Open Research Newcastle

An awareness policy framework for cyber security social engineering threats

thesis
posted on 2025-05-11, 20:39 authored by Hussain Aldawood
Due to the ever-increasing adoption of digital technologies, most organisations are currently vulnerable to social engineering threats. In the context of cybersecurity, social engineering is the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal within a technical organisation, IT firm, or similar setting. Typically, attackers or cybercriminals exploit the emotions of employees to gain illegal access to their personal or administrative details, credentials, and other classified information. In this research study, various countermeasures are proposed to mitigate the social engineering threats encountered by these organisations. Firstly, a comprehensive literature review has been undertaken to identify the most frequently occurring cybersecurity and social engineering threats, such as social phishing and spear phishing, electronic theft, and email fraud. The primary focus of the literature evaluation is to ascertain the human elements related to cybersecurity threats, in order to recognise the staff vulnerabilities and lack of awareness that are exploited by hackers. These issues can contribute to various cybersecurity loopholes and attacks, including the malfunctioning of information systems, the unauthorised transfer of funds, and the stealing of credentials. Secondly, this research study has employed two research methodologies, namely qualitative and quantitative methods, to determine the significance of human behaviours related to cybersecurity. The qualitative study is based on a thorough analysis of cybersecurity experts’ responses, and it has identified that employees’ awareness levels positively correlate with the avoidance of cybersecurity breaches in an organisation. Therefore, organisations can enhance their employees’ contextual knowledge about the most prevalent cybersecurity threats in order to handle social engineering attacks.
Moreover, the quantitative methodology has been employed by surveying 265 employees from various organisations, and the results indicate that the probability of social engineering attacks can be significantly reduced if the awareness levels of employees can be substantiated and improved. Thirdly, this research study specifies an advanced taxonomy of various social engineering threats based on the qualitative and quantitative analyses. This taxonomy serves as an essential element of this research study, with the primary objectives of facilitating the development and implementation of improved preventive measures and emphasising the significance of ISA in an organisation. Finally, a policy framework has been developed which elaborates on the recommended policies and procedures that organisations can use to disseminate cybersecurity awareness among their employees. For this purpose, the framework outlines three key activities (incident, investigate, and invigilate) required to prepare employees for the overall improvement of an organisation’s ISA. Consequently, cybersecurity managers can steer, prioritise, and optimise their human resources to achieve more effective outcomes.

History

Year awarded

2021

Thesis category

  • Doctoral Degree

Degree

Doctor of Philosophy (PhD)

Supervisors

Skinner, Geoffrey (University of Newcastle); Tupakula, Udaya (University of Newcastle)

Language

  • en, English

College/Research Centre

College of Engineering, Science and Environment

School

School of Electrical Engineering and Computer Science

Rights statement

Copyright 2021 Hussain Aldawood
