Measuring Awareness of Social Engineering in the Educational Sector in the Kingdom of Saudi Arabia

: Social engineering is one of the most inventive methods of gaining unauthorized access to information systems and obtaining sensitive information. This type of cybersecurity threat requires minimal technical knowledge because it relies on the organization’s human element. Social engineers use various techniques, such as phishing, to manipulate users into either granting them access to various systems or disclosing their private data and information. Social engineering attacks can cost organizations more than 100,000 USD per instance. Therefore, it is necessary for organizations to increase their users’ awareness of social engineering attacks to mitigate the problem. The aim of this study is to provide a measurement of social engineering awareness in the Saudi educational sector. To achieve the aim of this study, a questionnaire was developed and evaluated. A total of 465 respondents completed the survey and answered questions related to measuring their knowledge of social engineering. The results show that 34% of participants (158 participants) had previous knowledge of social engineering approaches. The results also indicate that there are signiﬁcant differences between participants with prior knowledge of social engineering and those with no such knowledge in terms of their security practices and skills. The implication of this study is that training is an essential factor in increasing the awareness of social engineering attacks in the Saudi educational sector.


Introduction
Technological advancements in computing environments, including learning institutions, have led to the development of interconnected networks, uncontrolled social networking, and thousands of applications and users. These technologies are essential because they facilitate educational processes and interactions. However, the availability of such technology in advanced computing environments, particularly educational environments, opens doors for security threats by cybercriminals and hackers seeking to exploit vulnerabilities in their systems [1]. Social engineering is one of the most significant security threats facing organizational systems and data in today's technology-saturated world. It is considered a challenge for security chains, and attacks are increasing sharply [2]. Ref. [3] defined social engineering as the art of exploiting the naivety of unsuspecting individuals and taking advantage of their weaknesses to convince them to comply with one's desires. Instead of relying on an organization's technical security shortcomings to break into its computer systems, social engineers use employees' weaknesses to mislead them into compromising the systems or turning over sensitive information.
Social engineering techniques have evolved and advanced over time, but their success is still highly dependent on the types of security systems and modern preventive tools and measures adopted by the targeted organization. In addition, social engineering's success depends on the level of personnel training and their competence in handling sensitive information in the organization [4]. Therefore, organizations need to ensure that their personnel understand as much as possible about information security, the concept of social engineering, and the impacts of these threats and attacks. Unfortunately, it has become more challenging for those targeted by social engineers to distinguish them from legitimate correspondence because the attackers are using more sophisticated social engineering techniques.
According to [5], social engineering threats are dynamic and continually advancing. Therefore, developing preventive measures and tools should be an ongoing process because no single security system is perfect in preventing social engineering threats. Hence, they suggested the implementation of interactive and innovative education, training, and awareness programs to help organizations prepare their personnel to deal with social engineering. These education, training, and awareness initiatives equip staff with the latest preventive techniques to identify, avoid, and expose social engineering threats. Ref. [5] further explained that organizations should take a course of action that comprises sufficient training materials, strategic and regulatory frameworks, and adequate training on the safety measures that the staff should take to prepare for attacks and handle them when they occur. In addition to regular training, organizations can conduct regular information security awareness campaigns proactively to emphasize the importance of watching out for social engineers and maintaining persistent vigilance against them. Employees should also strive to implement and execute information security awareness strategies and schemes to protect employees' sensitive data because they play the paramount role in protecting an organization's interests against social engineering attacks.
Social engineering attacks can be costly for organizations. In the past two years, 32% of all companies worldwide of all sizes and 48% of large companies have been subjected to 25 or more social engineering attacks. Thirty percent of large companies indicated that social engineering attacks can cost more than 100,000 USD per instance. In 2018, 85% of organizations were attacked, an increase by 16%, and the average annual cost reached 1.4 million USD [6]. A study conducted by [7] indicated that the FBI's data gives an average cost of 130,000 USD and that costs can extend to millions of dollars in some cases.
Therefore, the contribution of this paper is a method of measuring awareness of social engineering attacks in the educational sector in the Kingdom of Saudi Arabia (KSA) through the use of a questionnaire. The study addresses the main factors that can increase the awareness of social engineering in the educational sector in the KSA. This paper is structured as follows: Section 2 reviews the literature; Section 3 explains the problem statement; Section 4 presents the research methodology; Section 5 discusses the results; Section 6 identifies the limitation; and Section 7 provides a conclusion and recommendations for future work.

