The current resilience of BiSL (Business Information Services Library) against the risks of Social Engineering.

Academic year: 2021


The current resilience of BiSL (Business Information Services Library) against the risks of Social Engineering.

SUBMITTED IN PARTIAL FULFILLMENT FOR THE DEGREE OF MASTER OF SCIENCE

Ilias Hadri

11862718

i.hadri@hotmail.com

MASTER INFORMATION STUDIES

Information Systems

FACULTY OF SCIENCE

UNIVERSITY OF AMSTERDAM

09-07-2019

Supervisor / 1st Examiner: Dhr. Ir. A.M. (Loek) Stolwijk, Faculty of Science (UvA)

2nd Examiner: Dhr. Drs. A.W. (Toon) Abcouwer, Faculty of Science (UvA)


The current resilience of BiSL (Business Information Services Library) against the risks of Social Engineering.

Ilias Hadri

University of Amsterdam

ABSTRACT

Organizations have become increasingly dependent on Information Communication and Technology (ICT); it makes the fulfillment of employees’ jobs within organizations easier, meaning that it is indispensable in 2019. In practice, some ICT-frameworks are recognized, implemented, and applied in several organizations around information systems. One of these frameworks is the Business Information Services Library (BiSL). The BiSL-framework is an elaboration of processes that are essential to controlling the information provisioning from the business. BiSL is the alignment between the business and ICT; the business has a strong influence on what the technology does. Organizations face technical failures; besides that, an organization can experience human errors as well. Human error is where Social Engineering (SE) comes in. SE is an attack that focuses on people rather than technology. There are currently no scientific theories explaining the link between the BiSL-framework and SE, even though the BiSL-framework concerns users who are not technically skilled, and these are precisely the people SE targets. This research contributes theoretical and practical relevance by investigating this unknown link between the two subjects, subjects that concern every organization. A literature study was carried out on the following themes: the BiSL-framework/Information Management, SE and Information Security (IS). These theories formed the basis for the empirical part of this research, for which various experts in the field of BiSL, SE, and information security were interviewed. The results showed that the BiSL-framework is insufficiently designed to recognize, mitigate and resist the risks of any kind of abuse of information, and this especially in the case of SE.
Further research showed that BiSL focuses on the establishment of information management and does not mention information security or the safeguarding of information inside the information provisioning itself. Consequently, BiSL does not tackle the problem of SE, because information security is absent from the BiSL-framework. This means that the BiSL-framework needs to be updated and supplemented with information security in each process inside the framework. It can therefore be concluded that there is a gap in the BiSL-framework: it does not tackle SE or any other kind of abuse of information and does not give space to information security.

INTRODUCTION

According to Veenstra, Zuurveen, and Stol (2015), digitization in Dutch society and industry is increasing at a fast pace. Digitization has offered Dutch society and its organizations various opportunities to simplify daily life. As a result, organizations are becoming increasingly dependent on Information Communication and Technology (ICT). In fact, in today's business world, the use of ICT has become indispensable (Van der Kleij, 2018). Nevertheless, as Van der Kleij (2018) showed, digitization comes with risks. That is, the increase in digitization within organizations creates a target for hackers who use Social Engineering (SE) (Munnichs, Kouw, & Kool, 2017; Leukfeldt & Weulen Kranenbarg, 2017). A note for the reader: Social Engineering will be referred to as SE in this research. In recent years, organizations have been spending a lot of resources on the design of ICT processes and digitization, and problems have also arisen regarding the digital resilience of organizations (Munnichs et al., 2017). It is crucial for organizations to become aware of the actions that are performed on the digital network, and it is essential that organizations can identify the weak spots within their own ICT landscape. According to ICT-security expert Boris Sondagh (2009), a resilient digital organization is an organization that can recognize, analyze, defend, resolve and learn from incidents. In practice and theory, there are IT-frameworks such as Information Technology Infrastructure Library (ITIL), Application Services Library (ASL) and BiSL that are recognized, implemented, and applied in several organizations around information systems. These frameworks, among others, are especially crucial for the security of information systems in which sensitive information plays a significant role. The security of information determines whether or not an organization can be resilient in the digital network. An organization’s ICT-frameworks must ensure continuity within the ICT landscape, and the security of ICT must be guaranteed (Cuppen & Cuppen, 2010). The best-known existing frameworks in practice are ITIL and BiSL. The ITIL-framework comes from the technological angle regarding the ICT-infrastructure, as it is about maintaining and managing ICT-infrastructure within an organization (Van Bon, 2011). On the other hand, BiSL comes from a business standpoint and focuses on the management of information provisioning from a business perspective. To be specific, the BiSL-framework is an elaboration of processes that are essential to controlling the information provisioning from the business, although ICT resources are necessary for this (Pols, R. van der, Donatz, R., & Outvorst, F. van, 2005). Pols et al. (2005) stated that the reason BiSL is implemented in organizations is that the ICT side cannot communicate with their business counterparts, as both sides of the organization are not cohesive. As mentioned above, BiSL is the business angle on IT; it is the alignment, and the business has a strong influence on what the technology does (Cuppen & Cuppen, 2010). Munnichs et al. (2017) have shown that the current digital resilience of organizations is insufficient. In practice, ICT-security has not been a high priority, and the functionalities of ICT software/hardware are mainly assessed for convenience rather than safety (Munnichs et al., 2017).
Although digitization offers opportunities to businesses, it gives room to another group within the digital space as well: SE hackers, who will be referred to as manipulative hackers in this research.

The problem with SE is that it is a significant threat to organizations and has increased considerably in recent years (Leukfeldt & Weulen Kranenbarg, 2017). This threat has been confirmed in the literature and news websites. In short, a manipulative hacker makes use of the weaknesses and fears of people to extract information from them. For an organization, besides a technical failure, it is also the human errors that threaten the continuity of the company. Obviously, it is essential that sensitive information does not fall into the hands of the wrong people. Additionally, it is difficult to counter these threats because new methods of extracting sensitive information are constantly being developed. Therefore, organizations must be aware that information systems are technically only secure because they depend on specialized people to maintain their security (Hadnagy, 2010). Hence, they must consider that no matter how well the information system is technically protected, they are still dependent on people to keep the ICT-security safe (Hadnagy, 2010). It is difficult for organizations to arm themselves against SE because no firewall or virus scanner prevents it entirely. Thus, SE must become more and more of a focus point, as the ICT-security of organizations is not yet entirely reliable, leaving these systems vulnerable to extraction by manipulative hackers (Munnichs et al., 2017).

