International Journal of Advanced Computer Research, Vol 6(23)
ISSN (Print): 2249-7277 ISSN (Online): 2277-7970
http://dx.doi.org/10.19101/IJACR.2016.623006

Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks

Nabie Y. Conteh1* and Paul J. Schmick2
1 Assistant Professor of Computer Information Systems, Department of Computer Information Systems, College of Business & Public Administration, Southern University at New Orleans, Louisiana, USA
2 Department of Cyber Security and Information Assurance, Graduate School of MGT and Technology, University of Maryland University College, Adelphi, Maryland, USA
*Author for correspondence

Received: 21-December-2015; Revised: 07-February-2016; Accepted: 10-February-2016
©2016 ACCENTS
Review Article

Abstract
The broad objective of this study is to evaluate the vulnerabilities of an organization's information technology infrastructure, which includes hardware and software systems, transmission media, local area networks, wide area networks, enterprise networks, intranets, and its use of the internet, to cyber intrusions. To achieve this objective, the paper attempts to explain the importance and the role of social engineering in network intrusions and cyber-theft. It also discusses in vivid detail the reasons for the rapid expansion of cybercrime. The paper also includes a complete description and definition of social engineering, the role it plays in network intrusion and cyber identity theft, and a discussion of the reasons for the rise in cybercrime and its impact on organizations. In closing, the authors recommend some preventive measures and possible solutions to the threats and vulnerabilities of social engineering. The paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions. While the literature supports the dangers of psychological susceptibilities in social engineering attacks, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced.

Keywords
Cyber security, Cyber theft, Social Engineering, Cybercrime, Phishing, Network Intrusions.

1. Introduction
Social engineering, also known as human hacking, is the art of tricking employees and consumers into disclosing their credentials and then using them to gain access to networks or accounts. It is a hacker's deceptive manipulation of people's tendency to trust, to be cooperative, or simply to follow their desire to explore and be curious. Sophisticated IT security systems cannot protect systems from hackers or defend against what appears to be authorized access. People are easily hacked, making them and their social media posts high-risk attack targets. It is often easy to get computer users to infect their corporate network or mobile devices by luring them to spoofed websites, tricking them into clicking on harmful links, or getting them to download and install malicious applications or backdoors.

In a 2013 study conducted by TNS Global for Halon, an email security service, 30 percent of the surveyed populace of 1,000 adults in the U.S. disclosed that they would open an e-mail even if they were aware it contained a virus or was suspicious [1]. Even with robust campaigns conveying the dangers of opening suspicious e-mails, a large majority of email users remain vulnerable to social engineering attacks [2]. To confront the challenges posed by social engineering attacks, recommendations derived from research offer options to reduce the probability that a social engineering attack succeeds.

With cyber security incidents growing exponentially in frequency and in damage to an organization's reputation in its marketplace, users and organizations have not adequately deployed defenses to discourage would-be attackers' intent to strike. The terms information security and network security continue to dominate U.S. headlines, with a large-scale cyber-attack now judged more probable than a physical terrorist attack on U.S. soil. In fact, in a 2013 interview of FBI Director James Comey, the Director testified before a Senate Homeland Security Committee that cyber-attacks have surpassed terrorism as a major domestic threat, with the threat continuing to rise [3].
In this paper social engineering is defined along with the types of social engineering attacks. In addition, this research identifies why cyber theft continues to advance at an alarming rate. Furthermore, the psychological variables that contribute to vulnerabilities are discussed. Finally, studies are presented that identify key considerations regarding social engineering, testing and training, and that point to how users can be coached to prevent attacks, which offers a promising methodology to reduce system and user risk.
2. What is social engineering?
Engebretson (2011) [4] defines social engineering as "one of the simplest methods to gather information about a target through the process of exploiting human weakness that is inherent to every organization." The foundation of an attack is to persuade the target to surrender confidential information and then exploit the individual or the organization. In essence, an attacker engages social engineering as a tactic to use human insiders and information to circumvent computer security solutions through deceit.
Regarding the human vulnerability exploited by social engineering, Luo et al. [5] note that while social engineering is identified as a low-tech attack, it aims at manipulating victims into divulging confidential information and succeeds by exploiting personality vulnerabilities. Social engineering as a tactic deploys techniques to gain access to private and confidential information by exploiting flaws in human logic known as cognitive biases [5]. While security technology measures aim at improving information system security, human factors represent a weak link that is exploited during a social engineering attack. Bisson (2015) [6] notes that social engineering is "a term that encompasses a broad spectrum of malicious activity" and identifies five of the most common types of social engineering attacks used to target victims, which include:
Phishing: Phishing scams attempt to obtain personal information such as names, addresses and other personally identifiable information (PII) such as social security numbers. Phishing scams may embed links that redirect users to suspicious websites that appear legitimate. These types of scams create a sense of urgency to manipulate users into acting in a manner that challenges good judgment.

