The Role of Social Engineering in Cybersecurity and Its Impact
1. Introduction
The term social engineering has become a cause for concern in both virtual and physical communities [1], as it is a method that is both harmful and effective for attacking information systems [2]. Social engineering refers to the psychological manipulation of people into performing actions or disclosing confidential information [3], access, or valuables [1] [2].
Information security is a fast-growing discipline. There are now several options for protecting hardware and software against external and internal threats to information systems [4], but there is little research on the soft elements, that is, the human component of information security. Social engineering is a catch-all term for a wide variety of malicious operations carried out through human relationships [5]. Social engineers make use of services and platforms that lay the groundwork for more complex attacks in order to gain entry to information systems and other places [6]. The use of communication technologies, technological advances, and the internet in both private and public settings has made the problem significantly worse [7] [8]. The depth of penetration achieved in social engineering incidents in the cybersecurity sector can be determined using a variety of methods [9], as can the areas of infiltration through psychological manipulation [10]; earlier work has analysed the use of these methods, the gaps in workplace training intended to raise awareness, and the obstacles to promoting awareness of the seriousness of social engineering in information management and cybersecurity [10] [11]. Even when the best possible technical solutions are in place to safeguard information, certain personnel will need access to it and will be able to undermine its security, whether intentionally or accidentally [12]. The controlled compromise is the focus of this research: it examines social engineering as an attempt at compromise and seeks to limit the intentional and inadvertent compromise of systems and data by minimizing the hazards that this manipulation creates.
Problem Statement
With the increasing use of information systems in many organizations, the value of the data contained in these systems has increased. Many organizations have developed electronic systems to serve many purposes, such as e-learning systems, student registration systems, and others. The importance of these systems was especially evident during the COVID-19 pandemic, when online communication was the only way to communicate with students. Because of this importance, there have been many cybersecurity attacks targeting organizations. For example, the University of Calgary was targeted by a ransomware attack and paid C$20,000 to avoid data loss [13]. A recent study showed that 85% of cybersecurity professionals are dissatisfied with the level of cybersecurity protection in their organizations [14]. The same report indicated that social engineering attacks and lack of awareness are among the most important threats to organizations. Several studies have found that organizations suffer from low levels of awareness of cybersecurity concepts [1]. This research addresses the low level of awareness of social engineering attacks in organizations by investigating the role of prior knowledge of social engineering approaches in improving cybersecurity knowledge, practices, and skills in organizations.
2. Literature Review
2.1. Cybersecurity
Cybersecurity protects data and information systems (software, hardware and supporting infrastructure), the data they contain and the services they provide from unauthorized access, misuse or corruption. This includes damage caused intentionally by a system operator as well as damage caused by error, such as failure to follow security measures [15].
Cybersecurity can be defined as the set of tools, policies, security concepts, security guidelines, activities, risk management techniques, training, assurance, best practices and technology that can be used to protect an organization’s digital assets from internal and external threats. Because it is a primary medium for terrorism, cybercrime is a huge threat to the economy, to individual safety, and to the broader population. Business and government entities are not the only ones who need to be concerned about cybersecurity; so does everyone who uses digital devices such as computers, smartphones and tablets. Many personal details are stored on these devices, which digital thieves would love to acquire. Moreover, if attackers gain access to your information, they can use you as bait to trick your friends or family into a digital scam. A security breach can harm anything connected to the internet and used for communication or other purposes [15].
2.2. Social Engineering
Social engineering is a threat that deceives and manipulates users in order to obtain their information and gain access to their computers. Malicious links or physical access to the machine are used to do this. Firms may face significant difficulties if they are unaware of what cybersecurity entails [16].
Cybersecurity is one of the most crucial parts of the fast-paced, ever-changing digital world. Its threats are hard to deny, so it is crucial to defend against them.
The technique of persuading individuals to perform actions or expose secret information is known as social engineering. The phrase refers to trickery for the purposes of information gathering, fraud, identity theft, or access to computer systems. Social engineering attacks use direct interpersonal communication (in person, by telephone, by email, or via social media and the internet). Social engineering is a common form of cybercrime [17]. Obtaining unauthorized access to a system or to sensitive information such as passwords by building trust and relationships with people who have such access is referred to as social engineering. Only approximately 3% of malware tries to exploit a technical flaw; the other 97% targets users through social engineering [18]. A social engineer uses human psychology to exploit people for his or her own ends [19]. Due to the COVID-19 outbreak, the number of people working remotely has grown dramatically, and there has been a corresponding rise in social engineering attacks. Under such conditions, as employees adapt to unfamiliar work environments away from the office, new coronavirus-themed phishing scams leverage fear, hook vulnerable people, and take advantage of workplace disruption. Employers must ensure that their staff are aware of the dangers of social engineering and how to avoid becoming a victim, and must emphasize the need to adopt measures and tools, including policies and training programs, to mitigate the risk of social engineering attacks [20] [21].
Before social engineers make a move on a valued system, they must make the right preparations; otherwise their operation will fail. First, they gather information on their target. This enables them to identify specific weaknesses in the target.
Once they have found an opening, they need a way to get close enough to attack. This is usually done by approaching the target and building a relationship. Once the social engineer has been granted access, it is not long before he or she exploits it and walks away unnoticed. There are several articles, surveys, and publications on the human component and related topics. However, it is still a relatively untapped scientific topic. Most articles and books lack a scientific foundation and do not provide a comprehensive overview, focusing instead on case studies or descriptions. Nevertheless, these studies reveal that the human component can cause significant harm to businesses, not just financially but also in terms of image, which in turn affects the organization’s long-term goals and viability. Human behavior can easily be influenced by exposure to certain words, feelings or images [22].
2.3. Hackers and Social Engineers
The terms “hacking” and “social engineering” are often used interchangeably. The motives and goals of both sorts of attackers are similar, and social engineering approaches are used to acquire information in preparation for a hacking operation. Social engineers are also called “people hackers” because the two are so similar. As a result, it is critical to understand who these (human) hackers are [23]. Similarly, [24] stated that social engineering attacks involve interpersonal interaction, face-to-face, by telephone, or through electronic communication, to manipulate the recipient into divulging a company’s confidential information. This aligns with the argument of [25] that social engineering relies on human psychology to exploit people’s vulnerabilities for the attacker’s benefit.
2.4. Prevention of Social Engineering Attacks
Social engineering attacks are among the hardest threats to defend against because they involve the human element, which is quite unpredictable. However, some steps can be taken to reduce the risk of social engineering to a manageable level. Organizations can mitigate the risk with an active security culture that keeps evolving as the threat landscape changes. Scholars recommend raising information security awareness and developing training programs for employees and members of organizations to teach them how to protect their own data and systems in order to prevent opportunistic attacks [2] [26].
3. Research Methodology
A cross-sectional field survey of the level of social engineering awareness was conducted in April 2022. Participants were selected from different organizations located in Riyadh City (KSA) [24]. The sample was divided into two groups: the first contained participants who had knowledge of social engineering approaches, while the second contained participants who had no prior knowledge of social engineering practices.
Using the standard formula for sample size, the calculated sample size was 509; during data analysis the researcher found that one respondent should be excluded [11], so the total number of respondents obtained was 508. Since no recent, accurate data were available, the prevalence was taken as 50%, with a 95% confidence interval and a 5% margin of error.
Organizations were chosen based on the dependence of their business on information technology and the risk level of a social engineering attack, and an equal percentage of employees was obtained from each organization. Men and women participated equally. The questionnaire was developed by the researcher and then reviewed by a group of experts in the computer science department of Shaqra University. After passing the content validity phase, the questionnaire was translated into Arabic by the researcher using forward and backward translation, and an online version was created with Google Forms. To test the validity and reliability of the Arabic version, we administered it and then administered the English version to the same students; Cronbach’s alpha and confirmatory factor analysis were applied to test the questionnaire. The researchers obtained ethical approval for this research from the Research Ethics Committee at Shaqra University in Saudi Arabia. In order to identify the level of awareness of social engineering attacks, the researcher built a scale for the level of social engineering knowledge, as explained in Table 1 (weak, moderate and good knowledge).
The items were grouped into four categories (knowledge, practices, solutions, and education) to reflect various levels of awareness. Data entry and analysis were conducted with IBM SPSS version 26 (Statistical Package for the Social Sciences, IBM, New York, NY). The questionnaire consists of 27 items divided into three parts. The first part acts as a cover letter and consent form, providing information about the study and the research team. The second part collects the respondent’s demographic data, including age, nationality, educational background, and gender. The third part contains statements designed to measure the level of awareness of social engineering attacks in the organizational sector.
Categorical variables are expressed as frequency or proportion. Continuous variables are expressed as median and interquartile range after testing the normality of the distribution. The chi-square test was used to determine associations between categorical variables. Pearson’s correlation test was used for comparison of non-parametric data between groups, as explained in Table 2.
To measure the validity and reliability of the scale, the researcher conducted a reliability test on the data, which showed a high degree of internal consistency: Cronbach’s alpha values ranged between 0.707 and 0.763, as indicated in Table 3.
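As an added worked example (not part of the original study), the following Python reproduces the two calculations the methodology relies on: Cochran’s sample-size formula for a proportion, which is the standard formula referred to above, and Cronbach’s alpha for the internal consistency reported in Table 3. The response matrix is constructed for illustration and is not the study’s data. With the parameters stated above (prevalence 0.5, 95% confidence, 5% margin of error) the formula gives 385 rather than the reported 509, so the paper’s figure must include an adjustment the text does not describe, such as an allowance for expected non-response; the example reproduces the textbook value and does not attempt to recover the paper’s.

```python
"""Added worked example (not from the original study): Cochran's sample size
for a proportion and Cronbach's alpha for internal consistency. The response
matrix below is constructed for illustration and is not the study's data."""
import math
from statistics import variance


def cochran_sample_size(p=0.5, z=1.96, e=0.05):
    """n = z^2 * p(1-p) / e^2, rounded up to the next whole respondent.

    p: assumed prevalence (0.5 maximises the required n when p is unknown)
    z: standard normal quantile for the confidence level (1.96 for 95%)
    e: absolute margin of error (0.05 for 5%)
    """
    if not 0 < p < 1 or e <= 0 or z <= 0:
        raise ValueError("p in (0, 1), e > 0 and z > 0 are required")
    return math.ceil(z * z * p * (1 - p) / (e * e))


def cronbach_alpha(responses):
    """Cronbach's alpha for a list of respondents, each a list of k item scores.

    alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))
    Sample (n-1) variances are used throughout, matching SPSS's estimator.
    """
    if len(responses) < 2:
        raise ValueError("at least two respondents are required")
    k = len(responses[0])
    if k < 2 or any(len(r) != k for r in responses):
        raise ValueError("at least two items, with the same count per respondent")
    item_vars = [variance([r[i] for r in responses]) for i in range(k)]
    total_var = variance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("total scores have no variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


# Constructed example: five respondents answering a three-item subscale on the
# paper's 1 (poor) / 2 (moderate) / 3 (good) scale. Not the study's data.
SAMPLE_RESPONSES = [
    [3, 3, 2],
    [2, 2, 2],
    [1, 2, 1],
    [3, 2, 3],
    [1, 1, 1],
]

if __name__ == "__main__":
    # With p = 0.5, z = 1.96 and e = 0.05 the textbook formula gives 385, not
    # the 509 the paper reports, so the paper applied an adjustment it does not
    # state (for example inflating n for expected non-response).
    print("Cochran n:", cochran_sample_size())
    print("Cronbach alpha:", round(cronbach_alpha(SAMPLE_RESPONSES), 3))
```

Alpha above 0.7, the conventional threshold the paper’s 0.707 to 0.763 clears, indicates that the items in a subscale vary together; a subscale with alpha near zero or negative would mean its items do not measure one construct and should not be summed into a single score.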
Table 1. Level of awareness of social engineering.
Table 2. Pearson correlation for social engineering.
**: Correlation is significant at the 0.01 level (2-tailed).
Table 3. Item-total statistics for social engineering.
4. Results
Data Analysis
The total number of participants in this study was 508, with a response rate of 99%, comprising 382 (75.2%) males and 126 (24.8%) females, as illustrated in Table 4. The largest age group was 18 - 25 years (29.7%). To verify the validity of the questionnaire, correlation coefficients were calculated in SPSS between each of the 10 questions, items 1 to 10 being the 10 questions of the English version.
As shown in Figure 1, 151 participants (29.7%) were in the 18 - 25 age group, 145 (28.5%) were aged 26 - 35, 104 (20.5%) were aged 36 - 45, and 21.3% were aged 46 and above. In total, 75.2% of participants were male.
In addition, 350 of the sample (68.9%) were employees, 60 (11.8%) were students, and 57 (11.2%) had other occupations.
Prior Knowledge about Social Engineering
Participants in both groups were asked to indicate whether they knew the meaning of “social engineering”. The researcher then compared all responses between the two groups to determine whether there were significant differences between them. It was found that 36.6% (186 participants) had prior knowledge of social engineering approaches, while 63.4% (322 participants) had no prior knowledge of social engineering applications, as shown in Table 5. This study did not focus on specific social engineering attacks, but rather measured the level of awareness of these methods in general and their impact on other cybersecurity practices. However, there was a specific question about common social engineering attacks, and 67.3% of respondents indicated that they did not know about the different types of social engineering attacks.
Table 4. Correlation between knowledge about social engineering & the demographic characteristics.
**: Correlation is significant at the 0.01 level (2-tailed).
Figure 1. Characteristics of the participants according to demographic variables; June 2022.
Table 5. Social engineering knowledge.
The regression model was statistically highly significant, as illustrated in Table 6, meaning that there is a statistically significant relationship between knowledge level and social engineering related practices: F = 556.475 with a significance value of 0.000, which is less than 0.01.
In addition, the explanatory variables explain 81.6% of the variance in social engineering related practices, as shown by the coefficient of determination (R2), which is a very high percentage.
The standardized Beta, which expresses the relationship between knowledge level and social engineering related practices, was 0.900 and statistically significant, as can be deduced from the value of T and its associated significance. This means that an increase of one standard deviation in knowledge level is associated with an increase of 0.900 standard deviations in social engineering related practices.
The collected data were tested using the one-sample t-test to examine the significance of prior knowledge of social engineering approaches for the level of awareness of social engineering attacks. Table 7 presents the outcomes of the one-sample t-test on the respondents’ answers.
The study sample showed a highly significant correlation between knowledge of social engineering and awareness of social engineering attacks, with a P-value of 0.000.
The four social engineering subscales were also tested with ANOVA, which shows significant differences in responses on the fourth subscale (Need for education courses) based on the participants’ age groups. The results of the ANOVA test are given in Table 8.
Table 6. The relationship between knowledge level and social engineering approaches related practices.
**: Correlation is significant at the 0.01 level (2-tailed).
Table 7. The relation between the knowledge of social engineering & the social engineering attacks; June 2022.
**: Correlation is significant at the 0.01 level (2-tailed).
The differences relate to the age group 36 - 45 years, which expressed a need for education courses, as explained in Table 8.
A t-test was run on participants’ gender versus social engineering awareness. The results showed significant differences on the first subscale (Social engineering and information security knowledge) and the third subscale (Technical security solutions). As indicated in Table 9, the significant differences relate to the female group.
An ANOVA post-hoc test was run on participants’ occupation versus social engineering awareness. The results showed significant differences on the second subscale (Information security practices), with a P-value of 0.039*, and the fourth subscale (Need for education courses), with a P-value of 0.027*, as explained in Table 10.
5. Discussion
The aim of this research is to improve understanding of the levels of awareness of social engineering approaches in organizations. The researcher selected organizations based on the dependence of their business on information technology and the risk level of a social engineering attack. The researcher developed the questionnaire around social engineering knowledge and built a scale through which the level of knowledge of social engineering can be evaluated. This scale scores 3 for good knowledge, 2 for moderate knowledge and 1 for poor knowledge.
Table 8. LSD-Post Hoc Tests ANOVA (age group) the study group (social engineering awareness); 2022.
Table 9. T-test (gender) for the study group versus the (social engineering awareness), Saudi Arabia; 2022.
**: Correlation is significant at the 0.05 level (2-tailed).
Table 10. LSD-Post Hoc Tests ANOVA (occupation) the study group (social engineering awareness); 2022.
The largest share of the study sample (42.1%) showed weak social engineering knowledge, compared to only 7.5% with good social engineering knowledge.
From the researcher’s point of view, this is due to society’s increasing dependence on communication through electronic social media apps, which is devoid of body language and tone of voice; these cues help deliver information accurately to the recipient at a greater rate than the same information conveyed in writing alone.
The researcher believes that this has led to a lack of social engineering awareness among members of society: modern social media relies very heavily on communicating information in writing without reinforcing it with body language and tone of voice, which makes it difficult to judge the validity, accuracy and security of received information and much easier for hackers to exploit internet users in all channels and forms.
Approximately two thirds of the study population did not have prior knowledge of social engineering approaches, and about two thirds (67.3%) did not know any type of social engineering threat; as a result, two thirds of the respondents need courses on social engineering, and comprehensive training on social engineering attacks is needed in organizations, in line with the recommendations of [27] [28]. The results also show disparities in information security awareness between users who have prior knowledge of social engineering techniques and those who have never heard of them. Examples include the capacity to recognize hacking and attack indicators, the ability to deal with computer attacks, and an understanding of the importance of installing anti-virus software. These findings show that employees who are knowledgeable about information security and social engineering techniques are better prepared to deal with social engineering threats. Other research has also found a link between awareness of social engineering and defensive security practices [7].
When comparing age, gender and occupation in terms of the maturity of awareness of the concept of social engineering, we find the following. The age group 26 to 35 years and those older than 45 are the most vulnerable, while the age group 18 to 25 years is the most aware of the concept of social engineering. Comparing gender, females are more aware than males of the concept of social engineering. Comparing job status with knowledge of social engineering, employees are the least aware of the concept, while teachers are the most aware.
When comparing age, gender, and occupation in terms of social engineering courses ever taken, we find the following. There is no significant correlation between age group and social engineering courses taken. For gender, there is a strong significant correlation, relating to males who have not previously taken courses on social engineering (P-value 0.001**). For job status, there is also a strong significant correlation, relating to employees who have not previously taken courses on social engineering (P-value 0.001**).
The ANOVA test and t-test show statistically significant differences according to participants’ age, gender, and occupation. The age-related differences relate to the 36 - 45 age group, which expressed a need for education courses. For gender, the subscales Social engineering and information security knowledge and Technical security solutions showed statistically significant differences relating to the female group, i.e. females need social engineering and information security knowledge and technical security solutions.
For occupation, the subscales Information security practices and Need for education courses showed statistically significant differences relating to occupational groups: administrators need information security practices and faculty members need education courses.
This could indicate that, regardless of members’ ages or jobs, a lack of knowledge exists across a variety of groups. This result differs from previous studies that reported a difference in information security awareness among different ages [29]. The current study also showed differences between groups in the use of technical security solutions, such as installing and regularly updating anti-virus software; this confirms the variation in computer security skills among different age and occupational groups, as evidenced by [30]. According to the findings of Conteh and Schmick (2016) [26], employees should be required to attend initial training during orientation in addition to periodic refresher training. This raises awareness by exposing users to commonly used social engineering strategies and behaviors.
6. Limitation
Although research activities were carried out in this study, they remain limited. The study is based on a self-report questionnaire, which may not reflect the real situation. The results could therefore be followed up in a long-term study that compares the findings of the current study with observed facts.
7. Conclusion
With the increase in social engineering attacks in recent years, the damage caused by these attacks has grown and has affected people in different ways. Cybersecurity continues to develop, but people are now more exposed than ever before. The human factor is one of the main causes of social engineering attacks, so there is a need to improve the level of awareness of the social engineering techniques and methods used in such attacks. Organizations are vulnerable to many social engineering attacks because they have many users from different age groups. This study attempted to identify the current levels of awareness of social engineering practices among various members of organizations in the Kingdom of Saudi Arabia. The findings indicate that members who have prior knowledge of social engineering methods have better knowledge of information security. This demonstrates the importance of awareness and training regarding social engineering techniques and information security practices. The results also indicate differences between age groups and occupations in the use of technical security solutions. Based on this, organizations need to design specific training programs that take into account age, education level and profession, because each category has special requirements. The findings point to the conclusion that in the near future social engineering will be the most prevalent offensive vector in cybersecurity, and it therefore merits further study as it evolves in order to advise on good practices and measures for individuals and organizations. Future work could include designing a training program to raise awareness of social engineering approaches that meets the unique needs of different groups of people. Social engineering is increasing in both scale and efficiency because people remain the easiest target.
To summarize, the findings show that employees who are familiar with information security and social engineering are better prepared to deal with social engineering threats. Users who are familiar with the social engineering tactics of threat actors are more likely to follow security measures, such as using a firewall, running antivirus software, and updating operating systems regularly. The study also attempted to distinguish between groups of participants according to age and occupation. In short, investing in training and educational campaigns reduces social engineering attacks, but solutions must also be found for cybersecurity threats that have not yet emerged.
Acknowledgements
I would like to express my deepest appreciation to my academic advisor Dr. Abdurahman Al-Ghamdi for his scientific contribution during the time of this study. I would also like to express my thanks and appreciation to the government of the Kingdom of Saudi Arabia and Shaqra University for their financial support. Finally, very special thanks to my great wife and my nice kids for all their support and patience.