• Problem definition

The problem definition of the research is as follows: when looking at organizations that have applied the BiSL-framework, a significant risk arises. That is, user organizations, thus the business side, that have applied the BiSL-framework are not technically skilled, which allows them to be targeted by SE. Consequently, SE could then be easily applied in a user organization that has utilized the BiSL-framework. Due to this, it is not clear whether the BiSL-framework is resilient against the risks of SE, and whether BiSL focuses on the threats that SE entails. The present study will carry out research based on the problem definition.

• The focus of the research

This research provides insight into the phenomenon of ‘Social Engineering’ (SE), in combination with the BiSL-framework. Additionally, it aims to determine whether the BiSL-framework is resistant to attacks from SE and whether the BiSL-framework requires an extension or not. Therefore, the focus of the research is the BiSL-framework.

• Relevance

This research has practical and academic relevance. It is practically relevant because it can be of added value to society. The academic relevance of this research is that it adds to the existing knowledge.

o Practical Relevance

The results of the research may be useful for organizations that would benefit from additional knowledge on SE and BiSL. Moreover, the way that the digital resilience of organizations that apply the BiSL-framework to their information systems can be increased is researched as well. For organizations, it is essential to know the different methods SE may use and how they may protect themselves from these attacks. This research indicates where the weaknesses of the BiSL-framework are and where improvements can be made.

o Academic Relevance

Academic relevance is essential in this research. Several studies have recommended that organizations investigate the elements that make attacks by manipulative hackers more likely, which elements form obstacles for manipulative hackers, and how organizations are able to become digitally defensible against attacks of SE or any form of cybercrime (Munnichs et al., 2017; Krombholz, Hobel, Huber, & Weippl, 2015; Luo, Brody, Seazzu, & Burd, 2011; Siponen, 2000). The link between the BiSL-framework and SE has not been investigated in scientific research, and little scientific literature is available about it. Given that the problem has not yet been fully explored, the current literature surrounding the relation between BiSL (or other frameworks) and SE provides insufficient insight. Through this research, the available knowledge in the field of study will increase and contribute to the scientific literature on this subject. It will also provide a recommendation for organizations on how to be resilient against SE from a BiSL perspective.

• Main research question and sub-questions

In order to carry out the research, a research question has been formulated as follows, namely: To what extent does the BiSL-framework describe information management in order to offer sufficient resistance against the risks of Social Engineering?

To be able to answer the main research question, several studies have been examined. Therefore, the research question is disaggregated into nine sub-questions. The sub-questions that will help in gaining a better understanding are:

1. How do organizations organize information management and what is the role of BiSL?

2. What is Social Engineering, and what are common ways to attack organizations?

2.1 What is the impact of Social Engineering?

2.2 What developments are expected in particular from Social Engineering, and how often does it occur?

2.3 What can be expected of Social Engineering in the near future if no preventive actions are taken?

3. Which information security measures are present in the BiSL-framework?

3.1 Are essential guidelines regarding information security missing, in relation to Social Engineering in particular?

4. To what extent is the BiSL-framework resilient against Social Engineering?

5. Are there other existing frameworks that prevent or minimize the risks of Social Engineering when compared with the BiSL-framework?

The structure of the thesis is as follows: the first chapter is the literature review, which consists of several theories that will form the foundation of the research. The second chapter discusses the research methodology that will be applied during the research. Thereafter, the results will be discussed and, following that, the conclusion, discussion/future work and recommendations/limitations of the research will be explored.

1. LITERATURE REVIEW

This chapter is a literature review that consists of various scientific theories. It discusses relevant scientific literature concerning SE, the Amsterdam Information Management Model (AIM model), the BiSL-framework, and information security, after which a conceptual model will be developed regarding the relation between BiSL and SE. Various scientific studies will be combined to develop a well-substantiated theory that answers the central question and its associated sub-questions.

1.1 Social Engineering

There are many technological resources available to address IT security vulnerabilities. Among these, the human factor that contributes to security breaches has received the least attention. This is partly due to the many technological methods present (Luo et al., 2011). Firstly, it is essential to develop a clear definition of SE; this is defined within the context of computer and information security. Several authors have defined SE as the art of misleading users to gain access to information systems in organizations (Mitnick & Simon, 2002; Oosterloo, 2008; Krombholz et al., 2015; Luo et al., 2011), without using any kind of technology (Mitnick, 2003), whereby the focus is on the weakest spot in information security, namely the human element (Nelson, 2001; Oosterloo, 2008; Peltier, 2006; Krombholz et al., 2015; Krombholz, Hobel, Huber, & Weippl, 2013; Luo et al., 2011). Also, SE aims to mislead people for economic reasons by gathering confidential company-critical information and carrying out actions that endanger the safety of people and the organization (Mitnick & Simon, 2002; Gragg, 2003; Peltier, 2006; Oosterloo, 2008; Krombholz et al., 2013). SE hackers are also known as manipulative hackers. Manipulative hackers focus on individuals who have access to information systems, in order to manipulate them rather than using technical attacks on information systems (Mitnick, 2003). These individuals include receptionists, students, executives, human resources, finance staff and new hires (Krombholz et al., 2015). Manipulative hackers are motivated financially and thus steal valuable information from an organization (Molok, Chang, and Ahmad, 2010). Several studies have investigated the threat that SE poses in the field of information security (Luo et al., 2011; Thompson, 2006; Tayouri, 2015; Leukfeldt & Weulen Kranenbarg, 2017).
These studies have shown that even technical information security measures are not always effective against SE and are therefore powerless when people are manipulated by a manipulative hacker. The infamous social engineer Kevin Mitnick has demonstrated in practice how devastating SE attacks are on the entire information security environment of organizations and government institutions (Thompson, 2006). The stories and examples of Kevin Mitnick are often used and discussed in the field of information security (Krombholz et al., 2015). Dr. Peter Stephenson indicated in the research of Peltier (2006) that about 70% of SE attacks come from within the organization, thus from its own employees, and that the other 30% come from outside the organization, from people who have never worked for the organization or from former employees (Peltier, 2006). This means that organizations must not only observe the dangers from the outside, but must also observe the internal risks and coordinate against them properly. Data breaches cost nearly $6 billion annually worldwide (Tschider, 2015).