Pretexting: This type of social engineering attack is driven by a fabricated scenario that attempts to confirm and steal personal information from a target. Advanced attacks attempt to exploit a weakness of an organization or company. This method requires the attacker to build a credible story that leaves the target little room for doubt. The strategy is to use fear and urgency while building a sense of trust with a victim in order to confirm or obtain the sought information.

Baiting: Baiting is similar to a phishing attack, but lures a victim through enticement strategies. Hackers use the lure of promised goods if a user surrenders log-in credentials to a specific site. Baiting schemes are not limited to digital on-line schemes and can also be launched through the use of physical media.

Quid pro quo: Similar to baiting, but this type of threat is presented as a technical service in exchange for information. A common threat is for an attacker to impersonate an information technology representative and offer assistance to a victim who may be experiencing technical challenges. The attacker aims to launch malware on the user's system.

Tailgating: This type of attack uses tailgating and piggybacking to gain access to restricted areas. It exposes those who have the ability to grant or gain access to a restricted area to an attacker who may impersonate delivery personnel or others who appear to require temporary access.
3. Social engineering and its role in cyber-theft
Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction" according to U.S. law [7]. And while so much attention, in terms of resources and training, has been devoted to overcoming information security breaches, Nakashima and Peterson (2014) [8] note that the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the global economy at more than $445 billion, or almost one percent of total global income [9].
Hackers are getting increasingly sophisticated and adept at their social engineering attacks. They are able to piece together disparate data from various sources, namely social media, corporate blogs and other data, and to painstakingly pull crucial and key data from well-meaning employees, which these cyber-criminals use to attack networks, steal invaluable data, and even hold corporations hostage or, in some cases, damage their targets.
Regarding the rise of cybercrime and theft, Grimes (2014) [10] identifies key indicators of the rise and cause of cybercrime, which financially impacts both individuals and organizations. One reason for the appeal of cyber theft is the benefit of theft by ambiguity. Internet crimes are committed by thousands of cyber criminals world-wide, but few are prosecuted and jailed. In addition, cyber criminals do not have to be intelligent to be successful in digital theft, but they are willing to take risks because of the benefit of distance from a victim, which means little risk and little exposure.
Many cyber thefts take place globally, and law enforcement agencies are limited by jurisdictional boundaries in pursuing cyber criminals. The pursuit also includes working with other law enforcement agencies outside of domestic jurisdictions. While this is less complex domestically, getting international support to pursue international theft remains a challenge for U.S. law enforcement. In essence, most international governments do not cooperate with each other [11].
Evidence is another factor: the lack of successful convictions is due to a lack of evidence that can be delivered in court to prosecute cyber criminals. Two primary variables relate to evidence. First, obtaining evidence that is credible enough to hold individuals accountable; second, few organizations have the legal expertise to prepare legal evidence in cybercrime cases, which takes planning, commitment and resources. These challenges lower the probability that a criminal, even if caught, will be prosecuted and jailed.
A lack of resources to combat crime in the cyber domain is perhaps the leading contributor to its exponential growth. Few organizations have the dedicated resources to pursue internet crimes and criminals. Pursuing cyber theft is costly, and without a potential return-on-investment (ROI) dedicated resources are difficult to justify. While the cost of cyber victimization is nearly half a trillion dollars, it has not hurt global economies and may even be regarded as a cost of doing business. Meaningful change may have to wait until cybercrime hurts individuals and organizations to an unbearable point; until then, the reality of managing risk and loss has been built into the fabric of organizations, and individual victimization from small-scale occurrences has become noise that is expected.
4. Psychological variables and contribution to cybercrimes