Literature Review
Social engineering can be traced back to 1984 [6]. It can be referred to as the "psychological manipulation of people into performing actions or divulging confidential information that cannot be effectively dealt with using traditional security methods", as these "do not investigate the exploitation of human vulnerabilities" [8]. Ref. [3] maintained that social engineering is one of the most prevalent methods used by modern attackers to compromise organizational systems and data. It is a way of accessing personal data or systems using human psychology. It can be used by cybercriminals to defraud users by employing physical, digital, and behavioral dishonesty to obtain their personal and business information [9]. Social engineering attacks can be categorized into two types: technical-based and human-based attacks [10]. Another study indicated that social engineering can be classified into several categories according to the method of attack and can be direct or indirect, as shown in Table 1 [2].

Identification Categorizations
Involved entity Human and software How the attack is conducted Social, technical, and physical-based According to [11], social engineering is composed of four steps: • Information gathering refers to the collection of information to assist in identifying attack vectors and targets.

•
Relationship development refers to the establishment of a rapport with the target. • Exploitation refers to the use of information and relationships to gain access to the target. • Execution refers to the accomplishment of the attacker's final goal.
Ref. [12] identified four steps for the social engineering attacks. It starts with the research/Information Gathering step that collects information about the victim. The second step is to develop a relation with the victim by using some techniques such as using an email. The third step is accessing the victim's information. The last step is closing the communication with the victim and remove any evidence of the crime.
In the last decades, users have interacted with many platforms on the Internet, which lead to them being attacked by hackers using social engineering attacks [13] and their data being shared on the Internet [14]. Some studies indicate that social engineering relies on human nature and vulnerabilities to hack into organizational systems. Such attackers assume the identity of an organization's trusted employees, customers, auditors, or technicians to access restricted information that may help them break into a company's information system [3,8,15]. Similarly, [16] stated that social engineering attacks include interpersonal interactions through face-to-face, telephone, or electronic communication with the recipient to manipulate them into divulging a company's confidential information. This argument aligns with [15]'s argument that social engineering relies on human psychology to exploit people's vulnerabilities for the attacker's benefit. In this regard, different scholars have defined social engineering in psychological terms, whereby attackers gain unauthorized access to an organization's sensitive data by building trust-based relationships with unsuspecting personnel who have the clearance to access such information.
Ref. [17] claimed that social engineering is made especially dangerous by the fact that it depends on human error instead of software and operating systems' vulnerabilities. This assertion is similar to [15]'s argument that social engineering is threatening because it targets legitimate users, who make up the largest part of any organization.
Ref. [18] identified phishing as the most prolific social engineering technique in recent years. According to them, phishing involves stealing users' credit card numbers and login details to access their personal information. It accounted for 77% of all social engineering attacks in the KSA's educational sector in 2017, with over 40 million users reporting phishing attacks. Ref. [18] further contended that email phishing is the most common form of attack. However, these attacks can also be executed through text messages, phone calls, and other forms of communication such as the internet and social media. Providentially, many email phishing attackers have been inexperienced in the past; hence, some of them have been easily recognized by computer users. However, email phishing has become more sophisticated in the recent past, with attackers using different techniques to fake the authenticity of an email or to manipulate individuals into sending emails for them. Cybercriminals can use cognitive and motivational biases techniques as part of the social engineering attacks [19]. These techniques rely on providing some promises such as financial gains so the victims can share their personal information.
Attackers do this by disguising the sender's email address to make it appear as if it comes from a prominent and trusted bank, utility, or government organization. Well-designed phishing emails appear almost identical to legitimate emails from the imitated organizations. One example of a phishing scam used by social engineers, as highlighted by [18], involves sending an email to online service users, alerting them of a policy infringement that demands immediately updating their passwords. Such emails include an unauthorized website link that is similar to its legitimate version. Such action may prompt trusting and unsuspecting users to enter their credentials and update their passwords, thereby submitting their sensitive information to the attacker. Social engineering threats, especially phishing, are a global challenge and are advancing in sophistication. The Kingdom of Saudi Arabia is no exception to phishing, as reports by Kaspersky indicate that the country recorded approximately one million phishing attacks in the first three months of 2020 [20]. According to the same reports by Kaspersky, this is the largest number of social engineering attacks to be recorded in the Gulf Cooperation Council GCC region this year. Additionally, the widespread use of computer networks in KSA learning institutions exposes them to numerous types of cyber-attacks, according to Alabdulatif [21]. For instance, a hacker claimed to have hacked and stolen private data, including academic results and students' and professors' details, from 4000 KSA universities towards the beginning of 2015.
Phishing can cause two consequences: financial and data loss and lawsuits. It can cause financial loss for individuals and businesses. Individuals are at risk of a hacker accessing important personal data such as bank account information. Businesses are required to pay fines and remediation costs if a hacker manages to access their data. Ninety percent of data breaches are caused by phishing, and phishing attempts increased by 65% in 2018. In addition, 76% of businesses indicated that they had been the victims of phishing attacks [22].
