A test of interventions for security threats from social engineering

Purpose – The role of human behavior has recently become a focal point in the study of information security countermeasures. However, few empirical studies have tested social engineering theory and the reasons why people do or do not fall victim, and even fewer have tested the recommended treatments. Building on a theory of threat control factors, the purpose of this paper is to compare the efficacy of recommended treatment protocols.

Design/methodology/approach – A confirmatory factor analysis of a threat control model was conducted, followed by a randomized assessment of treatment effects using the model. Data were gathered with a questionnaire measuring the antecedent factors, and samples of social engineering security behaviors were observed.

Findings – Threat assessment, commitment, trust, and obedience to authority were strong indicators of social engineering threat success, and treatment efficacy depends on which of these factors are most prominent.

Originality/value – This empirical study provides evidence for certain posited theoretical factors, but also shows that the efficacy of a social engineering treatment depends on targeting the appropriate factor. Researchers should investigate methods for factor assessment, and practitioners must develop interventions accordingly.

[1]  John Leach,et al.  Improving user security behaviour , 2003, Comput. Secur..

[2]  Robin L. Wakefield,et al.  Examining User Perceptions of Third-Party Organizations Credibility and Trust in an E-Retailer , 2006, J. Organ. End User Comput..

[3]  Lisa L. Massi Lindsey,et al.  Anticipated guilt as behavioral motivation: an examination of appeals to help unknown others through bone marrow donation , 2005 .

[4]  Stuart J. Barnes,et al.  Initial trust and online buyer behaviour , 2007, Ind. Manag. Data Syst..

[5]  M. Workman Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security , 2008 .

[6]  L. Aldoory,et al.  The Roles of Perceived “Shared” Involvement and Information Overload in Understanding How Audiences make Meaning of News about Bioterrorism , 2006 .

[7]  Susan J. Harrington,et al.  The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions , 1996, MIS Q..

[8]  F. Sultan,et al.  Are the Drivers and Role of Online Trust the Same for All Web Sites and Consumers?: A Large-Scale Exploratory Empirical Study , 2005 .

[9]  P. Sheeran,et al.  Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory , 2000 .

[10]  S. Milgram Obedience to Authority: An Experimental View , 1975 .

[11]  Alessandro Acquisti,et al.  Privacy and rationality in individual decision making , 2005, IEEE Security & Privacy.

[12]  Irene Hanson Frieze,et al.  A Theoretical Perspective for Understanding Reactions to Victimization , 1983 .

[13]  M. Goldberg,et al.  What to Convey in Antismoking Advertisements for Adolescents: The use of Protection Motivation Theory to Identify Effective Message Themes , 2003 .

[14]  John T. Scholz Enforcement Policy and Corporate Misconduct: The Changing Perspective of Deterrence Theory , 1997 .

[15]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[16]  Vincent J. Calluzzo,et al.  Ethics in Information Technology and Software Use , 2004 .

[17]  S Roe-Berning,et al.  The association between illusions of invulnerability and exposure to trauma. , 1997, Journal of traumatic stress.

[18]  Mindy E. Bergman,et al.  The relationship between affective and normative commitment: review and research agenda , 2006 .

[19]  N. Pennington,et al.  Evidence evaluation in complex decision making. , 1986 .

[20]  Jonathan J. Rusch The "Social Engineering" of Internet Fraud , 2003 .

[21]  Thomas M. Thomas,et al.  Network security first-step , 2004 .

[22]  Gregory T. Gundlach,et al.  The Structure of Commitment in Exchange , 1995 .

[23]  Nancy B. Kurland Ethical Intentions and the Theories of Reasoned Action and Planned Behavior1 , 1995 .

[24]  Abdulrazzak Charbaji,et al.  Individuality, willingness to take risk, and use of a personal e‐card: A Lebanese study , 2005 .

[25]  Jeffrey N. Weatherly,et al.  Social Influence as Stimulus Control , 1999 .

[26]  R. Lazarus Emotion and Adaptation , 1991 .

[27]  Ronald C. Dodge,et al.  Phishing for user security awareness , 2007, Comput. Secur..

[28]  David W. Schumann,et al.  Corporate Advertising in America: A Review of Published Studies on Use, Measurement, and Effectiveness , 1991 .

