A Practical Assessment of Social Engineering Vulnerabilities

Social engineering refers to the selection of techniques that exploit human weaknesses and manipulate people into breaking normal security procedures. This may involve convincing people to perform atypical actions or divulge confidential information. It remains a popular method of bypassing security because attacks focus on the weakest link in the security architecture: the staff of the organization, instead of directly targeting technical controls, such as firewalls or authentication systems. This paper investigates the level of susceptibility to social engineering amongst staff within a cooperating organisation. An email-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. In spite of a short window of operation for the experiment, the results revealed that 23% of recipients were successfully snared by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.