The persuasion and security awareness experiment: reducing the success of social engineering attacks

Jan-Willem Bullee; L. Montoya; Wolter Pieters; Marianne Junger; Pieter H. Hartel

doi:10.1007/s11292-014-9222-7

The persuasion and security awareness experiment: reducing the success of social engineering attacks

Jan-Willem Bullee, L. Montoya, Wolter Pieters, Marianne Junger, Pieter H. Hartel

Industrial Engineering & Business Information Systems

Research output: Contribution to journal › Article › Academic › peer-review

38 Citations (Scopus)

Abstract

Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g. the obtaining of access by persuasion) in an office environment. In particular, we study the effect of authority during a `social engineering' attack. Methods: 31 different `offenders' visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results: 37.0% of the employees who were exposed to the intervention surrendered their keys whilst 62.5% of those who were not exposed to it handed it over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions: Awareness-raising about the dangers, characteristics and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.

Original language	Undefined
Pages (from-to)	97-115
Number of pages	19
Journal	Journal of experimental criminology
Volume	11
Issue number	1
DOIs	https://doi.org/10.1007/s11292-014-9222-7
Publication status	Published - Mar 2015

Keywords

EWI-25579
SCS-Cybersecurity
Persuasion
Social Engineering
EC Grant Agreement nr.: FP7/2007-2013
EC Grant Agreement nr.: FP7/318003
Experiment
Intervention
Credentials
METIS-310417
IR-94231
Awareness
Authority

Access to Document

10.1007/s11292-014-9222-7

http://eprints.eemcs.utwente.nl/secure2/25579/01/art%253A10.1007%252Fs11292-014-9222-7-2.pdf

Cite this

@article{1b1a3374948b4268acd9af4aa5d1f3e8,

title = "The persuasion and security awareness experiment: reducing the success of social engineering attacks",

abstract = "Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g. the obtaining of access by persuasion) in an office environment. In particular, we study the effect of authority during a `social engineering' attack. Methods: 31 different `offenders' visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results: 37.0% of the employees who were exposed to the intervention surrendered their keys whilst 62.5% of those who were not exposed to it handed it over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions: Awareness-raising about the dangers, characteristics and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.",

keywords = "EWI-25579, SCS-Cybersecurity, Persuasion, Social Engineering, EC Grant Agreement nr.: FP7/2007-2013, EC Grant Agreement nr.: FP7/318003, Experiment, Intervention, Credentials, METIS-310417, IR-94231, Awareness, Authority",

author = "Jan-Willem Bullee and L. Montoya and Wolter Pieters and Marianne Junger and Hartel, {Pieter H.}",

note = "Foreground=100%; Type of activity = publication; Main leader=UT; Type of audience = scientific community; Size of audience = n.a.; Countries addressed = international;",

year = "2015",

month = mar,

doi = "10.1007/s11292-014-9222-7",

language = "Undefined",

volume = "11",

pages = "97--115",

journal = "Journal of experimental criminology",

issn = "1573-3750",

publisher = "Springer",

number = "1",

}

TY - JOUR

T1 - The persuasion and security awareness experiment: reducing the success of social engineering attacks

AU - Bullee, Jan-Willem

AU - Montoya, L.

AU - Pieters, Wolter

AU - Junger, Marianne

AU - Hartel, Pieter H.

N1 - Foreground=100%; Type of activity = publication; Main leader=UT; Type of audience = scientific community; Size of audience = n.a.; Countries addressed = international;

PY - 2015/3

Y1 - 2015/3

N2 - Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g. the obtaining of access by persuasion) in an office environment. In particular, we study the effect of authority during a `social engineering' attack. Methods: 31 different `offenders' visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results: 37.0% of the employees who were exposed to the intervention surrendered their keys whilst 62.5% of those who were not exposed to it handed it over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions: Awareness-raising about the dangers, characteristics and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.

AB - Objectives: The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g. the obtaining of access by persuasion) in an office environment. In particular, we study the effect of authority during a `social engineering' attack. Methods: 31 different `offenders' visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results: 37.0% of the employees who were exposed to the intervention surrendered their keys whilst 62.5% of those who were not exposed to it handed it over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions: Awareness-raising about the dangers, characteristics and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.

KW - EWI-25579

KW - SCS-Cybersecurity

KW - Persuasion

KW - Social Engineering

KW - EC Grant Agreement nr.: FP7/2007-2013

KW - EC Grant Agreement nr.: FP7/318003

KW - Experiment

KW - Intervention

KW - Credentials

KW - METIS-310417

KW - IR-94231

KW - Awareness

KW - Authority

U2 - 10.1007/s11292-014-9222-7

DO - 10.1007/s11292-014-9222-7

M3 - Article

VL - 11

SP - 97

EP - 115

JO - Journal of experimental criminology

JF - Journal of experimental criminology

SN - 1573-3750

IS - 1

ER -