You are here: Home Contents V17 N2 V17N2_Ahmed.html
Personal tools

The Use of Social Engineering to Change Organizational Behavior toward Information Security in an Educational Institution



Full text

Journal of Information Systems Security
Volume 17, Number 2 (2021)
Pages 103124
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Vikram Ahmed — Stetson University, USA
Serina Al-Haddad — Rollins College, USA
Information Institute Publishing, Washington DC, USA




Modern enterprises have been increasingly relying on technology for operational and decision- support activities. As technology advances, so does the sophistication of cyber-crimes, which consequently requires enhancements in information security measures. This paper addresses how the use of social engineering (SE) can alter the organizational behavior toward information security in an educational institution. Multiple recent reports in information security have indicated that cyber attackers have increased their use of SE by concentrating exclusively on the human element in the organization, in an effort to combat improvements in security systems that utilize multi- layer security protocols. This paper reviews organizational behavior and how it can be changed, explains the importance of information security, presents the results of a SE phishing experiment conducted at a higher education institution alongside a detailed information security training process that attempted to change organizational behavior and raise awareness in an educational institution toward information security. The results of an SE phishing experiment at a higher education institution are discussed and analyzed. The findings suggest that the data were statistically significant, leading to the conclusion that the experiment was successful in changing individuals’ behavior and raising awareness toward information security. Business professionals, information security trainers, students, and educators can all use the findings to understand how to implement both effective organizational behavior change toward information security and security protocols to supplement security awareness.




Information Security, Social Engineering, Organizational Behavior, Training, Phishing, Organizational Change.




Blackbourne, N. (2016). "The Dark Side of Social Engineering", Vol. 4 No. 53, pp. 8-9.

Boncea, A.G. (2018), "Management of Change in Organizational Behavior", Annals of the Constantin Brancusi University of Targu Jiu, Engineering Series, No. 2018/3, pp. 150-157.

Bongiovanni, I. (2019), “The least secure places in the universe? A systematic literature review on information security management in higher education”, Computers & Security, Vol. 86, pp. 350-357.

Borum, R., Felker, J., Kern, S., Dennesen, K. and Feyes, T. (2015). "Strategic cyber intelligence", Information Management & Computer Security, Vol. 23 No. 3, pp. 317-332.

Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R. (2009). If someone is watching, I'll do what i'm asked: mandatories, control, and information security. European Journal of Information Systems, Vol. 18 No. 2, pp. 151-164.

Burns, A., Johnson, M., and Caputo, D. (2019). “Spear phishing in a barrel: Insights from a targeted phishing campaign”, Journal of Organizational Computing and Electronic Commerce, Vol. 29:1, pp. 24-39.

Cabric, M. (2015). Corporate Security Management, Butterworth-Heinemann.

Caldwell, T. (2016). “Making security awareness training work”. Computer Fraud & Security, No. 2016/6, pp. 8-14.

Chatterjee, S., Gao, X., Sarkar, S., and Uzmanoglu, C. (2019). “Reacting to the scope of a data breach: The differential role of fear and anger”. Journal of Business Research, Vol. 101, pp. 183-193.

Chen, Y., and Zahedi, F.M. (2016). Individuals' Internet Security Perceptions and Behaviors: Polycontextual Contrasts between the United States and China. MIS Quarterly, Vol. 40 No. 1, pp. 205-222.

Chronology of Data Breaches – Educational Institutions (2019). Privacy Rights Clearinghouse. Available at: (accessed 11 August 2019).

Corradini, I. (2020). Building a Cybersecurity Culture in Organizations. Studies in Systems, Decision and Control. Volume 284, Page 49

Cronk, L., and Salmon, C. (2017). Culture's influence on behavior: steps toward a theory, Evolutionary Behavioral Sciences, Vol. 11 No. 1, pp. 36-52

Cyber & Information Security Frameworks Explained (2020). Tetra Defense, available at: explained-what-they-mean-and-why-they-matter/ (accessed 3 June 2020)

Daniela, P.M. (2013). “The Interdependence between Management, Communication, Organizational Behavior and Performance”, Annals of the University of Oradea, Economic Science Series.

Data Breach Investigations Report – Verizon Enterprise Solutions (2017). Verizon Enterprise Solutions, available at: (accessed 11 August 2019).

Data Breach Investigations Report – Verizon Enterprise Solutions (2018). Verizon Enterprise Solutions, available at: (accessed 11 August 2019)

Data Breach Investigations Report – Verizon Enterprise Solutions (2019). Verizon Enterprise Solutions, available at: (accessed 11 August 2019)

Dodge, R.C. and Ferguson, A.J. (2006). "Using Phishing for User Email Security Awareness", Security and Privacy in Dynamic, eds. S. Fischer-Hübner, K. Rannenberg, L. Yngström & S. Lindskog, Springer US, Boston, MA, Environments, pp. 454.

Duff, A.S. (2005). "Social Engineering in the Information Age", The Information Society, Vol. 21 No. 1, pp. 67-71.

Farina, K. (2015). International encyclopedia of the social & behavioral sciences, Elsevier, Amsterdam, Netherlands.

Ferguson, I.Y., (2017). The Effectiveness of Social Engineering as a Cyber - Attacking Vector: People Do Use Unknown USB Drive, They Find, available at: http://www.diva- (accessed 4 June 2020).

Fouss, B., Ross, D., Wollaber, A., and Gomez, S. (2019). "PunyVis: A Visual Analytics Approach for Identifying Homograph Phishing Attacks", 2019 IEEE Symposium on Visualization for Cyber Security (VizSec), Vancouver, BC, Canada, 2019, pp. 1-10.

Furnell, S., and Clarke, N. (2012). “Power to the people? The evolving recognition of human aspects of security”, Computers & Security, Vol. 31 No. 8, pp. 983-988.

Gardner, B. and Thomas, V. (2014). Building an information security awareness program: Defending against social engineering and technical threats, Syngress, New York, NY.

Gartner Inc. (2018). Gartner forecasts worldwide information security spending to exceed $124 billion in 2019, available at: (accessed 11 August 2019)

Gilstrap, J.B. and Hart, T.A. (2020). "How employee behaviors effect organizational change and stability", Journal of Business Research, Vol. 109, pp. 120-131.

Gioia, D.A., Patvardhan, S.D., Hamilton, A.L., and Corley, K.G. (2013). "Organizational Identity Formation and Change", Academy of Management Annals, Vol. 7 No. 1, pp. 123-193.

Gundu, T., Flowerday, S., and Renaud, K. (2019). Deliver Security Awareness Training, then Repeat: Deliver; Measure Efficacy, IEEE.

Harrison, L.M. (2011). “Transformational leadership, integrity, and power”. New Directions for Student Services, No. 135, pp. 45-52.

Hadnagy, C. and Wilson, P. (2010). Social Engineering: The Art of Human Hacking, Wiley, Hoboken, NJ Henningsen, E.K. (2013). The Defense and Popularity of Social Engineering in Norway, available at:
cfb050d920048.pdf, accessed 4 June 2020.

Ifinedo, P. (2012). “Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory”, Computers & Security, Vol. 31 No. 1, pp. 83-95.

Ifinedo, P. (2014). “Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition”, Information & Management, Vol. 51 No. 1, pp. 69-79.

IPSOS MORI (2016). “Cyber Resilience: Are your people your most effective defense?” available at: (accessed 11 August 2019).

IT Security for Higher Education: A Legal Perspective (2003). available at: (accessed 11 August 2019)

Jackson, R. A. (2018). "PULLING STRINGS: High-level hackers are using social engineering tactics to manipulate employees into giving up vital information." Internal Auditor Gale Academic Onefile, Vol. 75 No. 4, p. 34

Karjalainen, M., Sarker, S., and Siponen, M.T. (2019). "Toward a Theory of Information Systems Security Behaviors of Organizational Employees: A Dialectical Process Perspective", Information Systems Research, Vol. 30, No. 2, pp. 687-704.

Kessler, S.R., Pindek, S., Kleinman, G., Andel, S.A., and Spector, P.E. (2020). "Information security climate and the assessment of information security risk among healthcare employees", Health Informatics Journal, Vol. 26 No. 1, pp. 461-473.

Kroenke, D. and Boyle, R. (2016). Experiencing MIS. Harlow, Essex, England: Pearson.

Kumar, N., Mohan, K., and Holowczak, R. (2008), “Locking the door but leaving the computer vulnerable: factors inhibiting home users' adoption of software firewalls”, Decision Support Systems, Vol. 46 No. 1, pp. 254-264.

Lebek, B., Uffen, J., Neumann, M., Hohler, B., & H. Breitner, M. (2014). “Information security awareness and behavior: a theory-based literature review”, Management Research Review, Vol. 37 No. 12, pp. 1049-1092.

