
Password Collection through Social Engineering: An Analysis of a Simulated Attack

Journal of Information System Security
Volume 6, Number 4 (2010)
Pages 53-70
ISSN 1551-0123
Joseph A. Cazier — Appalachian State University, USA
Christopher M. Botelho — Baylor Health, USA
Information Institute Publishing, Washington DC, USA

This study demonstrates that consumers, healthcare workers and corporate America remain very much vulnerable to simple social engineering attacks, even with current levels of security training. Through a simulation of what a real social engineer might attempt (with a few safeguards to protect participants), security levels were tested in the business district of a large downtown financial center, a hospital, and a university campus. During the simulated attack, the researchers obtained useful demographic and tactical information from the majority of the 'victims'. In addition, 73% of respondents shared a password with the researchers. Those with recent security awareness training were just as likely as those without it to share their passwords with strangers. Results, implications and future directions are discussed.

Social Engineering, Security, Passwords, Security Awareness, Privacy, Hacking