Does Awareness of Social Engineering Make Employees More Secure?

Social engineering has become one of the biggest security threats facing organizations. Rather than relying upon information security technical-related shortcomings to break into computer networks, social engineers make use of employees’ individual and organizational traits to deceive them. In such a scenario, it is crucial for organizations to ensure that their employees not only possess sound knowledge about information security but also about the concept of social engineering and threats emerging from social engineering attacks. This study aims to test whether awareness of social engineering can predict and explain individuals’ security-protective practices. We conducted a survey of 265 employees working in different organizations in Saudi Arabia. The results suggest that awareness of social engineering is a positive predictor of security-protective practices above and beyond the predictability power of possessing information security knowledge. Thus, to reduce the probability of potential consequences of social engineering attacks, our study suggests that organizations should not only strive to enhance employees’ security knowledge but should also invest in increasing employees’ awareness of social engineering.