INFORMATION SECURITY AWARENESS TECHNIQUES THAT REDUCE DATA BREACHES CAUSED BY SOCIAL ENGINEERING ATTACKS
By Linda Kostic, CISA, CISSP, CPA
Data breaches originating from social engineering attacks have increased in direct proportion to the growth in business and personal Internet consumption, resulting in financial losses, reputational damage, and damaged customer relationships (Ponemon, 2018, 2019). Aggregated global financial losses caused by social engineering attacks reached approximately $445 billion per year (Samtani, Chinn, Chen, & Nunamaker, 2017). Ponemon (2018) estimated 2018 data breach losses at an average of $148 per record, and that loss exceeded $6.45 million when 50,000 or more of a firm’s data records were compromised (Ponemon, 2019). Cybercriminals draft communications that appear to come from a known entity, such as the Internal Revenue Service, to convince end-users to fall prey to the social engineering attack.
The sophistication of cybercriminals is compounded by the amount of unique data that can be obtained through social networks. Cybercriminals learn from the information that organizations and individuals post on social networks and craft communications, such as phishing emails, that build a trust relationship with the end-user (Lord, 2019). The business technical problem for this research study was that the increased sophistication of cybercriminals and an organization’s growing dependency on Internet connectivity created an increased threat of data breaches caused by social engineering attacks, because a significant control dependency relates to human behavior (Dahbur, Bashabsheh, & Bashabsheh, 2017; Fan, Lwakatare, & Rong, 2017; Ponemon, 2018; Samtani et al., 2017). Research participants provided responses that answered the research question “What information security awareness techniques that incorporate social engineering attack elements can be aggregated into an information security awareness model to reduce successful data breaches caused by social engineering attacks?”
Data collection was conducted through two iterative rounds. Round one was an open-ended questionnaire answered by twenty-seven information security experts from several professional organizations, including ISACA-GWDC. Five themes were developed from the round one responses, and these formed the round two closed-ended questionnaire, in which eighteen of the twenty-seven participants rated the identified themes on a 7-point Likert scale. A consensus was reached on three of the five themes below; the lack of consensus on the other two themes is related to organizational diversity.
- Organizations execute multiple information security awareness techniques, building a suite of human interaction activities (Learning Modules, Drills, Townhall Sessions) and automated tools (KnowBe4, SANS, and Phishing Email tests) that vary with each organization. An annual information security awareness learning module alone does not sufficiently provide information security awareness defenses to prevent social engineering attacks.
- Information security awareness sessions are more effective when provided through many channels, employing multiple techniques, and executed throughout the year. Classroom or face-to-face forums with interactive workshops/labs that include real-world scenarios, case study activities, the effects of successful social engineering attacks, and information personalized to the audience (rather than only organizational benefits) capture the audience’s attention, which in turn increases information retention to combat social engineering attacks.
- Information security awareness training primarily focuses on phishing emails and attack scenarios that are relevant to all system end-users. Future enhancements to the information security awareness program require mandatory participation from C-Suite personnel and social engineering attack training specific to technical personnel.
- Non-compliance with social engineering prevention strategies, such as inadvertently failing phishing email tests, should result in targeted remedial training for those individuals in lieu of harsh consequences. The harsh consequences could discourage individuals from raising information security concerns.
- Organizations have implemented some technological tools (IPS/IDS, Symantec, and Splunk), information security awareness training tests, social engineering penetration test results, and phishing email test results to monitor for information security compliance. Hackers have extensive resources to develop new social engineering techniques, which requires rapid development of information security awareness techniques in response. Recommended future improvements focused on technology-specific tools that provide immediate social engineering alerts, employing artificial intelligence to proactively identify social engineering attacks, and more role-playing with current social engineering attack scenarios.
Information Security Awareness Technique Model (ISATM)
The diversity of some questionnaire responses and the lack of consensus on two themes indicate that each organization is unique and requires an assessment to determine the extent of information security awareness techniques it needs. As a starting point, management should understand and assess the organizational culture, which includes the security culture. The responses to theme four indicated ambiguity about the potential non-compliance consequences, and theme three clearly articulated concerns by information security subject matter experts that the executive management team did not support information security awareness programs. A cross-functional expert team would be formed to execute an organizational culture assessment, determine the required cultural changes, and establish an associated cultural change management process, if applicable (Davis & Cates, 2018). While not a theme, some respondents indicated that they collaborate with other individuals throughout the organization (champions) to develop and execute information security awareness techniques, which also supports the rationale for an organizational culture assessment.
Similar to the organizational culture assessment, a working group should be established to develop and execute a social engineering security risk assessment, which could be executed in parallel with other security risk assessments. The objective is to understand where social engineering vulnerabilities exist and which controls are desired to remediate that risk. Some research participants employed automated tools to identify internal vulnerabilities and then targeted those areas for additional information security awareness training. No participants mentioned external methods to identify emerging social engineering attack vectors and subsequently implement or modify the organization’s information security awareness technique model.
Once information security experts understand the social engineering vulnerabilities, an information security awareness technique model that aligns with that organization’s risk tolerance can be developed and implemented. Table 1 (below) categorizes all of the unique information security awareness techniques provided by the research participants that can be employed within an organization. The actionable elements within each ISAT category should align with the results of the organizational culture assessment and the security risk assessment. One information security expert recommended that organizations identify the appropriate balance between technology-related and human-related information security awareness controls and activities to keep the social engineering risk level below the firm’s risk tolerance. The rationale for that recommendation was that management cannot set an expectation of zero successful social engineering attacks resulting in data breaches, because human errors will continue; the number of successful social engineering attacks will, however, decrease. The technological systems would then represent a compensating control that reduces the data breach impact when users inadvertently participate in a social engineering attack.
One central element of ISATM is compliance and monitoring, which aligned with theme five regarding the immaturity of compliance and monitoring. Most metrics noted in the existing literature relate to training completion, which does not ensure information retention or a reduction in successful social engineering attacks resulting in data breaches. As a final consideration, NIST SP 800-50 recommended an assessment against existing and identified needs as a component of an information security awareness program, which is built into a strategy (Wilson & Hash, 2003, p. 29). That strategy may take more than a year to implement, so a maturity model should be developed to communicate progress to executive management (Steinbart, Raschke, Gal, & Dilla, 2016).
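The compliance and monitoring point above (metrics beyond training completion) and theme four (targeted remedial training for repeat phishing-test failures rather than harsh consequences) can both be made concrete with a small metrics calculation. The following is an added example, not code from the article or from the underlying research study; the campaign results, user names and field names are constructed, and the record layout is an assumption about what a phishing-exercise tool export might contain.

```python
"""Phishing-exercise metrics that go beyond training completion.

Added example (not from the article or the research study). The events below
are constructed sample data; field names are assumptions, not any tool's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str              # constructed campaign label, e.g. "2019-Q1"
    user: str                  # constructed user id
    completed_training: bool   # annual awareness module completed before campaign
    clicked: bool              # followed the simulated phishing link
    reported: bool             # reported the simulated email to security


# Constructed sample: four users across three quarterly campaigns.
# Note that in 2019-Q2 training completion reaches 100% while the click
# rate is unchanged, the gap the article warns completion metrics hide.
EVENTS = [
    Event("2019-Q1", "alice", True, True, False),
    Event("2019-Q1", "bob", True, True, False),
    Event("2019-Q1", "carol", False, False, True),
    Event("2019-Q1", "dave", True, False, False),
    Event("2019-Q2", "alice", True, True, False),
    Event("2019-Q2", "bob", True, False, True),
    Event("2019-Q2", "carol", True, False, True),
    Event("2019-Q2", "dave", True, True, False),
    Event("2019-Q3", "alice", True, True, False),
    Event("2019-Q3", "bob", True, False, True),
    Event("2019-Q3", "carol", True, False, True),
    Event("2019-Q3", "dave", True, False, True),
]


def campaign_metrics(events):
    """Per campaign: completion rate, click rate and report rate as fractions."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    metrics = {}
    for name in sorted(by_campaign):
        evs = by_campaign[name]
        n = len(evs)
        metrics[name] = {
            "completion_rate": sum(e.completed_training for e in evs) / n,
            "click_rate": sum(e.clicked for e in evs) / n,
            "report_rate": sum(e.reported for e in evs) / n,
        }
    return metrics


def trend(metrics, key):
    """Change in one metric from the first to the last campaign.

    A negative click-rate trend or a positive report-rate trend is improvement.
    """
    names = sorted(metrics)
    return metrics[names[-1]][key] - metrics[names[0]][key]


def remedial_training_queue(events, threshold=2):
    """Users who clicked in at least `threshold` campaigns.

    Theme four: route repeat clickers to targeted remedial training instead
    of applying harsh consequences.
    """
    campaigns_clicked = defaultdict(set)
    for e in events:
        if e.clicked:
            campaigns_clicked[e.user].add(e.campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= threshold)


def dashboard_rows(events):
    """Plain-text rows suitable for an executive dashboard summary."""
    m = campaign_metrics(events)
    rows = [f"{name}: completion {v['completion_rate']:.0%}, "
            f"click {v['click_rate']:.0%}, report {v['report_rate']:.0%}"
            for name, v in m.items()]
    rows.append(f"click-rate trend {trend(m, 'click_rate'):+.0%}, "
                f"report-rate trend {trend(m, 'report_rate'):+.0%}")
    rows.append("remedial training queue: "
                + (", ".join(remedial_training_queue(events)) or "none"))
    return rows


if __name__ == "__main__":
    for row in dashboard_rows(EVENTS):
        print(row)
```

Tracking click rate and report rate per campaign, rather than completion alone, gives management a measure of retained behaviour, and a threshold-based queue keeps the response to repeat failures proportionate and training-oriented, as theme four recommends.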
Table 1: Information Security Awareness Technique Model (ISATM)

| ISAT Categories | Actionable Elements |
|---|---|
| Training and Learning Activities (Themes One, Two and Three) | Vendor-created information security awareness training, chosen because of the ongoing research performed to keep the training material relevant to current information security trends (KnowBe4 and SANS Securing the Human); New hire information security training; Application code security training; Gaming and role-playing activities (Hackathons and Secure Code Warriors); Cybersecurity month-long activities in October; Face-to-face classroom training and workshops that include interactive activities, real-world scenarios, and case studies; Periodic news bulletins; On-demand webinars and videos; Digital signage |
| (Themes One, Two, Three, and Five) | Phishing email exercises (PhishMe and GoPhish); Email scanning (Avanan); Social engineering penetration testing; Intrusion detection/prevention systems; Application source code scanning (Veracode); Data loss prevention (Digital Guardian); Artificial intelligence (CrowdStrike and Cyware) |
| Compliance and Monitoring (Themes Four and Five, Individual Responses) | Training completion metrics; Social engineering penetration test results; Phishing email exercise results; Infrastructure analysis (Splunk); Immediate social engineering attack alerts; Dashboard reporting to executive and senior management |