Information Security: Identification of Risk Factors Through Social Engineering

Abstract

The use of technology has increased exponentially thanks to the facilities it provides in academic, personal, social, and business activities. Therefore, security information is important to guarantee information privacy. Social engineering is one of the most used techniques by cybercriminals to exploit different risk factors. They take advantage of ignorance and false confidence to evade security mechanisms to access information systems and obtain private information. The aim of this study was to evaluate the behavior of users exposed to fraud and risk factors that can affect a university information system in order to propose methods to avoid future incidents. Participants answered a pre-test to evaluate their knowledge about the risks of social networks. Five social engineering attacks were implemented on university students using computational and non-computational techniques under controlled scenarios. Website attack vectors, infectious media generator, QR code generator, shoulder surfing and vishing were used. Overall, results showed that 57% of the participants were victims of at least one of social engineering attacks. Consequently, it is advisable to apply different techniques to increase students’ awareness and knowledge of information security to help reduce future attacks.