Assessing Generational Differences in Susceptibility to Social Engineering Attacks. A Comparison Between Millennial and Baby Boomer Generations

Lejla Islami
In the age of the digital society, Social Engineering attacks are very successful, and unfortunately users still cannot protect themselves against these threats. Social Engineering is a very complex problem, which makes it difficult to differentiate among vulnerable users. These attacks do not target only young users or employees; they are carried out on a mass scale, regardless of the users' age. Due to the rapid growth of technology and its misuse, everyone is affected by these attacks and everyone is vulnerable to them (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011) and, as such, protecting confidential information should be the ultimate goal of all people. However, although a number of different strategies exist to educate or train end users to avoid these attacks, users still fall for them and phishing still succeeds (Dhamija et al., 2006). This is mainly because existing security awareness training, theoretical courses, or frameworks are expected to be equally effective for all users regardless of their age, but experience has shown that this is not true (Alseadoon, 2014). For security training to be effective, it is essential that it be designed around the Social Engineering security weaknesses that differ between generations. This work aims to identify the unique characteristics (demographic and personality) of generations that determine their vulnerability. Frameworks crafted from that information, addressing these weaknesses, would then be useful and worth implementing. Therefore, taking into consideration the complexity of this problem, this study suggests that there is a need to research it from a broader perspective, adding the "generation" element to the study focus to find out whether there is indeed any difference in susceptibility among generational cohorts.
To do so, this research adopts both qualitative and quantitative methods to reach its objectives. Data collected on users' performance in a phishing assessment are analyzed, and a psychological interpretation of the results is provided. The first research question asks what factors determine end users' vulnerability to Social Engineering. Results from the quantitative data (statistical analysis) show that generation is an important element for differentiating potential victims of Social Engineering, whilst computer efficacy and educational level do not play any noteworthy role in predicting end users' likelihood of falling for these threats. Consistent with these findings and with previous studies, gender also shows no potential for predicting susceptibility (Parsons et al., 2013). The second research question seeks to explain what makes generations differ in susceptibility, and this study's findings propose that generation Y personality traits such as consciousness, extraversion and agreeableness are key influencers of their observed vulnerability. Finally, along with establishing strong foundations for future research on generations' susceptibility to Social Engineering, this thesis employs these findings to propose a framework aimed at lessening millennials' likelihood of Social Engineering victimization. The originality of this study lies in its overall approach: it starts with an exhaustive literature review to identify the factors affecting generations' susceptibility level, then statistically measures their vulnerability, and finishes with a solution proposal crafted to suit the observed generational security weaknesses.
Graduation Thesis type: Master - Cyber Security
Olaf Manuel Maennel, PhD; Raimundas Matulevicius, PhD