There is a slight difference between technical computer attacks and social engineering attacks. Social engineering attacks target all organizational levels, while technical attackers only engage staff from IT departments. In social engineering, the targeted personnel may lack sufficient technical knowledge to guide attackers through the cyber-attack process, and they may also be unaware of crucial social engineering concerns. Therefore, all security control elements, including technical, procedural, and physical elements, should be incorporated into an in-depth security strategy to ensure that all personnel within the organization are sufficiently updated on the appropriate security practices [16].
Ref. [16] suggested training programs to provide data security awareness to ensure that users understand all forms of cybersecurity risks and threats, including social engineering. Through educational training for all personnel, a company can establish an information security culture by enlightening the staff about different techniques used by social engineering attackers to invade security systems. Likewise, [1] maintained that comprehensive Information System (IS) programs that include training and awareness can enhance information security and ensure business continuity, mostly because social engineers rely on private information acquired from users in an attack.
Furthermore, [17] confirmed that the most effective way of dealing with social engineering is to provide the necessary and appropriate training to employees to enable them to identify, flag, and interrupt attempted attacks. In line with this, [23] recommended using social engineering simulations via DTS in educational institutions to identify their susceptibility to various social engineering attacks. Open-source intelligence gathering can be implemented to identify vulnerable team members within the organization whom attackers may target, and those employees can then be trained to identify and deal with such attacks. Ref. [23] claimed that simulation tools such as DTS are very useful in increasing security information awareness and assurance for professionals, students, and the entire academic staff. This is because these tools are easy to understand and use; thus, they allow students and other users to conduct experiments that enhance their understanding of different information security concepts.
On the other hand, several studies have identified that personnel lack knowledge regarding various information privacy threats linked to their smart devices. For instance, [17] noted that different e-health device users are unaware of most of the latest cyber threats and social engineering techniques that can be used to extract their personal information. In addition, a study by [1] on the human factors that facilitate social engineering in various educational institutions across the Middle East indicated that both students and professionals had a poor understanding of social engineering in learning institutions. As a result, [1] argued that there is a need to develop new and advanced security awareness initiatives to improve the users' overall awareness of the social engineering threats presented by smart devices such as mobile phones. In light of this, [17] recommended incorporating social engineering awareness training into educational institutions' curriculum because employees, students, and the faculty can facilitate social engineering risks without their knowledge. These findings align with [1]'s findings that there is a need for information security awareness in various academic sectors in the KSA after conducting different social awareness studies among professionals and students in the educational sector across Saudi Arabia. In light of this, all organizations should make information security awareness, education, and training a central part of their security management and risk assessment strategies to minimize the risk of social engineering threats.
A study by [23] on cybersecurity in modern organizations indicated that information security depends on three key factors, namely people, processes, and technology. The weakest link is the human factor, even in organizations implementing the most effective procedures and the most advanced technologies. The findings of this research bring into perspective the scope of this review. The findings indicate that cybersecurity threats through social engineering have a significant impact on the affected organizations because human beings are the core of any business, large or small. Comparably, [17] claimed that the human factor is the most significant element of safeguarding sensitive data in any type of establishment. According to them, trust is among the key security aspects associated with the human factor of information security. Trust is essential in every aspect of information security, and it can affect a company's security conduct substantially [16].
A study was carried out to investigate the role of trust in facilitating social engineering; the findings were that most computer users are overly trusting of strangers due to the lack of awareness about the security implications. This study concluded that most computer users have little or no knowledge of information technology security. The study further revealed that self-security could be improved by increasing awareness among computer users regarding the risks and potential threats associated with trusting strangers with their personal information [1].
One study identified security protective practices as one of the most significant factors that can impact an organization's personnel's vulnerability to social engineering attacks. These practices include, but are not limited to, updating their systems, anti-virus installation, and enabling firewalls. Ref. [16] maintained that organizations must educate their personnel about safe computer behaviors to ensure that their systems are protected from social engineering attacks. Examples of safe practices include refraining from opening strange links sent by unknown sources and refusing to disclose sensitive organizational information to anyone, among others. This factor represents the most substantial behavioral outcome in social engineering because it encompasses both the technical and psychological loopholes that social engineers may exploit to attack an organization. Therefore, organizations should educate and train their employees to ensure that they engage in safe and secure protective practices [1].