Peltier (2006) indicated that it is crucial for organizations to take this statistic into account when developing defense strategies. In short, organizations must recognize that SE works as well (Peltier, 2006). According to Gulati (2003), Richardson (2007) and Applegate (2009), the impact of SE attacks on organizations is considerable. Moreover, SE attacks are increasing, and the damage that every organization suffers from successful attacks is substantial. Studies undertaken by Gulati (2003), Richardson (2007) and Applegate (2009) have shown that, in addition to financial losses, organizations must deal with other losses as well. Namely, as Richardson (2007) and Applegate (2009) state, organizations face competitive loss, loss of profit and market share, reputational damage (Gulati, 2003), and perhaps legal ramifications (Richardson, 2007; Applegate, 2009). According to Gulati (2003), Thompson (2006), Maan & Sharma (2012), Conteh and Schmick (2016), and Albladi and Weir (2018) there are two categories of SE attacks, namely human-based and technology-based, with each of these categories containing different attack techniques. Human-based attacks are carried out through human interaction in which victims are misled and sensitive information is obtained. Maan and Sharma (2012) and Albladi and Weir (2018) state that deception is used by showing authority, by being kind and by imitating others. Several authors have argued that the ‘human-based’ category is very successful in practice due to the tendency of people to be helpful to others and to people’s ignorance (Gulati, 2003; Thompson, 2006; Maan & Sharma, 2012; Albladi & Weir, 2018). Examples of human-based techniques are dumpster diving, impersonation, shoulder surfing and reverse SE. On the other hand, technology-based techniques rely on the victim believing that they are dealing with a real computer system. This type of attack becomes dangerous when the victim provides sensitive information while falsely believing they are communicating with a computer system (Gulati, 2003; Thompson, 2006; Maan & Sharma, 2012; Albladi & Weir, 2018). Examples of technology-based techniques are phishing, spam, vishing, identity theft and pretexting.

An example of an SE attack is outlined in figure 1. According to Allen (2006) and Thompson (2006), an SE attack consists of four steps, namely collecting information, building a relationship with the victim, exploitation and execution. These steps are then repeated in cycles. The first step of an attack is to collect information about the potential victim, in which research is used as a tool; this information is in turn crucial for building a relationship with the victim. The second step focuses on building a friendly relationship with the target. Once this has been developed, the manipulative hacker makes use of the relationship that has been established (Thompson, 2006; Allen, 2006). In this step, the attacker uses psychological techniques to obtain information from the target or convinces them to perform an action; this step may also be the last, because the attacker may have already acted (Allen, 2006).

1.2 Amsterdam Information Management Model (AIM)

Firstly, before explaining the AIM model, it is essential to develop a clear definition of information management. Various researchers have defined 'information management' as managing information that is considered and used as an organizational tool (Maes, 2003). In other words, it is how an organization deals with its information provisioning (Bruins & Pinkster, 2010; Rutkens & van Hillegersberg, 2009). The aim of information management is to align the information provisioning with the relevant business processes. Over the years, several models have been developed to define and shape information management and to reflect the activities and responsibilities within it. In 2019, the preferred model is the Amsterdam Information Management Model (AIM), also known as the Nine Square framework. This model was developed and introduced by Abcouwer, Maes, and Truijens in 1997 and can be found in appendix C (van Hee, 2008). Abcouwer et al.’s model is derived from the Strategic Alignment Model (SAM) of Henderson & Venkatraman.

The AIM model is predominantly used to establish the relationship between organizations (businesses) and their information provisioning (ICT) (Maes, 2003). According to Thiadens (2012) and van Haele (2012), the AIM model can be seen as a conventional means of communication between different parties, these can be people from IT or Business. Additionally, the AIM model ensures that the problems in the field of information management are mapped, allowing different parties (Business and ICT) to communicate with one another about the issues surrounding information management (Thiadens, 2012). The model has three control levels: Strategy, Structure, and Operations. These control levels are set against three control domains, namely: the business domain, information/communication domain and technology domain. Within the business domain, business operations take place with its people, resources and processes. The middle domain, information/communication, focuses on information being seen as a supporting tool in its business operations. Maes (2003), therefore, positions information management in this domain as a cross. Additionally, the information domain translates the demand from the information services to the technology domain (van Hee, 2008; Akker, 2006). Akker (2006) stated in his research that BiSL is positioned in this domain of the AIM model. Moreover, the technology domain is where the ITIL framework is positioned in the AIM model (Akker, 2006). All things considered, the model makes it possible to connect the control levels and domains with each other, which provides insight from different perspectives between all aspects within the model (Rutkens & van Hillegersberg, 2009; Lin & Brockhoff, 2011; van Hee, 2008).

1.3 Business Information Services Library (BiSL)

Every organization needs information; therefore, it must organize its information facilities. In other words, what does an organization need? And where does it meet that need? The Business Information Services Library is a Dutch framework that helps to address the needs mentioned above, and therefore has established processes for them. To be specific, BiSL is a framework for the implementation and professionalization of information management and functional management. The introduction briefly addressed ITIL’s focus on technology (the supply side), while BiSL focuses on the user organization (the demand side). The user organization acts as a client in BiSL and is a customer of the information provisioning (Pols et al., 2005). See Appendix D for the BiSL-framework. In theory, BiSL gives substance to information management and functional management in three layers: Strategic, Managing, and Operational (Cuppen & Cuppen, 2010; Pols et al., 2005). At the Strategic layer, the way the information provisioning should look in the long term must be determined, as well as how it should be organized. The middle layer, the Managing layer, focuses primarily on schedules, revenues, costs, and contracts with IT suppliers. The bottom layer, the Operational layer, emphasizes the processes of functional management and is concerned with the daily use, management and design of the information provisioning (Pols et al., 2005; Cuppen & Cuppen, 2010). Pols et al. (2005) and van Outvorst et al. (2015) state that the most significant motive for organizations’ application of BiSL is that BiSL supports the alignment between the user organization (business) and the IT-service provider (Pols et al., 2005; van Outvorst et al., 2015). In other words, the needs of the user organization (business) can be translated into IT solutions and non-IT solutions.
Another motivation also plays a role, namely organizations’ desire to professionalize their information management, thereby bringing the actual situation under a magnifying glass, improving and monitoring it (Pols et al., 2005; Van Outvorst et al., 2015). However, in practice, this is not always the case. Studies by van Dam, Methorst, Spee and van Steijn (2015) and Roest, Theuns, and Pijnenburg (2014) have shown that the BiSL-framework is not often used within the business information management domain. Although some elements of the framework are used, the entire framework itself is not utilized. In 2012-2013, research from the authors above showed that 42% of the respondents applied BiSL as a method, as opposed to 60% in 2010-2011.