Social engineering attacks challenge information security professionals because no technical countermeasure to date can eliminate the human vulnerability [5]. Identifying the cause of human error and successful social engineering attacks, Luo et al. (2011) [5] argue that the social psychology influences of "alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion influence" expose the psychological vulnerabilities that enable a successful social engineering attack.
Seeking the foundations of the interest in opening potentially damaging e-mails, Ragan (2013) [1] notes that the intent to engage in such behaviour differs between genders, with women enticed to open malicious e-mails appearing to come from social networks, while men fall prey to e-mails communicating power, money and sex. Because social engineering attacks tap into human psychological impulses, reducing engagement remains a challenge, since the attacks aim squarely at human psychological vulnerabilities [12].
Evaluating the social psychological influences further, alternate routes to persuasion contribute to successful social engineering attacks by steering a victim's emotions towards fear or excitement, which may displace a responsible action. Attitudes and beliefs refers to the differences in beliefs between the victim and his/her social engineering attackers. Lastly, influencing techniques rely on peripheral paths to persuasion that influence behaviour and action [5]. Because social engineering attacks work by exposing and triggering an emotional response, a user who is unaware of how artfully human susceptibility is exploited in the process will find it a challenge to deny an attacker's ploy.
However, studies demonstrate that awareness built through corporate education campaigns may provide a virtual barrier that reduces the success rate of social engineering attacks. In totality, the chief strategy may reside in awareness of the manipulation tactics used to obtain valuable and confidential information, so as to prevent social engineering attackers from acquiring information with which to exploit a user or organization.
5. Social engineering techniques: human and technical
Luo et al. (2011) [5] identify several human or technical means, from phishing to dumpster diving, that social engineering attackers can deploy as tactics to gain visibility or obtain confidential information. Aggressive and successful attackers may deploy a synergy of human and technical strategies to obtain ample information on an individual or to gain access to an organization. Regarding the steps from gathering information through execution of a social engineering attack, Luo et al. (2011) [5] identify the steps in the attack process.
Figure 1 Four steps of social engineering [5]
Figure 1 above graphically explains the stepwise approach to the execution of social engineering attacks. The process begins with the first phase of studying and gathering information; then a relationship is established. In the exploitation phase, access into the system is gained, and in the final phase the attack is executed.
Social engineering attacks can be categorized as either human or technology deployments. Direct human engagement stems from an attacker who has obtained personal information about a victim and develops a relationship with the user. Because the attacker poses as a known or trusted party, the victim becomes susceptible, is exploited, and relinquishes sensitive or personal company information, thereby contributing pieces of the puzzle the attacker can use to his/her advantage.
Technical attacks are more unambiguous and are deployed through a host of options such as software programs, email attachments, pop-up windows and websites [5]. Perhaps the most successful technical ploy draws a user into divulging account usernames and passwords by prompting victims to input user and password information in pop-up windows. Websites and pop-up windows can appear as a site frequently visited by a user; however, the script-embedded pop-up window manipulates the user into entering a username and password, which delivers the information to the attacker.
6. Preventive measures against social engineering
It is evident that regardless of how technologically secure a network seems, the human element will always be a vulnerability. The success rate and the number of cybercrimes are steadily on the rise due to the level of anonymity social engineering offers malicious actors. Businesses have to remain cognizant of the various threat actors and their plethora of attacks so they are able to respond accordingly. There are technical and non-technical safeguards that can be implemented to lower the risk associated with social engineering to a tolerable level. Companies are adding multiple layers to their security schemes so that if the mechanism in the outer layer fails, a mechanism in at least one inner layer can help prevent a threat from turning into a disaster (risk mitigation). This concept is known as multi-layer defense or defense in depth. A good defense in depth structure includes a mixture of the following precautionary measures:
