Social Engineering in Information Security Breaches and the Factors That Explain Its Success: An Organizational Perspective

Introduction

The fourth industrial revolution, or Industry 4.0 as it is commonly referred to, has been set in motion and will in due course have an impact on the way individuals and society functions as a whole. In Industry 4.0, all systems communicate with each other, as well as with humans thereby making data accessible via a medium such as the internet for operators and users alike (Chung and Kim, 2016). This element of human interaction and human accessibility poses a threat to information security which needs to be considered, since it is the human who poses the most risk in the information security chain (Workman, 2007; Pavkovic and Perkov, 2011).

A growing segment of research within the domains of information systems, information technology and computer science focuses on information security, which is a sub-discipline that centres on the protection of information assets from users with malicious intent (Pieters, 2011). In the event of an attack or security breach, it is imperative that the confidentiality, integrity and availability of information, commonly referred to as the CIA triad, must be protected via information security mechanisms and tools (Pieters, 2011).

The security of information systems is largely dependent on a myriad of both technical and non-technical aspects (Pavkovic and Perkov, 2011). The efficacy of technical-based attacks such as traditional hacking or malicious code attacks has decreased considerably due to the provision and adoption of technological security solutions by organizations (Janczewski and Fu, 2010). Due to the advent of advanced computer-based security or technical security, it has become common for attackers to instead rely on an alternative, non-technical means of gaining access to systems (Thompson, 2004). This phenomenon is referred to as social engineering, which refers to an attack that utilises the art of manipulating and using human interaction to execute an action or obtain valuable information. This ill-gotten information can be used to access or compromise the information systems of an organisation, thereby sabotaging the financial and economic health of the organisation (Jannson, 2011; Orgill et al, 2004; Kvedar, Nettis and Fulton, 2010).

As stated by Vidalis and Kazmi (2007), the human factor is a shared vulnerability of perceptions and decision making in the sense that it is human beings who interact with computers by typing in commands, automating processes and turning computers off should they think that it is not operating properly by misinterpreting its reactions.

A successful social engineering attack can result in the social engineer gaining control of an entire company’s network servers (Manske, 2000). Social engineering leaves even the most technically secured computer systems extremely vulnerable, as it relies on the social engineers’ social skills to compromise the information security of the organisation (Thompson, 2004). Most often, social engineering attacks are carried out with deception to the degree that the victim does not realize that (s)he has been manipulated, thereby making the identification of social engineering attacks extremely difficult (Gulati, 2003; Bezuidenhout, Mouton and Venter, 2010). Social engineering transpires at a psychological level with psychology being used to generate an authoritative atmosphere where the victim is persuaded into divulging information pertinent in the accessing of a system. Furthermore, these attacks also take place at a physical level, namely at the workplace where the victim feels secure via the medium of work telephone numbers or email (Orgill et al, 2004). More recently, the trend of Bring Your Own Device (BYOD) and cloud computing has given social engineers more opportunities to carry out attack vectors in the workplace (Kromholz et al, 2014; Hatwar & Chavan 2015).