A wide range of malicious activities that are carried out through human interactions are referred to as “social engineering.” It induces users to commit security breaches or divulge private information through psychological manipulation. This begs the question: can social engineering be predicted through the use of social media?
“Predicting an Individual’s Vulnerability to Social Engineering in Social Networks”
In 2017, 85% of all U.S. organizations were hit with some form of phishing attacks launched worldwide (Gatlan, 2019). Phishing requires human interaction to be done, compromising accounts, and compromising data. This is known as the human factor of cybersecurity. Phishing takes advantage of the human factor; however, phishing is not the only type of social engineering. There are countless methods an attacker can use to harvest user and employee credentials and data. User and employee credentials can be banking information or social networking sites such as Facebook. Researchers Samar Muslah Albladi and George R.S. Weir would research social networks and see if it was possible to predict an individuals’ vulnerability to social engineering through the following questions: what is the level of involvement in the network, how much motivation to use the network, and what is competence in dealing with threats on the network are all factors that interact with one another? Albladi and Weir hypothesized that a users’ characteristics in response to the questions determined their level of vulnerability of succumbing to social engineering attacks.
Billions of people use social networking sites to interact with one another and share information. However, giving away information online leads to numerous operational security holes that malicious attackers can exploit to gain the credentials of a user and make monetary gain from post exploitation. Sharing more information often leads to more involvement in a social network. According to Albladi and Weir, “users with a higher level of involvement will be more susceptible to social engineering attack” because users tend to be more relaxed in an environment that they are familiar with rather than being alert and aware. In addition, through the lens of a social scientist, determinism can be connected to higher levels of involvement in social networks. Determinism means behavior is caused, determined, or influenced by preceding events. For example, teenagers use social media on a daily basis for a variety of reasons. Most of the time, teenagers use social media to make and connect with friends. This results in higher social media usage, which increases the likelihood of a social engineering attack. The determinism or independent variable would be the presence of friends on the social platform. In return, the result or dependent variable would be an increase in falling for an attack. Connecting back to research of Albladi and Weir, determinism is a leading factor of how often and long people use social media on a daily basis.
Motivation also plays a key role in social engineering online. In order to comprehend online user behavior, it is necessary to take into consideration users’ motivations for utilizing communication technologies. Motivation is linked to empiricism. Empiricism is observations based on the human senses such as touch, smell, taste, hearing, or sight. For example, when browsing social media, data is collected and sent to the company of origin. The data is then fed through a data algorithm which gives targeted advertisements to a user. Users then see the advertisement, and it may be tempting to click on it. The advertisement acts on the motivation of a user. Furthermore, the researchers state, “users with a higher level of motivation will be more susceptible to social engineering attacks” (Albladi & Weir, 2020). Motivation influences a user’s trust, level of involvement, and experience with cybercrime.
Lastly, a user’s competence is “essential determinant” of how a user acts online and ability to spot, identity, and avoid cybercrime such as social engineering (Albladi & Weir, 2020). Albladi and Weir state, “users with a higher level of competence will be less susceptible to social engineering attacks.” This is because users often feel as if they are in control of their situation when encountering cybercrime. Users are also found to be less likely to be vulnerable to being a victim of cybercrime as their behavior changes to be more aware when red flags begin to rise. To further explain, relativism can be used in the social science end to help provide support that increased competition leads to less victimization from cybercrime. Relativism is defined as all aspects and things are connected to each other. By linking relativism and competence, it can be concluded that competence is a major element of how a user can spot, identify, and avoid cybercrime and social engineering.
To evaluate the hypothesis of users’ characteristics determined their level of vulnerability of succumbing to social engineering attacks, Albladi and Weir used the Qualtrics online survey tool. The survey would ask for the participants’ demographics, questions of the constructs of the proposed model, and a scenario-based experiment (Albladi & Weir, 2020). Finally, the survey was sent to two universities among the students and staff. The survey would find that young adults were less susceptible compared to older adults. The survey would also reveal that there was no significant impact on gender, major, and education level. However, one significant hole in the research is testing on all age groups. From the research of Albladi and Weir, they only used two universities in the study instead of incorporating high school and middle school students to see if even younger people were more or less likely to fall for a social engineering attack. Children have less developed brains and understanding compared to a younger or older adult. This leaves whether or not children are likely to fall for social engineering techniques when using social media. In addition, the research did not include people from other countries that are less developed than the country of origin of the research. This would have provided a wider set of data to work with to conclude if education is a more important factor, rather than stating that it is not. For societal contributions, the research proved that people tend to think that they are not likely to fall for social engineering in any capacity. This is only true if the person is experienced, competent, and is not too comfortable in the online environment that they are engaging in. The research also proved that preying on people’s characteristics can be effective and could even be used in spear phishing attacks to extort information or data from the target.
Overall, the research proved that social engineering can prey on an individual’s characteristics of social media usage, motivation, and competency. Although there was some biased objectivity on who received the survey for the research, the research concluded that people that use social media more than others, motivation, and low competency leads to exploitation of people on what they share willingly with social engineers. The research shows that human factors play a huge role in the effectiveness of social engineering.
References
Albladi, S., & Weir, G. (2020). Predicting individuals’ vulnerability to social engineering in social networks. Cybersecurity, 3(1), 1-19. https://doi.org/10.1186/s42400-020-00047-5
Gatlan, S. (2019, April 16). Over 80% of All Phishing Attacks Targeted U.S. Organizations. BleepingComputer. Retrieved January 21, 2023, from https://www.bleepingcomputer.com/news/security/over-80-percent-of-all-phishing-attacks-targeted-us-organizations/