1.4 Information Security (IS)

In recent years, awareness has spread regarding the dependency on technologies in the digital world. This is partly due to the cyber-attacks that have taken place in recent years, which have drawn public attention to the issue of information security. For some people, information security seems to be a complicated but rather dull concept. It is often thought that information security is a matter of technically securing data against cybercriminals and unauthorized use, and of securing information systems. In practice, information security is more than just a matter of securing the entire IT infrastructure. Today, there are many risks for organizations that involve the security of information, such as reputation damage due to data leakage, the failure of information systems, or an error in information security.

The International Organization for Standardization defines information security “as maintaining the availability, integrity, and confidentiality of information”, which is based on the CIA triad (ISO / IEC 27002, 2005). Information can be visible on paper, whether written or printed, digitally stored, sent by post, or sent electronically (ISO / IEC 27002, 2005). Whitman and Mattord (2009) add to this definition by defining information security as the protection of information and its critical factors, including the systems where information can be used, stored and transmitted (Whitman and Mattord, 2009). The critical elements that appear in the definition of Whitman and Mattord (2009) also include the CIA elements (availability, integrity, and confidentiality), just as described in the definition of ISO / IEC 27002 (2005). According to Whitman and Mattord (2009), van Ophem and Joosten (2003), Von Solms & Van Niekerk (2013) and van den Berg (2015), information has three quality aspects that can be influenced positively and negatively by external factors. The first is availability, meaning information must be available and usable when needed. The second is integrity, which means that information cannot be deleted or changed without authorization. The third is confidentiality, meaning that information cannot be revealed to the outside world. These scholars agree that the security of the CIA elements of information is critical. In practice, an information security policy can be written to, for example, prevent employees from installing anything on their computers. However, according to Laybats and Tredinnick (2016), an information security policy should be aimed at minimizing the potential impact of the risks that are linked to information security. In other words, information security is not about preventing threats, but about understanding and managing the risks that information security involves.

As mentioned in paragraph 1.1, the weakness in information security is not technology, but the human element (Nelson, 2001; Peltier, 2006; Oosterloo, 2008; Luo et al., 2011; Krombholz et al., 2013). This statement is confirmed by the more recent work of Laybats and Tredinnick (2016). The authors conclude that people can behave unpredictably, and occasionally their behavior cannot be explained. This is where malicious people strike and where SE arises, as mentioned earlier in paragraph 1.1. Therefore, information security should no longer be regarded primarily as a technological matter, but from the human side, because that is the weakest spot in information security (Laybats and Tredinnick, 2016; Von Solms and Van Niekerk, 2013). Hence, the best way to tackle information security is to understand how information is integrated into work processes within organizations so that vulnerabilities can be identified (Laybats & Tredinnick, 2016).

1.5 Conceptual Model (CM)

The present study has developed a conceptual model (CM), see Appendix B, with a focus on the relation between BiSL and SE as a visual representation of the theory. In other words, it gives a visual overview of which concepts are being used in the research and shows the demarcation of the research. There is a legend in the CM that shows what the various shapes of lines mean in the model.

There are three IT frameworks that are used in the CM, namely BiSL, ITIL and ASL. The emphasis in this CM is on SE and BiSL, thus on the organizational aspect of IT rather than the technical side of IT. On the left side of the CM, ‘Business’ is displayed, meaning an organization that is mostly doing business, weighs opportunities and threats against each other and tries to survive among them. The BiSL-framework consists of three layers, namely Strategic, Managing, and Operational. All three layers within BiSL use ICT and non-ICT. Between these elements there are thick lines, which indicate the path of the BiSL-framework. At the bottom of the CM, ‘Social Engineering’ (SE) can be found. The path that SE travels is indicated by thin lines, meaning the attack lines of SE. Malicious persons using SE can be external or internal persons of an organization. The CM indicates that maliciousness can go two ways, namely through non-ICT (face-to-face conversations, structures, non-ICT equipment, machinery and buildings) or ICT (communication equipment, hardware and software). From the literature, it is known that SE causes errors. Through ICT, mistakes can be made intentionally, so-called ‘errors on purpose’, which consist of two types of errors, namely ‘system errors’ and ‘procedural errors’. System errors and procedural errors are linked to each other, because procedural errors can have an impact on a system. This is shown by a dotted line. System errors are linked to the IT frameworks ITIL (operations) and ASL (development), which only give interpretation to the technical aspect of ICT. SE does not frequently occur through system errors, because organizations make the technical aspect of ICT very watertight. Procedural errors involve human errors, which are caused by SE and mostly occur when ICT is applied. Procedural errors can be linked to the BiSL-framework because BiSL does not give meaning to the technical side of ICT.
The next step in the CM is the layers within BiSL, namely the Strategic, Managing, and Operational layers, in which ICT plays a significant role. These layers are linked with procedural errors, because in general people within BiSL are not technically skilled. Here SE can strike by, for instance, manipulating data, sabotage by malicious (internal/external) people, and other abuse. For example, if something goes wrong in the Operational layer, it can have an impact on the other layers, and it also means that something is wrong with ICT as well. An organization runs business risks in terms of SE and can miss out on business opportunities. An organization wants at least to be resilient against SE. In establishing a link between SE and the BiSL-framework in the CM, the risk is greater within BiSL. This is because of the business perspective, in other words the user organization, on which BiSL focuses. From the literature, it is clear that the BiSL-framework does not give an optimal interpretation of the technology, and the business organization itself is not technically skilled. For these reasons, the focus within the research will be placed on the BiSL-framework, with this framework forming the red thread throughout the research.

2. RESEARCH METHODOLOGY

This chapter discusses the research methods that were used during the research process, the data collection and analysis, the sample design and the validity of the study. In other words, this chapter describes all of the activities that were carried out in order to answer and justify the main question and the sub-questions.

2.1 Data collection and analysis

This section describes the execution of the desk and field research, and the collection and analysis of the data.


2.1.1 Desk research

Verhoeven (2011) and Fischer and Julsing (2015) define desk research as: “collecting existing information on a specific topic from various sources such as scientific databases, websites, books, newspaper articles, scientific research, statistics, and annual reports” (Verhoeven, 2011; Fischer & Julsing, 2015). In addition to collecting available information, the collected information was analyzed. This was necessary to secure a better understanding of the research subject and for answering the main and sub-questions.

2.1.2 Field research

Verhoeven (2011) and Fischer and Julsing (2015) define field research as: “gathering the information that has not been collected in this form before. In other words; start a self-investigation and carry it out”. Therefore, semi-structured interviews were carried out during the research to collect new and relevant data. This decision was motivated by a need for more personal input, allowing more in-depth and detailed information to be retrieved for answering the main and sub-questions (Fischer & Julsing, 2015; Bryman, 2008).

2.1.3 Data analysis

The data from the interviews were analyzed through the three steps of coding: open, axial, and selective coding. During open coding, the author categorized all fragments of each interview and linked them to a code. Axial coding was then conducted to compare the assigned codes with one another and merge them into a standard code. The main categories that became apparent as a result of the axial coding were used in developing the theory, which is the selective part of coding (see Appendix G).

2.2 Sampling design

The experts who were selected for the interviews were chosen based on their expertise, each relating to the primary research question (Bryman, 2012).

To determine the extent that a BiSL-framework is sufficient in resilience to the risks of SE, various professionals were recruited through the author’s network and several business social media channels. The experts who were recruited were active in the field of information security, SE/ cybercrime and information management/BiSL at the time of the research. These experts provided insights that were based on their experiences with various customers. These experts worked either in different organizations or independently. The insights that were obtained from the interviews surrounded the current BiSL-framework, including the shortcomings in practice with regard to the risks of SE. As a result, insights into how SE can strike organizations that work according to the BiSL-framework, as well as how information security can contribute to mitigating the risks of SE within a BiSL-framework, emerged. There were thirteen interviews carried out during the research; this was due to the sample size being dependent on the saturation of the theory that was achieved. Poelman (2015) and Smaling (2009) indicate that obtaining essential data should continue until no new relevant information emerges. Once this point is reached, there is substantive saturation. The achievement of substantive saturation confirms that no standards were set for a fixed sample size in certain situations in qualitative research (Bryman, 2012). Finally, the experts were approached through a snowball sampling approach, where the experts consulted their own network to contribute to the research.

2.3 Trustworthiness

According to Verhoeven (2011), Bryman (2008), and Guba & Lincoln (1985), qualitative studies must be assessed for validity and trustworthiness. According to Bryman (2008) and Guba & Lincoln (1985), trustworthiness is determined by four features, namely: credibility (the findings must be valid), transferability (applying findings in other types of context), confirmability (the researchers’ objectivity during their research), and dependability (the findings being reliable at different times).

The researcher ensured the credibility of this research by providing participants with a transcript of the interview, allowing them to validate the accuracy of the transcription. Additionally, the participant could choose to add or remove information from the transcript. Furthermore, the researcher guaranteed confirmability by ensuring that no bias or influence from either the researcher or the participant was present (Bryman, 2008). The interview questions were developed in an impartial manner; this was also applied to the requests that were sent via e-mail and LinkedIn to the participants, asking if they were interested in contributing to the research. However, the transferability of this research cannot be fully guaranteed, as it is based on the observations and experience of the experts (Guba & Lincoln, 1985). Readers can assess the transferability of the research based on a thick description of its context and judge whether it transfers to their own situation/context (Guba & Lincoln, 1985). The reader determines whether the research situation/context is transferable (Bryman, 2008). The description of the research process, and of the choices that were made for the research methods, guarantees dependability. The appendices consist of the complete transcripts of the interviews, the coding analysis report, and the interview scheme. The appendices are not published but are only made available to the examiners. Finally, the literature study formed the basis for the development of the interview questions.

2.4 Authenticity

As mentioned previously in subsection 2.1.3, various experts from different backgrounds were approached. Many insights were gained regarding the research questions and the comprehensive interview questions. This led to the authenticity of the research. Catalytic authenticity was considered within this study, that is, those involved were motivated to act in certain situations (Bryman, 2008; Guba & Lincoln, 1985). Furthermore, this research provided an improved understanding of the practical and theoretical relevance of SE and its risks, as well as of information management and the BiSL-framework. This was achieved by presenting all possibly relevant answers and insights of the interviewees about the research questions in an honest manner. This research will give the reader a sense of the meanings of the themes involved in this research.

3. RESULTS

This chapter discusses the results that emerged from the interviews. Each sub-question ends with a conclusion in italics. The analysis of the results was done through open, axial, and selective coding. The transcripts of the interviews can be found in Appendix F and the coding reports in Appendix G. The experts are referenced as sources P1 to P12 in this chapter.

SQ. 1: How do organizations organize information management and what is the role of BiSL?

The analysis of the interviews showed that organizations have established their own information management. The framework that is useful for organizations developing information management and functional management is the BiSL-framework (as introduced in chapter 1). The analysis of the interviews indicated that organizations do not use a framework or method for organizing information management. Ten of the twelve interviewees suggested that the organizations in which they are employed carry out activities considered BiSL-esque at Strategic, Managing, and Operational levels. Two of the twelve interviewees indicated that the organizations in which they are employed do not utilize the BiSL-framework. The reason behind this is that the organizations are not big enough. Furthermore, the group also indicated that BiSL is not very common, and therefore rarely used in practice. The reason for this may be that BiSL is an abstract framework to bridge the gap between Business and IT (P8). BiSL plays an essential role in the systematization of information management. In broad terms, BiSL has the elements required to organize information management within an organization (P8). According to P1, P4, P8, and P10, BiSL is a robust framework for establishing and managing information management and it supports the organization in this. The BiSL-framework describes which activities an organization must perform in order to arrive at the desired information provisioning that is necessary for the organization (P7).

