Received March 3, 2020, accepted March 18, 2020, date of publication March 27, 2020, date of current version April 21, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.2983280

Analysis and Findings of Social Engineering Industry Experts Explorative Interviews: Perspectives on Measures, Tools, and Solutions

HUSSAIN ALDAWOOD, (Member, IEEE), AND GEOFFREY SKINNER, (Member, IEEE)
School of Electrical Engineering and Computing, University of Newcastle, Callaghan, NSW 2308, Australia
Corresponding author: Hussain Aldawood (hussain.aldawood@uon.edu.au)

ABSTRACT Social engineering is one of the biggest threats organizations face today, as more and more organizations adopt digitalization. In the context of cyber security, social engineering is the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal. To support better implementation of measures against social engineering, this qualitative study attempts to provide measures against the information security challenges faced by organizations. The analysis is based on the answers of interviewed experts in the field of cyber security and social engineering. The research herein focuses on the human element of cyber security threats, recognizing that hackers exploit the vulnerabilities and lack of awareness of staff, and then use these weaknesses to create security loopholes and engineer cyber-attacks that include the interruption or infection of information systems, the transfer of unauthorized funds, and the theft of credentials. The results of this qualitative study highlight that there is a positive relationship between social engineering and user awareness. The findings build upon the researchers’ ongoing work, which postulates that an increase in contextual social engineering knowledge leads to a decrease in victimization by social engineering and is, therefore, one of the most effective mechanisms for managing social engineering.
INDEX TERMS Cyber security social engineering, training and awareness programs, information security awareness programs.

The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.

VOLUME 8, 2020

I. INTRODUCTION

With the changing landscape in the operation of businesses, digitalization is a must for most sectors and nearly all organizations [1]. However, within such a digital environment, it is difficult to comprehend every aspect of the operations and interactions that are taking place. The cyber-world and technological infrastructure are complex, spanning a network of custom-made tools and technology that may be on-premise within an organization, in the cloud, or in a combination of internal and external data storage. While operating in the cyber world, organizations need to protect information and secure the privacy of their operations. The challenge of securing information today can be observed in the increase in the extent and nature of cyber-crimes [2]. Information systems today are more exposed to cyber-crimes than ever before. The number of cyber-crimes against organizations has been increasing according to many scholars. Cyber-crimes include intrusion into organizations’ computer networks and the dissemination of computer viruses [3]. Computer network-based attacks primarily target protected organizational information. Hackers usually start by analyzing an organization’s entire network infrastructure to collect as much information as possible and then exploit open ports or vulnerabilities. Network-based attacks also include unauthorized access to organizational resources [4], [5]. Information systems of modern organizations also face threats from viruses that are disseminated by hackers to access sensitive information, misuse data, or even send malicious information.
Cyber-attacks may target the technical part of a system, but other types of attacks are designed to target the human element and rely on personnel vulnerabilities. These attacks are considered socially engineered incidents. Humans are psychologically manipulated to perform a specific action that can potentially lead to leakage of confidential information [6]. Socially engineered attacks are designed to make employees leak classified information that can be used to damage an organization’s resources or harm its reputation. The nature of most social engineering attacks is spontaneous. Attackers select their targeted organizations on the basis of how easily sensitive data can be accessed. Organizations whose information systems have few security measures to secure their data appeal to and become prime targets for social engineers [7].

