Evaluating Contemporary Digital Awareness Programs For Future Application Within The Cyber Security Social Engineering Domain
All content following this page was uploaded by Hussain Aldawood on 16 January 2020.
International Journal of Computer Applications (0975 – 8887)
Volume 177 – No. 31, January 2020
Published before the year 2014.

3. DISCUSSION

3.1 Traditional Awareness Programs
Today, social engineering has emerged as a primary threat and is considered an entry point for most other significant cyber-attacks. When it comes to attacks that pose a threat to an information system, a tactical and a strategic weapon to mitigate the risk is to provide physiological enhancement to employees in the form of awareness programs on inter-functional and the intra-functional aspects [6]. Awareness in our study refers to the knowledge among the members of organizations with respect to the protection of critical information and their physical assets. This also includes acknowledging that external parties can deliberately steal, damage or misuse data relating to organizations [8]. Until the early 2000s, traditional methods were popularly employed by organizations as a means of keeping their employees abreast of various social engineering attacks. These traditional methods typically included onsite training and awareness camps, screensavers, posters, manual reminders or, in some cases, online e-learning courses [9]. However, the major problem with these traditional awareness methods was that they were not interactive and dynamic. Moreover, these traditional programs generally adopted a generalized approach rather than emphasizing the different manipulation techniques adopted by attackers. Further, they were conducted in a completely formal setting, which had certain limitations such as lack of employee engagement [10]. As mentioned in [11], traditional awareness programs like printing posters and warning messages in the form of screensavers only provided basic awareness regarding such attacks. However, when faced with such attacks in real life, employees usually fail to recognize them due to the lack of practical exposure.

Another shortcoming of traditional awareness programs is their inability to consider the behavioral aspect of employees, such as their tendency to trust, which is the key to manipulation by social engineers. Moreover, it has been argued in the literature that the perception of threats is subjective, which is not explored in traditional awareness programs [12]. Furthermore, uncertainty in the mode of these attacks has come up as a major challenge. For instance, in spite of spending hours undergoing traditional awareness programs, it has been found that employees find it hard to curtail their curiosity in opening suspicious links and emails. Thus, there is an urgent need for advanced awareness methods to better handle the problems of social engineering [13]. Social engineering is dynamic, as newer methods of attack are constantly being devised. Therefore, new mechanisms to tackle them are mandated.

Modern awareness programs
Due to the various shortcomings of traditional awareness programs, several modern awareness programs are now being explored and applied by different organizations. These modern security awareness programs involve a much more creative approach than the old posters and training sessions.

Some of the modern security awareness programs are online awareness approaches that include e-mail broadcasting, online synchronous and asynchronous discussions, information uploading or animation, and blogging [11]. Recently, many organizations have developed internal blogs to keep their employees informed regarding forms of social engineering threats. Examples include eBay’s online tutorial on email spoofing and Microsoft’s phishing tutorials [14]. Another modern awareness program that is adopted by organizations is called WBT, which is a web-based computer security awareness program. This WBT involves user-friendly and flexible modules through which users can increase their security awareness at their own pace. It also provides organizations with flexibility in spreading awareness of organization-wide standards among employees. Security alert messages have also come up as an alternative way of raising awareness levels among employees [15].

Another popular awareness program is a simulation-based security awareness program, under which employees are sent simulated phishing emails to test their awareness and vulnerability to social engineering [16]. Additionally, game-based awareness programs have evolved as a new strategy in organizations against social engineering. The traditional methods, which lacked the scope to engage employees, were ineffective; however, game-based methods are meant to be more fun and engaging. They are emerging as an effective tool to increase employees’ security awareness. A good example of those game-based methods is the cyber security requirement awareness game (CSRAG). This game-based tool is designed to make employees aware of the concepts of security, threats, various ways of identifying the threats, and possible solutions to help them safeguard their intellectual property. To achieve better awareness levels, the players are required to play the game multiple times because one session is insufficient to grasp the basics thoroughly, whereas multiple game sessions can unfold various lessons for employees [17].