Specifically, BiSL’s contribution to Information Management (IM) is that it helps to plot the work and activities that organizations perform at different levels, such as the Strategic, Managing, and Operational levels (P11). It provides a specific structure to the organization, namely it defines roles and tasks of individuals, and causes less chaos (P1, P2). P1 and P2 specifically indicated that, from their own experience, BiSL provides a structure within an organization that works and is well-organized in practice. Appropriate organization of BiSL at all levels means internally agreed upon procedures on how people will work, so that it works for both the organization as well as the employees themselves (P1, P10).

Conclusion:

The sub-question was answered based on the results of the interviews. From a theoretical standpoint, BiSL has a contribution in organizing information management. However, the analysis has shown that organizations that organize information management do not use a specific method or framework for it. Organizations use some BiSL-esque activities, but in practice, BiSL is utilized in a limited number of cases in regard to the implementation and organization of information management.

SQ. 2: What is social engineering, and what are common ways to attack organizations?

SE has already been introduced from a scientific perspective in Chapter 1. However, in this section this term will be described from the perspective of the interviewees. According to some of the participants, SE is interpreted as a way in which people are influenced, causing them to do things that they should not actually do, in violation of information security (P5). The manipulative hacker may attempt to get information from employees or other people in order to gain access to valuable information (P3) without using technical skills (P4). Examples of this are obtaining personal data from individuals (P7), gaining valuable information from organizations (P1), or accessing business information systems (P2, P3). P1 stated that the target of the attack depends on what a social engineer is interested in (this is commonly money or valuable information that can be used to commit abuse or theft). A portion of the interviewees were not entirely sure what SE is and what it entails. For example, some interviewees mentioned that a likely hacker would be focused on somebody’s private life, but in theory and practice it is far more significant than that. In practice, it is often the case that people are naturally helpful, and a manipulative hacker abuses that (P5). Although it is not entirely practical, people have a desire to be loved and/or liked, even within the business world (P4). The natural qualities of being ‘helpful’ and ‘being nice’ cannot be removed from a person, and this is arguably what makes a person human. If such characteristics were to be removed, individuals would frequently be paranoid (P5). This scenario may be safe from SE, but it would no longer be a pleasant environment to work in (P5).

SE has many tools with which to attack organizations through the weakest spot in information security, in other words humans, as mentioned in chapter 1. According to P1 through P12, phishing, CEO fraud (impersonation), corporate espionage, dumpster diving and personal contact via social media channels are the most common attacks of SE in practice. P1 to P5, P10, and P11 stated that, from their own experience, phishing is the most common and popular method of SE in practice. When questioned which organizations are more prone to a SE attack, P1, P5, and P12 argued that it may depend on the focus of the attacker and which method they choose to use. In practice, it is often the case that organizations that possess valuable information or a large amount of money are more likely to be the victims of a SE attack. In terms of money, the most likely victims are banks, insurance companies and wealthy organizations. These organizations may possess valuable data as well as money. Furthermore, hospitals may be a focus for manipulative hackers too, because they possess sensitive information, such as information of patients (P1, P3, P5, P8, P10, and P12). Moreover, large providers such as Microsoft can also be victims of SE, as Microsoft hosts many customers, meaning they also possess sensitive information and data. This may make them very appealing for a manipulative hacker.

Conclusion:

The analysis is that SE, as a term, is not always clear in each layer of an organization. Furthermore, malicious people who use SE exploit human virtuousness with the intent of committing abuse and theft. Targets of SE are organizations with valuable information and money. Moreover, SE involves social pressure, and rules are intentionally broken. The most common SE attacks that are carried out in practice are CEO fraud, corporate espionage, dumpster diving and personal contact through social media. The most popular method of SE in practice is phishing.

SQ. 2.1: What is the impact of social engineering?

SE is becoming increasingly sophisticated and it is difficult for organizations to recognize the risks and attacks (P1 to P5). For instance, regarding complicated data protection, interviewees warned that companies must be agile in detecting attempts to steal information (P3). If they are unable to detect these attempts, SE will have a major impact on the organization. This major impact can lead to various negative effects with which organizations will be punished, and the safety of the organization will be discredited as well. The impact of SE leaves a bad feeling, high pressure, and enduring memories for organizations and individuals (P1 to P5). According to all interviewees, information security is crucial to prevent attacks from SE, particularly in a modern age where organizations as well as individuals have become dependent on ICT. The biggest threat to an organization is not the technology, but the people themselves, who are the weakest link in information security (P2). Thus, the moment that SE is applied, it has significant consequences for organizations (P7, P9, P10). P3 stated that without an information security policy, organizations cannot function. Information security should be essential for every organization because every organization utilizes ICT; organizations must ensure the confidentiality, integrity, and availability of the information they have (P5, P11). P7 and P2 raised an important point, namely that information security policies are made from a technical point of view. What can be seen in practice is that a business component or aspect is often lacking in information security, which leads to organizations not having solutions to SE. Companies function on information, and information is never stagnant. Information is data-driven; it can be argued that information is “the gold of organizations” (P2 and P3).

Conclusion:

The analysis suggests that protecting information is becoming increasingly difficult for organizations in practice. The impact of SE on organizations can be significant if organizations are unable to recognize potential attacks of SE. Recognition is possible by applying information security, with an emphasis on the risks of SE in practice. The analysis further suggested that in practice, information security is only designed from a technical perspective, meaning there is no business perspective, leaving the business side of an organization vulnerable to SE attacks.

SQ. 2.2: What developments are expected in particular from Social Engineering, and how often does it occur?

According to interviewees, SE is successful in practice (P1, P2, P4, and P5). SE has always been present, and will probably always remain (P1, P3, and P5). The idea of SE will therefore not change, because it still has the same goal as before. According to interviewees P1, P3, and P4, there are certain developments in the field of SE that can ensure that SE increases. They suggest that there is a development from SE towards possibly more targeted (spear) phishing (P5, P2 and P3). Given the easy disclosure of information in combination with criminals who are continually evolving, they declare that (spear) phishing within SE still proves to be successful within organizations and private lives (P2, P3, P5, and P11).