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

II. THE RATIONALE FOR THE RESEARCH

The advancement of technology and the ubiquitous presence of digital devices have increased the need for cyber security. Frumento [8] listed statistics on social engineering attacks, estimating the number of cyber-attacks on private or government organizations. He highlighted that hackers are more inclined to use human vulnerabilities in an attempt to gain access to organizational systems than to focus on lapses in a system’s hardware or software. He also claimed that only 3% of attacks target the technical infrastructures of organizations; on the other hand, 97% of malware attacks targeted users through social engineering hacking attempts. The motivation for this study is driven by professional experience, clearly identified contemporary issues in the research domain, and a very strong personal interest in the area.
The rationale for the research derives from the key problem of numerous organizations worldwide seeking ways to address an overall lack of employee awareness of cyber security social engineering vulnerabilities. The first author worked professionally as an information and cyber security professional at Saudi Aramco, the largest oil-producing company in the world, for eight years, which gave him solid experience in the field. During his professional life, the world witnessed the worst hack ever seen in history. Saudi Aramco was hit with an extensive cyber-attack back in August 2012. Officials later confirmed that the virus’s goal was to shut down oil and gas distribution to regional and international markets. The final investigation report was released stating that the virus (Shamoon-1) was behind the attack. In a matter of hours, 35,000 computers were partially wiped or totally destroyed. This particular incident gave him clear insight into why such huge corporations need to secure their data. Managing supplies, shipping, and contracts with governments and business partners during the crisis had to be done manually on paper. The company confirmed at a later stage that one of the main causes of this particular incident was the lack of staff information and security awareness. He was part of the IT and security recovery teams during this crisis, and it took them a significant amount of time to recover all the systems. Until the information systems were completely recovered, the cost was extremely high, especially as the production and distribution of oil to international markets was disrupted for almost two weeks. Recognizing employees’ lack of information security awareness pushed him to conduct further research on the subject. The researchers of this project opted to interview professional information security experts about their deep experience in the field and present it in an academic setting in order to find new methods to address the issue.
Additionally, it has been confirmed in the literature that various techniques of social engineering cause cyber security threats in diverse environments [5]. As social engineering manipulation techniques are evolving with the evolution of cyber technologies, this research is critical in highlighting social engineering threats to organizations. Today, those threats are becoming the mainstream method of attacking dedicated organizational cyber systems across the globe. This study is imperative as it also sheds light on hackers’ ability to attack organizational security design at various complex levels by exploiting the human layer of security [9]–[11]. This study will further lead to an exploration of measures and solutions that help organizations mitigate such cyber-attacks and highlight weak points that organizations need to address at the human resource level. The study will also investigate the significance of employees’ information security awareness in determining the efficiency of the safeguards established by organizations. It will highlight that, as the efficiency of socially engineered attacks depends on in-person or virtual psychological manipulation of employees, the containment measures should also be developmental in nature, such as user-specific interventions. Furthermore, for better implementation of measures against social engineering, this study will attempt to provide measures against the challenges faced by organizations [12]–[14].

III. METHODOLOGY

A. THE OBJECTIVE OF THE ONLINE INTERVIEW QUESTIONNAIRE

A qualitative research approach was used to obtain subjective views on understanding human behavior related to cyber security and, more specifically, to social engineering awareness. This research performs a qualitative analysis of recognized cyber security professionals’ responses to formulated interview questions in the context of social engineering awareness.
Additionally, the aim of this study is to find the best working tools to mitigate social engineering threats besides awareness programs and then provide reliable solutions to create a safe work environment. The researchers sought participants from senior information security professionals in organizations that have substantive business processes dependent on information and communication technology (ICT) systems to share their experiences of the latest practical solutions to protect against social engineering threats.

B. HYPOTHESES

A. Cyber security professionals rate social engineering as one of the highest contemporary security threats.
B. Cyber security professionals endorse and advocate user awareness programs as the most effective countermeasure for addressing cyber security social engineering threats.

C. RESEARCH DESIGN AND DATA COLLECTION PROCESS

The semi-structured online questions in this research were guided by a pre-constructed thematic theoretical framework based on a literature search, along with the component model of cyber security. Questions were structured around different scenarios in which users experience security demands in their organizations, the primary and secondary causes of social engineering threats, and the best measures used to mitigate these threats. Experts in the field were identified by conducting an Internet search (using Google, Google Scholar, LinkedIn, Twitter) for individuals with strong expertise in cyber security. Their contact information was obtained from their personal websites, publications, Twitter or LinkedIn pages. Identified experts were sent email invitations along with the information statement of the project.
Those who agreed to participate by replying in the affirmative to the email were sent a second email containing a URL hyperlink and a 6-digit code to complete an anonymous online questionnaire. The 6-digit code was only used to gain authorized (not authenticated) access to the questionnaire and was the same non-identifiable code for all participants. The questions were based around one’s insights, opinions and experiences regarding the most up-to-date measures, tools and solutions against social engineering threats. We were particularly interested to know whether the theoretical solutions, which we investigated from the literature, correlate with the industrial and commercial solutions used to mitigate social engineering threats. We anticipated that their responses would be formulated from their professional experience as it pertains to cyber security. All questions were factual and, as such, no sensitive or personal information was collected in the questionnaire.

TABLE 1. Participants’ characteristics.

D. POPULATION AND SAMPLE

The researchers sought to have 10 to 20 participants from all of the stakeholder groups combined. As this study would be conducting thematic analysis, more interviews than the minimum number would improve the overall quality of the research. Also, a number of participants between 10 and 20 is more commonly seen in semi-structured studies in the information systems domain, such as human-computer interaction (HCI) [15]. The researchers ended up receiving 21 complete responses that could be used for this study.

