dc.contributor.advisor: Janse van Rensburg, J.T.
dc.contributor.advisor: Greeff, J.J.
dc.contributor.author: Ngqoyiyana, I.L.
dc.date.accessioned: 2020-12-04T08:52:00Z
dc.date.available: 2020-12-04T08:52:00Z
dc.date.issued: 2020
dc.identifier.uri: https://orcid.org/0000-0002-4241-8160
dc.identifier.uri: http://hdl.handle.net/10394/36489
dc.description: MSc (Computer Science), North-West University, Vanderbijlpark Campus, 2020 [en_US]
dc.description.abstract: Social engineering is one of the biggest cyber-security threats faced by organisations. Cyber-criminals no longer primarily aim to exploit information systems, but rather target the ‘low hanging fruit’, which is the human element. End-users, primarily administrative staff, are at the highest risk of these social engineering attacks. Administrative staff such as secretaries, clerks, receptionists, etc. have access to sensitive information about the organisation. These administrative staff are considered to be easy targets for attackers, especially in advanced persistent threat (APT) attacks. Administrative staff are less likely to be able to quickly spot social engineering attack cues, as they are not trained to constantly deal with such attacks. It is for this reason that an intervention is required to raise awareness of social engineering attacks. This study seeks to develop an artefact that is suitable to raise awareness of social engineering attacks on users who are employed as administrative staff in medium to large organisations, specifically within the context of South Africa. A review of the literature indicates that limited research has been performed regarding interventions to raise social engineering awareness for administrative users who are employed in medium to large organisations in Southern Africa. The research findings indicate that game-based artefacts can be used to raise awareness about social engineering issues. Research paradigms are discussed as part of the literature review. Design science research (DSR) is a useful approach to developing and reporting on artefact creation. The research is structured according to the design science research methodology (DSRM) process model by Peffers et al. (2007:54) and the artefact development process is guided by the DSR cycles by Hevner (2007:2). This DSR study is reported on in a manner similar to the approach followed by McKenney and van den Akker (2005:49).
Cyber security is discussed as part of the literature review. The cyber-security issues are discussed covering concepts of cyber-crime, cyber-terrorism, and cyber-warfare. The cyber-security issue extensively discussed is cyber-crime, with a key focus on the types of cyber-crimes and social engineering being the focal point for the cyber-crimes discussion. The types of social engineering attacks are discussed which lead into a discussion on the interventions available for raising awareness regarding cyber-security issues. The interventions for raising cyber-security awareness (which include social engineering awareness interventions) are identified from the literature and presented in a participatory design workshop to participants who form part of the target user group (which are administrative staff employed in medium to large organisations). Game-based artefacts are identified, with the participants, to be the preferred artefacts to address the social engineering awareness issue. The game-based artefact is initially developed as a conceptual design and iteratively improved into a usable prototype. The design requirements are gathered from the target users, translated into functional and actionable design inputs, and implemented and continuously reviewed by the design experts from academia. The game-based artefact is developed through multiple iterations and participatory design workshops. It is then evaluated through a summative evaluation and testing approach to determine its reaction and learning evaluation. The reaction evaluation seeks to determine whether the artefact is suitably designed according to the design requirements gathered throughout the design and development processes. The learning evaluation seeks to determine whether the artefact can be used to bring about a learning experience in the users. It is also tested for quality to determine whether it addresses the quality criteria of a DSR artefact. 
The quality evaluation criteria address the validity, practicality, and impact potential of the game-based artefact. Due to the COVID-19 pandemic, the summative evaluation and testing (reaction and learning evaluation) is not performed as a participatory design workshop; electronic forms are provided to the participants instead. Two groups of participants are involved in the design, development, and evaluation of the artefact. Participatory design workshops are used to gather the design and development information. In the participatory design workshops, questions are asked about the design of the artefact and the feedback received is electronically captured and analysed using open-coding to identify themes in the data. The first group of participants are from an academic (academia) institution and are mainly involved in the design and development of the artefact. The first group includes the target users (participants) as well as the research experts (which include the DSR experts and design artist). The second group of participants are from a medium to large organisation (industry). The second group of participants includes the target users (participants) as well as the cyber security expert. The second group of participants (from industry) are mainly involved in the evaluation of the artefact with a small subset also being involved in the design and development process. In total, 27 participants are involved in this study. The participants from both academia and industry are randomly sampled based on their availability. Twelve of the 27 participants are involved in the design and development of the artefact, and are from different roles from both organisations (academia and industry). The design and development of the artefact occur over three participatory design workshops. Workshops 1 and 2 are performed with a total of eight participants from the first organisation (academia) for the development of the conceptual and first prototypes.
The third workshop is performed with the participants from the second organisation (industry) in the development of the second prototype. Four of the 12 participants involved in the design and development also provide feedback on the reaction evaluation of the artefact. The remaining 15 participants from organisation two (industry) are employed in administrative or similar roles and are involved in the learning evaluation of the artefact. Both evaluations are electronically presented to the participants using electronic forms. The reaction evaluation form contains open-ended questionnaires with the results being analysed through open-coding to identify themes in the data. The learning evaluation form contains a pre- and post-test questionnaire, with the results being quantitatively compared to determine whether a learning experience has taken place among the participants after having played the game-based artefact. The study results indicate that web-based artefacts are preferred for a digitally connected society that prefers to be able to access resources from any location. This has proven relevant during the COVID-19 pandemic, where social distancing was crucial. Video tutorials are a suitable avenue for providing social engineering information during gameplay. The tools used to develop the artefact were also useful. These tools included Image Map, Cloudflare, Apache 2.4.43, GoDaddy, Google Forms, Microsoft Azure, Twine 1.4.2, Unity 2019.1.14, Microsoft OneNote, Microsoft Word, Microsoft PowerPoint, NaturalReader, HTML, JavaScript, Blender 2.25, Let's Encrypt (Certbot), and Linux Ubuntu 18.04. These tools are discussed in the study. [en_US]
dc.language.iso: en [en_US]
dc.publisher: North-West University (South Africa) [en_US]
dc.subject: Cyber-security [en_US]
dc.subject: Social engineering [en_US]
dc.subject: Design science research [en_US]
dc.subject: Participatory design [en_US]
dc.subject: Research paradigms [en_US]
dc.subject: Learning evaluation [en_US]
dc.subject: Administrative staff [en_US]
dc.subject: Reaction evaluation [en_US]
dc.title: Developing an artefact for raising social engineering awareness among administrative staff [en_US]
dc.type: Thesis [en_US]
dc.description.thesistype: Masters [en_US]
dc.contributor.researchID: 20398999 - Janse van Rensburg, J.T. (Supervisor)
dc.contributor.researchID: 29892287 - Greeff, J.J. (Japie) (Supervisor)