Security Policy: A well written policy should include technical and nontechnical approaches that are driven downward by executive management. Every organization should integrate security into its operational objectives.
Education and Training: Employees ought to be required to attend initial training during orientation and recurring refresher training. This builds awareness by exposing users to the tactics commonly employed by a social engineer and the behaviors a social engineer targets.
Network Guidance: The organization has to safeguard the network by whitelisting authorized websites, using Network Address Translation (NAT), and disabling unused applications and ports. Network users have to maintain complex passwords that are changed every 60 days.
Audits and Compliance: Organizations have to actively verify that their security policy is being adhered to. Some detective controls include reviewing network logs, re-validating employees' permissions, and checking desktop configurations at least bi-monthly.
Technical Procedures: The network should have multiple layers of defence to protect data and core infrastructure. Software like Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS) and firewalls should be installed on every device. Demilitarized Zones (DMZ), web filters and Virtual Private Networks (VPN) should be deployed in front of all external facing services.
Physical Guidance: There is a range of options that can be implemented to protect physical assets. Using a combination of security guards, mantraps and security cameras to deter intruders from entering the premises is beneficial. In places where physical hardware is located, businesses should employ multifactor authentication, biometrics or access control lists before access is granted.
To overcome the challenges of social engineering attacks, Luo et al. (2011) [5] identify the necessity of a multidimensional approach that addresses threats holistically through organizational policies, procedures, standards, employee training and awareness programs, and incident response. While all of these areas are critical to combating this threat, without employee training expensive infrastructure and network security investment means little, considering that only seven percent of U.S. organizations deploy training programs and materials in phishing education [13].
Evaluating variables of cause and identifying those who are susceptible in an organization, Chitrey, Singh, Bag, & Singh (2012) [14] identify the drivers, targets and motivation behind social engineering attacks. The 2012 study attempted to demonstrate an analytical approach towards social engineering attacks and to identify attacker trends. The study, which surveyed an undisclosed number of IT professionals, sheds light on potential training measures for organizations that are eager to deploy information security awareness programs to reduce the risk of employee proneness to a social engineering attack.
Figure 2 Questionnaire results regarding the motivation behind social engineering attacks
According to the study conducted by Chitrey, Singh, Bag, & Singh (2012) [14] introduced in the preceding paragraph, figure 2 depicts the motivating factors behind social engineering attacks. It is evident that access to proprietary information ranks highest, at 30%. Financial gain ranks second, followed by the need for competitive advantage, then by "just for fun", revenge, and last and least by unnamed others. Figure 3 depicts the results from the same study on the entities that are vulnerable to social engineering attacks. The most vulnerable group is new employees (41%), followed by clients and customers (23%), then IT professionals (17%), then partners and contractors (12%), and lastly others.
[Figure 2, pie chart "Motivation Behind Social Engineering Attacks": financial gain 23%; access to proprietary information 30%; competitive advantage 21%; revenge 10%; just for fun 11%; other 5%.]
Figure 3 Questionnaire results regarding entities which present risk of falling prey to a social engineering attack
Another study, by Bowen, Devarajan & Stolfo (2011) [15] at Columbia University, measured enterprise susceptibility to phishing attacks, which is a technical path and deployment mechanism for instigating a social engineering attack. The primary focus of the 2011 Columbia University study was on reinforced training and its impact on preventing social engineering attacks. As the results in Tables 1 and 2 below show, the study tested user vulnerabilities using decoy e-mails to lure users into supplying information or accessing phony e-mails, so that data could be gathered and used for training purposes to prevent future attacks.
Table 1 The number of responses for each round of the first experiment to measure the user response to phony phish