Additionally, another such game-based awareness program is called Securix, which is a 3D phishing attack awareness game developed in order to enhance social engineering skills. This game is popular among many organizations today due to its effectiveness in developing awareness on three aspects, including manipulation, e-mail/spam and website forgery [18]. Several scholars have also developed game-based applications to stimulate interest among employees and engage them in raising awareness regarding social engineering attacks [19, 20].

3.2 Available Digital Interactive Learning Solutions to Raise Awareness
In general, in order to have a more secure information system, end-users should be aware and informed. Some of the various other solutions that are also available to raise information security awareness include a tool called the YooHoo awareness system. This tool has mainly been developed for software developers to raise their awareness considering the number of interrelated codes they are working with on a daily basis. This specific system filters information regarding the changes taking place internally, thus strengthening the internal security system [21].

Furthermore, FASTDASH is an alternative tool that can be used for enhancing awareness levels among employees. FASTDASH stands for fostering awareness for software teams’ dashboards, which is a visualization tool for software developers. This tool helps organizations maintain better awareness during collaborative training programs [22].

Organizations’ information and security policies and standards must be developed and updated in such a manner that they formally and clearly identify and communicate their security rules for internal and external stakeholders. Thus, all organizations, regardless of size, should set security policies and regulations and have them in place. Furthermore, there should be straightforward plans regarding the ongoing training guidelines and procedures that can help employees to maintain a certain level of awareness of the corporate policies and the standards [23].

Another way to increase awareness among employees is by giving them significant information only as necessary, such as permission to circulate information from internal security assessments. Incidents of near-misses are an important element of awareness and training of employees, since people commonly have a habit of underestimating the risk associated with information exchange [24]. Furthermore, realistic case studies and presentations can further stimulate thought and discussion on information security issues [25]. Table 1 presents a review of key studies utilized in this study for evaluating the effect of modern awareness programs and techniques in raising social engineering awareness.

Table 1. Evaluation of different awareness programs against social engineering

R | Aim | Method | Findings
[6] | Understand the utility of security awareness programs. | The research is based on the systematic review of the past literature. | The ultimate solution requires a behavioral change that can be brought through awareness.
[8] | Test the quality of information security awareness. | Survey method was adopted which included 100 respondents in Franklin County, USA, using a close-ended questionnaire. | There is a high need to pre-decide the effort and the cost that is required for the cyber security awareness programs in order to get better results.
[9] | Understand what social engineering attacks are, their classification, detection, prevention and mitigation challenges and future directions. | In-depth examination of secondary data pertaining to social engineering attacks, existing detection strategies and the prevention techniques and procedures. | Artificial intelligence-based defense programs are more effective in securing information security systems against such crimes.
[11] | Understand user preference regarding security awareness delivery method. | A qualitative study of 60 participants was conducted on full-time and part-time workers with a private personal computer. | Combined delivery method was a more effective way than a single method.
[26] | Highlighting the major channel of information leakages. | The study is based on a review of past literature. | Spear-phishing evolved as the major channel of information leakages.
[13] | Understand what spear-phishing is. | A survey approach was adopted in the following research. 1359 respondents belonging to a medium-sized firm based in Washington DC using emails as a primary form of communication. The respondents were split into control and treatment groups. | Spear-phishing penetrated due to the lack of awareness among employees.
[14] | Understand the different types of cybercrime. | The study is based on a review of past literature. | Various kinds of attacks include phishing fraud emails, and embedded training works better than sending notices.
[18] | Testing the effectiveness of security game as an effective method of increasing awareness among employees. | A survey approach was adopted in which 50 respondents belonging to different profiles such as teachers, banking staff, and employees of firms. They were given a close-ended questionnaire. | This method was much more fun and engaging. The result was far more effective in enhancing avoidance behavior towards phishing attacks.
[21] | Reviewing approaches that increase the level of security awareness. | The study was based on a review of the literature. | Presenting modern techniques such as FASTDASH, YooHoo that are very effective in raising the awareness levels.
[27] | Reviewing the effectiveness of FASTDASH as an awareness tool. | The study was based on the review of the literature. | FASTDASH is a very effective tool in raising the level of awareness.
[28] | Evaluating the effectiveness of social engineering awareness game on improving overall information security awareness. | A controlled experiment consisting of a control group and experimental groups. 20 employees in the age group 18-40 years participated. | Gaming improved awareness of social engineering by 71%.
[20] | Increase social engineering awareness among employees by using a card game. | The experiment was conducted on 30 full-time employees with gaming experience from Frankfurt using a card game developed by authors. | The experiment yielded positive results and showed an enhanced level of awareness post-playing the game.
[29] | Evaluate different game-based learning systems in increasing social engineering awareness. | Secondary studies were evaluated to identify the strengths and weaknesses of different games systematically. | Multi-player games are most effective. However, a combination of different games is the best defense against social engineering.
[30] | Evaluate the effectiveness of different gaming applications in improving cyber security awareness. | A systematic review method was adopted, utilizing key secondary studies. | Mobile-based gaming applications are far more effective in raising awareness.
[19] | Test a self-developed game called What.Hack in increasing awareness of phishing attacks. | 39 students from Cornell University were recruited in an experiment involving using the game. | Game-based applications are more effective than traditional training programs and role-play games in raising awareness.

