Social Engineering: Managing The Human Element Of Information Security In The Organization
According to a definition given by the European Network and Information Security Agency, social engineering refers to techniques that exploit human weaknesses and manipulate people into breaking normal security procedures (ENISA, 2008, p. 7). We can therefore say that organizations are still at risk because the people entrusted to safeguard their information are highly vulnerable to social engineering attacks. In this regard, the study offered guidelines on how stakeholders can manage the social engineering threat within the organization’s risk appetite. The general objective of the study focused on social engineering as a security threat in the organization and on how human behavior contributes to its success. The specific objectives explored social engineering techniques, highlighted motives and factors that influence the success of social engineering attacks, determined risk areas that needed to be improved, modelled a risk matrix of the probability of compromise/breach involving stakeholders, and finally recommended guidelines on how the threat level of social engineering may be reduced in the organization. This study adopted a hybrid of quantitative and qualitative methodologies and targeted the stakeholders of a general insurance company whose headquarters are situated in Nairobi. The study, being descriptive, was observational and also made use of questionnaires. The collected data was coded and entered into the Statistical Package for Social Sciences (SPSS) for analysis. The output of these techniques indicates that social engineering, being a ‘non-technical’ way of infiltration, should be taken as seriously as any other technical threat. It is therefore important for continuous research to be carried out in this area, as the field of social engineering is changing dynamically with the advancement of technology.
Further recommendations on how the social engineering threat level could be reduced were also provided by customizing elements of the Enterprise Risk Management (ERM) Integrated Framework of the Committee of Sponsoring Organizations (COSO).