Decoy Type                    1st Round   3rd Round   4th Round
Email with internal URLs      52          0           NA
Email with external URLs      177         1           0
Forms to obtain credentials   39/20       0           NA
Beacon Documents              45          NA          NA
Table 2 The number of responses for each round of the second experiment to measure the user response to phony phish

Decoy Type                    1st Round   2nd Round   3rd Round   4th Round
Email with internal URLs      69          7           1           0
Email with external URLs      176         10          3           0
Forms to obtain credentials   69/50       10/9        0           NA
Beacon Documents              71          2           0           NA
The Bowen et al. (2011) [15] study was conducted by deploying two rounds of experiments. Users were probed repeatedly, then educated each time on how the luring techniques worked, until victims stopped falling prey to the attacks. The data ultimately support that repeated probes followed by education offer value and a return on investment (ROI) in limiting successful probes of users, regardless of psychological predispositions or gender. Evaluating the data from both rounds of the Columbia University experiment confirms that users can be coached to exercise caution before opening suspicious e-mail messages.
[Figure 3, pie chart "Entities which fall prey to social engineering attacks": new employees 41%; IT professionals 17%; clients & customers 23%; partners & contractors 12%; top level management 7%; others 0%.]
As the data support, by reaffirming threats through repetitive communication, users were coached to disengage from the luring process of social engineering attacks, even though slower learners had the highest probability of falling prey to them.
7. Limitations of the study
Luo et al. (2011) [5] recognize key considerations that can be learned from social engineering penetration testing and education. Most importantly, the 2011 Columbia University study noted in this research paper identifies that education followed by additional social engineering testing leads to a dramatic reduction in social engineering attack success, thereby reducing information system and network vulnerability. However, the 2011 Columbia University study offers no consideration of how frequently testing and training may be required to maintain the same results. In essence, the limitations of the Columbia University study prevent drawing an absolute conclusion that the same results should be expected if further testing were conducted. This leaves open the question of deploying recurrent training models after periods of time, to determine whether users produce similar results after one phase of testing and whether training efforts are lasting.
8. Conclusions
To overcome cyber security incidents involving social engineering attacks, research supports that the most effective defence is an educated computer user. Those most vulnerable are identified in this research as new employees within an organization, as specifically shown in figure 3 above, with the attacker seeking personally identifiable information (PII) from those engaged. Further supported in this research are the psychological variables that contribute to user vulnerability. This paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions that can be influenced through education. Ultimately, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced, but an absolute solution to overcome such cyber security threats has yet to be put forward.
Acknowledgment
None.
Conflicts of interest
The authors have no conflicts of interest to declare.
References
[1] Ragan S, W Staff. Social engineering: study finds Americans willingly open malicious emails. http://www.csoonline.com/article/2133877/social-engineering/social-engineering--study-finds-americans-willingly-open-malicious-emails.html. Accessed 28 August 2013.
[2] Maan PS, Sharma M. Social engineering: a partial technical attack. International Journal of Computer Science Issues. 2012; 9(2):557-9.
[3] Anonymous. FBI: Cyber-attacks surpassing terrorism as major domestic threat. https://www.rt.com/usa/fbi-cyber-attack-threat-739/. Accessed 25 November 2013.
[4] Engebretson P. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier; 2011.
[5] Luo X, Brody R, Seazzu A, Burd S. Social engineering: the neglected human factor for information security management. Information Resources Management Journal. 2011; 24(3):1-8.
[6] Bisson D. 5 Social engineering attacks to watch out for. The State of Security. http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/. Accessed 23 March 2015.
[7] Andress J. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Elsevier; 2011.
