The Human Factor

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?

Social engineering: a growing threat

In recent years, organisations of all types and sizes, including those providing critical and emergency services, have been the victims of social engineering attacks. As more organisations deploy stronger IT controls and robust encryption to protect their data, attackers continue to fall back on the old-fashioned method of exploiting human weaknesses to achieve their objectives.

Social engineering is a psychological manipulation technique used by attackers to elicit responses from targets that are not in the targets' best interest, placing them at a disadvantage. It is mostly conducted with the aim of influencing the other party to carry out actions, lawful or unlawful, that work against them or against those around them. The influence can be as simple as tricking an office employee into letting an unknown person into the workplace unchallenged, or as elaborate as obtaining state secrets through coercion, blackmail, manipulation, extortion or intimidation.

Today, social engineering is among the top information security threats faced by industries and organisations of all kinds, and it has so far proven difficult to protect against. The most practical protection against social engineering attacks is cybersecurity awareness and training: when an attack occurs, no combination of technical protection systems can stop an employee from giving out their password to an attacker over the phone. With appropriate security training, however, that same employee becomes the most reliable line of defence, recognising the attempt and alerting the relevant department, potentially saving the company from a major security incident.

To understand these security threats, it is essential to know which manipulation techniques social engineers use during an attack. This understanding can be acquired through experience, taught examples and training, such as the training discussed in Sect. 4 of this paper. The knowledge gained through a well-developed training framework helps trainees understand social engineering attack strategies and gives them the ability to counter them and limit any potential harm.