Abstract:
Despite heavy investment in security infrastructure, cybercrime is still growing in both quantity and quality. With the enormous growth in adoption of Internet-enabled applications and devices, the focus of cyber criminals is increasingly shifting from exploiting software vulnerabilities to exploiting vulnerabilities in human behaviour through the use of social engineering methodologies. However, to date there has been only intermittent, and consequently incomplete, academic scrutiny of this subject. The objective of this research, therefore, is to reinvigorate the existing research on cybercrimes built on social engineering principles by offering new directions and in-depth perspectives. This research focuses on new and emerging attack types, the level of awareness regarding these attack types, and the impact these new attack types potentially have on users' ability to detect them. The new and emerging attack types are presented across two separate research studies that result in a taxonomy of social engineering attacks. In order to understand the level of awareness of, and preparedness to tackle, these new forms of attack, a qualitative study of security policies in the online banking industry is carried out. Finally, the impact of these new types of social engineering attack is tested through an experimental study in which subjects are exposed to a simulated version of some of these attacks in order to test their deception detection abilities. Together, the conceptual and the empirical studies contribute to research by: (1) providing a systematic way to categorize social engineering attack types, (2) suggesting a framework for organizations to audit the adequacy of their security policies, and (3) revealing a new direction and method for analysing the impact of these attack types on users' ability to detect deception.