1. Introduction
Technological advancements in computing environments, including learning institutions, have led to the development of interconnected networks, uncontrolled social networking, and thousands of applications and users. These technologies are essential because they facilitate educational processes and interactions. However, the availability of such technology in advanced computing environments, particularly educational environments, opens doors for security threats by cybercriminals and hackers seeking to exploit vulnerabilities in their systems [1]. Social engineering is one of the most significant security threats facing organizational systems and data in today’s technology-saturated world. It is considered a challenge for security chains, and attacks are increasing sharply [2]. Ref. [3] defined social engineering as the art of exploiting the naivety of unsuspecting individuals and taking advantage of their weaknesses to convince them to comply with one’s desires. Instead of relying on an organization’s technical security shortcomings to break into its computer systems, social engineers use employees’ weaknesses to mislead them into compromising the systems or turning over sensitive information.
Social engineering techniques have evolved and advanced over time, but their success is still highly dependent on the types of security systems and modern preventive tools and measures adopted by the targeted organization. In addition, social engineering’s success depends on the level of personnel training and their competence in handling sensitive information in the organization [4]. Therefore, organizations need to ensure that their personnel understand as much as possible about information security, the concept of social engineering, and the impacts of these threats and attacks. Unfortunately, it has become more challenging for those targeted by social engineers to distinguish them from legitimate correspondence because the attackers are using more sophisticated social engineering techniques.
According to [5], social engineering threats are dynamic and continually advancing. Therefore, developing preventive measures and tools should be an ongoing process because no single security system is perfect in preventing social engineering threats. Hence, they suggested the implementation of interactive and innovative education, training, and awareness programs to help organizations prepare their personnel to deal with social engineering. These education, training, and awareness initiatives equip staff with the latest preventive techniques to identify, avoid, and expose social engineering threats. Ref. [5] further explained that organizations should take a course of action that comprises sufficient training materials, strategic and regulatory frameworks, and adequate training on the safety measures that the staff should take to prepare for attacks and handle them when they occur. In addition to regular training, organizations can proactively conduct regular information security awareness campaigns to emphasize the importance of watching out for social engineers and maintaining persistent vigilance against them. Employees should also strive to implement and follow information security awareness strategies and schemes that protect sensitive data, because they play the paramount role in protecting an organization’s interests against social engineering attacks.
Social engineering attacks can be costly for organizations. In the past two years, 32% of companies worldwide, of all sizes, and 48% of large companies have been subjected to 25 or more social engineering attacks. Thirty percent of large companies indicated that social engineering attacks can cost more than 100,000 USD per instance. In 2018, 85% of organizations were attacked, an increase of 16%, and the average annual cost reached 1.4 million USD [6]. A study conducted by [7] indicated that the FBI’s data gives an average cost of 130,000 USD and that costs can extend to millions of dollars in some cases.
Therefore, the contribution of this paper is a method of measuring awareness of social engineering attacks in the educational sector in the Kingdom of Saudi Arabia (KSA) through the use of a questionnaire. The study addresses the main factors that can increase the awareness of social engineering in the educational sector in the KSA.
This paper is structured as follows:
Section 2 reviews the literature;
Section 3 explains the problem statement;
Section 4 presents the research methodology;
Section 5 discusses the results;
Section 6 identifies the limitation; and
Section 7 provides a conclusion and recommendations for future work.
2. Literature Review
Social engineering can be traced back to 1984 [6]. It can be referred to as the “psychological manipulation of people into performing actions or divulging confidential information that cannot be effectively dealt with using traditional security methods”, as these “do not investigate the exploitation of human vulnerabilities” [8]. Ref. [3] maintained that social engineering is one of the most prevalent methods used by modern attackers to compromise organizational systems and data. It is a way of accessing personal data or systems using human psychology. It can be used by cybercriminals to defraud users by employing physical, digital, and behavioral dishonesty to obtain their personal and business information [9]. Social engineering attacks can be categorized into two types: technical-based and human-based attacks [10]. Another study indicated that social engineering can be classified into several categories according to the method of attack and can be direct or indirect, as shown in Table 1 [2].
According to [11], social engineering is composed of four steps:
Information gathering refers to the collection of information to assist in identifying attack vectors and targets.
Relationship development refers to the establishment of a rapport with the target.
Exploitation refers to the use of information and relationships to gain access to the target.
Execution refers to the accomplishment of the attacker’s final goal.
Ref. [12] identified four steps for social engineering attacks. It starts with the research/information gathering step, which collects information about the victim. The second step is to develop a relationship with the victim using techniques such as email. The third step is accessing the victim’s information. The last step is closing the communication with the victim and removing any evidence of the crime.
In recent decades, users have interacted with many platforms on the Internet, which has led to them being attacked by hackers using social engineering attacks [13] and to their data being shared on the Internet [14]. Some studies indicate that social engineering relies on human nature and vulnerabilities to hack into organizational systems. Such attackers assume the identity of an organization’s trusted employees, customers, auditors, or technicians to access restricted information that may help them break into a company’s information system [3,8,15]. Similarly, [16] stated that social engineering attacks include interpersonal interactions through face-to-face, telephone, or electronic communication with the recipient to manipulate them into divulging a company’s confidential information. This argument aligns with [15]’s argument that social engineering relies on human psychology to exploit people’s vulnerabilities for the attacker’s benefit. In this regard, different scholars have defined social engineering in psychological terms, whereby attackers gain unauthorized access to an organization’s sensitive data by building trust-based relationships with unsuspecting personnel who have the clearance to access such information.
Ref. [17] claimed that social engineering is made especially dangerous by the fact that it depends on human error instead of software and operating systems’ vulnerabilities. This assertion is similar to [15]’s argument that social engineering is threatening because it targets legitimate users, who make up the largest part of any organization.
Ref. [18] identified phishing as the most prolific social engineering technique in recent years. According to them, phishing involves stealing users’ credit card numbers and login details to access their personal information. It accounted for 77% of all social engineering attacks in the KSA’s educational sector in 2017, with over 40 million users reporting phishing attacks. Ref. [18] further contended that email phishing is the most common form of attack. However, these attacks can also be executed through text messages, phone calls, and other forms of communication such as the internet and social media. Fortunately, many email phishing attackers have been inexperienced in the past; hence, some of them have been easily recognized by computer users. However, email phishing has become more sophisticated in the recent past, with attackers using different techniques to fake the authenticity of an email or to manipulate individuals into sending emails for them. Cybercriminals can use cognitive and motivational bias techniques as part of social engineering attacks [19]. These techniques rely on offering promises, such as financial gain, so that the victims share their personal information.
Attackers do this by disguising the sender’s email address to make it appear as if it comes from a prominent and trusted bank, utility, or government organization. Well-designed phishing emails appear almost identical to legitimate emails from the imitated organizations. One example of a phishing scam used by social engineers, as highlighted by [18], involves sending an email to online service users, alerting them of a policy infringement that demands immediately updating their passwords. Such emails include an unauthorized website link that is similar to its legitimate version. Such action may prompt trusting and unsuspecting users to enter their credentials and update their passwords, thereby submitting their sensitive information to the attacker. Social engineering threats, especially phishing, are a global challenge and are advancing in sophistication. The Kingdom of Saudi Arabia is no exception to phishing, as reports by Kaspersky indicate that the country recorded approximately one million phishing attacks in the first three months of 2020 [20]. According to the same reports by Kaspersky, this is the largest number of social engineering attacks to be recorded in the Gulf Cooperation Council (GCC) region this year. Additionally, the widespread use of computer networks in KSA learning institutions exposes them to numerous types of cyber-attacks, according to Alabdulatif [21]. For instance, a hacker claimed to have hacked and stolen private data, including academic results and students’ and professors’ details, from 4000 KSA universities towards the beginning of 2015.
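The scam described above (a message that impersonates a trusted organization, demands an immediate password update, and carries a link that looks legitimate) can be checked for from the defender’s side. The following Python code is an added example, not taken from the paper or from any of the cited works: it flags the signs the text lists (impersonated display name versus actual sender domain, anchor text whose domain differs from the link’s real destination, and urgency wording) in a constructed sample message. The trusted-domain set, the urgency term list, and every name and domain in the sample are assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample of the scam described above: a bank's name in the display name, a sender
# domain that is not the bank's, an urgent password demand and a link whose visible text hides
# its real destination. Every name and domain here is invented.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.test>
To: student@university.test
Subject: Policy infringement - update your password immediately
Content-Type: text/html

<html><body><p>We detected a policy infringement on your account. Update your password immediately to avoid suspension.</p>
<p><a href="http://examp1e-bank-secure.test/login">https://www.example-bank.test/login</a></p>
</body></html>
"""
URGENCY_TERMS = ("immediately", "policy infringement", "suspension", "update your password")

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _host(value):
    """Lowercased hostname of a URL or of URL-looking anchor text ('' for plain words)."""
    url = value if "://" in value else "http://" + value if value.startswith("www.") else ""
    return (urlparse(url).hostname or "").lower()

def analyze(raw, trusted_domains):
    """Phishing indicators in one RFC 5322 message; trusted_domains is the assumed set of
    hosts the impersonated brand really sends from and links to."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    if sender.domain.lower() not in trusted_domains:
        findings.append(f"sender domain {sender.domain} does not belong to '{sender.display_name}'")
    for href, shown in parser.links:
        if _host(shown) and _host(shown) != _host(href):
            findings.append(f"link text {shown} actually points to {_host(href)}")
        if _host(href) and _host(href) not in trusted_domains:
            findings.append(f"link destination {_host(href)} is not a trusted domain")
    text = (str(msg["Subject"]) + " " + body).lower()
    findings += [f"urgency cue: {t}" for t in URGENCY_TERMS if t in text]
    return findings
```

Run on the sample, `analyze(SAMPLE_EML, {"example-bank.test", "www.example-bank.test"})` returns one finding for each of the three structural signs plus one per urgency term; a message that really comes from and links to the trusted domains yields only the urgency cues, which is why such wording should raise suspicion but not be the sole criterion.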
Phishing can cause two types of consequences: financial and data loss, and lawsuits. It can cause financial loss for individuals and businesses. Individuals are at risk of a hacker accessing important personal data such as bank account information. Businesses are required to pay fines and remediation costs if a hacker manages to access their data. Ninety percent of data breaches are caused by phishing, and phishing attempts increased by 65% in 2018. In addition, 76% of businesses indicated that they had been the victims of phishing attacks [22].
There is a slight difference between technical computer attacks and social engineering attacks. Social engineering attacks target all organizational levels, while technical attackers only engage staff from IT departments. In social engineering, the targeted personnel may lack sufficient technical knowledge to guide attackers through the cyber-attack process, and they may also be unaware of crucial social engineering concerns. Therefore, all security control elements, including technical, procedural, and physical elements, should be incorporated into an in-depth security strategy to ensure that all personnel within the organization are sufficiently updated on the appropriate security practices [16].
Ref. [16] suggested training programs to provide data security awareness to ensure that users understand all forms of cybersecurity risks and threats, including social engineering. Through educational training for all personnel, a company can establish an information security culture by enlightening the staff about different techniques used by social engineering attackers to invade security systems. Likewise, [1] maintained that comprehensive Information System (IS) programs that include training and awareness can enhance information security and ensure business continuity, mostly because social engineers rely on private information acquired from users in an attack.
Furthermore, [17] confirmed that the most effective way of dealing with social engineering is to provide the necessary and appropriate training to employees to enable them to identify, flag, and interrupt attempted attacks. In line with this, [23] recommended using social engineering simulations via DTS in educational institutions to identify their susceptibility to various social engineering attacks. Open-source intelligence gathering can be implemented to identify vulnerable team members within the organization whom attackers may target, and those employees can then be trained to identify and deal with such attacks. Ref. [23] claimed that simulation tools such as DTS are very useful in increasing security information awareness and assurance for professionals, students, and the entire academic staff. This is because these tools are easy to understand and use; thus, they allow students and other users to conduct experiments that enhance their understanding of different information security concepts.
On the other hand, several studies have identified that personnel lack knowledge regarding various information privacy threats linked to their smart devices. For instance, [17] noted that different e-health device users are unaware of most of the latest cyber threats and social engineering techniques that can be used to extract their personal information. In addition, a study by [1] on the human factors that facilitate social engineering in various educational institutions across the Middle East indicated that both students and professionals had a poor understanding of social engineering in learning institutions. As a result, [1] argued that there is a need to develop new and advanced security awareness initiatives to improve the users’ overall awareness of the social engineering threats presented by smart devices such as mobile phones. In light of this, [17] recommended incorporating social engineering awareness training into educational institutions’ curriculum because employees, students, and the faculty can facilitate social engineering risks without their knowledge. These findings align with [1]’s findings that there is a need for information security awareness in various academic sectors in the KSA after conducting different social awareness studies among professionals and students in the educational sector across Saudi Arabia. In light of this, all organizations should make information security awareness, education, and training a central part of their security management and risk assessment strategies to minimize the risk of social engineering threats.
A study by [23] on cybersecurity in modern organizations indicated that information security depends on three key factors, namely people, processes, and technology. The weakest link is the human factor, even in organizations implementing the most effective procedures and the most advanced technologies. The findings of this research bring into perspective the scope of this review. The findings indicate that cybersecurity threats through social engineering have a significant impact on the affected organizations because human beings are the core of any business, large or small. Comparably, [17] claimed that the human factor is the most significant element of safeguarding sensitive data in any type of establishment. According to them, trust is among the key security aspects associated with the human factor of information security. Trust is essential in every aspect of information security, and it can affect a company’s security conduct substantially [16]. A study was carried out to investigate the role of trust in facilitating social engineering; the findings were that most computer users are overly trusting of strangers due to the lack of awareness about the security implications. This study concluded that most computer users have little or no knowledge of information technology security. The study further revealed that self-security could be improved by increasing awareness among computer users regarding the risks and potential threats associated with trusting strangers with their personal information [1].
One study identified security protective practices as one of the most significant factors that can affect the vulnerability of an organization’s personnel to social engineering attacks. These practices include, but are not limited to, updating their systems, installing anti-virus software, and enabling firewalls. Ref. [16] maintained that organizations must educate their personnel about safe computer behaviors to ensure that their systems are protected from social engineering attacks. Examples of safe practices include refraining from opening strange links sent by unknown sources and refusing to disclose sensitive organizational information to anyone, among others. This factor represents the most substantial behavioral outcome in social engineering because it encompasses both the technical and psychological loopholes that social engineers may exploit to attack an organization. Therefore, organizations should educate and train their employees to ensure that they engage in safe and secure protective practices [1].