[29]  Joseph S. Sherif,et al.  Intrusion detection: the art and the practice. Part I , 2003, Inf. Manag. Comput. Secur..

[30]  Adolfo S. Coronado,et al.  Corporate Computer and Network Security , 2003 .

[31]  John P. Meyer,et al.  The measurement and antecedents of affective, continuance and normative commitment to the organization , 1990 .

[32]  J. Pennebaker,et al.  American Graffiti: Effects of Authority and Reactance Arousal , 1976 .

[33]  Eirik Albrechtsen,et al.  A qualitative study of users' view on information security , 2007, Comput. Secur..

[34]  M. Workman,et al.  Punishment and ethics deterrents: A study of insider security contravention , 2007 .

[35]  J. Stevens Applied Multivariate Statistics for the Social Sciences , 1986 .

[36]  Nicholas Alex,et al.  On Being Mugged , 1973 .

[37]  Abraham Sagie,et al.  Employee Absenteeism, Organizational Commitment, and Job Satisfaction: Another Look , 1998 .

[38]  Enny Das,et al.  Interpersonal Communication and Compliance , 2006, Commun. Res..

[39]  William L. Simon,et al.  The Art of Deception: Controlling the Human Element of Security , 2001 .

[40]  Philip Gendall,et al.  Can You Judge a Questionnaire by its Cover? The Effect of Questionnaire Cover Design on Mail Survey Response , 2005 .

[41]  Alessandro Acquisti,et al.  When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information , 2007, WEIS.

[42]  Verlin B. Hinsz,et al.  Assessing Organizational Commitment: An Employee's Global Attitude toward the Organization , 1995 .

[43]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[44]  R. Cialdini Influence: Science and Practice , 1984 .

[45]  Mario Morelli,et al.  Obedience to Authority in a Laboratory Setting: Generalizability and Context Dependency , 1985 .

[46]  James P. Stevens,et al.  Intermediate Statistics: A Modern Approach , 1990 .

[47]  Hervé Debar,et al.  Security information management as an outsourced service , 2006, Inf. Manag. Comput. Secur..

[48]  Lisa Dorn,et al.  Making sense of invulnerability at work—a qualitative study of police drivers , 2003 .

[49]  L. Porter,et al.  The Measurement of Organizational Commitment. , 1979 .

[50]  Evangelos A. Kiountouzis,et al.  The insider threat to information systems and the effectiveness of ISO17799 , 2005, Comput. Secur..

[51]  Charles Oppenheim,et al.  Legal aspects of the web , 2005, Annu. Rev. Inf. Sci. Technol..

[52]  David M. Messick,et al.  Scarcity or abundance caused by people or the environment as determinants of behavior in the resource dilemma , 1987 .

[53]  William J. Buchanan,et al.  NetHost-Sensor: Investigating the capture of end-to-end encrypted intrusive data , 2006, Comput. Secur..

[54]  Karen Beck,et al.  Development of Affective Organizational Commitment: A Cross-Sequential Examination of Change with Tenure , 2000 .

[55]  Rossouw von Solms,et al.  The 10 deadly sins of information security management , 2004, Comput. Secur..

[56]  Jurij F. Tasic,et al.  Information systems security and human behaviour , 2007, Behav. Inf. Technol..

[57]  John S. Seiter,et al.  Persuasion: Social Influence and Compliance Gaining , 2015 .

[58]  B. Tabachnick,et al.  Using Multivariate Statistics , 1983 .

[59]  N. Noorderhaven,et al.  When Does Trust Matter to Alliance Performance , 2006 .

[60]  Joann Horai,et al.  The Effects of Expertise and Physical Attractiveness Upon Opinion Agreement and Liking , 1974 .

[61]  Franziska Marquart,et al.  Communication and persuasion : central and peripheral routes to attitude change , 1988 .

[62]  L. Kohlberg,et al.  Developing Senses of Law and Legal Justice , 1971 .

[63]  I. Rosenstock Historical Origins of the Health Belief Model , 1974 .

[64]  J. Cacioppo,et al.  Central and Peripheral Routes to Advertising Effectiveness: The Moderating Role of Involvement , 1983 .

[65]  William H. Bommer,et al.  ON THE INTERCHANGEABILITY OF OBJECTIVE AND SUBJECTIVE MEASURES OF EMPLOYEE PERFORMANCE: A META-ANALYSIS , 1995 .