Problem Statement
As the use of information systems has increased in many institutions, the value of data included in the systems increased. Many educational institutions have developed E-Systems to serve many purposes such as e-learning systems, student registration systems, and other systems. The importance of these systems has been noticed, especially during COVID-19 pandemic, where online contact was the only way to communicate with students. Due to this importance, there were many cybersecurity attacks that targeted educational institutions. For example, the University of Calgary was targeted by a ransomware attack, and they paid 20,000 CAD to avoid any data damages [24]. A current study showed that 85% of cybersecurity professionals in educational organizations were not satisfied with their organizations' cybersecurity protection level [25]. The same report indicated that social engineering attacks and lack of awareness are the top threats in educational organizations. Many studies identified that educational organizations are suffering from low levels of awareness of cybersecurity concepts [1]. This research addresses the issue of low level of awareness of social engineering attacks in educational organizations by investigating the role of prior knowledge about social engineering approaches in improving the cybersecurity knowledge, practices, and skills in the organizations.

Research Methodology
In order to identify the level of awareness of social engineering attacks in the KSA's educational sector, this study started with a literature review, followed by a quantitative survey. The literature review findings were utilized to develop the questionnaire items. The items were then grouped into four categories (i.e., knowledge, practices, solutions, and education) to reflect various level of awareness.
A questionnaire was developed by the authors and then reviewed by a group of experts in the computer science department of Shaqra University. After passing the content validity phase, the questionnaire was translated into Arabic by the authors, and an online version was created through Google forms. A pilot phase was conducted with a group of participants to identify any spilling or timing issues. The researchers obtained ethical approval for this research from the Research Ethics Committee at Shaqra University in Saudi Arabia.
The population of the study consisted of students, teachers, faculty members, and employees in educational organizations in Saudi Arabia. The link to the questionnaire was sent to participants through email and the researchers applied sampling techniques to collect more responses.
The questionnaire consists of 27 questions and is divided into three parts. The first part acts as a cover letter and a consent form for the questionnaire by providing information about the study and the research team. The second part collects the respondent's demographic data including age, nationality, educational background, and gender. The third part contains statements designed to measure the awareness level of social engineering attacks in the KSA's educational sector. The fourth part allows the respondents to add any comments regarding the study.

Data Analysis
A total of 465 respondents, all of them part of educational organizations in Saudi Arabia, completed the survey during the period from 15 December 2020 through 17 January 2021. The analysis was conducted using the statistical package for the social sciences in IBM SPSS version 27.

Sample Characteristics
The demographic distribution of the respondents is shown in Table 2.

Prior Knowledge about Social Engineering
The participants were asked to determine whether or not they knew what is meant by "social engineering". According to their responses, the sample will be divided into two groups. The first group contains participants who had knowledge of social engineering approaches, while the other group contains participants who did not have prior knowledge of social engineering approaches. All responses thereafter will be compared between these two groups to indicate if there are statistically significant differences between these two groups. Table 3 shows that 34% of participants (158 participants) had previous knowledge of social engineering approaches, while 66% of them (307 participants) had no previous knowledge of social engineering approaches. This study did not focus on specific social engineering attacks, but it measures the level of awareness of these approaches in general and its impact on other cybersecurity practices. However, there was a specific question about the common social engineering attacks, and 51% of the participants indicated that they do not know about different types of social engineering attacks.

Level of Awareness of Social Engineering Attacks
This section shows the respondents' answers to questions related to measuring their level of awareness of social engineering attacks in the educational sector in Saudi Arabia. Participants were asked to self-report their level of awareness of social engineering approaches and related practices in the educational sector in Saudi Arabia by answering 23 questions. The questions were related to social engineering activities, security threats, and protection methods. The Appendix A shows the respondents' answers to the questions.
The collected data was tested using the one-sample t-test to examine the significance of prior knowledge of social engineering approaches on the level of awareness of social engineering attacks. Table 4 presents the outcomes of the one-sample t-test analysis of the respondents' answers. The researchers conducted Cronbach's alpha to measure the reliability of some of components of the questionnaire. All of the results were above or equal to the accepted level of Cronbach's alpha (i.e., 0.5) as shown in Table 4 [26]. However, for items in need for education courses group, Cronbach's alpha test was not conducted because it has two items only [27]. The data also was tested using the ANOVA test, which shows the significance of responses based on the participants' ages and occupations. Table 5 shows the results of the ANOVA test.

