
It is possible that this relates not only to ability to detect attacks but also to their general lack of awareness surrounding the subject. This study also found that women’s confidence in their ability to identify attacks was significantly low in comparison to men.
Contradictory to the secondary research, younger age groups appeared to have a greater level of awareness around social engineering tactics.(Sheng et al; 2010) proposes that those between 18 – 22 have less ability to identify an attack based on having a lower level of education. Unfortunately, education could not be efficiently checked due to a mistake in the creation of the questionnaire (this is addressed in full in section ?.?). In order to still investigate this area age brackets were instead compared against both technical ability and training experience. This comparison found that those between 18 – 22 actually displayed a very high level of technical experience and that more than 85% also had some form of security training (42% of which had more than one form of training).
In addition to this the majority (70%) of 18 – 22 year old participants believed that they could identify a social engineering attack, showing a high level of confidence, which likely relates to the similarly high level of technical experience and training.
Awareness vs Training
(Wilson and Hash; 2003) portrays awareness and training as separate entities that are building blocks towards an effective education. This was corroborated by the findings of this study as 80% of those with no formal security still had awareness of cyber security and social engineering. Further proving that awareness and training are not strictly mutual, but one can reinforce the other.
Although key factors of influence on results have been identified as age and gender, demographics such as these do not have any influence on the benefit of quality training. (Sheng, S. et al; 2010).
Despite the conclusive findings in this project and previous studies that show the importance and benefit of training, many remain untrained. Of the 42 individuals who took part in the study, 32 of these were not students. Although an assumption, it is relatively safe to assume that these individuals are within the working world in one industry or another. Over 56% of these individuals had not completed any formal training supporting the findings of Muncaster, P. (2017).
Behaviour upon Detection
Once suspicious activity is detected nearly half of the participants confirmed that would report an attack. However, roughly 40% of participants would want to do so but do not know how or where to do this. Awareness or training in the appropriate actions after this type of activity is identified is imperative, as although awareness and training is useful on how to avoid attacks, if one is found or identified and avoided, this does not help to resolve the issue.
Limitations of the Research
There were multiple limitations to the research that restricted the direction of the project as well as the overall outcome.
There were a few areas where appropriate literature was a little more difficult to obtain. For example, media exposure is touched on with the aims of identifying whether there is a correlation between social engineering exposure and participant awareness. When searching for literature in this area the most prominent results were in relation to social media and not rather than media such as news publications/features.
It was not possible to examine and list case studies prior to the results of the primary research as this would be inefficient. Studies that mentioned by participants as part of the results were examined instead. However, as previously mentioned suitable results were not obtained this way.
Also when searching for literature around particular social engineering tactics, unrelated documentation would be found, even when using sources such as The University of Worcester’s Library Service. For example, tailgating has more than one meaning and when searching for media relating to the social engineering attack, articles and journals relating to the American pass time would be presented instead.
Confidence vs Actual Ability
Firstly, it is important to again stress that this study discusses participants self confessed ability to identify attacks i.e. their confidence in their own ability, rather than their actual ability. This can not be taken as results for actual ability as it would not be reliable, participants can be overconfident or underconfident in themselves. These responses were measured against other factors in order to determine whether confidence was influenced, however in an actual attack results could wildly differ.
When creating the survey only those who stated that they were currently students were asked what level of education they had/were currently studying at. In order to investigate one of the points made in the secondary research (lower age ranges have a lower level of education), the level of education of all participants would need to be established. Although this issue was addressed and moderated by drawing a direct comparison against other similar fields, obtaining this information would have greatly supported this particular area in the study.
Number of participants
The total number of responses obtained for analysis was 42, although this was a large enough pool to successfully complete a series of investigations, it would have been thoroughly beneficial to obtain a much larger set of results (such as 100) in order to conduct a more accurate analysis and to possible mitigate some of the acquired bias.
With such a small set of data it is not possible to establish a definitive result, but rather conduct a more speculative discussion based on the findings. This is because it is much more difficult to identify any patterns or trends within the results. However, the data obtained does make a good foundation for further future research.
Another limitation to the research which has been mentioned multiple times throughout the project is bias. The questionnaire format (an online form), the distribution method (via social media) and the types of social media used (i.e. particular audiences had access) all invited bias before any data had been collected.
One of the platforms used was LinkedIn and therefore the form was viewed by connections who work within technical industries or have a similar background and skill. Additionally the form was also shared on the University of Worcester Computing Students FaceBook page, which again invites those with technical skills and experience to participate. In order to combat this slightly the form was also shared on my own personal FaceBook page in an attempt to reach a more diverse audience.
Upon collection and review of the data, bias based on the number of results from age and student/none student demographics were all identified.
This project, despite its faults and limitations, creates a good foundation for future research. Further research would expand on the results of this study, but would also allow for critical evaluation into areas that were touched on, but for practical reasons could not be expanded on due to time constraints as well as ensuring the project did not become to broad.
This area could not be fully explored in this project, although there is considerable potential in this area. The lack of documentation covering media exposure and its impact on awareness within society (i.e. the general public) was a limitation of the study but also means that future research has the opportunity of conducting original research where there is a clear demand.
The way in which the primary research is conducted would benefit from changes if this was to be taken forward. For example, splitting primary research into two specific research areas, each with different research methods, is recommended.
A questionnaire of some form should be used, but distribution should not only be online but also via physical hard copies (to target bias and reach a larger audience). It is also recommended to include questions that establish what each participants user attributes are. Behavioural and personality traits can be analysed against responses to further study victim traits, this was briefly looked into in the secondary research but not identified in this study.
The second part of the primary research should be a practical experiment in order to monitor and collate participate actual ability to identify social engineering attacks. As phishing is the most documented tactic to be studied it is imperative for future research to expand and focus on lesser known and researched tactics. This however would require extensive ethical approval prior to any research.
Cite This Work
To export a reference to this article please select a referencing stye below: