{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T00:37:45Z","timestamp":1773707865066,"version":"3.50.1"},"reference-count":51,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2017,6,12]],"date-time":"2017-06-12T00:00:00Z","timestamp":1497225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,6,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. Reason for the incomplete training techniques in IT security is the interdisciplinary of the field. Social engineering is focusing on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill the gaps.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>The authors conducted a literature review from viewpoint IT security and viewpoint of social psychology. In addition, they mapped the results to outline gaps and analysed how these gaps could be filled using established methods from social psychology and discussed the findings.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The authors analysed gaps in social engineering defences and mapped them to underlying psychological principles of social engineering attacks, for example, social proof. 
Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies\u2019 bars against social engineering attacks.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-04-2017-0022","type":"journal-article","created":{"date-parts":[[2017,4,27]],"date-time":"2017-04-27T07:54:51Z","timestamp":1493279691000},"page":"206-222","source":"Crossref","is-referenced-by-count":32,"title":["Social engineering defence mechanisms and counteracting training strategies"],"prefix":"10.1108","volume":"25","author":[{"given":"Peter","family":"Schaab","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kristian","family":"Beckers","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sebastian","family":"Pape","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020120707580957700_ref001","unstructured":"Adams, A. and Sasse, M.A. (1999), \u201cUsers are not the enemy\u201d, Communication on ACM, Vol. 42 No. 12, pp. 
4-46, available at: http:\/\/doi.acm.org\/10.1145\/322796.322806"},{"key":"key2020120707580957700_ref003","first-page":"12","article-title":"A practical assessment of social engineering vulnerabilities","year":"2008"},{"issue":"4","key":"key2020120707580957700_ref004","doi-asserted-by":"crossref","first-page":"56","DOI":"10.1016\/S1363-4127(03)00007-4","article-title":"Penetration testing and social engineering: hacking the weakest link","volume":"8","year":"2003","journal-title":"Information Security Technical Report"},{"key":"key2020120707580957700_ref005","article-title":"A serious game for eliciting social engineering security requirements","year":"2016"},{"key":"key2020120707580957700_ref006","article-title":"HATCH: Hack and trick capricious humans \u2013 a serious game on social engineering","year":"2016"},{"key":"key2020120707580957700_ref049","article-title":"HATCH: Hack and Trick Capricious Humans \u2013 A Serious Game on Social Engineering","volume-title":"In Proceedings of the 2016 British HCI Conference","year":"2016"},{"key":"key2020120707580957700_ref007","volume-title":"A Theory of Psychological Reactance","year":"1966"},{"issue":"1","key":"key2020120707580957700_ref008","doi-asserted-by":"crossref","first-page":"85","DOI":"10.1080\/02650487.2014.997080","article-title":"Na\u00efve theories about persuasion: implications for information processing and consumer attitude change","volume":"34","year":"2015","journal-title":"International Journal of Advertising"},{"key":"key2020120707580957700_ref009","first-page":"1","article-title":"Breaching the human firewall: social engineering in phishing and spear-phishing emails","year":"2015"},{"issue":"5","key":"key2020120707580957700_ref010","doi-asserted-by":"crossref","first-page":"1032","DOI":"10.1037\/0022-3514.51.5.1032","article-title":"Central and peripheral routes to persuasion: an individual difference perspective","volume":"51","year":"1986","journal-title":"Journal of Personality and Social 
Psychology"},{"key":"key2020120707580957700_ref011","volume-title":"Influence: the Psychology of Persuasion","year":"2009"},{"key":"key2020120707580957700_ref050","article-title":"The risk of social engineering on information security: A survey of IT professionals","author":"Dimensional Research","year":"2011"},{"key":"key2020120707580957700_ref012","doi-asserted-by":"crossref","unstructured":"Ferreira, A., Coventry, L. and Lenzini, G. (2015), \u201cPrinciples of persuasion in social engineering and their use in phishing\u201d, in Tryfonas, T. and Askoxylakis, I. (Eds), Human Aspects of Information Security, Privacy, and Trust SE, Springer International Publishing, pp. 36-47, available at: http:\/\/dx.doi.org\/10.1007\/978-3-319-20376-8_4","DOI":"10.1007\/978-3-319-20376-8_4"},{"key":"key2020120707580957700_ref013","first-page":"52","article-title":"Psychosocial risks: can their effects on the Security of Information Systems really be ignored?","year":"2012"},{"key":"key2020120707580957700_ref014","first-page":"1","article-title":"Strategies and motives for resistance to persuasion: an integrative framework","volume":"6","year":"2015","journal-title":"Frontiers in Psychology"},{"key":"key2020120707580957700_ref015","unstructured":"Friestad, M. and Wright, P. (1994), \u201cThe Persuasion knowledge model: how people cope with persuasion attempts\u201d, Journal of Consumer Research, Vol. 21 No. 1, pp. 1-31, available at: www.jstor.org\/stable\/2489738"},{"key":"key2020120707580957700_ref016","volume-title":"Simple Heuristics that Make us Smart","year":"1999"},{"key":"key2020120707580957700_ref017","article-title":"Inferential correction","volume-title":"Heuristics and Biases","year":"2002"},{"key":"key2020120707580957700_ref018","unstructured":"Gouldner, A.W. (1960), \u201cThe norm of reciprocity: a preliminary statement\u201d, American Sociological Review, Vol. 25 No. 2, pp. 
161-178, available at: www.jstor.org\/stable\/2092623"},{"key":"key2020120707580957700_ref019","doi-asserted-by":"crossref","unstructured":"Gragg, D. (2003), \u201cA multi-level defense against social engineering\u201d, SANS Reading Room, 13 March.","DOI":"10.1093\/acprof:oso\/9780199253890.003.0002"},{"key":"key2020120707580957700_ref020","unstructured":"Gulati, R. (2003), \u201cThe threat of social engineering and your defense against it\u201d, SANS Reading Room."},{"key":"key2020120707580957700_ref021","article-title":"A taxonomy for social engineering attacks","year":"2011"},{"issue":"9","key":"key2020120707580957700_ref023","doi-asserted-by":"crossref","first-page":"697","DOI":"10.1037\/0003-066X.58.9.697","article-title":"A perspective on judgment and choice: mapping bounded rationality","volume":"58","year":"2003","journal-title":"The American Psychologist"},{"issue":"4","key":"key2020120707580957700_ref051","first-page":"289","article-title":"A prototype for assessing information security awareness.","volume":"5","year":"2006","journal-title":"Computers & Security"},{"issue":"4","key":"key2020120707580957700_ref024","doi-asserted-by":"crossref","first-page":"299","DOI":"10.1002\/(SICI)1520-6793(200004)17:4<299::AID-MAR3>3.0.CO;2-E","article-title":"It could have been you: how states exploit counterfactual thought to market lotteries","volume":"17","year":"2000","journal-title":"Psychology & Marketing"},{"issue":"4","key":"key2020120707580957700_ref025","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1037\/h0022386","article-title":"Group cohesiveness as interpersonal attraction: a review of relationships with antecedent and consequent variables","volume":"64","year":"1965","journal-title":"Psychological Bulletin"},{"key":"key2020120707580957700_ref026","doi-asserted-by":"crossref","unstructured":"Lydon, J., Zanna, M.P. and Ross, M. 