Discussion
This paper aims to develop an understating of the levels of awareness of social engineering approaches in Saudi educational organizations. The majority of respondents (66%) did not have prior knowledge of social engineering approaches, which indicates the need for comprehensive training about social engineering attacks in the educational sector in Saudi Arabia, which is in line with the recommendations of [1,17]. The results also show that there are differences between users with prior knowledge of social engineering approaches and users without prior knowledge in terms of their information security knowledge. Examples include recognizing hacking and attacking signs, the ability to deal with attacks on their computers, and appreciation of the value of installing anti-virus software. These findings demonstrate that employees with a certain level of awareness about information security and social engineering approaches can better deal with social engineering threats. This is supported by other researchers such as [28], who linked awareness of social engineering with protective security practices. The results also indicate that users with prior knowledge of social engineering approaches follow specific information security practices such as noticing viruses or Trojan on their devices, being careful when opening emails and attachments, and noticing suspicious attempts to gather information. This finding aligns with many studies that indicated the human factor as the source of many cyber-attacks via users clicking on malicious URLs [29]. In addition, the results show that there is a significant difference between participants with prior knowledge of social engineering techniques and participants without such knowledge in terms of the technical security solutions that they apply to reduce the impact of possible social engineering attacks. These solutions include enabling a firewall and keeping anti-virus software and regularly updating operating systems. Having an adequate level of computer security skills was found to affect employees' awareness of information security in many studies [20,30].
This study also tried to identify the differences between various categories of participants based on their ages and occupations. Although there are few differences between participants in terms of their social engineering and information security knowledge, the results did not identify any significant differences between them in most social engineering and information security knowledge responses. This could indicate that the lack of knowledge is widespread across various types of organizations despite members' ages or occupations. This finding differs from those of other studies that indicated a difference in awareness of information security among different age groups [31]. The current study also demonstrated that there are differences among the groups in terms of utilizing technical security solutions such as installing anti-virus software and updating it regularly. This emphasizes the range of computer security skills among various age and occupation groups, as indicated by [20,30].
The result of current study indicates that there is a need to develop a holistic enterprise security management which does not focus only on the technical side of cybersecurity, but also includes human resources. This finding is linked with other studies such as [32], which provided a security architecture viewpoint.
The results of the current study show that there is a need for participants of different knowledge levels, ages, and occupations to receive continual training about social engineering techniques and information security skills. The training programs should be designed in flexible ways that consider different personal capabilities of understanding social engineering attacks [33]. This finding of the current study can be indicated by a difference in awareness level of information security among different age groups. The design of such training programs can include some multimedia features such as mentioned in [34]. In addition to training programs, organizations can apply preventive techniques to reduce the impact of social engineering attack such as mentioned in [35].

Limitation
Although rigorous research activities have been conducted in this study, it still has limitation. The study relies on self-report questionnaires which could be not reflect the real practices. Thus, one of the future works could be conducting a long-term observational study to compare the results of the current study with the real practices.

Conclusions
As social engineering attacks have grown more frequent in recent years, the damage done by these attacks has increased and affected organizations and people in various ways. The human factor is considered one of the main causes of social engineering attacks, so the need has arisen for improving the awareness level of social engineering techniques and the methods used in such attacks. Educational organizations can be targets for many social engineering attacks since they have various users (i.e., students, staff, etc.) from different age groups. This study tried to identify the current levels of awareness of social engineering approaches among different members of educational organizations in Saudi Arabia. The results and findings of this study indicate that members with prior knowledge of social engineering approaches have better information security knowledge, practices, and skills. This shows the importance of awareness and educational training regarding social engineering techniques and information security practices. The findings also indicate that there are differences among various age and occupation groups in terms of utilizing technical security solutions. Based on that, educational organizations need to design specific training programs that consider age, education level, and occupation because each category has special requirements. Future work could involve designing a training program to raise the awareness level of social engineering approaches that satisfies the unique needs of different categories of personnel.  Informed Consent Statement: Informed consent was obtained from all subjects involved in the study.

Conflicts of Interest:
The authors declare no conflict of interest.