Below is the abstract for my master’s thesis paper. While unfortunately the paper just confirmed suspicions that most anyone in the cybersecurity industry already knows, I felt that it was important to underscore these bits of information for the masses, especially in management and the commercial space.
Efforts made to reduce or eliminate the threat of social engineering have not been effective in addressing the lack of security awareness exhibited by users of cyber resources. Success in combating social engineering attacks requires a new approach to user education and improvements to anti-social-engineering technology. This study combines existing research with surveys designed to identify trends in online Internet behavior and in defensive posture against social engineering attacks.
The research found that cultures that promote trusting and open social relationships are the most vulnerable, while skeptical individuals are more likely to detect or avoid a social engineering attack; younger subjects exhibit online Internet behaviors that place them at greater risk; and social engineering prevention training in the enterprise does not translate easily to the personal setting.
Recommendations include training specific to social engineering, delivered regularly and in small doses rather than as one large course annually, and educating users to recognize the tactics employed by social engineers. Additional emphasis must be placed on mobile device security and on researching new avenues for the delivery of social engineering prevention training.
The full thesis may be reviewed here.