DOCSLIB.ORG

Strategies Used to Mitigate Social Engineering Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Strategies Used to Mitigate Social Engineering Attacks Walden University ScholarWorks Walden Dissertations and Doctoral Studies Walden Dissertations and Doctoral Studies Collection 2020 Strategies Used to Mitigate Social Engineering Attacks Lindiwe T. Hove Walden University Follow this and additional works at: https://scholarworks.waldenu.edu/dissertations Part of the Databases and Information Systems Commons, and the Library and Information Science Commons This Dissertation is brought to you for free and open access by the Walden Dissertations and Doctoral Studies Collection at ScholarWorks. It has been accepted for inclusion in Walden Dissertations and Doctoral Studies by an authorized administrator of ScholarWorks. For more information, please contact [email protected]. Walden University College of Management and Technology This is to certify that the doctoral study by Lindiwe Hove has been found to be complete and satisfactory in all respects, and that any and all revisions required by the review committee have been made. Review Committee Dr. Bob Duhainy, Committee Chairperson, Information Technology Faculty Dr. Gary Griffith, Committee Member, Information Technology Faculty Dr. Jodine Burchell, University Reviewer, Information Technology Faculty Chief Academic Officer and Provost Sue Subocz, Ph.D. Walden University 2020 Abstract Strategies Used to Mitigate Social Engineering Attacks by Lindiwe Hove MS, Walden University, 2016 BS, Minnesota State University, 2013 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University November 2020 Abstract Cybercriminal activity performed widely through social engineering attacks is estimated to be one of the substantial challenges the world will face over the next 20 years. Cybercriminal activity is important to chief information security officers (CISOs) because these attacks represent the largest transfer of economic wealth in history and pose risks to the incentives for organizational innovation and investment and eventually become more profitable than the global trade of all major illegal drugs combined. Grounded in the balanced control theory, the purpose of this multiple case study was to explore strategies CISOs use to mitigate social engineering attacks within their organizations. Participants consisted of 6 CISOs across 6 small to medium-sized organizations that handle payment card industry data in the West Coast region of the United States of America. Data were collected from CISOs by semi structured telephone interviews. Data were analyzed through interview transcription, in-depth exploration of phenomena, data coding development, and the identification of links to themes. Three major themes emerged from the data analysis: information technology (IT) risks, security awareness, and IT strategies. A key recommendation is for CISOs to develop security awareness programs and implement technical, formal, and informal controls, to sustain operations and protect their networks from potential social engineering attacks. The implications for positive social change include the potential for (a) the mitigation of social engineering attacks, (b) the protection of both organizational and consumer data, and (c) an increase in consumer confidence resulting in increased economic prosperity. Strategies Used to Mitigate Social Engineering Attacks by Lindiwe Hove MS, Walden University, 2016 BS, Minnesota State University, 2013 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University November 2020 Dedication This doctoral journey was supported and encouraged by my family, friends, and colleagues. First, this research is dedicated to my parents, who emphasized the importance of higher education and becoming the best that I can be. Second, I dedicate this research study to my husband and siblings. My husband was a constant source of encouragement and understood when I needed to focus on my dissertation and forgo other activities. My siblings provided their encouragement to stay on this path and continue this research study when I encountered challenges. Third, I dedicate this doctoral experience to my living and passed relatives who inspired me to persevere and believe in myself and assured me that I am my ancestors’ wildest dream. Acknowledgments I would like to acknowledge my chair, Dr. Duhainy, for providing excellent guidance, answering all my questions, and being responsive throughout this dissertation journey. I would also like to acknowledge my other committee members, Dr. Griffith, for his input, and Dr. Burchell, for providing editorial feedback. Lastly, I would like to acknowledge my numerous colleagues who provided their opinions on information security trends and general thoughts on tackling my doctorate journey. I could not have achieved my research objectives without their participation. Table of Contents List of Tables ............................................................................................................... iv List of Figures............................................................................................................... v Section 1: Foundation of the Study ................................................................................ 1 Background of the Problem ..................................................................................... 1 Problem Statement .................................................................................................. 2 Purpose Statement ................................................................................................... 2 Nature of the Study ................................................................................................. 3 Research Question ................................................................................................... 5 Conceptual Framework............................................................................................ 5 Operational Definitions ........................................................................................... 6 Assumptions, Limitations, and Delimitations ........................................................... 7 Assumptions ...................................................................................................... 7 Limitations ........................................................................................................ 7 Delimitations ..................................................................................................... 8 Significance of the Study ......................................................................................... 8 Contribution to Information Technology Practice ............................................... 8 Implications for Social Change .......................................................................... 9 A Review of the Professional and Academic Literature ............................................ 9 Application to the Applied IT Problem ............................................................. 13 Balanced Control Theory ................................................................................. 14 Analysis of Supporting Security Theories ......................................................... 20 i Analysis of Contrasting Theories...................................................................... 23 Analysis of Potential Themes and Phenomena .................................................. 25 Transition and Summary........................................................................................ 43 Section 2: The Project ................................................................................................. 45 Purpose Statement ................................................................................................. 45 Role of the Researcher ........................................................................................... 45 Participants ........................................................................................................... 47 Research Method and Design ................................................................................. 49 Method ............................................................................................................ 49 Research Design .............................................................................................. 51 Population and Sampling ....................................................................................... 53 Ethical Research .................................................................................................... 56 Data Collection ..................................................................................................... 58 Instruments...................................................................................................... 58 Data Collection Technique ............................................................................... 60 Data Organization Techniques ......................................................................... 63 Data Analysis Technique ....................................................................................... 64 Reliability and Validity ......................................................................................... 66 Reliability ....................................................................................................... 66 Validity ..........................................................................................................
