Social Engineering Preparedness of Online Banks: An Asia-Pacific Perspective

Abstract: Social engineering is becoming the most prevalent strategy used by hackers today. With continually blossoming e-commerce activity on the web, customers adopting online banking services will become prime targets for such hackers. As such, banks have a responsibility to contain this issue in order to sustain their competitive advantage. Most banks have security policies that manifest their strategy to counter hackers, and yet social engineering attacks are rampant. In this study, we analyse the security policies of online banks from 11 countries in the Asia-Pacific (APAC) region using content analysis to assess their preparedness to handle social engineering attacks. The results show that, except for phishing, there is a dearth of information regarding new and emerging trends in such attacks. The findings also show that although the majority of security best practices include preventive measures, they were presented as ‘general tips’. Without specifying the context of an attack, providing these tips can be seen as an ineffective way of presenting information.