4. ACKNOWLEDGMENT
The first author would like to acknowledge the full scholarship from the Saudi Ministry of Education to study a PhD degree in the Faculty of Engineering and Built Environment at the University of Newcastle, Australia. This research was partially supported by GulfNet Solutions (GNS) Company Limited. We are thankful to our colleagues in GNS Cyber Security Division, who provided expertise that greatly assisted the research. We have to express our appreciation to Mr. Omar Aldulaijan, GNS General Manager, for sharing his pearls of wisdom with us during the course of this research.

5. CONCLUSION
Since social engineering attacks mainly target the behavioral aspect of employees to extract confidential information pertaining to an organization, the enormity of security concerns is higher because insider access tends to collude with the skills of outside attackers, which can completely endanger the entire system. The main aim of this study was to review different awareness efforts regarding social engineering practiced in organizations today so that suitable recommendations can be made to improve the efficiency of such programs. In this regard, the study presented various traditional and modern awareness programs that are used by enterprises to protect their employees from social engineering attackers. It was found that interactive gaming applications can prove to be an effective way of elevating employees’ knowledge and hence reducing the incidence of social engineering attacks. These programs, besides increasing awareness, also tend to bring about cultural and behavioral changes among employees. It was further found that traditional methods failed to efficiently equip employees in tackling real-life situations involving social engineering attacks. Further, traditional methods failed to engage the employees’ attention. Based on our review, certain recommendations can be provided, which are listed as follows:

- More proactive management strategies should be adopted at the higher levels of the echelon so that it leads to the adoption or establishment of an appropriate volatility management framework. This framework could base its management decision on two main aspects. The first one should focus on the nature of management while the other one should emphasize people's characteristics before planning prevention strategies.

- In order to protect an organization from cyber-attacks, enterprises should focus on designing contemporary interactive awareness programs like game-based tools that take into consideration recent security incidents, employee management issues, role-play and target identification.

- Serious mini-games involving informant design, which have emerged as an effective technique to raise consumer awareness, can be used as the framework to include distinctive stakeholder-specialized inputs while designing the game. This will not only raise the awareness levels but also provide companies with an opportunity to include the needs and preferences of different stakeholders and end-users.
6. REFERENCES
[1] Flores, W. R. and Ekstedt, M. Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & Security, 59 (2016), 26-44.
[2] Aldawood, H. and Skinner, G. A Taxonomy for Social Engineering Attacks via Personal Devices. International Journal of Computer Applications, 975 (2019), 8887.
[3] Abass, I. A. M. Social Engineering Threat and Defense: A Literature Survey. Journal of Information Security, 9, 04 (2018), 257.
[4] Aldawood, H. and Skinner, G. Educating and Raising Awareness on Cyber Security Social Engineering: A Literature Review. City, 2018.