Owolabi Phillip Iyanuoluwa
BY
NIGERIA.
ENGINEERING
FEBRUARY, 2024
CERTIFICATION
This is to certify that this project work is done by OWOLABI PHILIP IYANUOLUWA (Matric
no: 184223) in the Department of Computer Science and Engineering, Ladoke Akintola
University of Technology, Ogbomoso, Oyo State, Nigeria in partial fulfilment of the requirement
for the award of Bachelor of Technology (B.Tech) in Computer Science and Engineering.
(Supervisor)
PROF. Date
(Head of Department)
DEDICATION
This project work is dedicated to the glory of Almighty God who has been my Anchor and who
ACKNOWLEDGEMENT
First and foremost, all appreciation goes to Almighty God for His loving kindness, protection,
provisions and mercy shown to me during my academic pursuits and for making this project a
reality.
I wish to express my sincere gratitude to my able supervisor; PROF. A. ADETUNJI for his
Also, my special thanks to my caring and loving parents for their support right from the beginning
of my educational career to this present date. May you live long to eat the fruits of your labor in
I will not forget to thank all members of my extended family at large for their care, moral and
ABSTRACT
CHAPTER ONE
INTRODUCTION
1.1 Introduction
It is well known that the Internet is a global communication system where people all
around the world can meet and talk about almost anything. Communication through social media
be it for good or bad reasons has become the order of the day. The world is so attached to the
Internet. Unfortunately, not everyone uses the Internet for good purposes. There are lots of
people who are using social networks to steal personal information, especially through phishing,
Phishing is a form of attack whereby attackers try to get hold of a person’s personal details by
misleading them. It is widespread on the Internet: one commonly receives emails instructing
the recipient to enter their personal information in order to protect their account. This is mostly done
by sending an email that contains some enticing information, for example
an attractive link that seems to come from a trusted source, to lure the victim to
Social networks are becoming a very popular source of information for these phishers.
They can easily use all of the information that is contained in someone’s social networking
account to steal the person’s identity. The good thing is that there are preventive measures that
Cybersecurity has been a major concern since the beginning of ARPANET, which is
considered to be the first wide-area packet-switching network with distributed control and one of
the first networks to implement the TCP/IP protocol suite. The term “phishing”, which was also
called carding or brand spoofing, was coined for the first time in 1996, when hackers created
randomized credit card numbers using an algorithm to steal users' passwords from America
Online (AOL) (Whitman and Mattord, 2012; Cui et al., 2017). Phishers then used instant
messages or emails to reach users, posing as AOL employees to convince them to reveal their
passwords. Attackers believed that asking customers to update their account would be an
effective way to make them disclose sensitive information; thereafter, phishers started to target larger
financial companies. The author of Ollmann (2004) believes that the “ph” in phishing comes from
the term “phreaks”, which was coined by John Draper, also known as Captain
Crunch, and was used by early Internet criminals when they phreaked telephone systems. The
“f” in “fishing” was replaced with “ph” in “phishing” because both carry the same meaning:
fishing passwords and sensitive information out of the sea of Internet users. Over time,
phishers developed various and more advanced types of scams for launching their attacks.
Sometimes the purpose of the attack is not limited to stealing sensitive information; it may also
involve injecting viruses or downloading a malicious program onto a victim's computer.
Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that
Phishing attacks are rapidly evolving: spoofing methods change continuously, and attackers
combine technologies that exploit systems’ vulnerabilities with social engineering techniques to
fool unsuspecting users. Phishing therefore remains one of the most successful forms of
cybercrime.
1.3 Aim and Objectives of the Study
The aim of this study is to comprehensively explore, analyze, and understand the
investigating the psychological principles, techniques, and mitigation strategies, the study seeks
Objectives
To analyze the current landscape of social engineering and phishing attacks, including
To propose innovative strategies and technologies for enhancing protection against social
To assess the effectiveness of the proposed strategies through practical experiments and
simulations.
The study of social engineering and phishing attacks holds profound significance in
today's interconnected digital landscape. As cyber threats become increasingly sophisticated and
prevalent, understanding the intricacies of these manipulative tactics is crucial for individuals,
businesses, and society at large. Thereby it will enhance the Cyber security awareness and
1.5 Scope of the Study
techniques, impacts, and mitigation strategies associated with social engineering and phishing
attacks. The study will delve into both the technical and psychological aspects of these attacks,
aiming to provide a holistic understanding of the threat landscape and practical ways to
counteract them.
Social engineering has become a widespread issue, and more and more individuals have
fallen victim to social engineering attacks through ignorance. Although there is some level of
awareness among everyday users of the Internet and network-capable devices, individuals
still seem unaware of how devastating social engineering attacks can be.
This paper strives to present a taxonomy of the most popular social engineering attacks, along
with their respective defense strategies, which will be delivered to students in the form of guidelines
they can follow to avoid falling victim to such attacks. This research was conducted with
• Research Question 2: What are the different scientific and practice-based defense strategies that
• Research Question 3: How aware are students about these forms of attacks, and how well can
1.7 Limitations of the Study
and phishing attacks, it is important to acknowledge certain limitations that might impact the
Complexity of Psychological Factors: Although the project aims to delve into the
psychological aspects of these attacks, fully capturing the intricate interplay of cognitive
biases, emotions, and social dynamics that cybercriminals exploit can be challenging. The
information about specific social engineering or phishing incidents can be difficult due to
the confidential nature of these incidents. This limitation might restrict the depth of
Rapidly Evolving Techniques: The field of cyber threats, including social engineering
and phishing attacks, evolves rapidly. Some of the techniques discussed in the project
might become outdated or new attack vectors might emerge after the project's
attacks might require specialized resources, tools, and technical expertise. Resource
Incomplete Data and Reporting: Not all instances of social engineering and phishing
attacks are publicly reported or documented. This limitation might result in incomplete
data sets, potentially leading to a skewed understanding of the prevalence and impact of
these attacks.
Lack of Real-time Analysis: The project's research and analysis might not capture the
most recent and emerging trends in social engineering and phishing attacks, as these
downloading infected attachments. These attacks aim to trick users into taking actions
often use personal information obtained from various sources to make the phishing
Vishing (Voice Phishing): Vishing is a type of phishing attack that uses voice
engineering techniques to manipulate victims into providing sensitive information or
The attacker creates a false identity or reason to gain the victim's trust.
Baiting: Baiting involves enticing victims with something appealing, such as a free
download, in exchange for personal information or access credentials. This tactic exploits
person. This exploits the natural tendency to hold doors open for others.
Email Spoofing: Email spoofing is a technique where attackers manipulate the email
header to make it appear as though the email originates from a legitimate source. This is
often used in phishing attacks to trick recipients into believing the communication is
genuine.
addresses that mimic the appearance of legitimate domains. Attackers use these fake
domains to trick users into thinking they are interacting with a trusted entity.
that requires users to provide two or more authentication factors to verify their identity.
This adds an extra layer of protection against unauthorized access, even if login
Intrusion Detection System (IDS): An intrusion detection system is a security solution
that monitors network traffic and system activities to detect and respond to unauthorized
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction
manipulate individuals and gain unauthorized access to sensitive information or systems. These
attacks exploit human vulnerabilities, such as trust and willingness to help, to deceive victims
into revealing confidential data or performing actions that compromise security. Phishing attacks,
a specific type of social engineering, involve the use of fraudulent emails, websites, or messages
background and techniques involved in these attacks is crucial for individuals and organizations
to protect themselves and their data from potential harm. By being aware of the risks and
adopting best practices, individuals can minimize the chances of falling victim to these malicious
schemes.
Social engineering and phishing attacks are two common methods used by
or systems.
measures. It exploits the natural tendency of people to trust others and their willingness to help.
Phishing attacks, on the other hand, are a specific type of social engineering attack that
involves the use of fraudulent emails, websites, or messages to deceive individuals into
providing personal or financial information. The attackers typically pose as a legitimate entity,
such as a bank, government agency, or well-known company, and create a sense of urgency or
fear to trick victims into taking action. This action often involves clicking on malicious links,
Phishing attacks can take various forms, including spear phishing, where attackers target
specific individuals or organizations, and whaling, which targets high-profile individuals like
executives or celebrities. Phishing attacks can also occur through other communication channels
The ultimate goal of social engineering and phishing attacks is to obtain sensitive
information, such as login credentials, credit card details, or personal data, which can be used for
identity theft, financial fraud, or unauthorized access to systems. These attacks can have severe
consequences for individuals and organizations, including financial loss, reputational damage,
organizations can reduce the risk of falling victim to social engineering and phishing attacks.
Mitigating social engineering and phishing attacks is of utmost importance for enhancing
cybersecurity. Here are some reasons why it is crucial to address these threats:
obtain sensitive data, such as login credentials, financial information, or personal details.
Mitigating these attacks helps safeguard this information, preventing unauthorized access
financial accounts. By mitigating these attacks, the risk of financial loss due to fraudulent
for identity theft or launch further attacks using compromised accounts. By mitigating
these attacks, individuals and organizations can protect their reputation and maintain the
4. Prevention of data breaches: Social engineering attacks can lead to data breaches,
where sensitive information is exposed or leaked. These breaches can have severe legal
5. Protection against malware and ransomware: Phishing attacks often involve tricking
mitigating these attacks, the risk of malware infections and subsequent damage to
can strengthen their overall cybersecurity posture and reduce vulnerabilities to various
types of attacks.
7. Compliance with regulations: Many industries and jurisdictions have regulations and
standards in place to protect the privacy and security of sensitive information. Mitigating
social engineering and phishing attacks helps organizations comply with these
In conclusion, mitigating social engineering and phishing attacks is vital for enhancing
prevents data breaches, safeguards against malware and ransomware, strengthens overall
cybersecurity posture, and ensures compliance with regulations. By taking proactive measures to
address these threats, individuals and organizations can significantly reduce their risk and
existing research and literature on a specific topic. It serves several important purposes:
identify areas where further research is needed. They can identify gaps in knowledge or
unanswered questions that can guide their own research and contribute to the existing
body of knowledge.
the theories, concepts, methodologies, and findings that have been explored by previous
researchers. This understanding helps researchers build upon existing knowledge and
involves critically evaluating the sources and studies that have been published on a topic.
Researchers assess the credibility and reliability of the sources, considering factors such
as the methodology used, sample size, and the rigor of the research. This evaluation
ensures that researchers rely on high-quality sources and avoid basing their work on
4. Identifying key themes and trends: A literature review helps identify common themes,
patterns, and trends in the existing research. It allows researchers to synthesize and
analyze the findings from multiple studies, providing a broader understanding of the topic
theoretical framework for their own study. By reviewing existing theories and models,
researchers can identify the most appropriate theoretical perspectives to guide their
6. Informing research design and methodology: Researchers can learn from the strengths
and weaknesses of previous studies when designing their own research. They can identify
the most effective research methodologies, data collection techniques, and analytical
7. Generating new research ideas: The synthesis of existing literature can often lead to the
inconsistencies in the existing literature that can spark new avenues for investigation or
understanding of existing knowledge, identifying gaps, and informing the design and direction of
future studies. It helps researchers contribute to the field by building upon previous work and
Social engineering attacks are tactics used by cybercriminals to manipulate and deceive
individuals into divulging sensitive information or performing actions that may compromise their
security. These attacks exploit human psychology and rely on the target's trust, curiosity, or lack
of awareness.
1. Phishing: As mentioned earlier, phishing is a type of social engineering attack where the
attacker impersonates a trusted entity, such as a bank or email provider, and tries to trick
2. Spear Phishing: This is a more targeted form of phishing where the attacker tailors the
information about the target to make the phishing attempt more convincing.
executives or celebrities. The goal is to trick them into revealing sensitive information or
4. Pretexting: In pretexting attacks, the attacker creates a fictional scenario or story to trick
the target into providing information or performing actions. For example, an attacker may
pose as a customer service representative and request personal details under the guise of
solving an issue.
5. Baiting: Baiting attacks involve enticing the target with something appealing, such as a
free download or a USB drive, which contains malware or malicious software. The target
6. Watering Hole: In a watering hole attack, the attacker compromises a trusted website or
online platform that the target frequently visits. When the target accesses the
compromised site, their device may be infected with malware or prompted to provide
sensitive information.
legitimate access.
These are just a few examples of social engineering attacks, but it's important to note that
attackers are constantly evolving their tactics to exploit new vulnerabilities. Being aware of these
types of attacks and staying vigilant can help individuals protect themselves from social
engineering threats.
Phishing attacks are a specific type of social engineering attack where attackers
performing actions that can compromise their security. Phishing attacks are typically carried out
through email or instant messaging platforms, but they can also occur through phone calls or text
messages.
1. Deceptive Phishing: This is the most common type of phishing attack. The attacker
sends emails or messages that appear to be from a legitimate organization, such as a bank
or an online service provider. The message typically contains a link that leads to a fake
2. Spear Phishing: Spear phishing attacks are more targeted and personalized. The attacker
gathers information about the target, such as their name, position, or recent activities, to
make the phishing attempt more convincing. These attacks often target specific
individuals or organizations.
3. Clone Phishing: In clone phishing attacks, the attacker creates a near-identical copy of a
legitimate email or website and replaces a legitimate link or attachment with a malicious
one. The recipient is tricked into thinking that the communication is genuine and falls
celebrities. The attacker poses as a trusted entity and attempts to trick the target into
5. Smishing: Smishing attacks occur through SMS or text messages. The attacker sends text
messages that appear to be from a legitimate source and tricks the recipient into clicking
6. Vishing: Vishing attacks involve voice communication, typically through phone calls.
7. Pharming: In pharming attacks, the attacker redirects the target's internet traffic to a fake
website without their knowledge. The fake website is designed to collect sensitive
it involves requests for personal information or clicking on unknown links. Regularly updating
software, using strong and unique passwords, and enabling multi-factor authentication can also
individuals and trick them into divulging sensitive information or performing actions that
compromise their security. Here are some common techniques used in these attacks:
agencies, or well-known companies, to gain the target's trust. They may use email
addresses, logos, or website designs that closely resemble the legitimate ones to deceive
the target.
2. Urgency and Fear: Attackers create a sense of urgency or fear to prompt immediate
action from the target. They may claim that the target's account is compromised, that they
will face legal consequences, or that they need to update their information immediately to
avoid a problem.
3. Emotional Manipulation: Social engineering attacks often exploit human emotions like
curiosity, greed, or sympathy. Attackers may use enticing offers, promises of rewards, or
4. Information Gathering: Attackers gather personal information about their targets from
various sources, such as social media platforms, public records, or data breaches. This
information helps them personalize their attacks and make them more convincing.
5. Phishing Links and Attachments: Phishing attacks commonly include malicious links
or attachments in emails, messages, or websites. These links may lead to fake websites
6. Spoofed Websites and Emails: Attackers create fake websites or emails that closely
resemble legitimate ones. They use similar domain names, logos, and designs to trick the
member to gain the target's trust and convince them to share sensitive information or
8. Pretexting: Attackers create a fictional scenario or story to gain the target's confidence
and obtain sensitive information. For example, they may pose as a customer service
representative, IT support technician, or a trusted authority figure to trick the target into
sharing information.
9. Authority Exploitation: Attackers may pose as someone with authority or power, such
10. Social Influence: Attackers may use social influence techniques, such as creating a sense
of social proof or scarcity, to persuade the target to take specific actions. For example,
they may claim that many others have already taken advantage of an offer or that the
opportunity is limited.
It's crucial to be cautious and skeptical of any unsolicited communications and to verify
the authenticity of requests before sharing sensitive information or performing actions. Regularly
updating security software, being aware of current attack techniques, and educating oneself about
social engineering and phishing can also help in preventing falling victim to these attacks.
Social engineering and phishing attacks can have significant impacts on individuals,
organizations, and society as a whole. Here are some of the key impacts:
1. Financial Loss: Phishing attacks often aim to steal sensitive financial information such
as credit card numbers, bank account details, or login credentials. When successful, these
attacks can result in financial loss for individuals or organizations. Stolen funds can be
2. Data Breaches: Social engineering attacks can also lead to data breaches, where
sensitive information such as personal data, intellectual property, or trade secrets are
compromised. This can have severe consequences for individuals and organizations,
3. Identity Theft: Phishing attacks often involve tricking individuals into providing
personal information, such as social security numbers, dates of birth, or addresses. This
information can be used for identity theft, where the attacker assumes the identity of the
victim to carry out fraudulent activities or gain unauthorized access to accounts or
systems.
malware. This can lead to downtime, loss of productivity, and financial costs associated
5. Spread of Malware: Phishing attacks often involve malicious attachments or links that,
when clicked, download malware onto the victim's device. This malware can spread
across networks, infect other devices, and potentially cause widespread damage,
taking certain actions. Victims of successful attacks may experience feelings of violation,
interactions.
7. Trust and Confidence Erosion: Social engineering and phishing attacks erode trust in
organizations fall victim to these attacks, it can undermine confidence in the security of
online transactions, communication, and data protection. This can have long-term
To mitigate the impact of social engineering and phishing attacks, individuals and
organizations should educate themselves about these threats, implement robust security
measures, regularly update software and systems, and remain vigilant in detecting and reporting
suspicious activities.
Employee education and training is a crucial strategy for mitigating social engineering
about the different types of social engineering and phishing attacks, including email,
phone calls, and in-person interactions. Teach them how to recognize common red flags
employees' awareness and response to phishing emails. This helps identify areas where
3. Teach email hygiene: Train employees on how to identify phishing emails, including
looking for suspicious email addresses, misspellings, grammatical errors, and urgent or
threatening language. Encourage them to verify the sender's identity before clicking on
4. Safe browsing practices: Educate employees about safe browsing habits, such as
visiting unknown websites. Teach them to look for the padlock symbol and "https" in the
5. Password security: Teach employees about the importance of strong and unique
passwords. Instruct them to never share passwords, use password managers, and enable
suspicious emails, phone calls, or any other potential social engineering attempts.
Establish a clear and accessible reporting mechanism, such as a dedicated email address
or a designated person.
messaging platforms. Share real-life examples of social engineering attacks and their
8. Role-specific training: Tailor training programs to specific job roles and departments.
For example, finance and HR departments may require additional training on identifying
9. Stay updated: Keep employees informed about the latest social engineering and
phishing techniques, trends, and news. Provide them with resources such as articles,
awareness programs by recognizing and rewarding those who demonstrate good security
practices and report suspicious activities. This helps create a positive security culture
Remember that employee education and training should be an ongoing effort, with
regular refreshers and updates as new threats arise. Additionally, involving employees in the
development of security policies and procedures can help increase their sense of ownership and
responsibility towards protecting the organization from social engineering and phishing attacks.
solutions can help protect against social engineering and phishing attacks. Here are some key
1. Email filtering and spam detection: Deploy robust email filtering solutions that can
identify and block phishing emails. These solutions use various techniques, such as
analyzing email headers, content, and attachments, to detect and prevent malicious emails
2. Multi-factor authentication (MFA): Implement MFA for all critical systems and
applications. This adds an extra layer of security by requiring users to provide additional
verification, such as a code sent to their mobile device, in addition to their username and
password.
including antivirus, anti-malware, and firewall solutions, on all devices within the
organization. This helps detect and block known threats and suspicious activities.
4. Web filtering and URL reputation services: Implement web filtering solutions that can
block access to known malicious websites. Use URL reputation services to assess the
reputation of websites and prevent users from visiting potentially dangerous sites.
5. Patch management: Regularly update and patch all software, including operating
systems, web browsers, and applications, with the latest security patches. This helps
6. Secure configuration management: Ensure that all systems and devices are configured
securely, following best practices and security guidelines. This includes disabling
unnecessary services, using strong encryption protocols, and enforcing secure password
policies.
and sensitive data from the rest of the network. This limits the potential damage that an
8. Intrusion detection and prevention systems (IDS/IPS): Deploy IDS/IPS solutions that
can detect and block suspicious network traffic and activities. These systems can help
9. Security information and event management (SIEM): Implement a SIEM solution that
collects and analyzes security event logs from various systems and devices. This helps
identify patterns and anomalies that may indicate social engineering or phishing attempts.
10. Data encryption: Encrypt sensitive data both at rest and in transit to prevent
unauthorized access. This includes using encryption protocols for email communication,
encrypting data stored on devices and in databases, and implementing secure file transfer
protocols.
11. Regular backups: Implement regular backup procedures to ensure critical data is
protected and can be restored in case of a successful attack. Test the restoration process
12. Vulnerability scanning and penetration testing: Conduct regular vulnerability scans
and penetration tests to identify and address any weaknesses in your security
infrastructure. This helps identify potential entry points for attackers and allows for
proactive remediation.
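As an added, worked illustration that is not part of this project: the following Python script applies the checks discussed in this chapter for email spoofing and lookalike domains, the email-hygiene red flags of item 3 of the training list, and the header, content and link analysis described for email filtering in item 1 above. The trusted-domain allow-list, the urgency phrases, the lookalike substitution table and the sample message are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains the organisation really sends mail from.
TRUSTED_DOMAINS = {"examplebank.com"}
# Wording phishing emails use to create urgency or fear (constructed list, see section 2).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")

def normalise_domain(domain: str) -> str:
    """Undo common lookalike substitutions so 'exarnp1e-bank.com' reads 'examplebank.com'.
    The substitution table is an assumption for illustration, not an exhaustive list."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                       ("3", "e"), ("5", "s"), ("-", "")):
        d = d.replace(fake, real)
    return d

def is_lookalike(domain: str) -> bool:
    """True when the registrable part of `domain` imitates a trusted domain without being it."""
    registrable = ".".join(domain.lower().split(".")[-2:])
    return registrable not in TRUSTED_DOMAINS and normalise_domain(registrable) in TRUSTED_DOMAINS

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the shown site can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header_value) -> str:
    """Domain part of the address in a From, Return-Path or Reply-To header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def analyse(raw: bytes) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in one RFC 5322 message; empty means no red flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    from_dom = domain_of(msg.get("From", ""))
    # Spoofing check: the envelope sender and reply address should match the From domain.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(("header-mismatch", f"{hdr} is {dom}, From is {from_dom}"))
    if is_lookalike(from_dom):
        findings.append(("lookalike-sender", from_dom))
    # Urgency or fear wording in the subject and body (HTML tags stripped crudely).
    html, text = "", str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    text += "\n" + re.sub(r"<[^>]+>", " ", html)
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # Links whose visible text shows one site while the href goes to another or to a lookalike.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(visible).hostname or "").lower() if visible.startswith("http") else ""
        if shown_host and shown_host != href_host:
            findings.append(("link-mismatch", f"shows {shown_host}, goes to {href_host}"))
        if is_lookalike(href_host):
            findings.append(("lookalike-link", href_host))
    return findings

# Constructed sample: a spoofed "bank" message carrying every indicator checked above.
SAMPLE = b"""From: Example Bank Security <security@examp1e-bank.com>
Return-Path: <bounce@mailer-promo.example.net>
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify your account immediately.</p>
<p><a href="http://login.examp1e-bank.com/verify">https://examplebank.com/secure</a></p>
</body></html>
"""
```

Running `analyse(SAMPLE)` reports the Return-Path mismatch, the lookalike sender, the urgency wording and the mismatched, lookalike link; a genuine statement notification from the allow-listed domain with a plain body returns an empty list.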
updates, monitoring, and adjustments are necessary to stay ahead of evolving threats and ensure
Despite the best efforts to prevent social engineering and phishing attacks, it is still
possible for an attack to occur. In such cases, having a well-defined incident response plan can
help minimize the damage and reduce the impact on the organization. Here are some key steps to
1. Identify the incident: Train employees to recognize the signs of a social engineering or
phishing attack, and establish clear reporting procedures. Encourage employees to report
2. Contain the incident: Once an incident is identified, take immediate steps to contain it.
This may include disabling compromised accounts, disconnecting affected devices from
3. Investigate the incident: Conduct a thorough investigation to determine the scope and
impact of the incident. This may involve analyzing logs, reviewing network traffic, and
4. Notify stakeholders: Notify relevant stakeholders, including management, IT, legal, and
5. Mitigate the damage: Take steps to mitigate the damage caused by the incident, such as
affected systems and devices are thoroughly checked for any residual malware or
backdoors.
6. Learn from the incident: Conduct a post-incident review to identify areas for
improvement in your security infrastructure and incident response plan. Update your
needed.
7. Report the incident: In some cases, it may be necessary to report the incident to
regulatory authorities or law enforcement. Ensure that you comply with any legal or
Remember that the incident response plan should be regularly reviewed and updated to
reflect changes in the threat landscape and the organization's security posture. Additionally, it is
comfortable reporting incidents and taking appropriate action to protect the organization.
security strategy to protect against social engineering and phishing attacks. By sharing
information and collaborating with internal teams, external partners, and industry peers,
organizations can improve their collective ability to detect, prevent, and respond to these threats.
Here are some key considerations for effective collaboration and information sharing:
organization, such as IT, security, legal, and human resources. Establish clear
coordination of efforts to prevent and respond to social engineering and phishing attacks.
industry groups, government agencies, and cybersecurity vendors. These partnerships can
provide access to threat intelligence, best practices, and resources that can enhance your
3. Information sharing platforms: Explore the use of information sharing platforms, such
organizations can share anonymized threat data, indicators of compromise, and incident
response best practices. These platforms can help identify emerging threats and provide
4. Incident sharing and reporting: Encourage employees and stakeholders to report any
5. Training and awareness programs: Conduct regular training and awareness programs
employees to share their experiences and lessons learned, and provide them with the tools
6. Red teaming exercises: Engage in red teaming exercises or simulated phishing
attacks. These exercises can help identify vulnerabilities and gaps in your defenses and
vulnerabilities. This can help you proactively adjust your security controls and defenses
law enforcement agencies, legal counsel, and incident response service providers, to
phishing attack.
and trusted manner. Implement appropriate safeguards to protect sensitive information and
ensure compliance with legal and regulatory requirements. Additionally, regularly evaluate the
effectiveness of your collaboration efforts and adjust your strategies as needed to stay ahead of
evolving threats.
Continuous monitoring and risk assessment are essential components of a robust security
strategy to protect against social engineering and phishing attacks. By continuously monitoring
your systems, networks, and processes, and regularly assessing your security risks, you can
identify vulnerabilities, detect potential threats, and take proactive measures to mitigate risks.
Here are some key considerations for effective continuous monitoring and risk assessment:
1. Vulnerability scanning: Conduct regular vulnerability scans to identify weaknesses in
your systems, applications, and network infrastructure. Use automated tools to scan for
known vulnerabilities and misconfigurations, and promptly address any identified issues.
2. Log monitoring and analysis: Implement a centralized logging system and regularly
review logs for any suspicious activities or indicators of compromise. Use security
information and event management (SIEM) tools to aggregate and analyze log data to
3. Network traffic analysis: Monitor network traffic for any unusual or suspicious patterns.
Use intrusion detection and prevention systems (IDPS) or network traffic analysis tools to
exfiltration.
4. User behavior analytics: Implement user behavior analytics (UBA) tools to analyze user
activities and detect anomalies that may indicate social engineering or phishing attempts.
Monitor for unusual login patterns, privilege escalation, or unauthorized access attempts.
5. Patch management: Establish a robust patch management process to ensure that all
systems, applications, and devices are regularly updated with the latest security patches.
Regularly review vendor advisories and security bulletins to identify vulnerabilities and
6. Threat intelligence integration: Integrate threat intelligence feeds into your monitoring
and attack techniques. Leverage this intelligence to proactively adjust your security
7. Risk assessments: Conduct regular risk assessments to identify and prioritize potential
threats and vulnerabilities. Assess the impact and likelihood of social engineering and
phishing attacks on your organization, and develop appropriate risk mitigation strategies.
to educate them about social engineering and phishing attacks. Reinforce good security
practices, such as strong password management, email hygiene, and safe browsing habits.
9. Incident response readiness: Regularly review and update your incident response plan
to ensure it aligns with the current threat landscape. Conduct tabletop exercises and
simulations to test your incident response capabilities and identify areas for improvement.
10. Compliance monitoring: Monitor and assess your organization's compliance with
relevant security standards, regulations, and policies. Regularly review and update your
Remember that continuous monitoring and risk assessment are ongoing processes.
Regularly review and update your monitoring tools, techniques, and risk assessment
methodologies to stay ahead of evolving threats. Additionally, collaborate with internal teams
and external partners to share information and insights that can enhance your monitoring and risk
assessment capabilities.
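As an added illustration of items 2 and 4 above (log monitoring and user behavior analytics), and not code from the original project, the following Python script runs three detection rules over a constructed set of sign-in events: a password spray from one source against many accounts ending in a success, a successful login from a country never seen before for that user, and a privileged-group change that is raised to high severity when the same user/IP pair was already flagged. The event fields, the privileged-group list, the ten-minute window and the five-account threshold are all assumptions chosen for the example.

```python
"""Login-anomaly detection over constructed sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes count as privilege escalation (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo"}

# Constructed sample events, loosely modelled on an identity provider's sign-in log.
SAMPLE_EVENTS = [
    {"ts": "2024-02-10T08:01:00", "user": "alice", "src_ip": "41.58.12.9", "country": "NG", "result": "success"},
    {"ts": "2024-02-10T08:05:00", "user": "bob", "src_ip": "41.58.12.10", "country": "NG", "result": "success"},
    # One source tries five accounts in quick succession (password spray), then gets one right.
    {"ts": "2024-02-10T09:00:00", "user": "alice", "src_ip": "185.220.101.5", "country": "DE", "result": "failure"},
    {"ts": "2024-02-10T09:00:05", "user": "bob", "src_ip": "185.220.101.5", "country": "DE", "result": "failure"},
    {"ts": "2024-02-10T09:00:10", "user": "carol", "src_ip": "185.220.101.5", "country": "DE", "result": "failure"},
    {"ts": "2024-02-10T09:00:15", "user": "dave", "src_ip": "185.220.101.5", "country": "DE", "result": "failure"},
    {"ts": "2024-02-10T09:00:20", "user": "erin", "src_ip": "185.220.101.5", "country": "DE", "result": "failure"},
    {"ts": "2024-02-10T09:00:25", "user": "bob", "src_ip": "185.220.101.5", "country": "DE", "result": "success"},
    # Two minutes later the same session adds the account to an admin group.
    {"ts": "2024-02-10T09:02:00", "user": "bob", "src_ip": "185.220.101.5", "country": "DE",
     "result": "success", "action": "group_add:Domain Admins"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP that fails against >= min_accounts distinct users and then succeeds within window."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_ip[event["src_ip"]].append(event)
    alerts = []
    for ip, evs in by_ip.items():
        for i, event in enumerate(evs):
            if event["result"] != "success":
                continue
            since = _ts(event) - window
            failed_users = {e["user"] for e in evs[:i] if e["result"] == "failure" and _ts(e) >= since}
            if len(failed_users) >= min_accounts:
                alerts.append({"rule": "password_spray", "src_ip": ip, "user": event["user"],
                               "accounts_tried": len(failed_users), "ts": event["ts"]})
                break  # one alert per source; later successes belong to the same campaign
    return alerts


def detect_new_country(events):
    """Flag a successful login from a country the user has never logged in from.

    The user's first observed login seeds the baseline, so it is never flagged."""
    seen = defaultdict(set)
    alerts = []
    for event in sorted(events, key=_ts):
        if event["result"] != "success":
            continue
        known = seen[event["user"]]
        if known and event["country"] not in known:
            alerts.append({"rule": "new_country", "src_ip": event["src_ip"], "user": event["user"],
                           "country": event["country"], "ts": event["ts"]})
        known.add(event["country"])
    return alerts


def detect_privilege_escalation(events, prior_alerts):
    """Flag additions to a privileged group; severity is high if the user/IP pair was already flagged."""
    flagged = {(a["user"], a["src_ip"]) for a in prior_alerts}
    alerts = []
    for event in events:
        action = event.get("action", "")
        if not action.startswith("group_add:"):
            continue
        group = action.split(":", 1)[1]
        if group in PRIVILEGED_GROUPS:
            severity = "high" if (event["user"], event["src_ip"]) in flagged else "medium"
            alerts.append({"rule": "privileged_group_add", "user": event["user"], "group": group,
                           "severity": severity, "ts": event["ts"]})
    return alerts


def analyze(events):
    """Run all rules; the login rules' alerts feed the escalation rule for correlation."""
    alerts = detect_password_spray(events) + detect_new_country(events)
    alerts += detect_privilege_escalation(events, alerts)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The point of the last rule is correlation: a group change on its own is routine administration, but the same change minutes after a login that two other rules already flagged is the sequence a phished or sprayed credential produces, so it is what an analyst wants surfaced first.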
educating them about common tactics used by attackers, teaching them how to identify
suspicious emails or messages, and emphasizing the importance of not sharing sensitive
information.
layer of security, making it more difficult for attackers to gain unauthorized access even
3. Email filtering and monitoring: Organizations can deploy advanced email filtering and
monitoring systems that can detect and block suspicious emails or attachments. These
systems can also analyze email patterns and identify potential phishing attempts.
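An added example, not part of the original text: a small heuristic phishing scorer in Python showing the kind of checks an email filtering system applies before delivery. It parses a raw message with the standard library and scores a Reply-To that diverts replies away from the sender, a sender domain that resembles a trusted one, pressure wording, links to bare IP addresses, and links whose visible text names a different host than the href. The trusted-domain list, phrase list, weights, threshold and both sample messages are constructed for the example.

```python
"""Heuristic phishing scorer for a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation expects legitimate mail from.
TRUSTED_DOMAINS = {"bank.example", "example.edu"}
# Phrases typical of pressure tactics; their weight is capped so wording alone cannot quarantine.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
QUARANTINE_THRESHOLD = 5

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Bank Example Security" <alerts@bank-example.co>
Reply-To: recovery@mail-secure-login.net
To: student@example.edu
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Dear customer, verify your account immediately or it will be suspended within 24 hours.</p>
<p><a href="http://185.220.101.5/login">https://www.bank.example/login</a></p>
"""

SAMPLE_LEGIT = """From: "Bank Example" <notices@bank.example>
To: student@example.edu
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking.</p>
<p><a href="https://www.bank.example/statements">https://www.bank.example/statements</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def _is_lookalike(domain, trusted):
    """bank-example.co vs bank.example: same letters once separators and the TLD are ignored."""
    squash = lambda d: re.sub(r"[^a-z0-9]", "", d)
    return domain != trusted and squash(trusted) in squash(domain)


def _body(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(part.get_payload(decode=True).decode(errors="replace")
                   for part in msg.walk() if part.get_content_type() in ("text/plain", "text/html"))


def score_message(raw):
    """Return {'score', 'verdict', 'findings'}; each finding is (name, weight)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:                       # replies silently diverted elsewhere
        findings.append(("reply_to_mismatch", 2))
    if from_dom not in TRUSTED_DOMAINS and any(_is_lookalike(from_dom, t) for t in TRUSTED_DOMAINS):
        findings.append(("lookalike_sender_domain", 3))
    body = _body(msg)
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sum(1 for phrase in URGENCY_PHRASES if phrase in text)
    if hits:
        findings.append(("urgency_language", min(hits, 3)))
    collector = _LinkCollector()
    collector.feed(body)
    for href, anchor in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):   # bare IP instead of a brand host
            findings.append(("raw_ip_link", 3))
        shown = urlparse(anchor).hostname if "://" in anchor else None
        if shown and shown.lower() != host:               # text names one host, href goes to another
            findings.append(("link_text_mismatch", 3))
    score = sum(weight for _, weight in findings)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(raw))
```

The weights are illustrative. A production filter would combine content heuristics like these with SPF, DKIM and DMARC results and with sender and URL reputation, and would tune the threshold against the organisation's own mail so that legitimate urgent notices are not quarantined.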
1. Importance of vigilance: Real-world incidents have shown that even with robust
security measures in place, attackers can still find ways to exploit human vulnerabilities.
Organizations have learned the importance of maintaining a high level of vigilance and
2. Need for continuous education: Phishing attacks and social engineering tactics
and awareness programs for employees. Regular updates on new attack methods and
3. Incident response and reporting: Organizations have learned the importance of having
a well-defined incident response plan in place. Prompt reporting of phishing attempts and
incidents is crucial for minimizing the impact and preventing further damage.
1. Security awareness training: Conduct regular security awareness training sessions for
employees to educate them about social engineering and phishing attacks. Provide
practical examples and simulations to help them recognize and respond appropriately to
and applications to add an extra layer of security. This can significantly reduce the risk of
3. Email filtering and monitoring: Deploy advanced email filtering and monitoring
4. Incident response plan: Develop a comprehensive incident response plan that outlines
the steps to be taken in the event of a phishing attack or social engineering incident. This
should include clear guidelines on reporting incidents, isolating affected systems, and
5. Regular testing and evaluation: Conduct regular phishing simulations and tests to
assess the effectiveness of security measures and identify areas for improvement. Use the
2.7 Challenges and Future Directions in Social Engineering and Phishing Attacks
1. Smishing: Smishing refers to phishing attacks conducted through SMS or text messages.
Attackers use text messages to trick individuals into providing sensitive information or
2. Vishing: Vishing, or voice phishing, involves attackers using phone calls to manipulate
individuals into divulging sensitive information or performing certain actions. They may
into revealing sensitive information. Attackers may pose as someone in authority, such as
disclosing sensitive information. These attacks often involve careful research and social
engineering tactics.
engineering tactics, phishing attacks, and the importance of following secure practices.
assess the susceptibility of their employees to phishing attacks. These simulations help
identify areas of improvement and provide targeted training to mitigate the human factor
in cybersecurity.
unauthorized access even if an attacker manages to obtain login credentials through social
engineering.
4. Incident response and reporting: Encouraging employees to report suspicious emails,
calls, or messages promptly can help organizations respond quickly and mitigate the
1. Artificial Intelligence (AI): AI can be used by both attackers and defenders. Attackers
can leverage AI to automate and enhance their social engineering tactics, while defenders
can use AI-driven techniques to detect and prevent phishing attacks more effectively.
2. Machine Learning (ML): ML algorithms can analyze vast amounts of data to identify
patterns and anomalies associated with phishing attacks. ML can help organizations
develop more robust phishing detection systems and improve their ability to identify and
Implementing biometric authentication can reduce the risk of attackers obtaining login
help organizations stay ahead of evolving social engineering and phishing attacks. These
solutions can provide real-time insights into emerging threats, enabling organizations to
5. User behavior analytics: User behavior analytics tools can monitor user activity and
detect anomalies that may indicate a social engineering or phishing attack. By analyzing
user behavior patterns, organizations can identify suspicious activities and take
The key findings from this literature review on mitigating social engineering and
1. Social engineering and phishing attacks pose significant threats to organizations, leading
2. Employee education and training programs are crucial in raising cybersecurity awareness
and equipping employees with the knowledge to identify and respond to these attacks.
and endpoint protection can provide additional layers of defense against social
organizations can help organizations stay updated on the latest threats and preventive
measures.
7. Case studies and best practices offer valuable insights into successful mitigation
9. Organizations need to prioritize cybersecurity measures and continuously evolve their
strategies to stay ahead of attackers and protect their assets and reputation.
technical measures, incident response, collaboration, continuous monitoring, and risk assessment
is crucial for mitigating social engineering and phishing attacks and enhancing cybersecurity.
CHAPTER THREE
METHODOLOGY
3.1.1 Method
Three primary methodologies are used in scholarly research: qualitative, quantitative, and
mixed method. A researcher’s beliefs and experiences may play a role in the questions they ask
survey respondents as well as how those responses are interpreted (Leppink, 2017).
A qualitative methodology paves the way for research questions to be open to unexpected
findings (Tavakol & Sandars, 2014a) with the choice of design depending on the nature of the
research problem and scientific knowledge being sought (Korstjens & Moser, 2017). A qualitative
methodology is exploratory and used to understand human behavior, conceptual phenomena, groups,
quantitative method in which the researcher is isolated from the phenomenon, the qualitative method
allows a researcher to obtain user data from a participant to address the research question. Qualitative
research encompasses a broad range of philosophies, approaches, and methods, which, when used,
enable a researcher to acquire an in-depth understanding of people’s perceptions (Vass, Rigby, &
Payne, 2017). Methodologies within qualitative research focus on the reasoning of a participant to
(c) Sincere,
(d) Credible,
(e) Resonate,
(g) Ethical, and
A qualitative method was the best choice for this study because qualitative descriptions were
essential to exploring the mitigation strategies CISOs implement to protect their organizations from
cyberattacks.
(Boyle, Whittaker, Eyal, & McCarthy, 2017) with probability and statistics determined within a
population (Barnham, 2015). The measurement tools used in quantitative research aid in the validity
and reliability of a study (Tavakol & Sandars, 2014a). Quantitative research provides the structure
and processes to collect, analyze, and evaluate statistical data via tables, charts, graphs, or figures to
find associations within a population (Barczak, 2015). The context of this study was mitigation
strategies for social engineering attacks, without the intention of testing hypotheses, seeking statistical
data, or generalizing the data across other non-IT attacks on organizations. The quantitative method
was not appropriate for this study because it requires hypothesis testing.
A mixed methodology is used to examine data sets and statistical results from a quantitative
method along with the data from qualitative methods to further interpret the reason for a phenomenon
(McKim, 2015). A researcher uses mixed methods to examine relationships and differences between
variables utilizing a central research question and hypothesis (Venkatesh, Brown, & Bala, 2013).
Mixed methods provide researchers with the option to combine participants’ experiences with
empirical data to determine the relationship between specific variables (Yin, 2013). A mixed-method
study combines the best of qualitative and quantitative methods (Leppink, 2017). A mixed-method
which was not my intention in this study. A mixed methodology was not appropriate for this study
because the participants' experiences were not combined with empirical data to address the research
question.
Case study, phenomenological, ethnographic, and narrative research designs were considered
for this study. Each of the four qualitative research designs has its strengths and weaknesses
(Almalki, 2016). Yin (2013) noted that a rigorous research design is essential and expertly guides a
A multiple case study design was selected for this study. The nature of this design is gathering
detailed and multifaceted opinions (Ridder, 2017). Multifaceted opinions allowed for the exploration
of social engineering mitigation strategies through the incorporation of different goals, collections,
and data analysis. Carolan, Forbat, and Smith (2016) described the use of multiple data sources as
typical of this research approach. Data sources can include observation, interviewing, recording, or
documenting participant information (Yin, 2013). The data collection methods within the design
provide a holistic approach focused on variables in a natural setting and working toward
understanding participants’ perceptions and interpretations (Cope, 2015). With the case study design,
a researcher illustrates the viewpoints of participants through incorporating numerous data sources to
determine how participants gain knowledge and make decisions regarding an event (Yin, 2013). A
case study was appropriate for this study because it focused on discovering future solutions through
exploration and consensus. The case study design supported the purpose of this research study, which
was to gather the opinions of CISOs and seek a consensus on strategies and solutions for mitigating
phenomenon (Gill, 2014). According to Roberts (2013), this design best explores participants’ lived
experiences. Using the participants’ experiences, the researcher gains an insightful understanding of
understand the challenges and motivations of the culture and to discover emergent themes (Cunliffe
& Karunanayake, 2013). According to Cruz and Higginbottom (2013), this understanding of cultural
groups occurs through observations conducted over prolonged periods. Ethnography is a means to
represent a group graphically and in writing within the context of their culture (Knobloch et al.,
2017).
how humans experience the world and to develop a generalization of what the data means (Kourti,
2016). Tamboukou (2011) stated that a narrative design should be used when exploring a
biographical study that follows the lives of individuals. Lewis (2015) explained the role of
researchers in a narrative study as the exploration of how participants view themselves and their
experiences.
The population for this study was CISOs across six small- to medium-sized organizations
within the PCI industry from the West Coast region of the United States. To understand the
population, the definition of small to medium-sized businesses is 499 or fewer employees (Alkhoraif,
Rashid, & McLaughlin, 2018). The West Coast region has among the highest concentrations of
technology companies handling PCI of any region in the United States. A justification of the
population serves to demonstrate saturation within the dataset (Gentles, Charles, Ploeg, &
McKibbon, 2015). The population and sample size are measured by the depth of data rather than
by frequencies, so participants are selected as those best able to answer the research
topic (Cho & Lee, 2014). Participants were recruited by obtaining the CISO's name, e-mail address,
location, and a number of employees from IT membership databases such as Infragard, which is a
partnership between the FBI and members of the private sector for the protection of U.S. critical
infrastructure. The prospective participants received an invitation via email to participate in the
research study via a telephone interview. Attached to the email was an informed consent form, which
provided detail about their inclusion in the study. All participants must have successfully
implemented strategies to deter cybercrime and mitigate social engineering attacks and were willing
Purposive sampling was appropriate for this qualitative case study.
characteristics that pertain to the subject matter being researched (Barratt, Ferris, & Lenton, 2015).
use their best judgment to select participants that will provide unique and rich information of value to
Within qualitative research, the sample size is selected to be adequate to identify the themes
within the research study. A researcher chooses the number of participants, which depends on the
topic and availability of resources (Benoit, Hannes, & Bilsen, 2016), and uses this sample to gather a
rich data set. Within qualitative research, there is a point of data saturation reached whereby
continuing to collect data only serves to confirm emerging themes (Fusch & Ness, 2015). The goal of
through the selection of individuals is presented (Kwong et al., 2014). In a case study, the sample
CISOs within organizations are responsible for ensuring compliance with security procedures
and standards and making decisions to safeguard security and effect change (Wara & Singh, 2015).
In addition to implementing design and enforcing security policies, they recommend security
Data saturation has an impact on the quality of research conducted. According to Fusch and
Ness (2015), data saturation is reached when enough information has been gathered to replicate the
study, no additional new information is available, and further coding is no longer feasible. A
researcher’s failure to reach data saturation diminishes the validity of one’s research (Walker, 2012).
Kwong et al. (2014) noted that qualitative researchers should continue interviewing participants until
The interview process catered to the interviewees' availability to allow accurate data
collection through open-ended questions, with the possibility of follow-up questions that could
provide additional clarity and validation for the study (Houghton, Murphy, Shaw, & Casey, 2015).
This natural setting assisted with performing data analysis that is both inductive and deductive
toward establishing patterns and themes (Elo et al., 2014). An interview also provides clues in cases
of loss of nonverbal data and contextual data (Goodman-Delahunty, Martschuk, & Dhami, 2014). It
is essential to promote a comfortable, natural setting to gain the participant's confidence and support
while creating an asymmetric power relationship between the interviewer and the interviewee
(Robinson, 2014). Also, Robinson (2014) emphasized the importance of allowing the interviewee to
contribute to the study. The contribution sought from interviewees details their experiences,
interrogation.
When designing and researching a qualitative multi-case study, ethical standards need to be
adhered to during several phases of research, including ethical issues of sensitive information of
participants (Yin, 2017). Before the collection of data from selected participants, approval from the
Institutional Review Board (IRB) ensures ethical standards and requirements are implemented. Also,
a researcher requires specific conditions to allow access to their data (Nadal et al., 2015).
3.4.1 Instruments
The concept of the researcher within qualitative studies being the primary data collection
instrument is echoed by Råheim et al. (2016). Anleu, Blix, Mack, and Wettergren (2016) discussed
the role of being the primary data collection instrument, where the researcher is responsible for
collecting data in a natural setting to assist with performing data analysis that is both inductive and
deductive to establish patterns and themes. The cultural notions of authority and position within the
research relationship need to be taken into account (Probst, 2016). Qualitative data collection is
(Janghorban, Roudsari, & Taghipour, 2014). Semi-structured interviews have been noted as a valid
data collection instrument (Pezalla, Pettigrew, & Miller-Day, 2012). Open-ended questions were used
within the data collection instrument to stimulate more interaction with the participants.
Open-ended questions pave the way for case study researchers to
gather insights on specific issues under study (Yin, 2013). Through the use of semi-structured
interviews, researchers can uncover hidden facets of human and organizational behavior due to the
participants' openness in responding to interview questions as best they know how. Semi-
about the participants' expectations, views, and experiences (Izci, & Göktas, 2017). The use of semi-
structured interviews has been discussed by Thompson (2017) as enabling the researcher to gain
Using an interview protocol assists in increasing the reliability of case study research
(Yin, 2013). Member checking and thematic analysis aid in adding validity to the study (Comley-
White & Potterton, 2018). Posing the same interview questions in a sequence to research participants
helps to identify themes and allows for efficient data analysis and response comparison (Brédart,
Marrel, Abetz-Webb, Lasch, & Acquadro, 2014; Hermanowicz, 2013). Researchers, however, should
refrain from asking leading questions in interviews in a manner that leads to bias (Onwuegbuzie &
Hwang, 2014). In addition to asking the same questions and avoiding bias, multiple data sources
were used for methodological triangulation. Methodological triangulation increases the credibility,
reliability, and validity of the study (Yin, 2013). Multiple data sources that were used for this study
included utilizing publicly available security and privacy policies implemented in organizations.
Saunders and Townsend (2016) noted that efficient participant interviewing includes reporting,
justification, and the selection of several interview participants within an organization.
Archived data, such as documentation and recordings from interviews, provided qualitative research
data.
phenomenon in the study. The use of multiple data collection methods is necessary for the alignment
of data and essential for considering trends in data (Komisar, Novak, & Haycock, 2017). Wierenga,
Engbers, van Empelen, Hildebrandt, and van Mechelen (2012) added that methodological
triangulation enables researchers to probe for patterns within the data to develop overall
interpretations using multiple perspectives. An increase in confidence within the study findings is
evidenced through the researcher's use of multiple sources in the mitigation of research biases
Member checking was also implemented within the interview process to aid in research
validity and the reduction of bias. Member checking assures rigor with research case studies, as
discussed by Houghton, Casey, Shaw, and Murphy (2013). Member checking included providing
participants, via email, with a summarized interpretation of their interview responses. The summarized
interpretation enabled them to view my interpretation of their responses. Member checking provided
a researcher with an opportunity to ensure data saturation had been reached. Also, it enables a
researcher to seek participant’s verification of the accuracy of the interview response (Culver,
Gilbert, & Sparkes, 2012). Member checking is also utilized for quality control to verify and validate
data collected during the research interviews (Harper & Cole, 2012).
The primary data collection technique was a questionnaire, administered as a Google Form.
The open-ended questions encouraged conversation and captured the necessary data to
address the research question. Open-ended questions pave the way for case study researchers to
gather insights on specific issues under study (Yin, 2013). The interviewer encourages interviewees
to recall and report all relevant information they can remember (Vrij, Mann, Jundi, Hillman, & Hope,
2014). Researchers can use questionnaires to learn and understand participants’ experiences and gain
self-awareness and insight into the role they played during the research and how it benefitted them
The process of member checking to assure response validity was utilized. Member checking
assures rigor with research case studies (Houghton et al., 2013). A researcher performs member
checking to consider the accuracy of the participants’ interview responses (Harvey, 2015). Each
interview response was summarized for thematic analysis and member checking to illustrate
emerging themes from individual responses. Member checking is a technique for exploring the
credibility of results and provides the researcher with a means to test and fit their interpretation to
participants’ responses (Smith & McGannon, 2018). Data or results were returned to participants to
check for accuracy and resonance with their experiences. Participants were requested to comment on
the narrative summary to ensure their views were well understood. In the data analysis process,
feedback received from participants was incorporated, and themes that emerged in the study were
confirmed.
Each data collection technique has its advantages and disadvantages. Document reviews are
time-consuming to collect, review, and analyze (Owen, 2014). The advantage of document reviews is
their inexpensiveness, provision of in-depth, rich background information, and their ability to
highlight issues not yet discovered by other data collection methods (Wolfswinkel, Furtmueller, &
Wilderom, 2013). Elo et al. (2014) highlighted that the primary disadvantage of conducting interviews is
the risk of interviewer bias. However, interviews encourage participants to elaborate and discuss in-
The data collection for this qualitative multicase study was of responses by CISOs of small
organization techniques are used by researchers when managing data to ensure the reliability and
validity of a study (Martin & Meyer, 2012). Once the original questionnaire has been transcribed,
and member checking has occurred, the researcher establishes data credibility (Harvey, 2015).
Member checking provides a researcher with an opportunity to seek participant’s verification of the
accuracy of the interview response (Culver et al., 2012). A research log captures data to aid in the
examination of assumptions and actions thematic within the study (Wagstaff, Hanton, & Fletcher,
2013). This qualitative research organized data into categories that assisted in identifying
themes during data analysis (Merriam, 2014). Yin (2013) added that the identification of emerging
patterns, themes, and trends from questionnaires is the focus of data organization.
3.4.4 Data Analysis Technique
The objective of the data analysis process was for an evaluation of patterns and themes that
emerged during the interview process. Data analysis involves the application of principles such as
interview transcription, in-depth analysis of phenomena explored, data coding development, and the
identification of links to themes (Smith & Firth, 2011). Yin (2017) added that emerging patterns are
identified through analytical techniques, which result in the strengthening of the validity of the study.
The use of multiple sources of evidence in case study research allows the researcher to explore
various evidence and converging lines of inquiry (Yin, 2017). One such analytical technique is
strengthen the construct validity of the study (Morgan, 2019). Methodological triangulation involved
using more than one method to gather data, such as interviews, observations, questionnaires, and
documents.
Choosing the most relevant research participants to obtain detailed data mattered more than
sample size for reaching data saturation. Data analysis relied on data
saturation is reached. Fusch and Ness (2015) detailed data saturation to include (a) no new data
obtained, (b) no new themes identified, (c) no new coding, (d) the ability to replicate the study. The
data analysis process continued with an in-depth evaluation of themes and patterns that emerged
Reliability and validity eliminate bias and minimize errors within qualitative research.
According to Elo et al. (2014), there are four criteria to help ensure reliability and validity. These
criteria are dependability, credibility, transferability, and confirmability. Reliability and validity are
both crucial in qualitative research studies as they help ensure the data is trustworthy.
3.5.1 Reliability
The goal of establishing reliability is to eliminate bias in the research study and minimize any
errors (Cope, 2014; Noble & Smith, 2015). Reliability is the consistency of results obtained.
Reliability is a criterion for judging the quality of research study designs, with the logical test of the
research findings being data dependability (Yin, 2013). To establish reliability, researchers in
qualitative studies use dependability to focus on a measurement formed within a construct (Cope,
2014). The following section highlights the establishment of dependability of the study findings.
3.5.2 Dependability
remaining the same under different conditions. The researcher establishes dependability and
trustworthiness through reporting the content analysis obtained from the data collection method,
sampling strategy, and data analysis techniques selected (Hays, Wood, Dahl, & Kirk-Jenkins, 2016).
Thomas (2017) explained that the dependability of the data presented is reliant on the interaction
between the researcher, the research study, research data, and a high level of accuracy. Dependability
was achieved within this study through reviewing transcripts, member checking, and additional note-
3.5.3 Validity
Researchers aim to establish the validity of the research tool to ensure that the selected
instrument most relates to the construct of interest and will assist in answering the research question.
Validity aims to minimize errors, eliminate bias, establish integrity, and applicability of the methods
in use, all while ensuring precision in which the findings accurately reflect the data (Noble & Smith,
2015). According to Yin (2013), researchers ensure validity by focusing on the measurements
between constructs. Trustworthiness, credibility, and confirmability are logical tests guiding
qualitative research. Three criteria assist in judging the quality of research designs: construct validity,
internal validity, and external validity (Yin, 2013). Within a qualitative research study, these criteria
for establishing validity are in the form of credibility, transferability, and confirmability (Cope,
2014). The following sections discuss how credibility, transferability, and confirmability of the
3.5.4 Credibility
In qualitative research, the term credibility is used rather than validity. According to Cope
(2014), credibility refers to the truth of the data and the views of the participants. As researchers are
the research instruments, the credibility of the study is ensured through the dependence on the
procedures implemented and the researcher's self-awareness throughout the research process. Noble
and Smith (2015) listed methodological strategies used to ensure credibility in findings as a
3.5.5 Transferability
Qualitative researchers provide detailed descriptions of the research process, which the
readers use to determine the transferability of the study. According to Cope (2014), transferability
refers to the application of findings to other settings or similar groups. Purposive sampling is used to
enhance the transferability of findings (Maree, Parker, Kaplan, & Oosthuizen, 2016). The research
structure, which includes purposeful sampling and details, an outline of research assumptions,
limitations, and delimitations, provided sufficient context for determining the transferability of this
study by other researchers. Transferability is the ability to generalize research findings to a larger
population (Marshall & Rossman, 2010). Transferability is essential as it allows researchers in the
future to build on the study or develop a new theory (Elo et al., 2014). Transferability will be
achieved if the findings of a qualitative study are transferable to similar settings (Hays et al., 2016).
3.5.6 Confirmability
Confirmability is based on the confirmation of findings and logic of the data following its
analysis (Pozzebon, Rodriguez, & Petrini, 2014). Confirmability ensures the researcher represents a
participant’s response rather than the researcher's bias (Cope, 2014). Member checking of each
interview will ensure the validity of the research process and achieve confirmability (Hays et al.,
2016). The recognition of limitations of the study and audit trail enhances confirmability (Maree et
al., 2016). The development of an audit trail, which included note taking during the interview and
member checking, helped to foster confirmability that was used within this study.
CHAPTER FOUR
proposed methods from both the State of the Art and the State of the Practice perspective. A
comprehensive table was created to visualize the current Social Engineering Attacks, their
appropriate practical defensive methods, and the current State of the Art solutions and
propositions.
The taxonomy showed us that the combination of software and awareness is essential for
the defense of the students. Both state-of-the-art and state-of-the-practice give generally the same
4.2 Practice Defense Methods
TABLE 4.1: Taxonomy of Social Engineering Attacks and State of the Art and State of the
Columns: Social Engineering Attack | State of the Art Defense | State of the Practice Defense
[The table body did not survive extraction; only isolated cell fragments remain: "automated
spear-phishing recognition", "Permissions", "browser and user-agent", "about where the link will lead".]
4.3 Survey
The survey was answered by thirty-one individuals who match the profile of students. The
survey was open for one week. It is built around the Likert Scale, so the main questions are
Likert Items on which the respondents express their opinion on a scale from one to ten. Ten
represents "Strongly Agree with the statement" and one, the lowest value on the scale, represents
"Strongly Disagree with the statement". The structure of the survey, its contribution to the
knowledge, and the results are described below.
The logical road map of the survey can be seen below.
The reason for addressing this particular subsection regarding the online activities of the
participants was to assess the users' exposure to social engineering threats. By establishing the
time they spend online browsing, using email services and social media, we see for how long their
attack vectors are open, looking only at the technical side of social engineering and disregarding
the users' capability of mentally estimating and mitigating the risk. Furthermore, we wanted to
explore their general technical knowledge so that we could see whether they are able to apply the
different technical defense mechanisms found in the state of the practice.
4.3.2 Social Engineering - Education
This subsection of the survey was shown only to respondents who had taken part in formal
education covering social engineering defense techniques. It was in the interest of the research to
understand whether the respondents found participating in such seminars or lectures beneficial for
defending themselves from social engineering attacks. The questions relate to the quality of the
education as well as to the impact it had on the respondents who participated in it.
The section was designed specifically for the category of social engineering knowledge,
which differs from the respondents' overall computer and smartphone knowledge. Its main purpose
is to assess whether the respondents have already applied some tactics to mitigate the risk of
social engineering attacks, as well as to establish whether the respondents are aware of
That particular section of the survey is provided for the respondents who have been attacked in
the past by means of social engineering. The respondents assess the impact the attack had on them
in terms of financial, material, and immaterial damage. Additionally, the respondents assess whether
the attack made them more vigilant against its next occurrence.
The scenarios are the last part of the survey. Each respondent has the opportunity to test
the awareness they currently possess regarding social engineering defense. The respondents are
presented with four scenarios, some of which actually are social engineering and some of which are
not but could potentially be. There are two emails, one of which represents the
Additionally, the scenarios cover a broader range of categories: there is a Smishing scenario and a
URL shortener scenario. By completing the scenarios the respondents provide another angle for the
research on whether users are actually informed about the different attack taxonomy and whether
they suspect the different attack vectors when it comes to the attack's execution.
Figure 4.2: Scenario 2
Figure 4.4: Scenario 4
The raw data has been extracted and presented in appendices C and D. The data has been
put into two tables. The first gives the statement/question number along with the numerical mean
value of the responses or the percentage of respondents who answered in a specific way. The other
gives the statement or question number along with the question itself, so that readers know how the
survey was conducted and what the respondents answered. The data can be seen in the different
parts, and the tables that can be observed have:
Table 4.2: Statements and Questions Presented as Likert Items
Question Number | Statement / Question
[Only two rows of this table survived extraction:]
15 | I use security plugins in my browser whenever applicable.
30 | Have you fallen victim to a Social Engineering/Phishing attack in the past?
Table 4.3: The Mean Values along with the Standard Deviation
Number   Mean (or positive answers percentage)   Standard deviation (or negative answers percentage)
1        8.75                                    1.3
2        8.58                                    1.39
3        8.68                                    1.64
4        8.52                                    1.83
5        6.49                                    2.14
6        3.84                                    2.72
7        5.2                                     3.13
8        7.1                                     3.15
9        7.23                                    2.19
10       8.26                                    1.87
11       8.13                                    1.98
12       5.07                                    2.74
13       6.17                                    3.26
14       3.07                                    2.48
15       4.42                                    2.76
16       6.33                                    2.52
17       5.62                                    2.41
18       19.4%                                   80.6%
19       7.34                                    2.8
20       7.5                                     3.25
21       4.13                                    3.96
22       4.2                                     3.22
23       3.97                                    2.85
24       5.36                                    2.13
25       3.94                                    2.97
26       4.81                                    2.94
27       8.33                                    2.94
28       4.36                                    2.15
29       2.33                                    1.68
30       90.3%                                   9.7%
31       66.7%                                   33.3%
32       1                                       1
33       1.34                                    0.48
34       4                                       1.64
35       2.75                                    2.72
36       2.23                                    1.93
37       6.49                                    3.25
38       4.07                                    2.94
The survey starts with a section meant to profile the respondents, so that conclusions can be
drawn and the findings generalized to individuals who match different profiles. The survey was
structured in this manner so that we could gauge the awareness levels of people who are less
experienced with computers and related devices and compare them with the awareness levels of
people who are more experienced. This allowed us to see whether the people who rated their own
knowledge of computers and networking highly are more aware of social engineering attacks than
people who did not. It would also allow us to see whether more experienced individuals are able to
recognize legitimate and fake emails when tested in the scenario section of the questionnaire. The
questionnaire begins with a general internet and computer knowledge assessment, in which the
respondents rate themselves using Likert items on a scale from 1 to 10, where 1 represents
“Strongly Disagree” and 10 represents “Strongly Agree”. The first question in this section begins
the profiling process that continues throughout the section and which we hope allows us to
distinguish between advanced and less advanced users. For the first statement, “I spent a great deal
of time browsing on my devices”, all the respondents answered between 6 and 10 on the scale, with
most answering 10, corresponding to 41.9% of the respondents. Similarly, for the second statement,
“I spend most of my time on my devices on a social media platform”, all the respondents answered
between 6 and 10 on the scale, with the largest group, 38.7%, strongly agreeing with the statement.
For the next statement, “I spend a great deal of time online”, the responses were a bit more spread
out; however, all the respondents remained above 5 on the scale, with the majority answering 9 or
10, making up 29% and 41.9% of the responses respectively. For the next statement, “I use email,
and related services, regularly”, the responses were also more spread out than we had expected, but
the majority agreed with the statement, with 45.2% of the respondents replying with a 10 on the
scale.
The responses to the next statement, “I attempt to make my passwords as long and complex as
possible”, were also spread out over the scale, with all the respondents answering between 3 and 10
and the largest group, 29% of the total responses, answering 7. The next statement was also related
to password security: “I try not to use the same password on different services”. The responses to
this statement were very dispersed, ranging from 1 to 10 on the scale, although the largest groups
answered 1 and 2, with response percentages of 22.% and 25.8% respectively. After gaining a sense
of the users’ regular habits in relation to computers and online services, we presented them with
statements about their online security habits and sought to gauge their awareness of different
security services and methods, as well as how they perceive their own knowledge of computer
science-related topics. The first statement in this subsection of the questionnaire was “I attempt to
employ Two Factor Authentication (2FA) whenever applicable”, and again the answers were
scattered across the scale; however, the largest group, 22.6%, replied with a 1. For the next
statement, “I am aware of what a ‘URL shortener’ is”, the largest group of answers was a resounding
10, corresponding to 38.7% of the registered answers. In the next section, we asked the users how
they perceive their own experience and knowledge when it comes to computers. The first statement
here was “I am knowledgeable when it comes to personal computers”, and the two largest groups of
answers were 7 (22.6%) and 10 (22.6%). For the next statement, “I am experienced when it comes
to the usage of the internet”, most of the respondents answered with a 10, corresponding to 35.5%
of the responses. For the next statement, “I am knowledgeable when it comes to smart devices”, the
responses resembled the previous two
statements, with most of the respondents replying with either a 9 (29%) or a 10 (29%). When
statements about their usage of security tools were presented, the responses were also quite spread
out. The statement “I use a Virtual Private Network (VPN) service whenever applicable” gained
mixed responses ranging all the way from 1 to 10, with the largest group, 16.1%, answering 3. The
following statement, “I use an Anti-Virus”, also received a mixed response, but the largest groups
were quite high on the scale, with 19.4% responding with a 9 and 22.6% responding with a 10. The
next statement, “I use advanced operating systems (Linux-based, FreeBSD, etc.) on a regular
basis”, had quite low responses, with 38.7% of the respondents answering 1. By an advanced OS we
mean an operating system that has advanced networking capabilities and is generally harder for an
average user to operate. The next statement was “I use security plugins in my browser whenever
applicable”, whose responses were again scattered across the scale, with the largest groups being
the respondents who replied with 1 (25.8%) and those who replied with 5 (16.1%). The next
statement was about browsers and reads “my choice of browser is very important to me”; 25.8% of
the respondents replied with a 7, and the second-largest group, 16.1%, replied with a 10. The final
statement in this section, “I regularly back up any data present on my devices”, gained quite high
responses, with the two largest groups, 19.4% each, corresponding to 6 and 7. In the next section, a
yes or no question is presented to the users. It was meant to separate the respondents based on
whether they had participated in some form of social engineering awareness course or training
program. Most of the users had not, with 80.6% responding “No” to the question
“Have you taken part in any social engineering defense training courses/seminars?”. The
questions in the following section were only displayed to respondents who replied “Yes”, so there
were fewer responses overall. The first statement in this section was “the course/seminar was useful
and taught me about good mitigation strategies for Social Engineering attacks”; of the 6
respondents, 33.3% answered with a 7 and another 33.3% answered with an 8. The next statement,
“the information in the course/seminar was practical and can be applied in real-life scenarios”,
gained a mixed response spread out over the scale; however, the largest group, 33.3%, responded
with a 10.
Following the section about social engineering training and programs, all the respondents
were gathered once again and prompted to reply to questions based entirely on the findings of our
literature review on social engineering and social engineering attacks. The first statement in this
section was “I am aware of what a Social Engineering attack is”, where the largest groups of
responses were 5 (19.4%), 1 (16.1%) and 10 (16.1%). The responses to the following statement, “I
am aware of the different forms that Social Engineering attacks can take”, were mixed, with most
of the responses on the low side of the scale and the largest group, 35.5%, answering 1. The
statement “I know how to defend myself from Social Engineering attacks” also gained quite a low
response, with the two largest groups, 22.6% and 29%, answering 1 and 3 respectively. The next
statement, “I am aware of what my most valuable digital assets are”, had a much more spread-out
response, with answers registered at every point on the scale. The largest group of responses for
this statement was 5, chosen by 16.1% of the respondents; however, there were other significant
groups, with 12.9% responding with 1, another 12.9% with 2, a third 12.9% with 7 and a final
12.9% responding with 9. The largest group of responses, corresponding to 41.9% of the
responses, answered 1 on the scale. The statement “I am aware of the impact that Social
Engineering attacks can have” was next, and the responses showed that most respondents are not
aware, since 19.4% of the answers were 1. The next statement differed in its response, with a
majority of the respondents, 51.6%, replying with 10. For the next statement presented to the
respondents, “I tend to share a great deal of personal information online”, the responses were also
spread over the scale, with the largest group of answers, 29%, being 3. The next statement, “I trust
pop-up advertisements on websites”, gained a low response, with the majority, 54.8%, replying
with a 1. The final question of this section was also a yes or no question; respondents who
answered “Yes” were sent to a separate subsection of the questionnaire where specific information
was gathered. The question was “Have you fallen victim to a social engineering attack in the
past?”, and a large majority, 90.3%, responded with “No”. The respondents who said that they had
fallen victim to a social engineering attack were sent to a subsection asking about the specifics of
the attack. In this subsection, the first question was also a yes or no question, “was the context of
the attack related to Hacking?”, where a majority, 66.7%, answered “No”. The statements then
return in this subsection, the first being “The attack resulted in a loss of sensitive/personal
information”, where 100% of the respondents replied with a 1 on the scale. The next statement,
“the attack resulted in financial damage”, also had low results, with 66.7% of the respondents
replying with a 1 and 33.3% with a 2. The final statement in this subsection was “the attack made
me more vigilant about these types of cyber-crimes”, where the responses were quite
evenly distributed, with 33.3% replying with 2, another 33.3% with 4, and a final 33.3% with 6.
The final section of the questionnaire presented the respondents with images corresponding to
specific phishing attack attempts, as can be seen in Figures B.1, B.2, B.3 and B.4. The respondents
then rated how legitimate they think the content of each image is. For example, if an SMS message
was displayed in the image, the respondents rated, on a scale from 1 to 10, how legitimate they
think the SMS is. The first statement was “I would trust this link to lead me to the actual Facebook
website”, presented with an image showing a legitimate Facebook link. Many of the respondents,
64.5%, replied with a 1 on this statement. For the next statement, “I think that this message is
legitimately from Apple”, the majority, 54.8%, also replied with a 1. The penultimate statement
showed an image of an email with the statement “I think that the email in the image is legitimate”,
and 19.4% of the respondents replied with a 1. The final statement, “I think that the email in the
image is legitimate”, had an evenly distributed response
After the raw data was gathered, an analysis was conducted and compared primarily with
related research and with the advice from the theoretical knowledge chapter. The first four
statements of the survey and statement eight explore the users’ exposure to the different technical
vectors and tools that attackers exploit when executing social engineering attacks of various sorts.
According to the statistics calculated after collecting the answers, the respondents unanimously
reached the high end of the scale, averaging 8.63 on the four questions with a standard deviation
averaging 1.54, which shows that the students spend a great amount of time online and are
constantly exposed to the vectors used by attacks such as phishing, smishing and different pop-up ads.
Statements five and six, which were related to passwords, were included to gather insight into
the users’ behavior regarding password use. On the first statement, about password complexity,
the respondents state that they attempt to make complex passwords that are harder to crack;
however, on the next statement, about whether they share the same password between different
devices and platforms, the majority state that they reuse the same password, which could imply that
if one device is breached the attacker will have access to the others. This could lead to major
security issues for the users and is something
On the seventh Likert item the respondents are asked whether they employ 2FA (Two-factor
Authentication). In 4.1 we can explore the students’ answers. The highest count of answers is at the
minimum value on the scale. This directly contradicts the advice given regarding the layers of
defense the user should have in place. The same source states that it is a must for the user
Figure 4.5: Results from the statement: "I attempt to employ Two Factor Authentication
The users’ self-assessment was high: they mostly stated that they are knowledgeable when it
comes to personal computers and smartphones. However, only 1 answer with the maximum value on
the scale was given for advanced OS usage, while the rest were predominantly small values in the
lower half of the scale, which can indicate that although the users are familiar with their own
devices, they are not considering the capabilities that different operating systems can have.
Particularly interesting were the answers in statements "I use security plugins in my browser
The respondents stated that they rarely use security plugins in their browsers, which could
imply that they are more vulnerable on the technical side of general security and, furthermore, of
social engineering. However, the value pointing to the importance of their browser choice has a
relatively lower standard deviation than we expected. That can be associated with the users’ will to
increase their privacy combined with a lower knowledge of the different options and possibilities.
Statement seventeen established the users’ perception of backups. It is common knowledge that
backups are important to ensure that lost data can be quickly recovered. It is seen in Fig.4.2 that
most people stated that they tend to create and
Figure 4.6: Results from the statement: "I regularly back up any data present on my devices."
According to the survey, as can be seen in Fig.4.3, only six out of thirty-one individuals
took formal education. However, in the following statements regarding the education, all
respondents stated that the education is useful and applicable in their everyday device usage.
Figure 4.7: The percentage of the respondents who have participated in formal education
On the statement about whether the respondents use a plugin that prevents phishing, it can
be seen in Figure 4.4 that the vast majority answered with the minimal value of one on the scale,
while the other answers were equally dispersed, meaning that most answers were in the lower half
of the scale, which indicates that the users are not aware of the defense layer that the said
Figure 4.8: Anti-Phishing plugin usage throughout the survey respondents
The students proved to be extremely careful with unknown links. On the question of
whether they would open an unknown link, sixteen of them stated that they are extremely
cautious while only one stated the opposite, as can be seen in Fig. 4.5. The result corresponded
with the scenario that came later in the survey and put their awareness to the test. The link
scenario results can be seen in Fig. 4.6 and show that twenty people would be on the highest alert
when it comes to opening unknown links. Although the earlier statement about URL shorteners
indicated that the respondents do not know the taxonomy, when the matter was more practical they
reacted properly and most of them were able to mitigate the risk presented to them.
Figure 4.9: The students response to whether they are cautious when opening links
Figure 4.10: Results from the statement: "I trust this link to lead me to Facebook"
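The unknown-link statement and the URL shortener scenario both come down to whether a user looks at where a link actually leads before trusting it. The following is an added example written for this page, not code from the thesis: it shows the checks an end user, or the browser security plugin the survey asks about, can apply to a link without opening it, namely the scheme, whether the host is a bare IP address, whether the host is a known shortener whose destination stays hidden, and whether the registrable domain at the end of the host name belongs to the brand the message claims. The shortener list and the brand-to-domain mapping are constructed sample data, and the registrable domain is approximated by the last two labels of the host name (an assumption; real tooling would consult the Public Suffix List).

```python
"""Red-flag checks on a link before it is trusted.

Added example for this page, not code from the thesis. The shortener list and
the brand-to-domain mapping are constructed sample data, and the registrable
domain is approximated by the last two labels of the host name (an assumption;
real tooling would consult the Public Suffix List).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data for the example.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
BRAND_DOMAINS = {"facebook": "facebook.com", "apple": "apple.com"}


def registrable_domain(host):
    """Approximate the registrable domain by the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part of the URL is a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url, claimed_brand=None):
    """Return the red flags found in a URL; an empty list means none were found.

    claimed_brand is the organisation the message says the link belongs to
    (e.g. "facebook" for the survey's Facebook link scenario)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []

    if parts.scheme != "https":
        flags.append("link is not HTTPS")
    if is_ip_literal(host):
        flags.append("host is a bare IP address rather than a domain name")
    if host in KNOWN_SHORTENERS:
        flags.append("shortened link: the destination stays hidden until it is expanded")
    if claimed_brand:
        expected = BRAND_DOMAINS[claimed_brand.lower()]
        # Only the registrable domain at the END of the host name decides who owns the page;
        # a brand name earlier in the host or in the path says nothing about the owner.
        if registrable_domain(host) != expected:
            flags.append(f"host '{host}' does not belong to {expected}")
            if claimed_brand.lower() in url.lower():
                flags.append(f"'{claimed_brand}' appears in the link only as a decoy")
    return flags


if __name__ == "__main__":
    # Constructed links; the first mirrors the survey's legitimate Facebook link scenario.
    samples = [
        ("https://www.facebook.com/login", "facebook"),
        ("https://bit.ly/3abc", None),
        ("http://facebook.com.account-verify.example/login", "facebook"),
        ("https://203.0.113.5/login", "facebook"),
    ]
    for link, brand in samples:
        found = inspect_link(link, brand)
        print(link, "->", "no red flags" if not found else "; ".join(found))
```

The shortener check is deliberately conservative: it does not fetch the link, it only tells the user that the visible address is not the destination and that the link should be expanded (or avoided) before it is trusted, which is the behaviour the link scenario rewards.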
When it comes to the spear-phishing threat, we looked at the OSINT capabilities of the
attacker and the defense tactic of users not sharing a lot of personal information online. The
answers about sharing personal information publicly, as can be seen in Fig.4.7, were mostly in the
negative part of the scale, which implies that attackers would have a hard time finding information
about the users if they used OSINT methods to gain initial contact. However, as we saw in Fig. 4.3,
a very small number of users have formal education. That does not necessarily mean that they are
not aware; it depends on the individual’s interest in this field or the will to improve their general
cyber-security and privacy. It is, however, well-advised for users to keep a constantly updated
picture of the current phishing and spear-phishing scam scenarios and to inform themselves through
formal education such as seminars or simply by reading.
Figure 4.11: Results from the statement: "I tend to share a great deal of personal information online."
For the pop-up ads, the respondents unanimously gave low scores on the scale. As Fig. 4.8
shows, only two individuals gave a value of six, which is also the only value in the upper half of
the scale, while the rest gave lower values, thus showing themselves rather safe from the
psychological effect that malicious ads have on users. As the main method of defense is awareness
on the end-user side, the survey’s respondents in this case gave a sign that they are quite cautious.
Figure 4.12: Results from the statement: "I trust pop-up advertisements on websites."
The scenario containing the illegitimate email proved to be recognized among the
respondents, and the majority correctly did not trust the illegitimate email, as can be seen in Fig.
4.9. Although they are not particularly computer-savvy, we suspect that they have already seen a
message that was possibly phishing, spam, or a scam, or that a relative or a friend told them about a
similar experience, and thus the students built a portion of the awareness
Two-thirds of the students could also tell which was the real email. As can be seen in 4.10, the
users mostly assigned values corresponding to "Agree" to "Strongly Agree" on the Likert Scale.
This can also be a result of their self-taught knowledge; additionally, they were able to recognize
the signs of legitimate and malicious mail and tell them apart.
To gain more insight, the answers were explored on a per-individual basis for the email
scenarios, where we focused on the individuals who gave the two extremes, "Strongly Agree" and
"Strongly Disagree". Six individuals indicated that they did not trust either email to be legitimate,
showing that they were either unsure or extremely cautious. In addition, seven respondents gave
quite precise answers by assigning values of eight, nine, and ten to the legitimate email and values
in the range of one to three to the malicious email. That can be read as them knowing precisely
which message was real and which was malicious, and we thus conclude that at least 22.5% of the
students were aware of phishing and a further 19.3% were overcautious. As we saw in the
Theoretical Knowledge chapter, that is not necessarily bad and does not mean they are less
protected than those who could tell the real one from the phishing one.
Building on that, we also examined closely the answers to the smishing scenario on a
per-individual basis. The same students who could precisely point out the real and the fake emails
were checked to see whether they also identified the smishing attack and concluded that the SMS
was not authentic. Out of the seven respondents, six also pointed out precisely that the SMS is not
authentic, and the same six individuals who considered both emails malicious also indicated that
the SMS is not authentic. That could be interpreted as them being extremely cautious: they could
not tell the messages apart but nevertheless decided not to trust them.
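The summary statistics behind Table 4.3 (means and standard deviations for Likert items, positive and negative percentages for the yes/no questions, and the averaged 8.63 and 1.54 exposure figures quoted earlier in the analysis) and the per-individual scenario bands used in the two paragraphs above can be reproduced with a short script. The following is an added example written for this page, not code from the thesis: the response rows are constructed, and the cut-offs of 8 and above for "Agree" and 3 and below for "Disagree" are assumptions standing in for the thesis's eight-to-ten and one-to-three bands.

```python
"""Scoring Likert-scale phishing-awareness survey data.

Added example for this page, not code from the thesis. The response rows are
constructed; HIGH and LOW are assumed cut-offs standing in for the thesis's
"eight, nine and ten" and "one to three" bands.
"""
from statistics import mean, pstdev

HIGH = 8   # assumed: 8, 9, 10 count as "Agree" / "Strongly Agree"
LOW = 3    # assumed: 1, 2, 3 count as "Disagree" / "Strongly Disagree"

# Constructed responses, one tuple per respondent, each value 1..10 on the Likert
# scale: (legitimate email is legitimate, malicious email is legitimate,
# SMS is legitimately from Apple).
SCENARIO_RESPONSES = [
    (9, 2, 1), (10, 1, 2), (8, 3, 1),   # trust the real email, reject fake email and SMS
    (1, 1, 1), (2, 3, 1),               # reject everything
    (2, 9, 8),                          # trust the fake, reject the real
    (5, 6, 5), (6, 4, 7),               # mid-scale, no clear verdict
]

# Means and standard deviations of statements 1-4 as reported in Table 4.3.
EXPOSURE_ITEMS = {1: (8.75, 1.3), 2: (8.58, 1.39), 3: (8.68, 1.64), 4: (8.52, 1.83)}


def likert_summary(values):
    """Mean and population standard deviation of one Likert item."""
    return mean(values), pstdev(values)


def yes_no_summary(answers):
    """Percentage of 'Yes' and 'No' answers, rounded to one decimal as in Table 4.3."""
    yes = sum(1 for a in answers if a == "Yes")
    total = len(answers)
    return round(100 * yes / total, 1), round(100 * (total - yes) / total, 1)


def exposure_aggregate(items=EXPOSURE_ITEMS):
    """Average the per-item means and standard deviations (the 8.63 / 1.54 figures)."""
    means = [m for m, _ in items.values()]
    sds = [s for _, s in items.values()]
    return mean(means), mean(sds)


def classify(legit, malicious):
    """Put one respondent's two email-scenario answers into an awareness band."""
    if legit >= HIGH and malicious <= LOW:
        return "precise"        # told the real email from the phishing one
    if legit <= LOW and malicious <= LOW:
        return "overcautious"   # trusted neither email
    if legit <= LOW and malicious >= HIGH:
        return "reversed"       # trusted the phishing email, rejected the real one
    return "indecisive"         # mid-scale answer on at least one email


def scenario_report(responses=SCENARIO_RESPONSES):
    """Count respondents per band and check whether the cautious bands also rejected the SMS."""
    counts = {"precise": 0, "overcautious": 0, "reversed": 0, "indecisive": 0}
    rejected_sms = {"precise": 0, "overcautious": 0}
    for legit, malicious, sms in responses:
        band = classify(legit, malicious)
        counts[band] += 1
        if band in rejected_sms and sms <= LOW:
            rejected_sms[band] += 1
    total = len(responses)
    pct = {band: round(100 * n / total, 1) for band, n in counts.items()}
    return counts, pct, rejected_sms


if __name__ == "__main__":
    counts, pct, sms = scenario_report()
    for band in counts:
        print(f"{band:12s} {counts[band]:2d}  {pct[band]:5.1f}%")
    print("rejected the SMS too:", sms)
    print("exposure aggregate (mean, sd):", exposure_aggregate())
    print("statement 18 yes/no %:", yes_no_summary(["Yes"] * 6 + ["No"] * 25))
```

`scenario_report` is the reusable piece: the same rule set can be run over any later awareness survey that pairs a legitimate and a malicious scenario, and the "reversed" band is the one that matters most for a defender, since those respondents trusted the phishing message while rejecting the real one.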
We cannot give an absolute verdict that the aforementioned students are fully safe, but we
can say that they have higher awareness and a better perception of what is a real attack and what is
not than the full set of respondents, and that is what makes their security a little better than the
rest. The people who were not mentioned either said that the malicious email was real and the real
one was not authentic, or gave indecisive opinions within the middle range of the Likert Scale,
which showed that they could not spot
4.6 Interview
An interview was conducted with a highly qualified expert in the IT field who is a currently
working practitioner. The expert is a Lead Administrator of a large public organization with years
of practical experience and is responsible for investigating and mitigating social engineering
attacks. The interview consolidated the state of the practice by providing a real-world practical
angle on the current situation with social engineering. Additionally, it helped in matching the state
of the attacks and defenses with the related research. Despite the expert’s best effort to answer all
of the questions, some of them proved to be a security issue and their answers were omitted from the
The question was more related to the attacks, as it aimed to see how the network takes part
in an attack: is it the host of an attack or is it being attacked? The respondent stated that it is both,
but so far the IT team has managed to stay on top of the attackers despite the constant attempts to
breach.
On the question "Does the organization provide options for MFA (Multi Factor
Authentication), and are there any multi-layered defenses in place in order to prevent phishing?",
the expert states that the organization provides MFA and the employees are advised to use it,
which corresponds with the current defense methods found in the state of the practice research.
Regarding the behavior of the organization’s employees when a suspicious email arrives, they
report it directly to the response team even if the software they use says the email is legitimate,
and additionally they report all events that seem potentially
seminars and training aimed at educating the employees who are not in the IT sector about the
risks of social engineering attacks as well as the attackers’ goals and behavior. The expert also
adds that the internal training and education are kept up to date and that public media has also had
a direct positive impact on awareness. Furthermore, there are routines, which were not disclosed,
that help thwart the attacks. On the question of how many attacks were successful, the expert did
not disclose this due to risk considerations for the organization’s security. The respondent,
however, assured us that there are routines and measures taken so that the attack’s vector is closed
to further exploitation. Finally, on the question of whether the attackers were pinpointed and
caught, the expert again stated that this information is confidential to the organization’s IT team
and that releasing any information on whether and how they pinpointed the perpetrator would
undermine their IT security.
The interview was in the form of education and training. The answers that the respondent
provides regarding the usage of MFA align with the advice given by the different sources from the
State of the practice research. The IT team in the organization encourages the usage of MFA as an
extra layer of defense against different cyber-attacks and system exploits. Awareness in the
organization is increased through different training, seminars, and other internal education, which
correlates with the advice for combating social engineering in both the state of the art and the
state of the practice. The training received within the organization also includes a routine
whereby, if a suspicious email arrives, even if the software they use marks it as legitimate, the
employee still escalates the case to the response team and the IT support so that an extra check is
conducted. It is beneficial for the users and employees to follow the routines and training that are
established, and the attacks that are thwarted are a sign that the non-technical layers of defense are
just as important as the technical ones.
The research questions were answered in the results chapter. The taxonomy provided at
the beginning of that chapter can be seen as the answer to the first research question. The
survey results and analysis directly answer the third question, while the interview and the
taxonomy answer the second. The taxonomy provided good guidelines on what the mitigation
tactics are, and this was further confirmed by the expert's opinion.
CHAPTER FIVE
5.1 Conclusion
In conclusion, in this paper we answer the research questions that were posed at the start
of the research project. We have outlined and given a taxonomy of a variety of solutions and
defensive mechanisms that can be applied to students' everyday online activity and used to
protect them from social engineering attacks. Additionally, we looked at state-of-the-art and
state-of-the-practice solutions to determine whether any gap existed between the two and which
of them offers the most effective and practical solutions.
Research Question 1: What is the Taxonomy of Modern Social Engineering Attacks? The
taxonomy that was extracted from the theoretical knowledge chapter can be explored in Table
4.1. It covers the majority of modern social engineering attacks that the attacker executes using
technology as a vector, since this was the scope to which we limited our exploration of the
different attacks. The taxonomy consists of attacks such as Phishing, Spear-Phishing,
Research Question 2: What are the Different Scientific and Practice-Based Defense
The appropriate defensive methods can also be seen in Table 4.1. The methods were gathered
comprehensively and reflect both state-of-the-art and state-of-the-practice solutions and methods,
as discovered during the literature review of state-of-the-art and state-of-the-practice literature.
Furthermore, they give concrete advice and applicable solutions on how to counter and combat
modern social engineering attacks. The advice presented is further confirmed
Research Question 3: How Aware are Students of these Forms of Attacks, and how well can
The questionnaire gave a good insight into the users' mindset regarding these attacks. The results
showed that people do not know the particular taxonomy or the names of the attacks, nor the
range of defenses they apply, but nevertheless they generally strive to achieve better security.
Additionally, the scenarios at the end of the survey gave higher than anticipated results and
showed that the majority of students have a good level of common sense,
5.2 Recommendations
2. Some general recommendations can also be made in order to allow people to better
protect themselves from falling victim to such an attack, as presented in. These include,
but are not limited to: using more secure browsers when navigating the web, only
downloading authorized apps from verified locations such as an app store, and typing
out the entire URL that one has received before opening it directly, in order to check
whether the URL is legitimate and leads to the place it claims to.
3. There are a number of technical prevention methods that can be used, all resembling the
ones that have been recommended for defending against regular phishing attacks, such as
an intrusion detection and prevention system, network monitoring tools in order to see
any suspicious activity on the company's network and devices, and anti-phishing
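As an added example of the URL check recommended in item 2 above (not code from the thesis), the Python below parses a received link and reports the features that most often distinguish a lookalike link from the real site: a non-https scheme, credentials before an `@` in the authority, a bare IP address, a punycode label, the expected domain appearing only as a sub-label of some other domain, and a registered domain within a small edit distance of the expected one. The `expected_domain` parameter, the heuristics and thresholds, and the sample links are assumptions constructed for this illustration.

```python
"""Offline checks a recipient can run on a received link before opening it.

Added illustration for the recommendation above, not code from the thesis.
The heuristics, thresholds and sample links are assumptions made for the
example.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot lookalike domains such as 'paypa1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host (assumption: a production check would use
    the Public Suffix List so that names like 'example.co.uk' are handled)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url: str, expected_domain: str) -> List[str]:
    """Return warnings for a received URL; an empty list means no heuristic
    fired, which is not proof that the link is safe.

    expected_domain is the registered domain of the organisation the message
    claims to come from, e.g. 'bank.example'.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None:
        # 'https://bank.example@other.example/' actually opens other.example
        warnings.append(f"text before '@' is ignored; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label; possible homograph")
    if host.count(".") >= 4:
        warnings.append("unusually deep subdomain chain")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address rather than a domain name")
        return warnings  # no domain comparison makes sense for an IP literal
    except ValueError:
        pass

    reg = registered_domain(host)
    if host and reg != expected:
        if expected in host:
            # e.g. 'bank.example.verify-account.invalid' is NOT bank.example
            warnings.append(f"'{expected}' appears only as a sub-label of {reg}")
        elif _levenshtein(reg, expected) <= 2:
            warnings.append(f"'{reg}' is a lookalike of '{expected}'")
        else:
            warnings.append(f"host {reg} does not belong to {expected}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links for the demonstration; none is a real message.
    samples = [
        ("https://www.bank.example/login", "bank.example"),
        ("http://bank.example.verify-account.invalid/login", "bank.example"),
        ("https://bank.example@198.51.100.7/login", "bank.example"),
        ("https://paypa1.example/signin", "paypal.example"),
    ]
    for link, expected in samples:
        print(link, "->", inspect_url(link, expected) or ["no warning"])
```

The point of the check is that the host that will actually be contacted is whatever `urlsplit` reports as `hostname`, not the text a person reads at the start of the link; the first sample produces no warning, while the other three each trigger at least one. The comparison against an expected domain mirrors the recommendation's advice to type the URL out and confirm that it leads where it claims to.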