Social Engineering and the Value of Data: The Need of Specific Awareness Programs

In the field of cybersecurity human factor is considered one of the most critical elements. Security experts know well the importance of people's security behaviors such as managing passwords, avoiding phishing attacks and similar. However, organizations still lack a strong cybersecurity culture to manage security risks related in particular to the human factor. In this paper we describe the results of a study involving 212 employees belonging to two companies operating in the service sector. Within a cybersecurity awareness project executed in each company, employees participated in workshop sessions and were asked to evaluate the credibility and the success probability of a list of the most common security risk scenarios based on social engineering techniques. Cyber-attacks based on these techniques are considered among the most successful because use psychological principles to manipulate people's perception and obtain valuable information. The comparison of results obtained in the two companies shows that awareness training programs pay off in terms of raising people's attention to cyber-risks.