Owolabi Phillip Iyanuoluwa


EVALUATION OF CYBERSECURITY BREACHES: INVESTIGATION OF RECENT

INCIDENTS, VULNERABILITIES AND MITIGATION STRATEGIES

BY

OWOLABI PHILIP IYANUOLUWA

MATRIC NO: 184223

SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND

ENGINEERING, FACULTY OF ENGINEERING AND TECHNOLOGY,

LADOKE AKINTOLA UNIVERSITY OF TECHNOLOGY, OGBOMOSO, OYO STATE,

NIGERIA.

IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF

BACHELOR DEGREE OF TECHNOLOGY (B.TECH) IN COMPUTER SCIENCE AND

ENGINEERING

SUPERVISED BY: PROF. A. ADETUNJI

FEBRUARY, 2024
CERTIFICATION

This is to certify that this project work is done by OWOLABI PHILIP IYANUOLUWA (Matric no: 184223) in the Department of Computer Science and Engineering, Ladoke Akintola University of Technology, Ogbomoso, Oyo State, Nigeria in partial fulfilment of the requirement for the award of Bachelor of Technology (B.Tech) in Computer Science and Engineering.

....................................... .......................................

PROF. A. ADETUNJI Date

(Supervisor)

.............................................. ..........................................

PROF. Date

(Head of Department)
DEDICATION

This project work is dedicated to the glory of Almighty God who has been my Anchor and who in His infinite mercy provides for me.
ACKNOWLEDGEMENT

First and foremost, all appreciation goes to Almighty God for His loving kindness, protection, provisions and mercy shown to me during my academic pursuits and for making this project a reality.

I wish to express my sincere gratitude to my able supervisor, PROF. A. ADETUNJI, for his efforts and advice on this project work.

Also, my special thanks go to my caring and loving parents for their support right from the beginning of my educational career to this present date. May you live long to eat the fruits of your labor, in Jesus' name, Amen.

I will not forget to thank all members of my extended family at large for their care, moral and financial support at all times. Thank you very much.
ABSTRACT

As digital ecosystems become increasingly intricate, the frequency and sophistication of cybersecurity breaches pose significant threats to organizational resilience. This project addresses the imperative need for an in-depth analysis of recent cybersecurity incidents, the identification of common vulnerabilities, and the development of effective mitigation strategies. The project's objectives encompass unraveling the intricacies of recent incidents, discerning recurring vulnerabilities, and formulating actionable strategies to fortify cybersecurity defenses. The literature review explores the historical evolution of cybersecurity breaches, providing a contextual understanding of the current threat landscape. Incident case studies delve into specific instances, dissecting attack methodologies and extracting insights to inform a holistic incident analysis. Common vulnerabilities are identified through an extensive review, categorizing weaknesses based on prevalence, severity, and impact.

Methodologically, a mixed-methods approach is adopted, combining qualitative and quantitative analyses. Qualitative methods include interviews and detailed case studies, while quantitative methods leverage advanced data analysis tools to uncover patterns and trends in cybersecurity incidents.

The analysis of recent incidents involves the creation of detailed profiles, offering a comprehensive view of attack lifecycles, impact assessments, and commonalities among diverse incidents. Patterns and trends across incidents inform the development of targeted mitigation strategies, addressing vulnerabilities identified through the literature review.

The proposed mitigation strategies encompass a comprehensive and adaptive approach, considering technical, organizational, and human factors. The conclusion summarizes key findings, emphasizing their significance in bolstering cybersecurity defenses. Implications for organizations include proactive security measures, the cultivation of a security-aware culture, and effective responses to emerging threats.

The project concludes by suggesting avenues for future research, recognizing the dynamic nature of cyber threats. Future research could explore the effectiveness of the proposed mitigation strategies in real-world scenarios, contributing to ongoing efforts to fortify cybersecurity in an ever-evolving digital landscape.
CHAPTER ONE

INTRODUCTION

1.1 Introduction

It is well known that the Internet is a global communication system where people all around the world can meet and talk about almost anything. Communication through social media, be it for good or bad reasons, has become the order of the day, and the world is very attached to the Internet. Unfortunately, not everyone uses the Internet for good purposes. There are lots of people who use social networks to steal personal information, especially through phishing, so all users of such sites need to be vigilant to protect themselves.

Phishing is a form of attack whereby attackers try to get hold of a person's personal details by misleading them. It is widespread on the Internet: one normally receives emails instructing the recipient to enter their personal information in order to protect their account. This is mostly done by sending an email that contains some enticing information, for example an attractive link that seems to come from a trusted source, to lure the victim into providing personal information.

Social networks are becoming a very popular source of information for these phishers. They can easily use all of the information contained in someone's social networking account to steal the person's identity. The good thing is that there are preventive measures that could help mitigate social engineering attacks.

1.2 Background of the Study

Cybersecurity has been a major concern since the beginning of ARPANET, which is considered to be the first wide-area packet-switching network with distributed control and one of the first networks to implement the TCP/IP protocol suite. The term “phishing”, which was also called carding or brand spoofing, was coined for the first time in 1996 when hackers created randomized credit card numbers using an algorithm to steal users' passwords from America Online (AOL) (Whitman and Mattord, 2012; Cui et al., 2017). Phishers then used instant messages or emails to reach users, posing as AOL employees to convince users to reveal their passwords. Attackers believed that requesting customers to update their account would be an effective way to make them disclose their sensitive information; thereafter, phishers started to target larger financial companies. The author in Ollmann (2004) believes that the “ph” in phishing comes from the term “phreaks”, which was coined by John Draper, who was also known as Captain Crunch, and was used by early Internet criminals when they phreaked telephone systems. The “f” in “fishing” was replaced with “ph” in “phishing” as the two have the same meaning: phishing for passwords and sensitive information in the sea of Internet users. Over time, phishers developed various and more advanced types of scams for launching their attacks. Sometimes the purpose of the attack is not limited to stealing sensitive information; it could involve injecting viruses or downloading a malicious program onto the victim's computer. Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive information (Ollmann, 2004).

Phishing attacks are rapidly evolving, and spoofing methods are continuously changing in response to new countermeasures. Hackers take advantage of new toolkits and technologies to exploit systems' vulnerabilities and also use social engineering techniques to fool unsuspecting users. Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.
1.3 Aim and Objectives of the Study

The aim of this study is to comprehensively explore, analyze, and understand the dynamics of social engineering and phishing attacks in the context of cybersecurity. By investigating the psychological principles, techniques, and mitigation strategies, the study seeks to enhance awareness, knowledge, and preparedness in combating these pervasive threats.

Objectives

The primary objectives of this research are as follows:

• To analyze the current landscape of social engineering and phishing attacks, including their techniques and trends.

• To identify and evaluate existing cybersecurity measures and their limitations in addressing these threats.

• To propose innovative strategies and technologies for enhancing protection against social engineering and phishing attacks.

• To assess the effectiveness of the proposed strategies through practical experiments and simulations.

1.4 Significance of the Study

The study of social engineering and phishing attacks holds profound significance in today's interconnected digital landscape. As cyber threats become increasingly sophisticated and prevalent, understanding the intricacies of these manipulative tactics is crucial for individuals, businesses, and society at large. Such understanding enhances cybersecurity awareness and helps protect personal privacy.
1.5 Scope of the Study

The scope of this study encompasses a comprehensive exploration of the concepts, techniques, impacts, and mitigation strategies associated with social engineering and phishing attacks. The study will delve into both the technical and psychological aspects of these attacks, aiming to provide a holistic understanding of the threat landscape and practical ways to counteract them.

1.6 Problem Statement

Social engineering has become a widespread issue, and ever more individuals have fallen victim to social engineering attacks as a result of ignorance. Although there is some level of awareness among everyday users of the Internet and network-capable devices, individuals still seem unaware of how devastating social engineering attacks can be. This paper strives to present a taxonomy of the most popular social engineering attacks, along with their respective defense strategies, which will be delivered to students in the form of guidelines they can follow to avoid falling victim to such attacks. This research was conducted with the following research questions in mind:

• Research Question 1: What is the taxonomy of modern social engineering attacks?

• Research Question 2: What are the different scientific and practice-based defense strategies that can be used to counter social engineering attacks?

• Research Question 3: How aware are students about these forms of attacks, and how well can they defend themselves against
1.7 Limitations of the Study

While this project seeks to provide a comprehensive understanding of social engineering and phishing attacks, it is important to acknowledge certain limitations that might impact the scope, depth, and generalizability of the findings. These limitations include:

• Complexity of Psychological Factors: Although the project aims to delve into the psychological aspects of these attacks, fully capturing the intricate interplay of cognitive biases, emotions, and social dynamics that cybercriminals exploit can be challenging. The complexity of human psychology might result in an oversimplification of these factors.

• Limited Access to Insider Information: Obtaining access to detailed insider information about specific social engineering or phishing incidents can be difficult due to the confidential nature of these incidents. This limitation might restrict the depth of analysis and prevent a comprehensive examination of real-world cases.

• Rapidly Evolving Techniques: The field of cyber threats, including social engineering and phishing attacks, evolves rapidly. Some of the techniques discussed in the project might become outdated or new attack vectors might emerge after the project's completion, limiting the relevance of the information over time.

• Resource and Technical Constraints: Exploring advanced technical aspects of these attacks might require specialized resources, tools, and technical expertise. Resource limitations could hinder the depth of analysis in certain technical areas.

• Incomplete Data and Reporting: Not all instances of social engineering and phishing attacks are publicly reported or documented. This limitation might result in incomplete data sets, potentially leading to a skewed understanding of the prevalence and impact of these attacks.

• Lack of Real-time Analysis: The project's research and analysis might not capture the most recent and emerging trends in social engineering and phishing attacks, as these tactics are continually evolving.

1.8 Definition of Technical Terms

• Social Engineering: Social engineering refers to the manipulation of individuals into divulging confidential information, performing actions, or granting unauthorized access through psychological and emotional manipulation. It exploits human psychology, trust, and vulnerabilities to deceive individuals and bypass traditional security measures.

• Phishing Attacks: Phishing attacks are a form of cyber-attack where attackers impersonate legitimate entities, often through emails, messages, or phone calls, to deceive recipients into revealing sensitive information, clicking on malicious links, or downloading infected attachments. These attacks aim to trick users into taking actions that compromise their security.

• Spear Phishing: Spear phishing is a targeted form of phishing attack where cybercriminals customize their messages to a specific individual or organization. They often use personal information obtained from various sources to make the phishing attempt appear more convincing and legitimate.

• Whaling: Whaling is a subset of spear phishing that specifically targets high-profile individuals, such as CEOs or high-ranking executives, in an organization. These attacks aim to steal sensitive corporate information or gain access to valuable accounts.

• Vishing (Voice Phishing): Vishing is a type of phishing attack that uses voice communication, typically phone calls, to deceive victims. Attackers use social engineering techniques to manipulate victims into providing sensitive information or taking certain actions over the phone.

• Pretexting: Pretexting involves creating a fabricated scenario or pretext to trick individuals into disclosing information or performing actions they wouldn't otherwise. The attacker creates a false identity or reason to gain the victim's trust.

• Baiting: Baiting involves enticing victims with something appealing, such as a free download, in exchange for personal information or access credentials. This tactic exploits human curiosity and greed to manipulate individuals.

• Tailgating: Tailgating, also known as piggybacking, occurs when an attacker gains unauthorized physical access to a secured area by following closely behind an authorized person. This exploits the natural tendency to hold doors open for others.

• Email Spoofing: Email spoofing is a technique where attackers manipulate the email header to make it appear as though the email originates from a legitimate source. This is often used in phishing attacks to trick recipients into believing the communication is genuine.

• Domain Spoofing: Domain spoofing involves creating fraudulent websites or email addresses that mimic the appearance of legitimate domains. Attackers use these fake domains to trick users into thinking they are interacting with a trusted entity.

• Multi-Factor Authentication (MFA): Multi-factor authentication is a security method that requires users to provide two or more authentication factors to verify their identity. This adds an extra layer of protection against unauthorized access, even if login credentials are compromised.

• Intrusion Detection System (IDS): An intrusion detection system is a security solution that monitors network traffic and system activities to detect and respond to unauthorized or suspicious behavior. It helps identify potential cyber-attacks, including social engineering and phishing attempts.
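The Email Spoofing and Domain Spoofing entries above describe the attacker's side; the receiving mail system's counterpart is to check whether the domain shown in the From: header is actually the one that passed sender authentication. The following Python script is an added example and is not part of this project: it parses the Authentication-Results header that a receiving mail server adds (the RFC 8601 format) and applies relaxed DMARC-style alignment between the From: domain and the domains that passed SPF and DKIM. The two messages, every domain in them, and the two-label "organizational domain" rule are constructed assumptions for the example (real DMARC consults the Public Suffix List).

```python
"""Header-spoofing check for a received email (added example, constructed data).

A DMARC-style receiver does not trust From: on its own: it asks whether the
From: domain aligns with a domain that actually passed SPF or DKIM, as recorded
in the Authentication-Results header written by the receiving MX.
"""

import email
import re
from email.utils import parseaddr

# Constructed message 1: genuinely sent on behalf of example.com.
LEGIT_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com
From: IT Helpdesk <helpdesk@example.com>
To: user@example.net
Subject: Scheduled maintenance

Routine notice.
"""

# Constructed message 2: From: shows example.com, but SPF and DKIM passed for an
# unrelated domain, and Reply-To steers any answer somewhere else.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.mail-sender.test; dkim=pass header.d=mail-sender.test
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@example-com.test
To: user@example.net
Subject: Urgent: verify your account

Your account will be closed unless you act now.
"""


def organizational_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains, so bounce.example.com
    aligns with example.com.  Taking the last two labels is a simplification
    (assumption); real DMARC uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Return {'spf': domain, 'dkim': domain} for the mechanisms that passed,
    reading the smtp.mailfrom and header.d properties of an RFC 8601 header."""
    passed = {}
    m = re.search(r"spf=pass\b[^;]*smtp\.mailfrom=(\S+)", header)
    if m:
        passed["spf"] = m.group(1).rstrip(";").split("@")[-1]
    m = re.search(r"dkim=pass\b[^;]*header\.d=(\S+)", header)
    if m:
        passed["dkim"] = m.group(1).rstrip(";")
    return passed


def check_alignment(raw_message: str) -> dict:
    """Decide whether the displayed From: domain is backed by an aligned SPF or
    DKIM pass, and note a Reply-To that points to a different domain."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    passed = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = sorted(
        mech for mech, dom in passed.items()
        if organizational_domain(dom) == organizational_domain(from_domain)
    )
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() or from_domain
    return {
        "from_domain": from_domain,
        "authenticated": passed,
        "aligned": aligned,
        "reply_to_mismatch": reply_domain != from_domain,
        "verdict": "pass" if aligned else "fail",
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(name, check_alignment(raw))
```

Running the script prints a "pass" verdict for the first message and a "fail" for the second, even though both passed SPF and DKIM: the second message is authenticated, just not for the domain the recipient sees, which is exactly the gap email spoofing exploits and DMARC alignment closes.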

CHAPTER TWO

LITERATURE REVIEW

2.1 Introduction

Social engineering and phishing attacks are tactics employed by cybercriminals to manipulate individuals and gain unauthorized access to sensitive information or systems. These attacks exploit human vulnerabilities, such as trust and willingness to help, to deceive victims into revealing confidential data or performing actions that compromise security. Phishing attacks, a specific type of social engineering, involve the use of fraudulent emails, websites, or messages to trick individuals into divulging personal or financial information. Understanding the background and techniques involved in these attacks is crucial for individuals and organizations to protect themselves and their data from potential harm. By being aware of the risks and adopting best practices, individuals can minimize the chances of falling victim to these malicious schemes.

2.2 Background of the Study

Social engineering and phishing attacks are two common methods used by cybercriminals to manipulate individuals and gain unauthorized access to sensitive information or systems.

Social engineering refers to the manipulation of human psychology to trick individuals into revealing confidential information, performing certain actions, or bypassing security measures. It exploits the natural tendency of people to trust others and their willingness to help. Attackers may use various techniques, such as impersonation, deception, or manipulation, to exploit human vulnerabilities and gain access to sensitive data or systems.

Phishing attacks, on the other hand, are a specific type of social engineering attack that involves the use of fraudulent emails, websites, or messages to deceive individuals into providing personal or financial information. The attackers typically pose as a legitimate entity, such as a bank, government agency, or well-known company, and create a sense of urgency or fear to trick victims into taking action. This action often involves clicking on malicious links, downloading malware-infected attachments, or entering sensitive information on fake websites.

Phishing attacks can take various forms, including spear phishing, where attackers target specific individuals or organizations, and whaling, which targets high-profile individuals like executives or celebrities. Phishing attacks can also occur through other communication channels like phone calls (vishing) or text messages (smishing).

The ultimate goal of social engineering and phishing attacks is to obtain sensitive information, such as login credentials, credit card details, or personal data, which can be used for identity theft, financial fraud, or unauthorized access to systems. These attacks can have severe consequences for individuals and organizations, including financial loss, reputational damage, and compromised data security.

By staying informed and adopting proactive security measures, individuals and organizations can reduce the risk of falling victim to social engineering and phishing attacks.

2.2.1 Importance of Mitigating these Attacks for Enhanced Cybersecurity

Mitigating social engineering and phishing attacks is of utmost importance for enhancing cybersecurity. Here are some reasons why it is crucial to address these threats:

1. Protection of sensitive information: Social engineering and phishing attacks aim to obtain sensitive data, such as login credentials, financial information, or personal details. Mitigating these attacks helps safeguard this information, preventing unauthorized access and potential misuse.

2. Prevention of financial loss: Phishing attacks often target individuals' or organizations' financial accounts. By mitigating these attacks, the risk of financial loss due to fraudulent transactions or unauthorized access to accounts is significantly reduced.

3. Preservation of reputation: Falling victim to a social engineering or phishing attack can damage an individual's or organization's reputation. Attackers may use stolen information for identity theft or launch further attacks using compromised accounts. By mitigating these attacks, individuals and organizations can protect their reputation and maintain the trust of their customers and stakeholders.

4. Prevention of data breaches: Social engineering attacks can lead to data breaches, where sensitive information is exposed or leaked. These breaches can have severe legal and financial consequences, as well as damage the trust of customers or clients. By mitigating social engineering attacks, the risk of data breaches is minimized.

5. Protection against malware and ransomware: Phishing attacks often involve tricking victims into downloading malicious attachments or clicking on malicious links, which can lead to the installation of malware or ransomware on their devices or networks. By mitigating these attacks, the risk of malware infections and subsequent damage to systems and data is reduced.

6. Enhanced overall cybersecurity posture: Addressing social engineering and phishing attacks is an essential part of a comprehensive cybersecurity strategy. By educating individuals, implementing security measures, and promoting awareness, organizations can strengthen their overall cybersecurity posture and reduce vulnerabilities to various types of attacks.

7. Compliance with regulations: Many industries and jurisdictions have regulations and standards in place to protect the privacy and security of sensitive information. Mitigating social engineering and phishing attacks helps organizations comply with these regulations, avoiding potential legal consequences and penalties.

In conclusion, mitigating social engineering and phishing attacks is vital for enhancing cybersecurity. It protects sensitive information, prevents financial loss, preserves reputation, prevents data breaches, safeguards against malware and ransomware, strengthens overall cybersecurity posture, and ensures compliance with regulations. By taking proactive measures to address these threats, individuals and organizations can significantly reduce their risk and maintain a secure digital environment.

2.2.2 Purpose of the Literature Review

The purpose of a literature review is to provide a comprehensive and critical analysis of existing research and literature on a specific topic. It serves several important purposes:

1. Identifying gaps in knowledge: By reviewing existing literature, researchers can identify areas where further research is needed. They can identify gaps in knowledge or unanswered questions that can guide their own research and contribute to the existing body of knowledge.

2. Understanding the current state of research: A literature review helps researchers understand the current state of research on a particular topic. It provides an overview of the theories, concepts, methodologies, and findings that have been explored by previous researchers. This understanding helps researchers build upon existing knowledge and avoid duplicating previous work.

3. Evaluating the quality and credibility of sources: Conducting a literature review involves critically evaluating the sources and studies that have been published on a topic. Researchers assess the credibility and reliability of the sources, considering factors such as the methodology used, sample size, and the rigor of the research. This evaluation ensures that researchers rely on high-quality sources and avoid basing their work on flawed or unreliable studies.

4. Identifying key themes and trends: A literature review helps identify common themes, patterns, and trends in the existing research. It allows researchers to synthesize and analyze the findings from multiple studies, providing a broader understanding of the topic and potential relationships between different variables or factors.

5. Providing a theoretical framework: A literature review helps researchers establish a theoretical framework for their own study. By reviewing existing theories and models, researchers can identify the most appropriate theoretical perspectives to guide their research and develop hypotheses or research questions.

6. Informing research design and methodology: Researchers can learn from the strengths and weaknesses of previous studies when designing their own research. They can identify the most effective research methodologies, data collection techniques, and analytical approaches based on the experiences and findings of previous researchers.

7. Generating new research ideas: The synthesis of existing literature can often lead to the generation of new research ideas or hypotheses. Researchers may identify gaps or inconsistencies in the existing literature that can spark new avenues for investigation or suggest alternative perspectives to explore.

Overall, a literature review serves as a foundation for research by providing a comprehensive understanding of existing knowledge, identifying gaps, and informing the design and direction of future studies. It helps researchers contribute to the field by building upon previous work and generating new insights.

2.3 Understanding Social Engineering and Phishing Attacks

2.3.1 Definition and Types of Social Engineering Attacks

Social engineering attacks are tactics used by cybercriminals to manipulate and deceive individuals into divulging sensitive information or performing actions that may compromise their security. These attacks exploit human psychology and rely on the target's trust, curiosity, or lack of awareness.

Here are some common types of social engineering attacks:

1. Phishing: As mentioned earlier, phishing is a type of social engineering attack where the attacker impersonates a trusted entity, such as a bank or email provider, and tries to trick the recipient into clicking on a malicious link or providing sensitive information.

2. Spear Phishing: This is a more targeted form of phishing where the attacker tailors the attack to a specific individual or organization. The attacker may gather personal information about the target to make the phishing attempt more convincing.

3. Whaling: Similar to spear phishing, whaling targets high-profile individuals, such as executives or celebrities. The goal is to trick them into revealing sensitive information or granting unauthorized access.

4. Pretexting: In pretexting attacks, the attacker creates a fictional scenario or story to trick the target into providing information or performing actions. For example, an attacker may pose as a customer service representative and request personal details under the guise of solving an issue.

5. Baiting: Baiting attacks involve enticing the target with something appealing, such as a free download or a USB drive, which contains malware or malicious software. The target unknowingly installs the malware, compromising their security.

6. Watering Hole: In a watering hole attack, the attacker compromises a trusted website or online platform that the target frequently visits. When the target accesses the compromised site, their device may be infected with malware or prompted to provide sensitive information.

7. Tailgating: This physical social engineering attack involves an attacker following an authorized person into a restricted area by pretending to be an employee or someone with legitimate access.

These are just a few examples of social engineering attacks, but it's important to note that attackers are constantly evolving their tactics to exploit new vulnerabilities. Being aware of these types of attacks and staying vigilant can help individuals protect themselves from social engineering threats.

2.3.2 Definition and Types of Phishing Attacks

Phishing attacks are a specific type of social engineering attack where attackers impersonate a trusted entity to deceive individuals into providing sensitive information or performing actions that can compromise their security. Phishing attacks are typically carried out through email or instant messaging platforms, but they can also occur through phone calls or text messages.

Here are some common types of phishing attacks:

1. Deceptive Phishing: This is the most common type of phishing attack. The attacker sends emails or messages that appear to be from a legitimate organization, such as a bank or an online service provider. The message typically contains a link that leads to a fake website designed to steal login credentials or other sensitive information.

2. Spear Phishing: Spear phishing attacks are more targeted and personalized. The attacker gathers information about the target, such as their name, position, or recent activities, to make the phishing attempt more convincing. These attacks often target specific individuals or organizations.

3. Clone Phishing: In clone phishing attacks, the attacker creates a near-identical copy of a legitimate email or website and replaces a legitimate link or attachment with a malicious one. The recipient is tricked into thinking that the communication is genuine and falls victim to the attack.

4. Whaling: Whaling attacks target high-profile individuals, such as executives or celebrities. The attacker poses as a trusted entity and attempts to trick the target into revealing sensitive information or granting unauthorized access.

5. Smishing: Smishing attacks occur through SMS or text messages. The attacker sends text messages that appear to be from a legitimate source and tricks the recipient into clicking on a malicious link or providing personal information.

6. Vishing: Vishing attacks involve voice communication, typically through phone calls. The attacker poses as a trustworthy individual or organization and tries to extract sensitive information from the target over the phone.

7. Pharming: In pharming attacks, the attacker redirects the target's internet traffic to a fake website without their knowledge. The fake website is designed to collect sensitive information, such as login credentials or financial details.

It's important to be cautious and skeptical of any unsolicited communication, especially if it involves requests for personal information or clicking on unknown links. Regularly updating software, using strong and unique passwords, and enabling multi-factor authentication can also help protect against phishing attacks.
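Deceptive and clone phishing, as described in items 1 and 3 above, depend on a link whose visible text names a trusted site while the destination is a fake or lookalike one. The following Python script is an added example, not code from this project: it extracts the anchors from a constructed HTML email body and flags three indicators a mail gateway or analyst commonly checks, namely visible URL text whose host differs from the href host, a punycode (xn--) host, and a destination host that imitates one of a constructed list of protected domains (digit-for-letter homoglyphs, a brand name embedded in another domain, or a one- or two-character typo). The protected-domain list, the homoglyph table and the sample email are all assumptions made for the example.

```python
"""Link triage for a suspected phishing email (added example, constructed data).

Pulls every anchor out of an HTML body and flags display/href host mismatches,
punycode hosts, and destination hosts that imitate a protected domain.
"""

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains an organisation wants to protect (constructed list).
PROTECTED = ["example.com", "examplebank.com"]

# Digit/symbol-for-letter substitutions seen in lookalike domains (constructed
# subset; a production tool would use a fuller confusables table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a"})

# Constructed lure body: a typosquat, a brand-in-subdomain, a genuine link.
SAMPLE_HTML = """
<p>Dear customer, your account is locked.</p>
<p><a href="https://examp1e.com/login">https://example.com/login</a></p>
<p><a href="http://example.com.secure-verify.test/reset">Reset password</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare 'example.com/x' text is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text.strip(), re.I))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the protected domain that `host` imitates, or None when it is
    the protected domain itself (or a subdomain of it) or unrelated."""
    raw = host.lower().rstrip(".")
    for p in PROTECTED:
        if raw == p or raw.endswith("." + p):
            return None  # genuine; decided before any normalisation
    norm = raw.translate(HOMOGLYPHS)
    registrable = ".".join(norm.split(".")[-2:])  # two-label simplification
    for p in sorted(PROTECTED, key=len, reverse=True):  # longest brand first
        brand = p.split(".")[0]
        if brand in norm or levenshtein(registrable, p) <= 2:
            return p
    return None


def triage_links(html_body: str) -> list:
    """One finding per anchor, with the reasons it looks suspicious (may be empty)."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode/IDN host")
        if looks_like_url(text) and host_of(text) != host:
            reasons.append(f"display text points to {host_of(text)}")
        target = lookalike_of(host)
        if target:
            reasons.append(f"lookalike of {target}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_HTML):
        print(f["host"], "->", f["reasons"] or ["no indicator"])
```

Run as a script it reports the first two links with their reasons and the genuine help link with none. The brand-substring rule is deliberately aggressive and will also flag unrelated domains that happen to contain the brand string, so in practice the protected list and the distance threshold are tuned against the organisation's own domains and measured false-positive rate.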

2.3.3 Common Techniques used in Social Engineering and Phishing Attacks

Social engineering and phishing attacks utilize various techniques to manipulate individuals and trick them into divulging sensitive information or performing actions that compromise their security. Here are some common techniques used in these attacks:

1. Impersonation: Attackers often impersonate trusted entities, such as banks, government agencies, or well-known companies, to gain the target's trust. They may use email addresses, logos, or website designs that closely resemble the legitimate ones to deceive the target.

2. Urgency and Fear: Attackers create a sense of urgency or fear to prompt immediate action from the target. They may claim that the target's account is compromised, that they will face legal consequences, or that they need to update their information immediately to avoid a problem.

3. Emotional Manipulation: Social engineering attacks often exploit human emotions like curiosity, greed, or sympathy. Attackers may use enticing offers, promises of rewards, or stories of hardship to manipulate the target into taking a desired action.

4. Information Gathering: Attackers gather personal information about their targets from various sources, such as social media platforms, public records, or data breaches. This information helps them personalize their attacks and make them more convincing.

5. Phishing Links and Attachments: Phishing attacks commonly include malicious links or attachments in emails, messages, or websites. These links may lead to fake websites designed to collect login credentials or install malware on the target's device.

6. Spoofed Websites and Emails: Attackers create fake websites or emails that closely resemble legitimate ones. They use similar domain names, logos, and designs to trick the target into thinking they are interacting with a trusted entity.

7. Manipulating Trust: Social engineering attacks exploit the natural tendency of individuals to trust others. Attackers may impersonate a colleague, friend, or family member to gain the target's trust and convince them to share sensitive information or perform certain actions.

8. Pretexting: Attackers create a fictional scenario or story to gain the target's confidence and obtain sensitive information. For example, they may pose as a customer service representative, IT support technician, or a trusted authority figure to trick the target into sharing information.

9. Authority Exploitation: Attackers may pose as someone with authority or power, such as a supervisor, manager, or law enforcement officer, to manipulate the target into complying with their requests.

10. Social Influence: Attackers may use social influence techniques, such as creating a sense of social proof or scarcity, to persuade the target to take specific actions. For example, they may claim that many others have already taken advantage of an offer or that the opportunity is limited.

It's crucial to be cautious and skeptical of any unsolicited communications and to verify the authenticity of requests before sharing sensitive information or performing actions. Regularly updating security software, staying aware of current attack techniques, and educating oneself about social engineering and phishing can also help prevent falling victim to these attacks.

2.4 Impact of Social Engineering and Phishing Attacks

Social engineering and phishing attacks can have significant impacts on individuals, organizations, and society as a whole. Here are some of the key impacts:

1. Financial Loss: Phishing attacks often aim to steal sensitive financial information such as credit card numbers, bank account details, or login credentials. When successful, these attacks can result in financial loss for individuals or organizations. Stolen funds can be used for unauthorized purchases, money transfers, or identity theft.

2. Data Breaches: Social engineering attacks can also lead to data breaches, where sensitive information such as personal data, intellectual property, or trade secrets is compromised. This can have severe consequences for individuals and organizations, including reputational damage, legal repercussions, and financial penalties.

3. Identity Theft: Phishing attacks often involve tricking individuals into providing personal information, such as social security numbers, dates of birth, or addresses. This information can be used for identity theft, where the attacker assumes the identity of the victim to carry out fraudulent activities or gain unauthorized access to accounts or systems.

4. Business Disruption: Phishing attacks targeted at organizations can disrupt business operations by compromising systems, stealing sensitive information, or spreading malware. This can lead to downtime, loss of productivity, and financial costs associated with remediation efforts.

5. Spread of Malware: Phishing attacks often involve malicious attachments or links that, when clicked, download malware onto the victim's device. This malware can spread across networks, infect other devices, and potentially cause widespread damage, including data loss, system crashes, or unauthorized access.

6. Psychological Impact: Social engineering attacks often exploit human vulnerabilities, such as trust or fear, to manipulate individuals into divulging sensitive information or taking certain actions. Victims of successful attacks may experience feelings of violation, embarrassment, or guilt, leading to psychological distress and loss of confidence in online interactions.

7. Trust and Confidence Erosion: Social engineering and phishing attacks erode trust in online platforms, services, and communication channels. When individuals or organizations fall victim to these attacks, it can undermine confidence in the security of online transactions, communication, and data protection. This can have long-term consequences for the adoption and utilization of digital technologies.

To mitigate the impact of social engineering and phishing attacks, individuals and organizations should educate themselves about these threats, implement robust security measures, regularly update software and systems, and remain vigilant in detecting and reporting suspicious activities.

2.5 Strategies for Mitigating Social Engineering and Phishing Attacks

2.5.1 Employee Education and Awareness

Employee education and training is a crucial strategy for mitigating social engineering and phishing attacks. Here are some key aspects to consider:

1. General awareness training: Provide regular training sessions to educate employees about the different types of social engineering and phishing attacks, including email, phone calls, and in-person interactions. Teach them how to recognize common red flags and suspicious behaviors.

2. Phishing simulation exercises: Conduct simulated phishing campaigns to test employees' awareness and response to phishing emails. This helps identify areas where additional training is needed and reinforces good security practices.

3. Teach email hygiene: Train employees on how to identify phishing emails, including looking for suspicious email addresses, misspellings, grammatical errors, and urgent or threatening language. Encourage them to verify the sender's identity before clicking on any links or opening attachments.

4. Safe browsing practices: Educate employees about safe browsing habits, such as avoiding clicking on suspicious links, downloading files from untrusted sources, or visiting unknown websites. Teach them to look for the padlock symbol and "https" in the URL to ensure secure connections.

5. Password security: Teach employees about the importance of strong and unique passwords. Instruct them to never share passwords, use password managers, and enable multi-factor authentication whenever possible.

6. Reporting procedures: Clearly communicate to employees the process for reporting suspicious emails, phone calls, or any other potential social engineering attempts. Establish a clear and accessible reporting mechanism, such as a dedicated email address or a designated person.

7. Ongoing communication: Continuously reinforce the importance of security awareness through regular communication channels, such as newsletters, posters, and internal messaging platforms. Share real-life examples of social engineering attacks and their consequences to emphasize the need for vigilance.

8. Role-specific training: Tailor training programs to specific job roles and departments. For example, finance and HR departments may require additional training on identifying and handling targeted attacks like CEO fraud or spear phishing.

9. Stay updated: Keep employees informed about the latest social engineering and phishing techniques, trends, and news. Provide them with resources such as articles, blogs, and webinars to stay updated on emerging threats.

10. Reward and recognition: Encourage employees to actively participate in security awareness programs by recognizing and rewarding those who demonstrate good security practices and report suspicious activities. This helps create a positive security culture within the organization.

Remember that employee education and training should be an ongoing effort, with regular refreshers and updates as new threats arise. Additionally, involving employees in the development of security policies and procedures can help increase their sense of ownership and responsibility towards protecting the organization from social engineering and phishing attacks.

2.5.2 Technical Measures and Solutions

In addition to employee education and training, implementing technical measures and solutions can help protect against social engineering and phishing attacks. Here are some key technical measures to consider:

1. Email filtering and spam detection: Deploy robust email filtering solutions that can identify and block phishing emails. These solutions use various techniques, such as analyzing email headers, content, and attachments, to detect and prevent malicious emails from reaching employees' inboxes.

2. Multi-factor authentication (MFA): Implement MFA for all critical systems and applications. This adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their username and password.

3. Endpoint protection: Install and regularly update endpoint protection software, including antivirus, anti-malware, and firewall solutions, on all devices within the organization. This helps detect and block known threats and suspicious activities.

4. Web filtering and URL reputation services: Implement web filtering solutions that can block access to known malicious websites. Use URL reputation services to assess the reputation of websites and prevent users from visiting potentially dangerous sites.

5. Patch management: Regularly update and patch all software, including operating systems, web browsers, and applications, with the latest security patches. This helps protect against known vulnerabilities that attackers may exploit.

6. Secure configuration management: Ensure that all systems and devices are configured securely, following best practices and security guidelines. This includes disabling unnecessary services, using strong encryption protocols, and enforcing secure password policies.

7. Network segmentation: Implement network segmentation to separate critical systems and sensitive data from the rest of the network. This limits the potential damage that an attacker can cause if they gain access to the network.

8. Intrusion detection and prevention systems (IDS/IPS): Deploy IDS/IPS solutions that can detect and block suspicious network traffic and activities. These systems can help identify and prevent social engineering and phishing attacks in real time.

9. Security information and event management (SIEM): Implement a SIEM solution that collects and analyzes security event logs from various systems and devices. This helps identify patterns and anomalies that may indicate social engineering or phishing attempts.

10. Data encryption: Encrypt sensitive data both at rest and in transit to prevent unauthorized access. This includes using encryption protocols for email communication, encrypting data stored on devices and in databases, and implementing secure file transfer protocols.

11. Regular backups: Implement regular backup procedures to ensure critical data is protected and can be restored in case of a successful attack. Test the restoration process periodically to ensure backups are functioning properly.

12. Vulnerability scanning and penetration testing: Conduct regular vulnerability scans and penetration tests to identify and address any weaknesses in your security infrastructure. This helps identify potential entry points for attackers and allows for proactive remediation.

Remember that implementing these technical measures is an ongoing process. Regular updates, monitoring, and adjustments are necessary to stay ahead of evolving threats and ensure the effectiveness of your security measures.
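As an added example (not part of the original thesis), the following Python script applies the red flags named in the email hygiene item of 2.5.1 and the header and content analysis described in the email filtering item above to a constructed message: it checks for a lookalike sender domain, a display name that claims a trusted brand, a mismatched Reply-To, urgent wording, and links whose visible text and target differ. The trusted-domain list, phrase list, threshold and sample message are constructed assumptions, not data from the thesis.

```python
"""Phishing red-flag scorer (added example, not from the original thesis).
Checks sender domain lookalikes, brand-name display names, Reply-To mismatch,
urgent wording and link text/href mismatch on an RFC 5322 message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed: domains a hypothetical organisation treats as legitimate.
TRUSTED_DOMAINS = {"acmebank.example", "acme.example"}
# Constructed: phrases typical of the urgency/fear tactic.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account suspended",
                   "verify your account", "urgent", "legal action")
# Digit/letter swaps often used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean a one- or two-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host (login.acme.example -> acme.example).
    Simplification: ignores multi-label public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it does not."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalised == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    for trusted in sorted(TRUSTED_DOMAINS):   # brand name embedded in another domain
        if trusted.split(".")[0] in normalised.split(".")[0]:
            return trusted
    return None


def score_message(raw: str) -> dict:
    """Return the red flags found in a raw message and a score (one point per flag)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")
    # Display name claims a trusted brand while the address is elsewhere.
    if sender_domain not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        flags.append(f"display name '{display}' does not match {sender_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != sender_domain:
        flags.append(f"Reply-To {reply_to} differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = [p for p in URGENCY_PHRASES if p in (msg.get("Subject", "") + " " + text).lower()]
    if hits:
        flags.append("urgent language: " + ", ".join(hits))
    # Visible link text names one domain while the href points to another.
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', text, re.I):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", label.lower())
        if shown and registrable_domain(shown.group(1)) != href_dom:
            flags.append(f"link text {shown.group(1)} but href goes to {href_dom}")
        elif lookalike_of(href_dom):
            flags.append(f"link to lookalike domain {href_dom}")
    return {"score": len(flags), "flags": flags}


# Constructed sample message exhibiting all five red flags.
SAMPLE = """\
From: Acme Bank Security <alerts@acrnebank.example>
Reply-To: recovery@mailbox-recovery.invalid
To: staff@acme.example
Subject: Urgent: your account suspended
Content-Type: text/html

<p>Verify your account within 24 hours or it will be closed.</p>
<p><a href="http://acmebank.example.login-check.invalid/verify">https://acmebank.example/login</a></p>
"""

if __name__ == "__main__":
    for flag in score_message(SAMPLE)["flags"]:
        print("-", flag)
```

A filter built on these checks would quarantine or tag the message for review rather than block on a single flag, since each check alone produces false positives.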

2.5.3 Incident Response and Reporting

Despite the best efforts to prevent social engineering and phishing attacks, it is still possible for an attack to occur. In such cases, having a well-defined incident response plan can help minimize the damage and reduce the impact on the organization. Here are some key steps to include in your incident response plan:

1. Identify the incident: Train employees to recognize the signs of a social engineering or phishing attack, and establish clear reporting procedures. Encourage employees to report any suspicious activity immediately to designated personnel or a dedicated email address.

2. Contain the incident: Once an incident is identified, take immediate steps to contain it. This may include disabling compromised accounts, disconnecting affected devices from the network, or shutting down affected systems.

3. Investigate the incident: Conduct a thorough investigation to determine the scope and impact of the incident. This may involve analyzing logs, reviewing network traffic, and interviewing affected employees.

4. Notify stakeholders: Notify relevant stakeholders, including management, IT, legal, and law enforcement, as appropriate. Consider the potential impact on customers, partners, and vendors, and communicate with them as necessary.

5. Mitigate the damage: Take steps to mitigate the damage caused by the incident, such as restoring backups, patching vulnerabilities, or resetting passwords. Ensure that all affected systems and devices are thoroughly checked for any residual malware or backdoors.

6. Learn from the incident: Conduct a post-incident review to identify areas for improvement in your security infrastructure and incident response plan. Update your policies and procedures accordingly, and provide additional training to employees as needed.

7. Report the incident: In some cases, it may be necessary to report the incident to regulatory authorities or law enforcement. Ensure that you comply with any legal or regulatory requirements for reporting incidents.

Remember that the incident response plan should be regularly reviewed and updated to reflect changes in the threat landscape and the organization's security posture. Additionally, it is important to maintain a culture of transparency and accountability, where employees feel comfortable reporting incidents and taking appropriate action to protect the organization.

2.5.4 Collaboration and Information Sharing

Collaboration and information sharing are crucial components of a comprehensive security strategy to protect against social engineering and phishing attacks. By sharing information and collaborating with internal teams, external partners, and industry peers, organizations can improve their collective ability to detect, prevent, and respond to these threats. Here are some key considerations for effective collaboration and information sharing:

1. Internal collaboration: Foster collaboration among different teams within your organization, such as IT, security, legal, and human resources. Establish clear communication channels and processes to facilitate the sharing of information and coordination of efforts to prevent and respond to social engineering and phishing attacks.

2. External partnerships: Establish partnerships with external organizations, such as industry groups, government agencies, and cybersecurity vendors. These partnerships can provide access to threat intelligence, best practices, and resources that can enhance your organization's security posture.

3. Information sharing platforms: Explore the use of information sharing platforms, such as threat intelligence sharing communities or industry-specific forums, where organizations can share anonymized threat data, indicators of compromise, and incident response best practices. These platforms can help identify emerging threats and provide early warning of potential attacks.

4. Incident sharing and reporting: Encourage employees and stakeholders to report any incidents or suspicious activities promptly. Establish a clear process for reporting incidents internally, and consider participating in industry-specific incident reporting programs or sharing information with relevant authorities or organizations.

5. Training and awareness programs: Conduct regular training and awareness programs to educate employees about social engineering and phishing attacks. Encourage employees to share their experiences and lessons learned, and provide them with the tools and knowledge to recognize and report potential threats.

6. Red teaming exercises: Engage in red teaming exercises or simulated phishing campaigns to test your organization's readiness and response to social engineering attacks. These exercises can help identify vulnerabilities and gaps in your defenses and provide valuable insights for improvement.

7. Threat intelligence sharing: Establish relationships with trusted threat intelligence providers to gain access to real-time information on emerging threats, tactics, and vulnerabilities. This can help you proactively adjust your security controls and defenses to mitigate the risk of social engineering and phishing attacks.

8. Incident response coordination: Develop relationships with key stakeholders, such as law enforcement agencies, legal counsel, and incident response service providers, to ensure effective coordination and response in the event of a social engineering or phishing attack.

Remember that collaboration and information sharing should be conducted in a secure and trusted manner. Implement appropriate safeguards to protect sensitive information and ensure compliance with legal and regulatory requirements. Additionally, regularly evaluate the effectiveness of your collaboration efforts and adjust your strategies as needed to stay ahead of evolving threats.

2.5.5 Continuous Monitoring and Risk Assessment

Continuous monitoring and risk assessment are essential components of a robust security strategy to protect against social engineering and phishing attacks. By continuously monitoring your systems, networks, and processes, and regularly assessing your security risks, you can identify vulnerabilities, detect potential threats, and take proactive measures to mitigate risks. Here are some key considerations for effective continuous monitoring and risk assessment:

1. Vulnerability scanning: Conduct regular vulnerability scans to identify weaknesses in your systems, applications, and network infrastructure. Use automated tools to scan for known vulnerabilities and misconfigurations, and promptly address any identified issues.

2. Log monitoring and analysis: Implement a centralized logging system and regularly review logs for any suspicious activities or indicators of compromise. Use security information and event management (SIEM) tools to aggregate and analyze log data to detect potential security incidents.

3. Network traffic analysis: Monitor network traffic for any unusual or suspicious patterns. Use intrusion detection and prevention systems (IDPS) or network traffic analysis tools to identify potential malicious activities, such as unauthorized access attempts or data exfiltration.

4. User behavior analytics: Implement user behavior analytics (UBA) tools to analyze user activities and detect anomalies that may indicate social engineering or phishing attempts. Monitor for unusual login patterns, privilege escalation, or unauthorized access attempts.

5. Patch management: Establish a robust patch management process to ensure that all systems, applications, and devices are regularly updated with the latest security patches. Regularly review vendor advisories and security bulletins to identify vulnerabilities and apply patches promptly.

6. Threat intelligence integration: Integrate threat intelligence feeds into your monitoring systems to receive real-time information on emerging threats, indicators of compromise, and attack techniques. Leverage this intelligence to proactively adjust your security controls and defenses.

7. Risk assessments: Conduct regular risk assessments to identify and prioritize potential threats and vulnerabilities. Assess the impact and likelihood of social engineering and phishing attacks on your organization, and develop appropriate risk mitigation strategies.

8. Security awareness training: Provide regular security awareness training to employees to educate them about social engineering and phishing attacks. Reinforce good security practices, such as strong password management, email hygiene, and safe browsing habits.

9. Incident response readiness: Regularly review and update your incident response plan to ensure it aligns with the current threat landscape. Conduct tabletop exercises and simulations to test your incident response capabilities and identify areas for improvement.

10. Compliance monitoring: Monitor and assess your organization's compliance with relevant security standards, regulations, and policies. Regularly review and update your security controls to ensure ongoing compliance.

Remember that continuous monitoring and risk assessment are ongoing processes. Regularly review and update your monitoring tools, techniques, and risk assessment methodologies to stay ahead of evolving threats. Additionally, collaborate with internal teams and external partners to share information and insights that can enhance your monitoring and risk assessment capabilities.
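As an added example (not part of the original thesis) for the log monitoring and user behavior analytics items above, this Python detector runs over constructed authentication log lines and flags the unusual login patterns the text mentions: a success that follows a burst of failures, a login from a source never seen for that user, and a login outside normal hours. The log format, thresholds, working-hours window and user baseline are constructed assumptions.

```python
"""Login-log anomaly detector (added example, not from the original thesis).
Reads simple authentication log lines and raises the kinds of alerts a SIEM
or UBA rule would: brute-force-then-success, unknown source, off-hours login."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

FAIL_THRESHOLD = 4              # failures from one source before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(7, 20)       # 07:00-19:59 UTC is "normal" for this constructed org


def parse_line(line: str) -> dict:
    """Turn one log line into a record with a datetime timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_anomalies(lines, baseline):
    """Return (timestamp, user, reason) alerts.
    `baseline` maps user -> set of source IPs seen in that user's history."""
    events = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            continue
        # Successful login: judge it against preceding failures and the baseline.
        fails = [t for t in recent_fails[key] if ev["ts"] - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ev["ts"], ev["user"],
                           f"success after {len(fails)} failures from {ev['src']}"))
        recent_fails[key] = []
        if ev["src"] not in baseline.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"],
                           f"login from never-before-seen source {ev['src']}"))
        if ev["ts"].hour not in WORK_HOURS:
            alerts.append((ev["ts"], ev["user"], "login outside normal hours"))
    return alerts


# Constructed baseline and log sample (documentation IP ranges, fictional users).
BASELINE = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.7"}}
SAMPLE_LOG = """\
2024-02-12T09:15:02Z user=alice src=203.0.113.5 result=OK
2024-02-12T22:40:11Z user=bob src=198.51.100.23 result=FAIL
2024-02-12T22:40:19Z user=bob src=198.51.100.23 result=FAIL
2024-02-12T22:40:27Z user=bob src=198.51.100.23 result=FAIL
2024-02-12T22:40:35Z user=bob src=198.51.100.23 result=FAIL
2024-02-12T22:40:44Z user=bob src=198.51.100.23 result=OK
2024-02-13T08:02:30Z user=alice src=203.0.113.5 result=FAIL
2024-02-13T08:02:45Z user=alice src=203.0.113.5 result=OK
""".splitlines()

if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(SAMPLE_LOG, BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {reason}")
```

Alice's single mistyped password produces no alert, while Bob's off-hours success from an unknown address after four failures produces three, which is the kind of correlated signal worth escalating to incident response.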

2.6 Case Studies and Best Practices

Examples of Successful Mitigation Strategies

1. Employee training: Organizations have successfully mitigated social engineering and phishing attacks by providing comprehensive training to employees. This includes educating them about common tactics used by attackers, teaching them how to identify suspicious emails or messages, and emphasizing the importance of not sharing sensitive information.

2. Multi-factor authentication: Implementing multi-factor authentication adds an extra layer of security, making it more difficult for attackers to gain unauthorized access even if they have obtained login credentials through phishing attacks.

3. Email filtering and monitoring: Organizations can deploy advanced email filtering and monitoring systems that can detect and block suspicious emails or attachments. These systems can also analyze email patterns and identify potential phishing attempts.

Lessons Learned from Real-World Incidents

1. Importance of vigilance: Real-world incidents have shown that even with robust security measures in place, attackers can still find ways to exploit human vulnerabilities. Organizations have learned the importance of maintaining a high level of vigilance and regularly updating security protocols to stay ahead of evolving attack techniques.

2. Need for continuous education: Phishing attacks and social engineering tactics constantly evolve, making it essential for organizations to provide continuous education and awareness programs for employees. Regular updates on new attack methods and techniques can help employees stay informed and alert.

3. Incident response and reporting: Organizations have learned the importance of having a well-defined incident response plan in place. Prompt reporting of phishing attempts and incidents is crucial for minimizing the impact and preventing further damage.

Best Practices for Organizations to Adopt

1. Security awareness training: Conduct regular security awareness training sessions for employees to educate them about social engineering and phishing attacks. Provide practical examples and simulations to help them recognize and respond appropriately to suspicious emails or messages.

2. Strong authentication measures: Implement multi-factor authentication for all systems and applications to add an extra layer of security. This can significantly reduce the risk of unauthorized access even if login credentials are compromised.

3. Email filtering and monitoring: Deploy advanced email filtering and monitoring systems to automatically detect and block suspicious emails or attachments. Regularly update these systems to stay ahead of new attack techniques.

4. Incident response plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a phishing attack or social engineering incident. This should include clear guidelines on reporting incidents, isolating affected systems, and communicating with relevant stakeholders.

5. Regular testing and evaluation: Conduct regular phishing simulations and tests to assess the effectiveness of security measures and identify areas for improvement. Use the results to refine training programs and update security protocols accordingly.

2.7 Challenges and Future Directions in Social Engineering and Phishing Attacks

Emerging trends in social engineering and phishing attacks:

1. Smishing: Smishing refers to phishing attacks conducted through SMS or text messages. Attackers use text messages to trick individuals into providing sensitive information or clicking on malicious links.

2. Vishing: Vishing, or voice phishing, involves attackers using phone calls to manipulate individuals into divulging sensitive information or performing certain actions. They may impersonate trusted individuals or organizations to gain the victim's trust.

3. Pretexting: Pretexting involves creating a false scenario or pretext to deceive individuals into revealing sensitive information. Attackers may pose as someone in authority, such as a bank representative or IT support personnel, to gain the victim's trust.

4. Business Email Compromise (BEC): BEC attacks target businesses by impersonating executives or employees to trick individuals into making fraudulent transactions or disclosing sensitive information. These attacks often involve careful research and social engineering tactics.

Addressing the human factor in cybersecurity:

1. Cybersecurity awareness training: Organizations need to invest in comprehensive cybersecurity awareness training programs to educate employees about social engineering tactics, phishing attacks, and the importance of following secure practices.

2. Phishing simulations: Conducting regular phishing simulations can help organizations assess the susceptibility of their employees to phishing attacks. These simulations help identify areas of improvement and provide targeted training to mitigate the human factor in cybersecurity.

3. Multi-factor authentication (MFA): Implementing MFA adds an extra layer of security by requiring additional verification beyond just passwords. This helps prevent unauthorized access even if an attacker manages to obtain login credentials through social engineering.

4. Incident response and reporting: Encouraging employees to report suspicious emails, calls, or messages promptly can help organizations respond quickly and mitigate the impact of social engineering attacks. Establishing clear incident response protocols is crucial to ensure a swift and effective response.

Technological advancements and their impact on attacks:

1. Artificial Intelligence (AI): AI can be used by both attackers and defenders. Attackers can leverage AI to automate and enhance their social engineering tactics, while defenders can use AI-driven techniques to detect and prevent phishing attacks more effectively.

2. Machine Learning (ML): ML algorithms can analyze vast amounts of data to identify patterns and anomalies associated with phishing attacks. ML can help organizations develop more robust phishing detection systems and improve their ability to identify and block malicious emails or websites.

3. Biometric authentication: Biometric authentication methods, such as fingerprint or facial recognition, can provide more secure alternatives to traditional passwords. Implementing biometric authentication can reduce the risk of attackers obtaining login credentials through social engineering.

4. Advanced threat intelligence: Leveraging advanced threat intelligence solutions can help organizations stay ahead of evolving social engineering and phishing attacks. These solutions can provide real-time insights into emerging threats, enabling organizations to proactively defend against them.

5. User behavior analytics: User behavior analytics tools can monitor user activity and detect anomalies that may indicate a social engineering or phishing attack. By analyzing user behavior patterns, organizations can identify suspicious activities and take appropriate action to prevent potential breaches.

2.8 Summary of Key Findings

The key findings from this literature review on mitigating social engineering and phishing attacks with strategies for enhanced cybersecurity are as follows:

1. Social engineering and phishing attacks pose significant threats to organizations, leading to financial losses, data breaches, and damage to reputation.

2. Employee education and training programs are crucial in raising cybersecurity awareness and equipping employees with the knowledge to identify and respond to these attacks.

3. Technical measures such as multi-factor authentication, email filters, secure browsing, and endpoint protection can provide additional layers of defense against social engineering and phishing attempts.

4. Establishing incident response plans and encouraging reporting of suspicious activities are essential for effective incident handling and investigation.

5. Collaboration and information sharing with public-private partnerships and cybersecurity organizations can help organizations stay updated on the latest threats and preventive measures.

6. Continuous monitoring, risk assessment, and vulnerability management are necessary to identify and address security vulnerabilities promptly.

7. Case studies and best practices offer valuable insights into successful mitigation strategies and lessons learned from real-world incidents.

8. Challenges include emerging trends in attacks, addressing the human factor in cybersecurity, and adapting to technological advancements.

9. Organizations need to prioritize cybersecurity measures and continuously evolve their strategies to stay ahead of attackers and protect their assets and reputation.

Overall, implementing a comprehensive approach that combines employee education, technical measures, incident response, collaboration, continuous monitoring, and risk assessment is crucial for mitigating social engineering and phishing attacks and enhancing cybersecurity.

41
CHAPTER THREE

METHODOLOGY

3.1 Research Method and Design

3.1.1 Method

Three primary methodologies are used in scholarly research: qualitative, quantitative, and mixed method. A researcher's beliefs and experiences may play a role in the questions they ask survey respondents as well as in how those responses are interpreted (Leppink, 2017).

A qualitative methodology paves the way for research questions to be open to unexpected findings (Tavakol & Sandars, 2014a), with the choice of design depending on the nature of the research problem and the scientific knowledge being sought (Korstjens & Moser, 2017). A qualitative methodology is exploratory and is used to understand human behavior, conceptual phenomena, groups, or individuals, as opposed to the numerical data of quantitative research (Yin, 2013). In comparison to a quantitative method, in which the researcher is isolated from the phenomenon, the qualitative method allows a researcher to obtain data directly from a participant to address the research question. Qualitative research encompasses a broad range of philosophies, approaches, and methods which, when used, enable a researcher to acquire an in-depth understanding of people's perceptions (Vass, Rigby, & Payne, 2017). Methodologies within qualitative research focus on the reasoning of a participant to obtain results that are:

(a) Focused on a worthy topic,
(b) Include productive rigor,
(c) Sincere,
(d) Credible,
(e) Resonant,
(f) Provide a significant contribution,
(g) Ethical, and
(h) Provide meaningful coherence.

A qualitative method was the best choice for this study because qualitative descriptions were essential to exploring the mitigation strategies CISOs implement to protect their organizations from cyberattacks.

A quantitative methodology is used to examine variables and test hypotheses (Boyle, Whittaker, Eyal, & McCarthy, 2017), with probability and statistics determined within a population (Barnham, 2015). The measurement tools used in quantitative research aid the validity and reliability of a study (Tavakol & Sandars, 2014a). Quantitative research provides the structure and processes to collect, analyze, and evaluate statistical data via tables, charts, graphs, or figures to find associations within a population (Barczak, 2015). The context of this study was mitigation strategies for social engineering attacks, without the intention of testing hypotheses, seeking statistical data, or generalizing the data across other non-IT attacks on organizations. The quantitative method was not appropriate for this study because it requires a hypothesis test.

A mixed methodology is used to examine data sets and statistical results from a quantitative method along with the data from qualitative methods to further interpret the reason for a phenomenon (McKim, 2015). A researcher uses mixed methods to examine relationships and differences between variables utilizing a central research question and hypothesis (Venkatesh, Brown, & Bala, 2013). Mixed methods provide researchers with the option to combine participants' experiences with empirical data to determine the relationship between specific variables (Yin, 2013). A mixed-method study combines the best of qualitative and quantitative methods (Leppink, 2017). A mixed-method component relies on a combination of experiences, hypotheses, and relationships among variables, which was not my intention in this study. A mixed methodology was not appropriate for this study because the participants' experiences were not combined with empirical data to address the research question.

3.1.2 Research Design

Case study, phenomenological, ethnographic, and narrative research designs were considered for this study. Each of the four qualitative research designs has its strengths and weaknesses (Almalki, 2016). Yin (2013) noted that a rigorous research design is essential and expertly guides a researcher throughout the study.

A multiple case study design was selected for this study. The nature of this design is gathering detailed and multifaceted opinions (Ridder, 2017). Multifaceted opinions allowed for the exploration of social engineering mitigation strategies through the incorporation of different goals, collections, and data analysis. Carolan, Forbat, and Smith (2016) described the use of multiple data sources as typifying this research approach. Data sources can include observation, interviewing, recording, or documenting participant information (Yin, 2013). The data collection methods within the design provide a holistic approach focused on variables in a natural setting and working toward understanding participants' perceptions and interpretations (Cope, 2015). With the case study design, a researcher illustrates the viewpoints of participants by incorporating numerous data sources to determine how participants gain knowledge and make decisions regarding an event (Yin, 2013). A case study was appropriate for this study because it focused on discovering future solutions through exploration and consensus. The case study design supported the purpose of this research study, which was to gather the opinions of CISOs and seek a consensus on strategies and solutions for mitigating social engineering attacks.

Researchers incorporate a phenomenological design to understand participants' experience of a phenomenon (Gill, 2014). According to Roberts (2013), this design best explores participants' lived experiences. Using the participants' experiences, the researcher gains an insightful understanding of the phenomenon (Koçyigit, 2017).

Ethnographic researchers focus on the characteristics of a culture, through observation, to understand the challenges and motivations of the culture and to discover emergent themes (Cunliffe & Karunanayake, 2013). According to Cruz and Higginbottom (2013), this understanding of cultural groups occurs through observations conducted over prolonged periods. Ethnography is a means to represent a group graphically and in writing within the context of their culture (Knobloch et al., 2017).

A narrative researcher focuses on gathering participants' life experiences for storytelling on how humans experience the world and to develop a generalization of what the data mean (Kourti, 2016). Tamboukou (2011) stated that a narrative design should be used when exploring a biographical study that follows the lives of individuals. Lewis (2015) explained the role of researchers in a narrative study as the exploration of how participants view themselves and their experiences.

3.2 Population and Sampling

The population for this study was CISOs across six small- to medium-sized organizations within the PCI industry from the West Coast region of the United States. To understand the population, small to medium-sized businesses are defined as those with 499 or fewer employees (Alkhoraif, Rashid, & McLaughlin, 2018). The West Coast region has among the highest concentrations of technology companies handling PCI of all regions in the United States. A justification of the population serves to demonstrate saturation within the dataset (Gentles, Charles, Ploeg, & McKibbon, 2015). The population and sample size are measured by the depth of data rather than frequencies, which enables the selection of the participants best able to answer the research topic (Cho & Lee, 2014). Participants were recruited by obtaining the CISOs' names, e-mail addresses, locations, and number of employees from IT membership databases such as InfraGard, which is a partnership between the FBI and members of the private sector for the protection of U.S. critical infrastructure. The prospective participants received an invitation via email to participate in the research study via a telephone interview. Attached to the email was an informed consent form, which provided detail about their inclusion in the study. All participants must have successfully implemented strategies to deter cybercrime and mitigate social engineering attacks and were willing to provide this information within the interview.

Purposive sampling for this qualitative case study was appropriate for this research study. Purposive sampling enabled me to deliberately select participants based on specific individual characteristics that pertain to the subject matter being researched (Barratt, Ferris, & Lenton, 2015). Purposive sampling is a nonprobability sampling technique whereby the researcher is encouraged to use their best judgment to select participants who will provide unique and rich information of value to the study (Suen, Huang, & Lee, 2014).

Within qualitative research, the sample size is selected to be adequate to identify the themes within the research study. A researcher chooses the number of participants, which depends on the topic and the availability of resources (Benoit, Hannes, & Bilsen, 2016), and uses this sample to gather a rich data set. Within qualitative research, there is a point of data saturation beyond which continuing to collect data only serves to confirm emerging themes (Fusch & Ness, 2015). The goal of obtaining an appropriate sample is to ensure that a detailed analysis of the phenomenon is presented through the selection of individuals (Kwong et al., 2014). In a case study, the sample size can consist of 4 – 15 participants to reach saturation (Gentles et al., 2015).

CISOs within organizations are responsible for ensuring compliance with security procedures and standards and for making decisions to safeguard security and effect change (Wara & Singh, 2015). In addition to designing, implementing, and enforcing security policies, they recommend security investments (Karanja, 2017).

Data saturation has an impact on the quality of the research conducted. According to Fusch and Ness (2015), data saturation is reached when enough information has been gathered to replicate the study, no additional new information is available, and further coding is no longer feasible. A researcher's failure to reach data saturation diminishes the validity of one's research (Walker, 2012). Kwong et al. (2014) noted that qualitative researchers should continue interviewing participants until data saturation is reached.

The interview process catered to the interviewees' availability to allow accurate data collection through open-ended questions, with the possibility of follow-up questions that could provide additional clarity and validation for the study (Houghton, Murphy, Shaw, & Casey, 2015). This natural setting assisted with performing data analysis that is both inductive and deductive toward establishing patterns and themes (Elo et al., 2014). An interview also provides clues in cases of loss of nonverbal and contextual data (Goodman-Delahunty, Martschuk, & Dhami, 2014). It is essential to promote a comfortable, natural setting to gain the participant's confidence and support while creating an asymmetric power relationship between the interviewer and the interviewee (Robinson, 2014). Also, Robinson (2014) emphasized the importance of allowing the interviewee to contribute to the study. The contribution sought from interviewees details their experiences, expectations, and predicaments on an interview topic through a conversation rather than an interrogation.

3.3 Ethical Research

When designing and conducting a qualitative multi-case study, ethical standards need to be adhered to during several phases of research, including ethical issues concerning participants' sensitive information (Yin, 2017). Before the collection of data from selected participants, approval from the Institutional Review Board (IRB) ensures ethical standards and requirements are implemented. Also, a researcher requires specific conditions to allow access to their data (Nadal et al., 2015).

3.4 Data Collection

3.4.1 Instruments

The concept of the researcher within qualitative studies being the primary data collection instrument is echoed by Råheim et al. (2016). Anleu, Blix, Mack, and Wettergren (2016) discussed the role of being the primary data collection instrument, where the researcher is responsible for collecting data in a natural setting to assist with performing data analysis that is both inductive and deductive to establish patterns and themes. The cultural notions of authority and position within the research relationship need to be taken into account (Probst, 2016). Qualitative data collection involves building trust with participants.

When conducting data collection, qualitative researchers use semi-structured interviews (Janghorban, Roudsari, & Taghipour, 2014). Semi-structured interviews have been noted as a valid data collection instrument (Pezalla, Pettigrew, & Miller-Day, 2012). Open-ended questions were used within the data collection instrument. The interview questions were open-ended to stimulate more interaction with the participants. Open-ended questions pave the way for case study researchers to gather insights on specific issues under study (Yin, 2013). Through the use of semi-structured interviews, researchers can uncover hidden facets of human and organizational behavior due to the participant's openness to respond to interview questions in the best way they know how. Semi-structured interviews enable participants to provide an in-depth understanding of a research topic (Yin, 2013). A semi-structured interview is an appropriate approach to capture detailed information about the participants' expectations, views, and experiences (Izci & Göktas, 2017). The use of semi-structured interviews has been discussed by Thompson (2017) as enabling the researcher to gain insights into participants' perspectives about their practices.

Using an interview protocol assists in increasing the reliability of case study research (Yin, 2013). Member checking and thematic analysis aid in adding validity to the study (Comley-White & Potterton, 2018). Posing the same interview questions in sequence to research participants helps to identify themes and allows for efficient data analysis and response comparison (Brédart, Marrel, Abetz-Webb, Lasch, & Acquadro, 2014; Hermanowicz, 2013). Researchers, however, should refrain from asking leading questions in interviews in a manner that leads to bias (Onwuegbuzie & Hwang, 2014). In addition to asking the same questions and avoiding bias, multiple data sources were used for methodological triangulation. Methodological triangulation increases the credibility, reliability, and validity of the study (Yin, 2013). The multiple data sources used for this study included publicly available security and privacy policies implemented in organizations. Saunders and Townsend (2016) noted that the process of efficient participant interviews includes reporting, justification, and the selection of several interview participants within an organization. Archived data, such as documentation and recordings from interviews, provided qualitative research data.

Methodological triangulation provides the researcher with an in-depth understanding of the phenomenon in the study. The use of multiple data collection methods is necessary for the alignment of data and essential for considering trends in data (Komisar, Novak, & Haycock, 2017). Wierenga, Engbers, van Empelen, Hildebrandt, and van Mechelen (2012) added that methodological triangulation enables researchers to probe for patterns within the data to develop overall interpretations using multiple perspectives. An increase in confidence in the study findings is evidenced through the researcher's use of multiple sources in the mitigation of research biases (Harrison, Banks, Pollack, O'Boyle, & Short, 2014).

Member checking was also implemented within the interview process to aid research validity and the reduction of bias. Member checking assures rigor in case study research, as discussed by Houghton, Casey, Shaw, and Murphy (2013). Member checking included providing participants, via email, with a summarized interpretation of their interview responses. The summarized interpretation enabled them to view my interpretation of their responses. Member checking provided the researcher with an opportunity to ensure data saturation had been reached. It also enables a researcher to seek participants' verification of the accuracy of their interview responses (Culver, Gilbert, & Sparkes, 2012). Member checking is also utilized for quality control to verify and validate data collected during the research interviews (Harper & Cole, 2012).

3.4.2 Data Collection Technique

The primary data collection technique was a questionnaire, for which a Google Form was used. The open-ended questions encouraged conversation and captured the data necessary to address the research question. Open-ended questions pave the way for case study researchers to gather insights on specific issues under study (Yin, 2013). The interviewer encourages interviewees to recall and report all relevant information they can remember (Vrij, Mann, Jundi, Hillman, & Hope, 2014). Researchers can use questionnaires to learn and understand participants' experiences and to gain self-awareness and insight into the role they played during the research and how it benefitted them (Barkham & Ersser, 2017).

The process of member checking was utilized to assure response validity. Member checking assures rigor in case study research (Houghton et al., 2013). A researcher performs member checking to consider the accuracy of the participants' interview responses (Harvey, 2015). Each interview response was summarized for thematic analysis and member checking to illustrate emerging themes from individual responses. Member checking is a technique for exploring the credibility of results and provides the researcher with a means to test the fit of their interpretation to participants' responses (Smith & McGannon, 2018). Data or results were returned to participants to check for accuracy and resonance with their experiences. Participants were requested to comment on the narrative summary to ensure their views were well understood. In the data analysis process, feedback received from participants was incorporated, and the themes that emerged in the study were confirmed.

Each data collection technique has its advantages and disadvantages. Document reviews are timeous to collect, review, and analyze (Owen, 2014). The advantages of document reviews are their inexpensiveness, their provision of in-depth, rich background information, and their ability to highlight issues not yet discovered by other data collection methods (Wolfswinkel, Furtmueller, & Wilderom, 2013). Elo et al. (2014) highlighted that the primary disadvantage of conducting interviews is the risk of interview bias. However, interviews encourage participants to elaborate on and discuss in depth the issues that are important to them (Pacho, 2015).

3.4.3 Data Organization Techniques

The data collected for this qualitative multicase study consisted of responses by CISOs of small to medium organizations gathered through questionnaires with open-ended questions. Data organization techniques are used by researchers when managing data to ensure the reliability and validity of a study (Martin & Meyer, 2012). Once the original questionnaire has been transcribed and member checking has occurred, the researcher establishes data credibility (Harvey, 2015). Member checking provides a researcher with an opportunity to seek participants' verification of the accuracy of their interview responses (Culver et al., 2012). A research log captures data to aid in the examination of assumptions and actions that are thematic within the study (Wagstaff, Hanton, & Fletcher, 2013). This qualitative research organizes data into categories that assist in identifying themes during data analysis (Merriam, 2014). Yin (2013) adds that the identification of emerging patterns, themes, and trends from questionnaires is the focus of data organization.

3.4.4 Data Analysis Technique

The objective of the data analysis process was to evaluate the patterns and themes that emerged during the interview process. Data analysis involves the application of principles such as interview transcription, in-depth analysis of the phenomena explored, development of data coding, and the identification of links to themes (Smith & Firth, 2011). Yin (2017) added that emerging patterns are identified through analytical techniques, which results in the strengthening of the validity of the study. The use of multiple sources of evidence in case study research allows the researcher to explore various evidence and converging lines of inquiry (Yin, 2017). One such analytical technique is triangulation. Through triangulation, a researcher can explore multiple sources of information to strengthen the construct validity of the study (Morgan, 2019). Methodological triangulation involved using more than one method to gather data, such as interviews, observations, questionnaires, and documents.

Choosing the most suitable research study participants to obtain detailed data was more significant than sample size in reaching data saturation. Data analysis relied on data saturation being reached. Fusch and Ness (2015) detailed data saturation to include (a) no new data obtained, (b) no new themes identified, (c) no new coding, and (d) the ability to replicate the study. The data analysis process continued with an in-depth evaluation of the themes and patterns that emerged from the interviews.

3.5 Reliability and Validity

Reliability and validity eliminate bias and minimize errors within qualitative research. According to Elo et al. (2014), there are four criteria to help ensure reliability and validity: dependability, credibility, transferability, and confirmability. Reliability and validity are both crucial in qualitative research studies as they help ensure the data are trustworthy.

3.5.1 Reliability

The goal of establishing reliability is to eliminate bias in the research study and minimize any errors (Cope, 2014; Noble & Smith, 2015). Reliability is the consistency of the results obtained. Reliability is a criterion for judging the quality of research study designs, with the logical test of the research findings being data dependability (Yin, 2013). To establish reliability, researchers in qualitative studies use dependability to focus on a measurement formed within a construct (Cope, 2014). The following section highlights the establishment of the dependability of the study findings.

3.5.2 Dependability

Dependability, according to McCusker and Gunaydin (2015), refers to research data remaining the same under different conditions. The researcher establishes dependability and trustworthiness through reporting the content analysis obtained from the data collection method, sampling strategy, and data analysis techniques selected (Hays, Wood, Dahl, & Kirk-Jenkins, 2016). Thomas (2017) explained that the dependability of the data presented is reliant on the interaction between the researcher, the research study, the research data, and a high level of accuracy. Dependability was achieved within this study through reviewing transcripts, member checking, and additional note-taking during the interview process.

3.5.3 Validity

Researchers aim to establish the validity of the research tool to ensure that the selected instrument most relates to the construct of interest and will assist in answering the research question. Validity aims to minimize errors, eliminate bias, and establish the integrity and applicability of the methods in use, all while ensuring the precision with which the findings accurately reflect the data (Noble & Smith, 2015). According to Yin (2013), researchers ensure validity by focusing on the measurements between constructs. Trustworthiness, credibility, and confirmability are logical tests guiding qualitative research. Three criteria assist in judging the quality of research designs: construct validity, internal validity, and external validity (Yin, 2013). Within a qualitative research study, these criteria for establishing validity take the form of credibility, transferability, and confirmability (Cope, 2014). The following sections discuss how the credibility, transferability, and confirmability of the research findings were established.

3.5.4 Credibility

In qualitative research, the term credibility is used rather than validity. According to Cope (2014), credibility refers to the truth of the data and the views of the participants. As researchers are the research instruments, the credibility of the study is ensured through dependence on the procedures implemented and the researcher's self-awareness throughout the research process. Noble and Smith (2015) listed the methodological strategies used to ensure credibility in findings as reflection on the researcher's perceptions, using a representative sample of the phenomenon, achieving auditability, and the application of conclusions to other contexts.

3.5.5 Transferability

Qualitative researchers provide detailed descriptions of the research process, which readers use to determine the transferability of the study. According to Cope (2014), transferability refers to the application of findings to other settings or similar groups. Purposive sampling is used to enhance the transferability of findings (Maree, Parker, Kaplan, & Oosthuizen, 2016). The research structure, which includes purposive sampling and its details, an outline of research assumptions, limitations, and delimitations, provided sufficient context for other researchers to determine the transferability of this study. Transferability is the ability to generalize research findings to a larger population (Marshall & Rossman, 2010). Transferability is essential as it allows researchers in the future to build on the study or develop a new theory (Elo et al., 2014). Transferability is achieved if the findings of a qualitative study are transferable to similar settings (Hays et al., 2016).

3.5.6 Confirmability

Confirmability is based on the confirmation of findings and the logic of the data following its analysis (Pozzebon, Rodriguez, & Petrini, 2014). Confirmability ensures the researcher represents a participant's response rather than the researcher's bias (Cope, 2014). Member checking of each interview ensures the validity of the research process and achieves confirmability (Hays et al., 2016). The recognition of the study's limitations and an audit trail enhance confirmability (Maree et al., 2016). The development of an audit trail, which included note taking during the interviews and member checking, helped to foster the confirmability of this study.

CHAPTER FOUR

RESULTS AND ANALYSIS

4.1 Taxonomy and Defensive Techniques Summary

In this research, we created a taxonomy of the attacks and summarized the proposed methods from both the State of the Art and the State of the Practice perspective. A comprehensive table was created to visualize the current Social Engineering Attacks and their appropriate practical defensive methods, as well as the current State of the Art solutions and propositions.

The taxonomy showed us that the combination of software and awareness is essential for the defense of the students. Both the state of the art and the state of the practice give generally the same suggestions, with state-of-the-practice advice being more tangible while the state of the art proposes future models for development.
4.2 Practice Defense Methods

TABLE 4.1: Taxonomy of Social Engineering Attacks and State of the Art and State of the Practice Defense Methods

Phishing
State of the Art Defense: Education, Anti-Phishing tools and extensions, Automated Phishing Recognition, Spam Filters
State of the Practice Defense: Awareness, Spam Filter, Anti-Phishing Browser Plugin, Antivirus, MFA, Download and open files in the cloud environment

Spear-Phishing
State of the Art Defense: Awareness Programs, Corporate Education, Machine Learning Algorithms, Software with automated spear-phishing recognition
State of the Practice Defense: Awareness, MFA, Antivirus, Download and open files in the cloud environment

Smishing
State of the Art Defense: Automated Smishing Recognition, Awareness
State of the Practice Defense: Awareness, Smartphone Antivirus, MFA, Proper App Permissions

Pop-up Advertisement
State of the Art Defense: Choosing the appropriate browser and user-agent, Hiding the ad-blocker's raw code
State of the Practice Defense: Ad-blockers, Awareness, Active Firewall

URL shortener
State of the Art Defense: A proposed model where part of the actual URL is added to the shorter one, to give the users a clue about where the link will lead them
State of the Practice Defense: High Awareness, Using the preview modes that big platforms provide (e.g. adding "+" at the end of a bit.ly link)
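As an added example (not part of the thesis or its survey), the following Python code implements the state-of-the-practice defense from the URL shortener row of Table 4.1: it scans a message for shortened links and rewrites bit.ly links into their "+" preview form so the destination can be inspected before the link is followed. The bit.ly "+" suffix is the one the table names; the list of other shortener hosts and the sample message are constructed for this example, and links on those hosts are only flagged because no preview rule is configured for them here.

```python
"""Flag shortened URLs in a message and build their preview form.

Added example, not from the thesis: a defender-side check for the
URL-shortener row of Table 4.1 (let the user see where a short link
leads before following it). Only the bit.ly "+" preview named in the
table is implemented; the other shortener hosts and the sample message
below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts whose preview page is reached by appending "+" to the short link
# (bit.ly, as stated in Table 4.1).
PLUS_PREVIEW_HOSTS = {"bit.ly"}

# Other well-known shortener hosts (constructed list). No preview rule is
# configured for them here, so such links are flagged for manual expansion.
OTHER_SHORTENER_HOSTS = {"tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Loose URL matcher: scheme, then everything up to whitespace or a closing
# quote/bracket. Trailing sentence punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample message in the style of the lures the survey scenarios
# describe (one bit.ly link, one other shortener, one ordinary link).
SAMPLE_MESSAGE = (
    "Your parcel could not be delivered. Reschedule here: https://bit.ly/3xYz9Ab. "
    "Tracking details: http://tinyurl.com/abc12 "
    "Support portal: https://www.example.com/help"
)


@dataclass(frozen=True)
class ShortLinkFinding:
    url: str                    # short link as it appeared in the message
    host: str                   # normalised host name
    preview_url: Optional[str]  # preview form, or None when no rule applies
    advice: str                 # what the recipient should do


def _normalise_host(url: str) -> str:
    """Lower-case the host and drop a leading 'www.' so set lookups match."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def preview_form(url: str) -> Optional[str]:
    """Return the preview URL for a "+"-preview shortener link, else None.

    A bare shortener domain (no short code) yields None, and a link that
    already ends in "+" is returned unchanged.
    """
    parts = urlsplit(url)
    if _normalise_host(url) not in PLUS_PREVIEW_HOSTS:
        return None
    path = parts.path.rstrip("/")
    if not path:
        return None
    if path.endswith("+"):
        return url
    # Query string and fragment are not part of the short code, so drop them.
    return f"{parts.scheme}://{parts.netloc}{path}+"


def scan_message(text: str) -> List[ShortLinkFinding]:
    """Find shortened links in free text and say how to preview each one."""
    findings: List[ShortLinkFinding] = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?")
        host = _normalise_host(url)
        if host in PLUS_PREVIEW_HOSTS:
            preview = preview_form(url)
            advice = (
                "Open the preview link instead of the short link and check the destination domain."
                if preview
                else "Shortener domain without a short code; treat the link as suspicious."
            )
        elif host in OTHER_SHORTENER_HOSTS:
            preview = None
            advice = "Shortened link with no preview rule configured; expand it before following."
        else:
            continue  # ordinary link, out of scope for this check
        findings.append(ShortLinkFinding(url, host, preview, advice))
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(f"{finding.url} ({finding.host})")
        print(f"  preview: {finding.preview_url or 'none'}")
        print(f"  advice:  {finding.advice}")
```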

4.3 Survey

The survey was answered by thirty-one individuals who match the profile of students. The survey was open for one week, during which the individuals could answer. The main idea of the survey is to use the Likert scale, so the main questions take the form of Likert items representing the opinion of the respondents on a scale from one to ten. Ten represents "Strongly Agree with the statement" and one represents the lowest bound, "Strongly Disagree with the statement". The structure of the survey, as well as its contribution to the knowledge and the results, is described below.

The logical road map of the survey can be seen below.

4.3.1 General Internet and Computer Knowledge Assessment

The reason for addressing this particular subsection regarding the online activities of the participants was to assess the users' exposure to social engineering threats. By establishing the time they spend online, browsing, using email services and social media, we see for how long their attack vectors remain open when considering the technical side of social engineering and disregarding the user's capability of mentally estimating and mitigating the risk. Furthermore, we wanted to explore their general technical knowledge so that we can see whether they are able to apply the different technical defense mechanisms from the state of the practice.
4.3.2 Social Engineering - Education

This subsection of the survey was intended specifically for the people who had taken part in formal education that gave knowledge in the sphere of social engineering defense techniques. It was in the interest of the research to understand whether the respondents found it beneficial to participate in such seminars or lectures when it comes to defending themselves from social engineering attacks. The questions relate to the quality of the education as well as to the impact it had on the respondents who participated in it.

4.3.3 Social Engineering - Attacks, Defense & Impact

The section was designed specifically for the category of social engineering knowledge, which differs from the overall computer and smartphone knowledge of the respondents. Its main purpose is to assess whether the respondents have already applied some tactics to mitigate the risk of social engineering attacks, as well as to establish whether the respondents are aware of the risk that such an attack can occur.

4.3.4 Social Engineering - Attack Experience

That particular section of the survey is provided for the respondents who were attacked in the past by means of social engineering. The respondents assess the impact that the attack had on them in terms of financial, material, and immaterial damages. Additionally, the respondents can assess whether that attack made them more vigilant against its next occurrence.

4.3.5 Social Engineering - Scenarios

The scenarios are the last part of the survey. Each respondent has the opportunity to test the awareness that they currently possess regarding social engineering defense. The respondents are presented with four scenarios, some of which are actually social engineering and some of which are not but could potentially be. There are two emails, one of which represents the social engineering category of phishing while the other is a genuine email.

Additionally, to cover a broader range of categories, there is a Smishing scenario and a URL shortener scenario. By completing the scenarios, the respondents provide another angle for the research on whether users are actually informed about the different attack taxonomy and whether they suspect different attack vectors when an attack is executed.

Figure 4.1: Scenario 1

Figure 4.2: Scenario 2

Figure 4.3: Scenario 3

Figure 4.4: Scenario 4

4.4 Survey Results

The raw data has been extracted and is presented in Appendices C and D. It is summarised in two tables. The first lists each statement or question number together with the statement or question itself, so that readers know how the survey was conducted and what the respondents were asked. The second lists each number together with the mean and standard deviation of the responses, or the percentage of respondents who answered in a specific way. The tables are as follows:

Table 4.2: Statements and Questions Presented as Likert Items (items 18, 30 and 31 are yes/no questions)

No.  Statement/Question
1    I spend a great deal of time browsing on my devices.
2    I spend most of my time on my devices on a social media platform.
3    I spend a great deal of time online.
4    I use email, and related services, regularly.
5    I attempt to make my passwords as long and complex as possible.
6    I try not to use the same password on different services.
7    I attempt to employ Two Factor Authentication (2FA) wherever applicable.
8    I am aware of what a 'URL shortener' is.
9    I am knowledgeable when it comes to personal computers.
10   I am experienced when it comes to the usage of the internet.
11   I am knowledgeable when it comes to smart devices.
12   I use a Virtual Private Network (VPN) service whenever applicable.
13   I use Anti-Virus software whenever applicable.
14   I use advanced operating systems (Linux-based, FreeBSD, etc.) on a regular basis.
15   I use security plugins in my browser whenever applicable.
16   My choice of browser is very important to me.
17   I regularly backup any data present on my devices.
18   Have you taken part in any social engineering defense training courses/seminars?
19   The course/seminar was useful and taught me about good mitigation strategies for Social Engineering attacks.
20   The information in the course/seminar was practical and can be applied in real life scenarios.
21   I am aware of what a Social Engineering/Phishing attack is.
22   I am aware of the different forms that Social Engineering/Phishing attacks can take.
23   I know how to defend myself from Social Engineering/Phishing attacks.
24   I am aware of what my most valuable digital assets are.
25   I use a plugin that can help prevent phishing attacks.
26   I am aware of the impact that Social Engineering attacks/Phishing can have.
27   I am cautious when opening links that I have received.
28   I tend to share a great deal of personal information online.
29   I trust pop-up advertisements on websites.
30   Have you fallen victim to a Social Engineering/Phishing attack in the past?
31   Was the context of the attack related to Hacking?
32   The attack resulted in a loss of sensitive/personal information.
33   The attack resulted in financial damage.
34   The attack made me more vigilant about these types of cyber-crimes.
35   I would trust this link to lead me to the actual Facebook website.
36   I think that this message is legitimately from Apple.
37   I think that the email in the image is illegitimate.
38   I think that the email in the image is legitimate.

Table 4.3: The Mean Values along with the Standard Deviation
(For Likert items: mean value and standard deviation of the 1 to 10 responses. For the yes/no questions 18, 30 and 31: percentage of "Yes" answers and percentage of "No" answers.)

No.  Mean / Yes %   Std. dev. / No %
1    8.75           1.3
2    8.58           1.39
3    8.68           1.64
4    8.52           1.83
5    6.49           2.14
6    3.84           2.72
7    5.2            3.13
8    7.1            3.15
9    7.23           2.19
10   8.26           1.87
11   8.13           1.98
12   5.07           2.74
13   6.17           3.26
14   3.07           2.48
15   4.42           2.76
16   6.33           2.52
17   5.62           2.41
18   19.4%          80.6%
19   7.34           2.8
20   7.5            3.25
21   4.13           3.96
22   4.2            3.22
23   3.97           2.85
24   5.36           2.13
25   3.94           2.97
26   4.81           2.94
27   8.33           2.94
28   4.36           2.15
29   2.33           1.68
30   90.3%          9.7%
31   66.7%          33.3%
32   1              1
33   1.34           0.48
34   4              1.64
35   2.75           2.72
36   2.23           1.93
37   6.49           3.25
38   4.07           2.94

The survey begins with a section that profiles the respondents, so that conclusions can be drawn and generalised for individuals who match different profiles. It was structured this way so that the awareness levels of people who are less experienced with computers and related devices could be gauged and compared with those of people who are more experienced. This shows whether people who rate their own knowledge of computers and networking highly are more aware of social engineering attacks than people who do not, and whether more experienced individuals are better at telling legitimate emails from fake ones in the scenario section of the questionnaire. The questionnaire opens with a general internet and computer knowledge assessment in which respondents rate themselves on Likert items on a scale from 1 to 10, where 1 represents "Strongly Disagree" and 10 represents "Strongly Agree".

The first question begins the profiling that continues throughout the section and is meant to distinguish advanced from less advanced users. For the first statement, "I spend a great deal of time browsing on my devices", all respondents answered between 6 and 10, with the most common answer being 10 (41.9% of respondents). Similarly, for the second statement, "I spend most of my time on my devices on a social media platform", all respondents answered between 6 and 10, and the largest group, 38.7%, strongly agreed. For the next statement, "I spend a great deal of time online", the answers were somewhat more spread out, but all remained above 5, with the majority answering 9 or 10 (29% and 41.9% of responses respectively). For "I use email, and related services, regularly", the responses were also more spread out than expected, but the majority agreed, with 45.2% answering 10.

The next statement, "I attempt to make my passwords as long and complex as possible", drew responses spread between 3 and 10, with the largest group (29%) answering 7. The following statement was also about password security: "I try not to use the same password on different services". Here the responses ranged over the entire scale from 1 to 10, but the largest groups were at 1 and 2, with 22.6% and 25.8% of responses respectively.

Having gained a sense of the respondents' regular usage habits, we presented statements about their online security habits, their awareness of different security services and methods, and how they perceive their own knowledge of computer-related topics. The first statement in this subsection, "I attempt to employ Two Factor Authentication (2FA) wherever applicable", again drew answers across the whole scale, but the largest group, 22.6%, answered 1. For "I am aware of what a 'URL shortener' is", the largest group of answers was a resounding 10, at 38.7%.

The next statements probe how the respondents perceive their own experience and knowledge of computers. For "I am knowledgeable when it comes to personal computers", the two largest groups answered 7 (22.6%) and 10 (22.6%). For "I am experienced when it comes to the usage of the internet", the most common answer was 10 (35.5%). For "I am knowledgeable when it comes to smart devices", the responses resembled the previous two, with most respondents answering 9 (29%) or 10 (29%).

The statements about security tools drew more mixed responses. "I use a Virtual Private Network (VPN) service whenever applicable" received answers from 1 to 10, with the largest group (16.1%) answering 3. "I use Anti-Virus software whenever applicable" was also spread over the scale, but the largest groups were at the high end, with 19.4% answering 9 and 22.6% answering 10. "I use advanced operating systems (Linux-based, FreeBSD, etc.) on a regular basis" scored low, with 38.7% answering 1; by advanced OS we mean one with advanced networking capabilities that is generally harder for an average user to operate. "I use security plugins in my browser whenever applicable" also drew scattered answers, the largest groups being 1 (25.8%) and 5 (16.1%). For "My choice of browser is very important to me", 25.8% answered 7 and the second-largest group, 16.1%, answered 10. The final statement in this section, "I regularly back up any data present on my devices", scored fairly high, with the two largest groups at 6 (19.4%) and 7 (19.4%).

The next section asks a yes/no question meant to separate the respondents according to whether they had taken part in a social engineering awareness course or training program. Most had not: 80.6% answered "No" to "Have you taken part in any social engineering defense training courses/seminars?". The statements that follow were shown only to respondents who answered "Yes", so they have fewer responses. For "The course/seminar was useful and taught me about good mitigation strategies for Social Engineering attacks", 33.3% of the 6 respondents answered 7 and another 33.3% answered 8. "The information in the course/seminar was practical and can be applied in real-life scenarios" drew a mixed response spread over the scale, with the largest group, 33.3%, answering 10.

After the section on social engineering training, all respondents were brought back together and asked questions based entirely on the findings of our literature review on social engineering and social engineering attacks. For the first statement, "I am aware of what a Social Engineering attack is", the largest groups answered 5 (19.4%), 1 (16.1%) and 10 (16.1%). Responses to "I am aware of the different forms that Social Engineering attacks can take" were mixed but mostly on the low side of the scale, with the largest group, 35.5%, answering 1. "I know how to defend myself from Social Engineering attacks" also scored low, with the two largest groups, 22.6% and 29%, answering 1 and 3 respectively. "I am aware of what my most valuable digital assets are" had a much more spread-out response, with answers registered at every point on the scale; the largest group, 16.1%, answered 5, but there were other significant groups, with 12.9% each answering 1, 2, 7 and 9. For "I use a plugin that can help prevent phishing attacks", the largest group, 41.9%, answered 1. For "I am aware of the impact that Social Engineering attacks can have", the responses lean towards a lack of awareness, with the largest group, 19.4%, answering 1 (mean 4.81). "I am cautious when opening links that I have received" stood out, with a majority of 51.6% answering 10. For "I tend to share a great deal of personal information online", the answers were again spread over the scale, with the largest group (29%) answering 3. "I trust pop-up advertisements on websites" scored low, with a majority of 54.8% answering 1.

The section closes with another yes/no question: "Have you fallen victim to a social engineering attack in the past?". A large majority, 90.3%, answered "No". Those who answered "Yes" were routed to a subsection asking about the specifics of the attack. Its first question was also yes/no, "Was the context of the attack related to Hacking?", and a majority, 66.7%, answered "No". Statements then resume: for "The attack resulted in a loss of sensitive/personal information", 100% of the respondents answered 1. "The attack resulted in financial damage" also scored low, with 66.7% answering 1 and 33.3% answering 2. For the final statement, "The attack made me more vigilant about these types of cyber-crimes", the responses were evenly distributed, with 33.3% answering 2, 33.3% answering 4 and 33.3% answering 6.

The final section presented the respondents with images, each corresponding to a specific phishing attempt (Figures 4.1 to 4.4 above; also Figures B.1 to B.4 in the appendix), and asked them to rate on a scale from 1 to 10 how legitimate they consider the content of the image to be; for an SMS message, for example, they rated how legitimate the SMS is. The first statement, "I would trust this link to lead me to the actual Facebook website", was shown with an image of a legitimate Facebook link; 64.5% of the respondents answered 1. For "I think that this message is legitimately from Apple", the majority, 54.8%, also answered 1. The penultimate statement showed an image of an email with the statement "I think that the email in the image is illegitimate"; 19.4% of the respondents answered 1. The final statement, "I think that the email in the image is legitimate", had an evenly distributed response, although the largest group, 35.5%, answered 1.

4.5 Survey Analysis

After the raw data was gathered, it was analysed and compared primarily with related research and with the advice from the theoretical knowledge chapter. The first four statements and statement eight explore the respondents' exposure to the technical vectors and tools that attackers exploit when executing social engineering attacks of various sorts. On the four statements the respondents consistently answered at the high end of the scale, with means averaging 8.63 and standard deviations averaging 1.54, which shows that the students spend a great deal of time online and are constantly exposed to the vectors used by attacks such as phishing, smishing and malicious pop-up ads.

Statements five and six concern passwords and were included to gather insight into the respondents' password habits. On the first, about complexity, the respondents state that they try to make passwords that are harder to crack (mean 6.49). On the second, about using the same password across different services and devices, the majority state that they do reuse passwords (mean 3.84). Password reuse means that a credential breached from one service or device can simply be replayed against the others, so a single breach gives the attacker access to several accounts. This is a major security issue for the users and an indicator of their general security awareness.
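The replay described above is known as credential stuffing. The following example, added here for illustration and not part of the original survey or thesis, shows it with constructed data: a plaintext credential dump leaked from a breached "service A" is replayed against an unrelated "service B" that stores passwords properly (salted PBKDF2). The user names, passwords and both services are assumptions for the demonstration; the point is that service B's good hashing does not help the users who reused their service-A password.

```python
import hashlib
import hmac
import os

# Constructed example data (not from the survey): a credential dump leaked
# from a breached "service A" in which passwords were recovered in plaintext.
LEAKED_FROM_A = {
    "alice@example.com": "Summer2023!",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "P@ssw0rd",
}

# Constructed: what the same users chose on an unrelated "service B".
# Alice and Carol reused their service-A password; Bob used a unique one.
SERVICE_B_PASSWORDS = {
    "alice@example.com": "Summer2023!",
    "bob@example.com": "xq7!Lm2#vB9pRt",
    "carol@example.com": "P@ssw0rd",
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the way a well-run service stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(passwords: dict) -> dict:
    """Build service B's credential store: user -> (random salt, hash)."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    """Service B's login check, with a constant-time comparison of the digests."""
    record = store.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def credential_stuffing(leak: dict, target_store: dict) -> list:
    """Replay every leaked (user, password) pair against the target service.
    Returns the users whose reused password logs them in on the target."""
    return sorted(user for user, password in leak.items() if verify(target_store, user, password))


def demo() -> list:
    """Run the replay of the service-A leak against service B."""
    return credential_stuffing(LEAKED_FROM_A, make_store(SERVICE_B_PASSWORDS))


if __name__ == "__main__":
    print("accounts on service B compromised by reuse:", demo())
```

Only Alice and Carol fall, even though service B never leaked anything; Bob's unique password means the service-A breach stops at service A. This is exactly why statement six matters more than statement five: a long, complex password that is reused is still one breach away from every account that shares it.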

The seventh Likert item asks whether the respondents employ two-factor authentication (2FA). Figure 4.5 shows the students' answers: the most frequent answer is the minimum value on the scale. This contradicts the advice in the theoretical knowledge chapter on the layers of defense a user should have in place, which states that at the very least the most critical accounts must be protected with multi-factor authentication.

Figure 4.5: Results from the statement: "I attempt to employ Two Factor Authentication

(2FA) wherever applicable"

The respondents' self-assessment was high: most stated that they are knowledgeable about personal computers and smartphones. However, only one respondent gave the maximum value for advanced OS usage, and the rest of the answers were predominantly in the lower half of the scale. This suggests that, although the respondents are familiar with their own devices, they do not consider the capabilities that different operating systems can offer.

Of particular interest were the answers to "I use security plugins in my browser whenever applicable" and "My choice of browser is very important to me". The respondents stated that they rarely use security plugins, which could imply that they are more exposed on the technical side of general security and, by extension, of social engineering. However, the answers on the importance of browser choice had a lower standard deviation than we expected. This can be read as a willingness to improve their privacy combined with limited knowledge of the options available. Statement seventeen established the respondents' view of backups. It is common knowledge that backups matter because they allow lost data to be recovered quickly. Figure 4.6 shows that most respondents stated that they create and maintain backups, which is a useful additional layer of recovery.

Figure 4.6: Results from the statement: "I regularly backup any data present on my

devices."

As Figure 4.7 shows, only six of the thirty-one respondents had taken formal training. However, in the subsequent statements about that training, all of those respondents stated that it was useful and applicable to their everyday device usage.

Figure 4.7: The percentage of the respondents who have participated in formal education about social engineering mitigation

On the statement about using a plugin that prevents phishing, Figure 4.8 shows that the vast majority answered with the minimum value of one, while the remaining answers were evenly dispersed; most answers were therefore in the lower half of the scale, which indicates that the respondents are not aware of the defensive layer such a plugin can add.

Figure 4.8: Anti-Phishing plugin usage throughout the survey respondents

The students proved to be very careful with unknown links. On the statement about caution when opening received links, sixteen of them said they are extremely cautious and only one said the opposite (Figure 4.9). This corresponds with the link scenario later in the survey, which put their awareness to the test: as Figure 4.10 shows, twenty respondents would be on the highest alert when opening an unknown link. Although the earlier taxonomy statements suggested that the respondents do not know the attack categories by name, when the matter was practical they reacted properly and most of them were able to mitigate the risk presented to them. It is worth noting that the link in Scenario 1 was a legitimate Facebook link, so the twenty respondents who distrusted it were cautious rather than accurate; the per-individual analysis of the email scenarios below makes the same distinction between awareness and overcaution.
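What "reacting properly" to a link looks like can be made mechanical. The following example, added here and not drawn from the thesis, the survey or any product, checks the structural red flags behind the link scenario in Section 4.3.5 and the Facebook and Apple scenarios analysed here: a brand name placed in a subdomain of an unrelated domain, credentials before an "@" that hide the real host, a raw IP address, a non-ASCII or punycode host that may be a homoglyph, and a URL shortener that hides the destination. The shortener list, the brand-to-domain table, the "last two labels" domain rule and the sample SMS are constructed assumptions for the demonstration; a real checker would use a maintained shortener list and the Public Suffix List.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed lists for this demonstration only.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "apple": {"apple.com", "icloud.com"},
}
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Wrong for suffixes such as co.uk; use the Public Suffix List in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(url: str, expected_brand: Optional[str] = None) -> dict:
    """Structural red flags a user (or a mail/SMS filter) should check before clicking."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.username is not None:
        findings.append(f"text before '@' is not the host; the real host is {host}")
    if host in SHORTENER_HOSTS:
        findings.append("URL shortener hides the real destination")
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP address used as host")
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        findings.append("non-ASCII or punycode host: possible homoglyph of a brand name")
    if expected_brand and domain not in BRAND_DOMAINS[expected_brand]:
        if expected_brand in host:
            findings.append(f"'{expected_brand}' appears in the host, but the registrable domain is {domain}")
        else:
            findings.append(f"{domain} is not a known {expected_brand} domain")
    return {"host": host, "domain": domain, "findings": findings, "suspicious": bool(findings)}


def analyze_message(text: str, expected_brand: Optional[str] = None) -> list:
    """Smishing/phishing body check: extract every link and analyze each one."""
    results = []
    for match in URL_RE.finditer(text):
        results.append(analyze_link(match.group(0).rstrip(".,;:!?)"), expected_brand))
    return results


if __name__ == "__main__":
    # Constructed SMS in the style of the survey's Apple smishing scenario.
    sms = ("Apple: your iCloud ID was used to sign in from a new device. "
           "Verify now at https://bit.ly/3xYz or your account will be locked.")
    for result in analyze_message(sms, "apple"):
        print(result)
```

The checks are deliberately structural: they do not need a blocklist to flag `facebook.com.security-check.example` as not being Facebook, or `http://apple.com@198.51.100.7/` as a link whose real host is the IP address after the "@". A genuine `https://www.facebook.com/login` produces no findings, which is the case the twenty overcautious respondents in Figure 4.10 got "wrong" in the safe direction.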

Figure 4.9: The students response to whether they are cautious when opening links

Figure 4.10: Results from the statement: "I trust this link to lead me to Facebook"

For the spear-phishing threat we considered the attacker's OSINT capabilities and the corresponding defensive tactic of not sharing much personal information online. As Figure 4.11 shows, the answers on sharing personal information publicly were mostly on the negative side of the scale, which implies that an attacker using OSINT methods to establish initial contact would have a hard time finding information about these users. However, as Figure 4.7 showed, very few respondents have had formal training. That does not necessarily mean they are unaware; it depends on the individual's interest in the field and their will to improve their own cyber-security and privacy. It is nevertheless well advised for users to keep an up-to-date view of current phishing and spear-phishing scam scenarios, and to inform themselves through formal education such as seminars or simply by reading on their own.

Figure 4.11: Results from the statement: "I tend to share a great deal of personal information online."

For pop-up ads the respondents gave uniformly low scores. As Figure 4.12 shows, only two individuals gave a value of six, the only value in the upper half of the scale, while the rest gave lower values, which suggests they are reasonably safe from the psychological pull that malicious ads exert on users. Since the main defense here is end-user awareness, the respondents in this case signalled that they are quite cautious.

Figure 4.12: Results from the statement: "I trust pop-up advertisements on websites."

The scenario containing the illegitimate email was recognised by the respondents: as Figure 4.13 shows, the majority correctly did not trust the illegitimate email. Although they are not particularly computer-savvy, we suspect that they had already seen a message that was possibly phishing, spam or a scam, or that a relative or friend had told them of a similar experience, so the students had built up part of the awareness needed to counter this type of cyber-attack.

Figure 4.13: Results from the illegitimate email scenario

Two-thirds of the students could also tell which email was real. As Figure 4.14 shows, the respondents mostly assigned values corresponding to "Agree" and "Strongly Agree" on the Likert scale. This may again be the result of self-taught knowledge, or the respondents were able to recognise the signs of legitimate and malicious mail and tell them apart.

Figure 4.14: Results from the legitimate email scenario

To gain deeper insight, the answers to the two email scenarios were examined per individual, focusing on the respondents who gave the two extremes, "Strongly Agree" and "Strongly Disagree". Six individuals indicated that they did not trust either email to be legitimate, showing that they were either unsure or extremely cautious. A further seven respondents answered quite precisely, giving values of eight, nine and ten to the legitimate email and values from one to three to the malicious email. These seven evidently knew which message was real and which was malicious, so at least 22.6% (7 of 31) of the students were aware of phishing, and a further 19.4% (6 of 31) were overcautious. As discussed in the Theoretical Knowledge chapter, overcaution is not necessarily bad and does not mean these respondents are less protected than those who could tell the real email from the phishing one.

Figure 4.15: Results from the smishing scenario

Building on this, the answers to the smishing scenario were also examined per individual. The same seven students who precisely identified the real and fake emails were checked to see whether they also identified the smishing attack and concluded that the SMS was not authentic. Six of the seven did, and the same six individuals who treated both emails as malicious also judged the SMS to be not authentic. The latter can be interpreted as extreme caution: they could not tell the messages apart but nevertheless decided not to trust them.

We cannot give an absolute verdict that these students are fully safe, but we can say that they have higher awareness and a better perception of what is and is not a real attack than the rest of the respondents, which makes their security somewhat better. The remaining respondents either judged the malicious email to be real and the real one to be inauthentic, or gave indecisive answers in the middle of the Likert scale, which indicates that they could not immediately spot the threat that the inauthentic messages posed.

4.6 Interview

An interview was conducted with a highly qualified IT expert who is a working practitioner: a Lead Administrator at a large public organisation with years of practical experience, responsible for investigating and mitigating social engineering attacks. The interview anchored the state of the practice by providing a real-world angle on the current situation with social engineering, and it helped match the state of attacks and defenses against the related research. Despite the expert's best effort to answer every question, some answers would have disclosed security-sensitive details and were omitted from this paper to preserve the security of the expert's workplace.

4.6.1 Interview Results

The first question concerned the attacks themselves and aimed to establish how the organisation's network takes part in attacks: is it the host of an attack, or is it being attacked? The respondent stated that both occur, but that so far the IT team has managed to stay ahead of the attackers despite constant attempts to breach the network.

To the question "Does the organization provide options for MFA (Multi Factor Authentication), and are there any multi-layered defenses in place in order to prevent phishing?", the expert stated that the organisation provides MFA and advises employees to use it, which corresponds with the current defense methods identified in the state-of-the-practice research. Regarding employee behaviour when a suspicious email arrives, employees report it directly to the response team even if their email security software classifies it as legitimate, and they also report all other events that appear potentially malicious, which further increases the organisation's security.

Unsurprisingly, according to the expert the organisation continually conducts seminars and training aimed at educating employees outside the IT sector about the risks of social engineering attacks and about the attackers' goals and behaviour. The expert added that the internal training and education are kept up to date, and that public media coverage has also had a direct positive impact on awareness. There are further routines, not disclosed, that help thwart attacks. The expert did not disclose how many attacks had been successful, citing risk to the organisation's security, but assured us that routines and measures are in place so that a used attack vector is closed to further exploitation. Finally, on whether attackers were pinpointed and caught, the expert again stated that this information is confidential to the organisation's IT team and that releasing any information on whether and how perpetrators were identified would undermine the organisation's IT security.

4.6.2 Interview Analysis

The interview centred on education and training. The respondent's answers on the use of MFA align with the advice given by the sources in the state-of-the-practice research. The organisation's IT team encourages MFA as an extra layer of defense against cyber-attacks and system exploits. Awareness in the organisation is raised through training, seminars and other internal education, which correlates with the advice on combating social engineering in both the state of the art and the state of the practice. The training also includes a routine whereby, if a suspicious email arrives, the employee escalates it to the response team and IT support for an extra check even when the email security software marks it as legitimate. Following these established routines and training benefits users and employees, and the attacks thwarted are a sign that the non-technical layers of defense are just as important as the technical ones.

4.7 Results Summary

The research questions were answered in this chapter. The taxonomy provided at the beginning of the chapter answers the first research question. The survey results and analysis directly answer the third question, while the interview and the taxonomy answer the second. The taxonomy provided good guidelines on mitigation tactics, which the expert's opinion further confirmed.

CHAPTER FIVE

CONCLUSION AND RECOMMENDATIONS

5.1 Conclusion

In conclusion, this paper answers the research questions postulated at the start of the research project. We have outlined a taxonomy of solutions and defensive mechanisms that students can apply in their everyday online activity to protect themselves from social engineering attacks. We also examined state-of-the-art and state-of-the-practice solutions to determine whether a gap exists between the two and which offers the most effective and practical solutions.

The research questions were answered as follows:

Research Question 1: What is the Taxonomy of Modern Social Engineering Attacks?

The taxonomy extracted from the theoretical knowledge chapter is presented in Table 4.1. It covers the majority of modern social engineering attacks that an attacker executes using technology as the vector, since that was the scope to which we limited our exploration of the different attacks. The taxonomy includes attacks such as Phishing, Spear-Phishing, Smishing, Pop-up Ads and URL shorteners.

Research Question 2: What are the Different Scientific and Practice-Based Defense Strategies that can be used to Counter Social Engineering Attacks?

The appropriate defensive methods are also listed in Table 4.1. They were gathered comprehensively and reflect both state-of-the-art and state-of-the-practice solutions, as found through the literature review of state-of-the-art and state-of-the-practice literature, and they give concrete, applicable advice on how to counter and combat modern social engineering attacks. The advice presented is further confirmed by the expert who was interviewed.

Research Question 3: How Aware are Students of these Forms of Attacks, and how well can they Defend Themselves Against Them?

The questionnaire gave good insight into the students' mindset regarding these attacks. The results showed that respondents do not know the particular taxonomy and the names of the attacks, nor the full range of defenses that they apply, but they nevertheless generally strive for better security. Additionally, the scenarios at the end of the survey produced better results than anticipated, and showed that the majority of students have the common sense, awareness and knowledge needed to mitigate a real threat.

5.2 Recommendations

It is highly recommended that:

1. Corporate organizations should conduct regular training sessions to educate employees on the latest phishing tactics and cybersecurity best practices.

2. Some general recommendations can also be made to help people avoid falling victim to such an attack, as presented in. These include, but are not limited to: using a more secure browser when navigating the web; only downloading authorized apps from verified locations such as an official app store; and typing the entire URL that one has received into the browser by hand, rather than opening the link directly, in order to check whether the URL is legitimate and leads to the place it claims to.

3. A number of technical prevention methods can also be used, all resembling the ones recommended for defending against ordinary phishing attacks: an intrusion detection and prevention system; network monitoring tools, in order to spot suspicious activity on the company's network and devices; and anti-phishing extensions or software that run automatically over incoming emails to check their integrity, for example whether the links they contain lead where they claim to.
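As an added illustration of the kind of check that the anti-phishing software in recommendation 3 and the manual URL check in recommendation 2 perform, the following Python script was written for this page; it is not code from the study or from any product the study mentions. It scans a constructed HTML email for links whose visible text names a different domain than the real destination, links that go through a URL shortener, raw IP-address hosts, punycode or non-ASCII hostnames (possible homographs) and credentials embedded before the real host. The shortener list, the sample message and every domain name in it are assumptions, and the two-label "registered domain" heuristic stands in for a proper Public Suffix List lookup.

```python
"""Added example: a small anti-phishing link checker run over a constructed
HTML e-mail. Written for this page; not code from the study or any product."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of public URL-shortener hosts (extend for real use).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Visible anchor text that itself looks like a URL or a bare domain name.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # the [href, text] entry of the <a> currently open

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: a real tool would consult
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the list of reasons a link looks like phishing (empty if none)."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        return []  # mailto:, tel: etc. are outside this check
    host = parts.hostname or ""
    reasons = []
    if parts.username or parts.password:
        reasons.append("credentials/userinfo before the real host")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised or punycode hostname (possible homograph)")
    if registered_domain(host) in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the real destination")
    shown = text.strip()
    if _LOOKS_LIKE_URL.match(shown):
        # The visible text names a site; compare it with where the link really goes.
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append("displayed %s but links to %s" % (shown_host, host))
    return reasons


def scan_html_email(body):
    """Map each flagged href in an HTML body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(body)
    flagged = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample message (not a real phishing e-mail; domains are assumed).
SAMPLE_EMAIL = """<html><body>
<p>Your account has been locked. Verify it at
<a href="http://bit.ly/3xAmpl">bit.ly/3xAmpl</a> or at
<a href="https://secure-login.example.net/bank">https://www.bank.example/login</a>.</p>
<p>Questions? See our <a href="https://www.bank.example/help">Help centre</a>
or <a href="mailto:support@bank.example">email support</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_html_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the script reports the shortened link and the link whose displayed address (www.bank.example) differs from its real destination (secure-login.example.net), while leaving the genuine help link and the mailto: link alone. In a mail gateway the same check would run over every inbound message and, as in the routine described in the interview findings, a flagged message would be escalated for a human check rather than silently dropped.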
