Considering the influence of human trust in practical social engineering exercises
Abstract
There are numerous technical advances in the field of information security. However, the application of information security technologies alone is often not sufficient to address security issues. Human factors play an increasing role in securing computer assets and are often detrimental to the security of an organisation. One of the salient aspects of security, which is linked to humans, is trust. It is safe to assume that trust will play an important role in any information security environment and may influence security behaviour significantly. In this paper the results of a practical phishing exercise and a trust survey are considered. The research project is part of a larger project and the phishing exercise is a follow-up to an earlier first practical phishing test. Results of the phishing test are compared with the first exercise. In addition, the newly obtained trust information from the survey is also incorporated into the report in order to try to explain security behaviour. The research was performed at a large organisation. Results indicate that although there is a generally high level of trust in the organisation’s ability to provide safe and secure information systems, a large number of staff still fell victim to a simple phishing exercise. A possible explanation, which opens up further avenues for research, is offered.
URI
http://hdl.handle.net/10394/16261
http://icsa.cs.up.ac.za/issa/2014/Proceedings/Full/105_Paper.pdf