Victims & Offenders
An International Journal of Evidence-based Research, Policy, and Practice
Volume 17, 2022 - Issue 3
Original Articles

Organizational Characteristics Associated with Vulnerability to Social Engineering Deception: A Qualitative Analysis

Pages 421-438 | Published online: 30 Jun 2021
 

ABSTRACT

Social engineering, the manipulation and deception of individuals to gain access to otherwise secure systems and information, has become a major vector to compromise the information security of organizations. Little research has explored characteristics associated with organizations vulnerable to social engineering, particularly from the perspective of persons experienced in such deceptions. To address this gap, the current study uses a qualitative, grounded theory-based approach to analyze interviews with both professional and nonprofessional social engineers (n = 37). Results reveal six themes corresponding to traits participants associated with organizations vulnerable to social engineering. These themes concern an organization’s value, structural controls, organizational efficacy, openness, size, and purpose. This study concludes by exploring directions for future research and policy implications.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1. Many studies have examined the characteristics of organizations that may give rise to criminality among members. While informative, this analysis restricts itself for the purposes of clarity to consideration of literature which examines characteristics associated with organizations themselves becoming the targets of crime. Failure to limit the review of the literature in this manner would make it difficult to disentangle factors conducive to criminality and those which are associated with victimization. Further, a general weakness of available research is that it tends to focus on crimes against organizations by insiders and neglects outsider threats like those that typically define social engineering. Despite this limitation, extant research remains informative.

2. The IRB protocol number for this study is 8194.

3. The concept of “structural controls” is like the concept of “internal controls” used by some scholars of white-collar crime – a term referring to the “internal processes to deal with offending employees” used by organizations (Holtfreter, 2005, p. 256). We use structural controls because the concept, as we understand it, is broader than internal controls and more adequately captures the span of controls described by study participants.

4. Many studies define organizational efficacy as perceptions held by organizational members of their colleagues’ abilities to carry out their interdependent tasks (e.g., Bohn, 2010). Bandura (1997, pp. 468–469), however, distinguishes between organizational efficacy (the actual ability of members to carry out interdependent tasks) and perceived organizational efficacy.

5. It should be noted that while structural controls and efficacy may be interlinked, we consider them to be separate concepts. Structural controls denote the intentional and formal measures taken by an organization to regulate its members and their work. Efficacy, on the other hand, pertains to the shared attitudes, beliefs, and commitments among members.

6. Ellipses indicate unnecessary text was removed.

7. This dynamic applied mostly to in-person based deceptions.

8. Organizational theorists sometimes refer to organizational purpose as “technology” or “the work performed by an organization” including “the hardware used in performing the work,” “the skills and knowledge of workers,” and “the characteristics of the objects on which work is performed.” This analysis uses the term “organizational purpose” instead of “technology” to avoid confusion with our discussion of information security technologies and social engineering. The two terms, however, can likely be used interchangeably.

9. The observation that organizational members may be unwilling to disclose security infractions if they are made to fear harsh punishments resonates with deterrence theory, which has long held that overly severe sanctions may encourage additional infractions to avoid punishment (Beccaria, 1819, pp. 93–94).

10. Ellipsis indicates unnecessary text was removed.

Additional information

Funding

This work was supported by the National Science Foundation [grant number SES #1616804].