[66]  F. Levine,et al.  Legal socialization : strategies for an ethical legality , 1974 .

[67]  P. Simpson,et al.  Softlifting: A model of motivating factors , 1994 .

[68]  Tom Pyszczynski,et al.  Why Do We Need What We Need? A Terror Management Perspective on the Roots of Human Social Motivation , 1997 .

[69]  C. Farn,et al.  Investigating Initial Trust Toward E-tailers from the Elaboration Likelihood Model Perspective , 2006 .

[70]  Henry H. Emurian,et al.  An overview of online trust: Concepts, elements, and implications , 2005, Comput. Hum. Behav..

[71]  Robert D. Marx,et al.  Relapse Prevention for Managerial Training: A Model for Maintenance of Behavior Change , 1982 .

[72]  C. F. Kao,et al.  Central and peripheral routes to persuasion: An individual difference perspective. , 1986 .

[73]  Douglas P. Dotterweich,et al.  The Practicality of Super Bowl Advertising for New Products and Companies , 2005 .

[74]  F. P. Bresz People – Often the Weakest Link in Security, but One of the Best Places to Start , 2004 .

[75]  M. Lobo,et al.  Competent jerks, lovable fools, and the formation of social networks. , 2005, Harvard business review.

[76]  Jeffrey D. Berejikian A Cognitive Theory of Deterrence , 2002 .

[77]  Lisa A. Burke,et al.  Improving positive transfer: A test of relapse prevention training on transfer outcomes , 1997 .

[78]  Richard E Petty,et al.  Thought confidence as a determinant of persuasion: the self-validation hypothesis. , 2002, Journal of personality and social psychology.

[79]  Michael Lynn,et al.  Scarcity's Enhancement of Desirability: The Role of Naive Economic Theories , 1992 .

[80]  C. A. Seibel,et al.  A cognitive theory of resistance and reactance: Implications for treatment. , 1990 .

[81]  Elaine Donelson,et al.  Personality: A Scientific Approach , 1973 .

[82]  T. Grothmann,et al.  People at Risk of Flooding: Why Some Residents Take Precautionary Action While Others Do Not , 2006 .

[83]  Rita Walczuch,et al.  Psychological antecedents of institution-based consumer trust in e-retailing , 2004, Inf. Manag..

[84]  Detmar W. Straub,et al.  Discovering and Disciplining Computer Abuse in Organizations: A Field Study , 1990, MIS Q..

[85]  Robert Willison,et al.  Understanding the offender/environment dynamic for computer crimes: assessing the feasibility of applying criminological theory to the IS security context , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.

[86]  Y Melamed,et al.  Hoarding--what does it mean? , 1998, Comprehensive psychiatry.

[87]  A. H. Cole,et al.  Effect of a favor which reduces freedom. , 1966, Journal of personality and social psychology.

[88]  Brown,et al.  Organizational Commitment: Clarifying the Concept and Simplifying the Existing Construct Typology , 1996, Journal of vocational behavior.

[89]  R. Cialdini,et al.  Online persuasion: An examination of gender differences in computer-mediated interpersonal influence. , 2002 .

[90]  Rex B. Kline,et al.  Principles and Practice of Structural Equation Modeling , 1998 .

[91]  Richard P. Larrick,et al.  Protecting the self from the negative consequences of risky decisions. , 1992, Journal of personality and social psychology.

[92]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[93]  A. B. Ruighaver,et al.  Organisational security culture: Extending the end-user perspective , 2007, Comput. Secur..

[94]  S. Asch Forming impressions of personality. , 1946, Journal of Abnormal Psychology.

[95]  Werner J. Severin,et al.  Communication Theories: Origins, Methods and Uses in the Mass Media , 1991 .

[96]  H. Arkes,et al.  The Psychology of Sunk Cost , 1985 .

[97]  H. Kelley,et al.  Interpersonal relations: A theory of interdependence , 1978 .

[98]  J. Brehm A theory of psychological reactance. , 1981 .

[99]  Meng Hsiang Hsu,et al.  An investigation of volitional control in information ethics , 2003, ICIS.

[100]  K. Miller Communication Theories: Perspectives, Processes, and Contexts , 2001 .