[8] Nakashima E, Peterson A. Report: cybercrime and espionage costs $445 billion annually. The Washington Post. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html. Accessed 9 June 2014.
[9] Strohm C. Cyber theft, already a $445 billion business, to grow bigger. http://www.insurancejournal.com/news/national/2014/06/09/331333.htm. Accessed 9 June 2014.
[10] Grimes RA. 5 reasons internet crime is worse than ever. InfoWorld. http://www.infoworld.com/article/2608631/security/5-reasons-internet-crime-is-worse-than-ever.html?page=2. Accessed 23 March 2015.
[11] Taylor RW, Fritsch EJ, Liederbach J. Digital crime and digital terrorism. Prentice Hall Press; 2014.
[12] Vacca JR. Computer and information security handbook. Newnes; 2012.
[13] Diana A. Social engineering targets weakest security link: employees. http://www.enterprisetech.com/2015/05/19/social-engineering-targets-weakest-security-link-employees/. Accessed 19 May 2015.
[14] Chitrey A, Singh D, Singh V. A comprehensive study of social engineering based attacks in India to develop a conceptual model. International Journal of Information and Network Security. 2012; 1(2):45-53.
[15] Bowen BM, Devarajan R, Stolfo S. Measuring the human factor of cyber security. In: International Conference on Technologies for Homeland Security (HST) 2011 (pp. 230-235). IEEE.
Dr. Nabie Y. Conteh is a Computer Information Systems Professor at Southern University at New Orleans (SUNO). He holds a BS in information systems from the Institute for Information and Communication Technology, in the Netherlands; an MBA in information systems management from Ferris State University; and an MS and Ph.D. in information systems from the University of Maryland, Baltimore County. His areas of teaching and research interest include decision support systems, systems modeling and simulation; artificial intelligence/expert systems; systems analysis and design; and knowledge management and organizational learning. Dr. Conteh possesses many technical skills and the ability to speak English, Dutch, Russian and German. Dr. Conteh has made many presentations at national and international conferences and has been published in refereed journals and proceedings. He has worked as Assistant Professor at Shenandoah University and is currently an Adjunct Associate Professor of Cyberspace and Cyber Security at the Graduate School of the University of Maryland University College and Professor of Database Management Systems and Global Information Technology at Florida Tech. During the tenure of his Ph.D. program, he worked as Research Assistant at the University of Maryland Baltimore County. He did consulting for Datastream at College Park in Maryland, a company whose primary activity is data conversion. He has also worked for Getronics Transaction Services and EuroShell International, ABN AMRO Bank at Amsterdam, in the Netherlands.
Email: nconteh@suno.edu
Paul J. Schmick is a Speaker, Professor and Vice President of Security Technology for Alliance Security Services headquartered in New York. Paul is a seasoned professional in the disciplines of security convergence and information technology, cybersecurity, physical security, risk-based security and security technologies. Paul previously held the position of Director of Corporate Security Programs at FJC Security Services where he directed the company's corporate security programs, managed FJC's Office of Information Technology (OIT), and was the Managing Director of FJC Technology Solutions where he directed the organization's security technology service division. Paul also served eight years with the U.S. Department of Homeland Security (DHS) - Transportation Security Administration (TSA) and in his last role with the department was responsible for the implementation of aviation security policy, managed security technology equipment deployments, and supervised training programs and personnel to enhance the agency's formidable defense against improvised explosive device (IED) threats targeting U.S. aviation assets and infrastructure. Paul earned his M.S. in Homeland Security Management from the Homeland Security and Terrorism Institute at LIU Post, and holds a B.A. in Homeland Security & Emergency Management from Ashford University. As an active member in the academic, security and emergency management communities, Paul serves as the Advisory Board Chair and Executive Director of the Homeland Security and Security Management program at the Long Island Business Institute in New York. He also serves as an Adjunct Professor under the U.S. Department of Homeland Security - Transportation Security Administration Partnership Program at Erie Community College.