NL samenvatting: In dit verkennend onderzoek werden social engineering-aanvallen bestudeerd, vooral de aanvallen die mislukten, om organisaties te helpen weerbaarder te worden. Fysieke, telefonische en digitale aanvallen werden uitgevoerd met behulp van een script volgens de 'social engineering-cyclus'. We gebruikten het COM-B model van gedragsverandering, verfijnd door het Theoretical Domains Framework, om door middel van een enquête te onderzoeken hoe Capability, Motivational en vooral Opportunity factoren helpen om de weerbaarheid van organisaties tegen social engineering-aanvallen te vergroten. Binnen Opportunity leek sociale invloed van extra belang. Werknemers die in kleine ondernemingen werken (<50 werknemers) waren succesvoller in het weerstaan van digitale social engineering-aanvallen dan werknemers die in grotere organisaties werken. Een verklaring hiervoor zou een grotere mate van sociale controle kunnen zijn; deze medewerkers werken dicht bij elkaar, waardoor ze in staat zijn om onregelmatigheden te controleren of elkaar te waarschuwen. Ook het installeren van een gespreksprotocol over hoe om te gaan met buitenstaanders was een maatregel die door alle organisaties werd genomen waar telefonische aanvallen faalden. Daarom is het moeilijker voor een buitenstaander om toegang te krijgen tot de organisatie door middel van social engineering. Dit artikel eindigt met een discussie en enkele aanbevelingen voor organisaties, bijvoorbeeld met betrekking tot het ontwerp van de werkomgeving, om hun weerbaarheid tegen social engineering-aanvallen te vergroten. ENG abstract: In this explorative research social engineering attacks were studied, especially the ones that failed, in order to help organisations to become more resilient. Physical, phone and digital attacks were carried out using a script following the ‘social engineering cycle’. We used the COM-B model of behaviour change, refined by the Theoretical Domains Framework, to examine by means of a survey how Capability, Motivational and foremost Opportunity factors help to increase resilience of organisations against social engineering attacks. Within Opportunity, social influence seemed of extra importance. Employees who work in small sized enterprises (<50 employees) were more successful in withstanding digital social engineering attacks than employees who work in larger organisations. An explanation for this could be a greater amount of social control; these employees work in close proximity to one another, so they are able to check irregularities or warn each other. Also, having a conversation protocol installed on how to interact with outsiders, was a measure taken by all organisations where attacks by telephone failed. Therefore, it is more difficult for an outsider to get access to the organisation by means of social engineering. This paper ends with a discussion and some recommendations for organisations, e.g. the design of the work environment, to help increase their resilience against social engineering attacks. https://openaccess.cms-conferences.org/publications/book/978-1-958651-29-2/article/978-1-958651-29-2_8 DOI: 10.54941/ahfe1002203
NL samenvatting: In dit verkennend onderzoek werden social engineering-aanvallen bestudeerd, vooral de aanvallen die mislukten, om organisaties te helpen weerbaarder te worden. Fysieke, telefonische en digitale aanvallen werden uitgevoerd met behulp van een script volgens de 'social engineering-cyclus'. We gebruikten het COM-B model van gedragsverandering, verfijnd door het Theoretical Domains Framework, om door middel van een enquête te onderzoeken hoe Capability, Motivational en vooral Opportunity factoren helpen om de weerbaarheid van organisaties tegen social engineering-aanvallen te vergroten. Binnen Opportunity leek sociale invloed van extra belang. Werknemers die in kleine ondernemingen werken (<50 werknemers) waren succesvoller in het weerstaan van digitale social engineering-aanvallen dan werknemers die in grotere organisaties werken. Een verklaring hiervoor zou een grotere mate van sociale controle kunnen zijn; deze medewerkers werken dicht bij elkaar, waardoor ze in staat zijn om onregelmatigheden te controleren of elkaar te waarschuwen. Ook het installeren van een gespreksprotocol over hoe om te gaan met buitenstaanders was een maatregel die door alle organisaties werd genomen waar telefonische aanvallen faalden. Daarom is het moeilijker voor een buitenstaander om toegang te krijgen tot de organisatie door middel van social engineering. Dit artikel eindigt met een discussie en enkele aanbevelingen voor organisaties, bijvoorbeeld met betrekking tot het ontwerp van de werkomgeving, om hun weerbaarheid tegen social engineering-aanvallen te vergroten. ENG abstract: In this explorative research social engineering attacks were studied, especially the ones that failed, in order to help organisations to become more resilient. Physical, phone and digital attacks were carried out using a script following the ‘social engineering cycle’. We used the COM-B model of behaviour change, refined by the Theoretical Domains Framework, to examine by means of a survey how Capability, Motivational and foremost Opportunity factors help to increase resilience of organisations against social engineering attacks. Within Opportunity, social influence seemed of extra importance. Employees who work in small sized enterprises (<50 employees) were more successful in withstanding digital social engineering attacks than employees who work in larger organisations. An explanation for this could be a greater amount of social control; these employees work in close proximity to one another, so they are able to check irregularities or warn each other. Also, having a conversation protocol installed on how to interact with outsiders, was a measure taken by all organisations where attacks by telephone failed. Therefore, it is more difficult for an outsider to get access to the organisation by means of social engineering. This paper ends with a discussion and some recommendations for organisations, e.g. the design of the work environment, to help increase their resilience against social engineering attacks. https://openaccess.cms-conferences.org/publications/book/978-1-958651-29-2/article/978-1-958651-29-2_8 DOI: 10.54941/ahfe1002203
Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Structural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effective (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disappears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business’ characteristics. Based on these findings, we will discuss security professionals’ prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.
