Visible to the public Social Engineering for Diagnostic the Information Security Culture

TitleSocial Engineering for Diagnostic the Information Security Culture
Publication TypeConference Paper
Year of Publication2019
AuthorsMarchand-Niño, William-Rogelio, Fonseca, Bruno Paolo Guzman
Conference Name2019 IEEE 39th Central America and Panama Convention (CONCAPAN XXXIX)
Date Publishednov
KeywordsComputer crime, confidential information, controlled social engineering attacks, cybersecurity, data privacy, Human Behavior, Human Behavior and Cybersecurity, human factors, information assets, information assets protection, Information Security Culture, information security culture assessment, ISCA survey questionnaire, phishing, pubcrawl, public university, security, security culture, sensitive information, Social Engineering, social engineering techniques
AbstractIn the process of diagnosing the culture of information security in an organization, it is considered two methods, the first one is the application of an ISCA (Information Security Culture Assessment) survey questionnaire and the second one based on social engineering techniques such as phishing, answering the question, How can a diagnosis be made effectively of the level of information security culture within an organization? with the objective of determining which of the two methods is the most effective and realistic for the diagnosis of the information security culture. This helps to understand and have a real and complete perception of the behavior and reaction of the users against the attacks of threat actors who make use of persuasion and manipulation tactics in order to obtain confidential or sensitive information. A description of these two methods is applied to a case study (public university). As a result, it is obtained that it is not enough to perform a diagnosis based on questionnaires because they can be relatively subjective in the sense of the way in which users respond to questions or statements. Evidence of controlled social engineering attacks that demonstrate in more detail the real behavior of users should be considered. Based on this more complete knowledge, appropriate strategies can be formulated for the change or strengthening of the security culture that ultimately contributes to the purpose of protecting information assets.
Citation Keymarchand-nino_social_2019