Social Engineering Defense Mechanisms and InfoSec Policies: A Survey and Qualitative Analysis
Social engineering attacks can be severe and difficult to detect before considerable damage is done. To prevent such attacks, organizations should therefore be aware of social engineering defense mechanisms. The application of security policies is essential for mitigating the risk of social engineering attacks; however, incorporating and enforcing effective security policies in an organization is not a straightforward task. To that end, we developed a taxonomy of social engineering defense mechanisms and a customizable model of formal Social Engineering InfoSec Policies (SE-IPs) that can be adopted by a wide variety of organizations. We also designed and distributed two surveys: one to measure employees' awareness of social engineering defense mechanisms and one to measure the incorporation of formal SE-IPs in organizations. After collecting and analyzing the data from the two surveys, which together included over fifteen hundred responses, we found that more than half of the surveyed employees are not aware of social engineering attacks, and that, on average, organizations had incorporated just over fifty percent of the identified formal Social Engineering InfoSec Policies. Such worrisome results show that organizations are vulnerable to social engineering attacks, and that serious steps need to be taken to raise the level of awareness of these emerging security threats.