The development of SE will only decrease when there is another, more successful, method. According to P1, P2, P4, and P5, the reasons for the increase in the development of SE are the brutality and guts of social engineers, the growth in the number of devices, and the continually changing world (with the internet simultaneously developing rapidly). Manipulative hackers consider it a legitimate job and feel they have the right to do what they do. For manipulative hackers, it is a profitable revenue model. Moreover, in 2019 there are currently no other attacks that produce money as easily. Additionally, SE is currently common among cyber criminals predominantly because, for example, CEO fraud (impersonation) has increased and products have been made for it (P4). According to P4, P3 and P1, some developments are also taking place to prevent SE in the business world, where patterns and abnormalities can be discovered and prevented by intelligent software systems. With the arrival of Artificial Intelligence (AI) and Machine Learning (ML), there may be possibilities that will enable organizations to better defend themselves against attacks from SE in the future (P4). Regarding how often SE may occur, no accurate and/or scientific statistics are currently available. However, there are statistics for SE in general. The Breach Level Index has published some statistics regarding SE trends. Although the reliability of these statistics is not known, they may be able to provide a global insight into the development of SE worldwide, namely that SE is growing exponentially. Interviewees P1, P2, and P4 state that despite the popularity of SE among cyber criminals, it receives far too little attention within organizations, despite it being a very ‘shocking’ crime. If organizations were entirely aware of SE internally, they may be inclined to work together to combat the phenomenon (P5).

Conclusion:

The analysis suggests that SE receives too little attention in practice. A combination of various techniques for disclosing information may contribute to the increase of SE. Furthermore, the analysis showed that the increase in the number of the (digital) devices in the world also contributes to the development of SE. Nonetheless, AI and ML may ensure that possible attacks of SE can be recognized, allowing organizations to arm themselves against SE more effectively. This can also lead to organizations collaborating in order to slow down the development of SE.

SQ. 2.3: What can be expected of social engineering in the near future if no preventative actions are taken?

Since SE is a creative technique, measures must be taken against it. If no measures are taken, organizations will become victims more often in the future and be visible to other cybercriminals, which in turn increases the chances of becoming a victim of SE (P10). However, this does not only apply to SE but to all forms of abuse. The actions that can be expected from SE in the future remain the same as they are now, because (as previously answered under question 2.2) it will be easier for SE to break through if organizations do not present it with obstacles. According to P4, SE will always target the person who is the weakest link in the organization. A cybercriminal ensures that they convince the victim to do things outside the usual processes of an organization.

Additionally, P4 made another important point, namely that anonymity will only increase if no measures are taken against SE. In large organizations, it is common not to know who you are communicating with. It occurs less within small organizations because they have fewer employees and people are usually familiar with one another. Furthermore, SE will cause significant damage to organizations if there are no preventative measures put in place. The damage that is inflicted by SE can be substantial, such as name damage, financial damage, identity fraud, personal damage and/or reputation damage (P1 through P12). In short, it is harmful to companies if sensitive information is leaked, as it is not the desired way to gain publicity (P10). This leads to financial damage because this information can have monetary value and can be resold by criminals on the dark web to various parties who are interested in it, such as competitors or other people with malicious intent. Among other things, through training organizations and individuals to be critical of each other and to recognize possible SE attacks, people could become more resistant to SE.

Conclusion:

The analysis suggests that if organizations do not take preventative measures against the risks of SE, then organizations will be more affected by it. Manipulative hackers will easily be able to choose their victims, meaning such organizations will then become more visible to hackers. Additionally, a lack of preventative measures against the risks of SE means that it is easier for a manipulative hacker to steal information or money without being prevented. Moreover, SE will cause significant damage to the organization.

SQ. 3: Which information security measures are present in the BiSL-framework?

P1 through P10 stated that the entire dimension of information security is missing in BiSL; it is not embedded in the framework. According to interviewees P1, P2, P7 and P10, BiSL either does not make statements about it, or does not provide any information about information security or its measures. In other words, information security is not a topic in BiSL. Also, the words information security, or information security guidelines/measures, do not appear in the literature of the BiSL-framework. According to P1, P2, and P3, the reason that information security does not receive attention in BiSL is that it was not considered when designing and implementing the framework. In other words, it was not an essential topic at the time the framework was designed, as digitization was not as ubiquitous as it is now in 2019. Nonetheless, P3 states that information security is not new in the world: “Fifteen years ago, we did take information security into account, but this is now a different world, now everything is connected, people no longer have everything in one system at home, which was closed off from the outside world.” According to P12, there are elements in BiSL that are probably related to information security, or to reducing the risks of threats. However, this statement was not confirmed by the other interviewees. P7 and P9 suggested that the only imaginable place where the BiSL-framework does anything with information security is the ‘use management’ cluster in the Operational layer of the BiSL-framework. In the cluster ‘use management’, manuals have to be made, communication to users has to take place, and authorizations for files have to be granted. This is not driven by an information security policy or anything similar.

Conclusion:

According to the analysis, BiSL is not effective with regard to information security; the only possible actions are in the ‘use management’ cluster in the operational layer. However, those actions are not conducted due to lack of information security. Thus, BiSL does not recognize any information security policy nor information security measures. In other words, the entire dimension of information security is missing in BiSL. In short, the analysis showed that information security, and its measures, are not a topic within BiSL.

SQ. 3.1: Are essential guidelines regarding information security missing, in relation to social engineering in particular?

As shown in the previous sub-question analysis, BiSL does not offer any handles for information security, which means that the BiSL-framework lacks preventative measures for SE. The analysis of the interviews reveals the following: the interviewees argued that this is unusual, since BiSL is a framework for the business and does not give an interpretation to technology, which means that roles in BiSL are not technically skilled. That is precisely where SE strikes, that is, especially at individuals who are not technically skilled.

