Walden University ScholarWorks Walden Dissertations and Doctoral Studies Walden Dissertations and Doctoral Studies Collection 2020 Strategies Used to Mitigate Social Engineering Attacks Lindiwe T. Hove Walden University Follow this and additional works at: https://scholarworks.waldenu.edu/dissertations Part of the Databases and Information Systems Commons, and the Library and Information Science Commons This Dissertation is brought to you for free and open access by the Walden Dissertations and Doctoral Studies Collection at ScholarWorks. It has been accepted for inclusion in Walden Dissertations and Doctoral Studies by an authorized administrator of ScholarWorks. For more information, please contact [email protected]. Walden University College of Management and Technology This is to certify that the doctoral study by Lindiwe Hove has been found to be complete and satisfactory in all respects, and that any and all revisions required by the review committee have been made. Review Committee Dr. Bob Duhainy, Committee Chairperson, Information Technology Faculty Dr. Gary Griffith, Committee Member, Information Technology Faculty Dr. Jodine Burchell, University Reviewer, Information Technology Faculty Chief Academic Officer and Provost Sue Subocz, Ph.D. Walden University 2020 Abstract Strategies Used to Mitigate Social Engineering Attacks by Lindiwe Hove MS, Walden University, 2016 BS, Minnesota State University, 2013 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University November 2020 Abstract Cybercriminal activity performed widely through social engineering attacks is estimated to be one of the substantial challenges the world will face over the next 20 years. Cybercriminal activity is important to chief information security officers (CISOs) because these attacks represent the largest transfer of economic wealth in history and pose risks to the incentives for organizational innovation and investment and eventually become more profitable than the global trade of all major illegal drugs combined. Grounded in the balanced control theory, the purpose of this multiple case study was to explore strategies CISOs use to mitigate social engineering attacks within their organizations. Participants consisted of 6 CISOs across 6 small to medium-sized organizations that handle payment card industry data in the West Coast region of the United States of America. Data were collected from CISOs by semi structured telephone interviews. Data were analyzed through interview transcription, in-depth exploration of phenomena, data coding development, and the identification of links to themes. Three major themes emerged from the data analysis: information technology (IT) risks, security awareness, and IT strategies. A key recommendation is for CISOs to develop security awareness programs and implement technical, formal, and informal controls, to sustain operations and protect their networks from potential social engineering attacks. The implications for positive social change include the potential for (a) the mitigation of social engineering attacks, (b) the protection of both organizational and consumer data, and (c) an increase in consumer confidence resulting in increased economic prosperity. Strategies Used to Mitigate Social Engineering Attacks by Lindiwe Hove MS, Walden University, 2016 BS, Minnesota State University, 2013 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University November 2020 Dedication This doctoral journey was supported and encouraged by my family, friends, and colleagues. First, this research is dedicated to my parents, who emphasized the importance of higher education and becoming the best that I can be. Second, I dedicate this research study to my husband and siblings. My husband was a constant source of encouragement and understood when I needed to focus on my dissertation and forgo other activities. My siblings provided their encouragement to stay on this path and continue this research study when I encountered challenges. Third, I dedicate this doctoral experience to my living and passed relatives who inspired me to persevere and believe in myself and assured me that I am my ancestors’ wildest dream. Acknowledgments I would like to acknowledge my chair, Dr. Duhainy, for providing excellent guidance, answering all my questions, and being responsive throughout this dissertation journey. I would also like to acknowledge my other committee members, Dr. Griffith, for his input, and Dr. Burchell, for providing editorial feedback. Lastly, I would like to acknowledge my numerous colleagues who provided their opinions on information security trends and general thoughts on tackling my doctorate journey. I could not have achieved my research objectives without their participation. Table of Contents List of Tables ............................................................................................................... iv List of Figures............................................................................................................... v Section 1: Foundation of the Study ................................................................................ 1 Background of the Problem ..................................................................................... 1 Problem Statement .................................................................................................. 2 Purpose Statement ................................................................................................... 2 Nature of the Study ................................................................................................. 3 Research Question ................................................................................................... 5 Conceptual Framework............................................................................................ 5 Operational Definitions ........................................................................................... 6 Assumptions, Limitations, and Delimitations ........................................................... 7 Assumptions ...................................................................................................... 7 Limitations ........................................................................................................ 7 Delimitations ..................................................................................................... 8 Significance of the Study ......................................................................................... 8 Contribution to Information Technology Practice ............................................... 8 Implications for Social Change .......................................................................... 9 A Review of the Professional and Academic Literature ............................................ 9 Application to the Applied IT Problem ............................................................. 13 Balanced Control Theory ................................................................................. 14 Analysis of Supporting Security Theories ......................................................... 20 i Analysis of Contrasting Theories...................................................................... 23 Analysis of Potential Themes and Phenomena .................................................. 25 Transition and Summary........................................................................................ 43 Section 2: The Project ................................................................................................. 45 Purpose Statement ................................................................................................. 45 Role of the Researcher ........................................................................................... 45 Participants ........................................................................................................... 47 Research Method and Design ................................................................................. 49 Method ............................................................................................................ 49 Research Design .............................................................................................. 51 Population and Sampling ....................................................................................... 53 Ethical Research .................................................................................................... 56 Data Collection ..................................................................................................... 58 Instruments...................................................................................................... 58 Data Collection Technique ............................................................................... 60 Data Organization Techniques ......................................................................... 63 Data Analysis Technique ....................................................................................... 64 Reliability and Validity ......................................................................................... 66 Reliability ....................................................................................................... 66 Validity ..........................................................................................................