Social Engineering is a domain of study within information security. In practice, Social Engineering can be any kind of bypass attack on an organization. The attacks may take the form of human-based, computer-based, or mobile-based Social Engineering attacks, and they can cause damage to the organization. Thus, a dedicated risk management framework is needed to manage Social Engineering attack risk factors. This research focuses on managing Social Engineering attack risks in the Malaysian environment. A mixed research method, combining quantitative and qualitative methods, was employed to achieve the research objectives. A total of 384 questionnaires were distributed to four Malaysian organizations in sectors such as health care, government agencies, banking, and education, of which data from 143 respondents were collected for empirical analysis. Semi-structured interviews were conducted with eight organizations to reveal relevant information. Furthermore, empirical analyses such as assessment of the measurement model and assessment of the structural model were carried out on the research model. Results show that risk management is needed as a prevention technique against Social Engineering attacks on the organization. In addition, semi-structured interviews were conducted with eight Malaysian organizations to find out the importance, practice, difficulties, and effectiveness of Social Engineering attack risk. There was divergence in the key activities practiced as prevention techniques against Social Engineering attacks. That is the reason a dedicated risk management framework is needed as a prevention technique against Social Engineering (SoE) attacks on an organization.
Moreover, framework confirmation through expert judgment also showed that the framework thoroughly assesses information security risk management as a prevention technique from the perspective of Social Engineering attack risk, and that it is applicable to Malaysian organizations. Fundamentally, the development of the framework will enable organizations to identify Social Engineering attack risk factors and to address them urgently so that the full benefits to the organization may be reaped.