The interviewees all stated that there are undoubtedly many information security issues in BiSL, especially in the case of SE. As mentioned earlier, the entire Information Security dimension is lacking in BiSL. In other words, it lacks the obligation to make an information security policy and the obligation to appoint a role that implements it (P1). According to P1 through P7, an information security policy from a business perspective is missing. As stated in sub-question 2.1, an information security policy is designed in practice from a technical point of view, whereby organizations immediately miss the mark entirely against the risks of SE. Moreover, the message is not adequately conveyed by those who have designed the information security policy, meaning that it is not applied correctly in practice (P1, P2, and P3). Due to this lack, it is much easier to bypass the BiSL-framework because information security policies are not defined. The information security policy should be placed in the cluster ‘information strategy’ in the Strategic layer, so that the policy can be rolled out further to the Managing and Operational layers within BiSL (P6 and P10). P4 indicated that an information security policy from the Strategic layer must focus on information security, and in particular on the SE aspect, to ensure that valuable information remains secure. If information security including the risks of SE is not propagated from the Strategic level, then no attention will be paid to awareness of SE in any layer of the BiSL-framework.

Many measures for information security, and specifically for SE, are missing in BiSL. P1 to P12 identified the most critical measures to cover the risks of SE at Strategic, Managing, and Operational levels in BiSL. The most critical discussion point is that an anti-Social Engineering strategy should be part of the information security policy. This strategy is something that will have to be managed in various aspects within BiSL (P8). There are some examples of measures that can be taken to minimize the risks of SE. For instance, creating awareness and support for information security and the risks of SE at all levels in BiSL is of vital importance. According to P1 to P12, that is the most critical information security measure against SE. It is essential that there is awareness of the vulnerability of the information in all layers of the BiSL-framework. Individuals assume that hacking only happens on the application and technical side but may not realize how important the social side is (P8). According to P4, recognition of an SE attack is more important than taking action against it, especially with regard to spontaneously testing employees on their awareness of this issue. Allowing individuals to become socially aware of what they may be doing creates an environment in which they are particularly good at protecting this information. P3 states that awareness of the risks of SE must be guaranteed everywhere, in all layers of the BiSL-framework. Another measure that emerged from the analysis of the interviews is a responsible role for building resistance against SE. This specific role is not reflected in the BiSL-framework either. It is difficult in practice because SE and security are actually the responsibility of every employee in an organization (including managers and management) (P1, P2, P3, P5, P6, and P10).
For example, if colleagues communicate with one another about SE and discuss and share the risks with each other, this keeps the employees sharp (P5 and P10). Furthermore, another important measure against SE appears to be the ‘four eyes principle’. The four eyes principle is mainly applied when payments have to be made or when activities are taking place in which sensitive information plays a crucial role, so that there is always a second person who checks the situation. It is reasoned that this applies to every activity in which the organization handles data, tendering, outsourcing, finance, planning and control, or contract management that touches on privacy and security aspects of information (P1 to P12). Furthermore, the analysis of the interviews showed that there is a need to integrate information security, with SE as a subset, into every cluster, process, sub-process and activity in the BiSL-framework (P2, P3, P5, P8, P9, and P11). Information security with SE as a subset should not be considered a separate element, but rather should be made part of all elements in BiSL. This in turn will increase awareness and resilience to the risks of SE as well (P2, P3, and P9). In order to be proficient in information security and to minimize the risks of SE, it must be present in the bloodstream of the BiSL-framework (P2, P3, P8, and P9).

Conclusion:

The analysis suggests that the most critical point is that an anti-Social Engineering strategy should be part of the information security policy. The following measures must also be included in the anti-Social Engineering strategy: creating awareness, the four eyes principle, a role for building resistance to SE, and support for information security at all levels in BiSL. Moreover, the analysis also led to the conclusion that there is a need to integrate information security, with SE as a subset, into every cluster, process, sub-process and activity of the BiSL-framework, so that employees within organizations are aware of SE.

SQ. 4: To what extent is the BiSL-framework resilient against social engineering?

The interviews were used to analyze whether the BiSL-framework is resilient to the risks and impact that SE entails, as discussed in the previous sub-questions. In general, the BiSL-framework is insufficiently designed to recognize, mitigate, and resist the risks of SE (P1 to P10). That is, the BiSL-framework focuses predominantly on how information management can be established and applied but does not mention the security and safeguarding of information itself (P2, P4, and P9). As human connections play a key role in the BiSL-framework, this makes it vulnerable to the risks of SE. The framework does not, however, deal with the risks that SE entails. This is due to the lack of information security measures (P1 to P11). In addition, BiSL focuses more on the value of information and making it available to employees; it does not focus on the value of information outside of the organization (P4). BiSL is much more about who needs information, and when. Furthermore, possible weaknesses of each layer in BiSL, in particular with regard to SE, have been researched. These are described below.

Strategic layer:

A weakness in this layer of BiSL is that it does not reflect on the formulation of an information security policy within the cluster information strategy. No attention seems to be given to this at all in the BiSL-framework, which is a significant risk of falling victim to SE (P4). Also, not as many people work within this layer as in the other layers of the framework (P1). The awareness of SE is low in this layer and it is often thought that the functional manager or the IT department will arrange the technical issues (P2 and P3). The people in this layer are more naive than people in the workplace (P2). Moreover, people have to be careful as they may receive phishing e-mails from malicious people, resulting in CEO fraud. The impact here is enormous if they fall victim to this type of fraud (P1), because this layer of the organization houses the most valuable information, knowledge and money (P2). It may be argued that there is a high chance of a SE attack on this layer.

Managing layer:

There is a risk in this layer because financial and contract management are embedded here. With contract management and the registration of contracts, manipulation is sometimes possible. For example, within financial management, fake invoices can be sent (which somebody may pay). The managing layer must act as a controlling body in the field of information security in order to be able to recognize SE attacks (P4 and P10). In this layer of the BiSL-framework, there should be supervision and a focus on why somebody might step outside the normal process (P4, P5, P6, and P10). According to P1 to P5 and P9, most of the risks of SE come from within an organization. In fact, employees at all levels of the BiSL-framework pose a risk to the organization when it comes to SE. The managing layer connects the operational and strategic layers with one another; it is the alignment between them. In this layer, there is a lack of controls for detecting SE attacks and other forms of abuse and theft.