Lefkowitz, J. (2013). “Values and ethics of a changing I‐O psychology: A call to (further) action”, Olson‐Buchanan, J. B., Foster Thompson, L. and Koppes, L.L. (Ed.s), Using industrial‐organizational psychology for the greater good: Helping those who help others, Routledge, NY, pp. 13–42.

Lefkowitz, J. (2016). “News flash: Work psychology discovers workers”, Industrial and Organizational Psychology, Vol. 9, No. 1, pp. 137–144

McCormac, A., Butavicius, M., Pattinson, M., and Jerram, C. (2014). “Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)”, Computers & Security, No. 42, pp. 165-176.

McShane, S.L. and Von Glinow, M. A. Y. (2017). Organizational Behavior, McGraw-Hill Education.

Mickelberg, K., Pollard, N., and Schive, L. (2014). US cybercrime: Rising risks, reduced readiness. US State of cybercrime Survey, available at: (accessed 4 June 2020).

Mishra, S., and Soni, D. (2020). “Smishing Detector: A security model to detect smishing through SMS content analysis and URL behavior analysis”. Future Generation Computer Systems, Vol. 108, pp. 803-815.

Mitchell, M., Palacios, V., and Leachman, M. (2014). States are still funding higher education below pre- recession levels. Center on Budget and Policy Priorities.

Moul, K. (2019). “Avoid Phishing Traps”, Proceedings of the 2019 ACM SIGUCCS Annual Conference, SIGUCS, pp. 199-208.

Nohlberg, M., Wangler, B,. and Kowalski, S. (2011). "A Conceptual Model of Social Engineering", Journal of Information System Security; Journal of Information System Security, Vol. 7 No. 2, pp. 3-13.O’Hagan, L. (2018), “Angler Phishing: Criminality in Social Media”, ECSM 2018 5th European Conference on Social Media, pp. 192-194.

Okenyi, P.O. and Owens, T.J. (2007). "On the Anatomy of Human Hacking", Information Systems Security, Vol. 16 No. 6, pp. 302-314.

Pollard, N. and Schive, L. (2014). US cybercrime: Rising risks, reduced readiness. US State of cybercrime Survey, available at: cybercrime.pdf (accessed 26 May 2020).

Ruan, K. (2019). “Digital Asset Valuation and Cyber Risk Management”, Academic Press, Cambridge, MA, pp. 75-86.

Rozenberg, Y. (2012). “Challenges in PII data protection”, Computer Fraud & Security, Vol. 2012, No. 6, pp. 5-9.

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., and Herawan, T. (2015). “Information security conscious care behaviour formation in organizations”, Computers & Security, Vol. 53, pp. 65-78.

Sahingoz, O., Buber, E., Demir, O., and Diri, B. (2018). “Machine learning based phishing detection from URLs”, Expert Systems with Applications, Vol 117, pp. 345-357.

Skotnes, R.Ø. (2015). "Management commitment and awareness creation – ICT safety and security in electric power supply network companies", Information Management & Computer Security, Vol. 23 No. 3, pp. 302-316.

Soomro, S., Shah, J., and Ahmed, J. (2016). “Information security management needs more holistic approach: A literature review”, International Journal of Information Management Vol. 36 No. 2, pp. 215-225.

Tessem, M. and Skaraas, K. (2005). “Creating a security culture”, Telektronikk, Vol. 101 No. 1, pp. 15-22.

Testik, Ö. M., Öğütçü, G., and Chouseinoglou, O. (2016). “Analysis of personal information security behavior and awareness”, Computers & Security, Vol. 56, pp. 83-93.

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E. and Bailey. M. (2016). “Users Really Do Plug in USB Drives They Find”, IEEE Symposium on Security and Privacy (SP), San Jose, CA, pp. 306-319.

Tetri, P. and Vuorinen, J. (2013). "Dissecting social engineering", Behaviour & Information Technology, Vol. 32 No. 10, pp. 1014-1023.

Torten R., Reaiche, C., and Boyle, S. (2018). “The impact of security awareness on information technology professionals’ behavior”. Computers & Security, Vol. 79, pp. 68-79.

Wilson, R.L. (2017). Principles of Business Management. Salem Press. A Division of EBSCO Information Services, Inc. Ipswich, Massachusetts.

Workman, M. (2007). "Gaining Access with Social Engineering: An Empirical Study of the Threat", Information Systems Security, Vol. 16 No. 6, pp. 315-331.