Load more

Recommended publications
  • FCC Cyber Security Planning Guide
    Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise of these entities. This guide is not a substitute for consulting trained cyber security professionals. Table of Contents Thank you for using the FCC’s Small Biz Cyber Planner, a tool for small businesses to create customized cyber security planning guides. Businesses large and small need to do more to protect against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals. This planning guide is designed to meet the specific needs of your company, using the FCC’s customizable Small Biz Cyber Planner tool. The tool is designed for businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats. Even a business with one computer or one credit card terminal can benefit from this important tool. We generally recommend that businesses using more sophisticated networks with dozens of computers consult a cyber security expert in addition to using the cyber planner. The FCC provides no warranties with respect to the guidance provided by this tool and is not responsible for any harm that might occur as a result of or in spite of its use. The guidance was developed by the FCC with input from public and private sector partners, including the Department of Homeland Security, the National Cyber Security Alliance and The Chamber of Commerce.
    [Show full text]
  • FCC Cyber Security Planning Guide
    Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise of these entities. This guide is not a substitute for consulting trained cyber security professionals. Table of Contents Thank you for using the FCC’s Small Biz Cyber Planner, a tool for small businesses to create customized cyber security planning guides. Businesses large and small need to do more to protect against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals. This planning guide is designed to meet the specific needs of your company, using the FCC’s customizable Small Biz Cyber Planner tool. The tool is designed for businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats. Even a business with one computer or one credit card terminal can benefit from this important tool. We generally recommend that businesses using more sophisticated networks with dozens of computers consult a cyber security expert in addition to using the cyber planner. The FCC provides no warranties with respect to the guidance provided by this tool and is not responsible for any harm that might occur as a result of or in spite of its use. The guidance was developed by the FCC with input from public and private sector partners, including the Department of Homeland Security, the National Cybersecurity
    [Show full text]
  • An Academic Definition and Study of Social Engineering - Analyzing the Human Firewall Nathaniel Joseph Evans Iowa State University
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2009 Information technology social engineering: an academic definition and study of social engineering - analyzing the human firewall Nathaniel Joseph Evans Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Electrical and Computer Engineering Commons Recommended Citation Evans, Nathaniel Joseph, "Information technology social engineering: an academic definition and study of social engineering - analyzing the human firewall" (2009). Graduate Theses and Dissertations. 10709. https://lib.dr.iastate.edu/etd/10709 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Information technology social engineering: an academic definition and study of social engineering - analyzing the human firewall by Nathaniel Joseph Evans A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Engineering Program of Study Committee: Doug Jacobson, Major Professor Kevin Amidon Thomas Daniels Mani Mina Roger Smith Iowa State University Ames, Iowa 2009 Copyright © Nathaniel Joseph Evans, 2009. All rights reserved. ii DEDICATION This dissertation is dedicated first to my grandmother, Mary Lou Villinis. Without her wonderful example of kindness and patience, I could never have completed this. Second, I would like to dedicate this to Walt Disney, who has been a guiding light for me for since my internship in 2003.
    [Show full text]
  • Protecting Internet Traffic: Security Challenges and Solutions
    White Paper PROTECTING INTERNET TRAFFIC: SECURITY CHALLENGES AND SOLUTIONS May 2017 Copyright © 2017 IEEE - All rights reserved Disclaimer This document represents the considered judgement and personal views of the participating individuals listed on the following page with expertise in the subject field. It shall not be considered the official position of IEEE or any of its committees, and shall not be relied upon as a formal position of IEEE. It is produced by the IEEE Internet Initiative to enhance knowledge and promote discussion of the issues addressed. AUTHORS AND EDITORS Authors • Mohammed Aledhari, Western Michigan University • Sukanya Mandal • Nagender Aneja, Universiti Brunei Darussalam • Mikael Dautrey • Rajesh Nighot, Independent Consultant • Prasad Mantri • Jared Bielby, Independant Consultant Editors • Sherrill Fink, Independant Technical Writer • Nagender Aneja, Universiti Brunei Darussalam • Mohammed Aledhari, Western Michigan University • Jared Bielby, Independant Consultant • Ali Kashif Bashir, Editor-in-Chief, IEEE Internet Policy Newsletter TABLE OF CONTENTS EXECUTIVE SUMMARY ................................................. 1 INTRODUCTION .......................................................... 2 Confidentiality, Integrity, and Availability (CIA) ........................................ 3 Protecting Internet Traffic: Concerns ...................................................... 5 Protecting Internet Traffic: Towards a Solution ......................................... 5 INTERNET TRAFFIC PERIMETER PROTECTION ...........
    [Show full text]