(1988), \u201cBolstering attitudes by autobiographical recall: attitude persistence and selective memory\u201d, Personality and Social Psychology Bulletin, Vol. 14 No. 1, pp. 78-86, available at: http:\/\/psp.sagepub.com\/content\/14\/1\/78.abstract","DOI":"10.1177\/0146167288141008"},{"issue":"2","key":"key2020120707580957700_ref027","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1016\/0167-4870(89)90023-8","article-title":"Scarcity effects on desirability: mediated by assumed expensiveness?","volume":"10","year":"1989","journal-title":"Journal of Economic Psychology"},{"issue":"5","key":"key2020120707580957700_ref028","first-page":"1","article-title":"An introduction to social engineering","volume":"9","year":"2009","journal-title":"Information Security Journal: A Global Perspective"},{"issue":"4","key":"key2020120707580957700_ref029","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1037\/h0040525","article-title":"Behavioral study of obedience","volume":"67","year":"1963","journal-title":"The Journal of Abnormal and Social Psychology"},{"key":"key2020120707580957700_ref030","volume-title":"Obedience to Authority","year":"1974"},{"issue":"1","key":"key2020120707580957700_ref031","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1111\/j.1468-2958.2012.01438.x","article-title":"Boosting the potency of resistance: combining the motivational forces of inoculation and psychological reactance","volume":"39","year":"2013","journal-title":"Human Communication Research"},{"key":"key2020120707580957700_ref032","volume-title":"The Art of Deception: Controlling the Human Element of Security","year":"2011"},{"key":"key2020120707580957700_ref033","volume-title":"Attitudes and Persuasion: Classic and Contemporary Approaches","year":"1996"},{"issue":"4","key":"key2020120707580957700_ref034","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1515\/jhsem-2014-0035","article-title":"From weakest link to security hero: transforming staff security 
behavior","volume":"11","year":"2014","journal-title":"Journal of Homeland Security and Emergency Management"},{"key":"key2020120707580957700_ref035","first-page":"1","article-title":"The \u2018 social engineering \u2019 of Internet Fraud","year":"1999"},{"key":"key2020120707580957700_ref036","unstructured":"Sagarin, B.J., Ciadini, R.B., Rice, W.E. and Serna, S.B. (2002), \u201cDispelling the illusion of invulnerability: the motivations and mechanisms of resistance to persuasion\u201d, Journal of Personality and Social Psychology, Vol. 83 No. 3, pp. 526-541, available at: http:\/\/doi.apa.org\/getdoi.cfm?doi=10.1037\/0022-3514.83.3.526"},{"key":"key2020120707580957700_ref037","volume-title":"Establishing the Human Firewall: Reducing An Individual\u2019S Vulnerability to Social Engineering Attacks","year":"2008"},{"key":"key2020120707580957700_ref038","first-page":"50","article-title":"The psychology of security","volume-title":"Progress in Cryptology \u2013 AFRICACRYPT 2008 SE","year":"2008"},{"key":"key2020120707580957700_ref039","unstructured":"Stajano, F. and Wilson, P. (2011), \u201cUnderstanding scam victims: seven principles for systems security\u201d, Communication on ACM, Vol. 54 No. 3, pp. 
70-75, available at: http:\/\/doi.acm.org\/10.1145\/1897852.1897872"},{"key":"key2020120707580957700_ref040","article-title":"Individual differences in reasoning: implications for the rationality debate","volume-title":"Heuristics and Biases","year":"2002"},{"key":"key2020120707580957700_ref041","first-page":"133","article-title":"Social engineering: the \u2018dark art\u2019","year":"2004"},{"key":"key2020120707580957700_ref042","unstructured":"Verizon (2012), Data Breach Investigations Report, available at: www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf (accessed 13 January 2016)."},{"key":"key2020120707580957700_ref043","unstructured":"Verizon (2013), Data Breach Investigations Report, available at: www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2013_en_xg.pdf (accessed 13 January 2016)."},{"key":"key2020120707580957700_ref044","volume-title":"Measuring the Effectiveness of Information Security Awareness Program","year":"2011"},{"issue":"2","key":"key2020120707580957700_ref045","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1057\/ejis.2009.12","article-title":"Behavioral and policy issues in information systems security: the insider threat","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"5","key":"key2020120707580957700_ref046","doi-asserted-by":"crossref","first-page":"806","DOI":"10.1037\/0022-3514.39.5.806","article-title":"Unrealistic optimism about future life events","volume":"39","year":"1980","journal-title":"Journal of Personality and Social Psychology"},{"key":"key2020120707580957700_ref047","first-page":"1","article-title":"Information security technology?\u2026Don\u2019t rely on it a case study in social engineering","year":"1995"},{"key":"key2020120707580957700_ref048","unstructured":"Xu, A.J. and Wyer, R.S.J. 
(2012), \u201cThe role of bolstering and counterarguing mind-sets in persuasion\u201d, Journal of Consumer Research, Vol. 38 No. 5, pp. 920-932, available at: www.jstor.org\/stable\/10.1086\/661112"},{"key":"key2020120707580957700_ref002","article-title":"Dimensional research study about social engineering","volume-title":"Analysis of Social Engineering Threats with Attack Graphs","year":"2011"},{"key":"key2020120707580957700_ref022","volume-title":"Understanding and Auditing","year":"2004"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2017-0022\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2017-0022\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:50Z","timestamp":1753406570000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/2\/206-222\/110972"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,6,12]]},"references-count":51,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2017,6,12]]}},"alternative-id":["10.1108\/ICS-04-2017-0022"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2017-0022","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,6,12]]}}}