E. PARTICIPANTS’ CHARACTERISTICS

As mentioned earlier, twenty-one cyber security experts completed the online questionnaire successfully. Regarding the highest level of educational qualification, eleven participants had a master’s degree and ten had a Ph.D. The majority of the security experts had more than fifteen years of experience in cyber security. All security experts were full-time employees. Table 1 summarizes the participants’ profiles.
Figure 1 categorizes the industry type that our participants belong to, while Figure 2 shows their education qualifications.

F. QUESTIONS

The researchers used eight questions in the online questionnaire, which are included in Table 2.

G. METHOD OF DATA ANALYSIS

The received information was analyzed statistically, as a qualitative approach was followed. Theoretical thematic analysis was used to analyze and interpret the data because of its flexibility to be utilized across a range of epistemological and theoretical approaches, its ability to identify emergent themes to aid improvement of the theoretical frameworks, and its ability to reinforce existing components of the framework [16]. After the targeted number of participants was reached, their data were coded into categories, themes, and concepts [16]–[18]. Thematic analysis is defined as “a method for systematically identifying, organizing, and offering insight into patterns of meaning (themes) across a dataset” [16].

TABLE 2. Interview questions.
FIGURE 1. Industry types of participants.
FIGURE 2. Participants’ level of education.

H. CODING AND SEARCHING FOR TERMS TO IDENTIFY THEMES

Themes were identified and elaborated, as shown in Table 3.

IV. RESULTS AND DISCUSSION

A. CURRENT SOCIAL ENGINEERING IMPACT

In the last five years, there have been several cyber security issues and threats accompanying advancements in technology. With the expansion of data use, there are massive breaches of data, and as a result, the selling of personal data on the dark web has become a very normal practice. According to most of the respondents to our interview questions, the biggest cyber security threats include ransomware, phishing attacks, botnets, computer viruses, worms, and leakage of data.
While one of the respondents stated in the interview that “Information security threats can be divided into technical cyber-attacks and social engineering attacks,” one of the critical reasons for social engineering is the lack of awareness of end-users. This deficiency of awareness has made social engineering very easy for attackers. In the field of cyber security, social engineering plays a significant role. However, this type of threat can be avoided by providing proper awareness programs. Through the interviews, participants elucidated that the majority of individuals and organizations invest a lot of time, money and effort in securing technical tools and ignore the most important factor, which is developing human knowledge. One of the respondents stated in the interview that “Without investing time, money and efforts in the social engineering attacks, we are not secure.” The same respondent also stated “Phishing and pretexting combined account for 98% of social engineering attacks. Personally, I believe that the risk of social engineering is higher than any other cyber attacks since there is no button that we can click to enable the human firewall.” Interview participants also indicated that the victims are usually not aware of the consequences of replying to or clicking a link to update some sensitive information. For other respondents, phishing emails were the biggest threat causing damage to the infrastructures of information systems. Furthermore, respondents pointed out that major cyber security incidents include Stuxnet, Target, Sony, the Facebook and subsidiary Instagram security and privacy malpractices and leaks, the Uber database leak, the Adobe leak, Careem, the Yahoo mail credentials leak, Equifax, NetEase, LinkedIn, Anthem, RS, spyware, DDoS attacks, and Cambridge Analytica.

TABLE 3. Searching for terms to identify themes.

Respondents confirmed that, due to the unpredictable nature of social engineering threats, the loss of confidential data, intellectual property, and consumer credibility could be an expected consequence. Conclusively, it was indicated that there is a need for individuals and organizations to be more mature in handling threats of social engineering. Overall, an understanding of social engineering plays a significant role in defining the set of actions necessary to avoid such risks.

B. THE FUTURE ROLE OF SOCIAL ENGINEERING

It was observed from the interviews that targeting human knowledge will remain a significant threat in the next five years. Trading of personal data on the dark web and subsequent breaches of the data will be the most significant issues of cyber security. However, a few respondents were not clear about whether social engineering will continue to be the primary determinant as individuals become more aware of those attacks. One respondent stated, “One can predict that the attackers will exploit various techniques and combine them to gain access to personal data.” New attacks which the industries must be aware of include the hacking of the blockchain, crypto hacking, machine learning attacks, and AI-based attacks, while at the current time, social engineering plays a major role. Henceforth, there is a need to provide training to staff so that they can better recognize these attacks. There were also some other respondents who highlighted that phishing emails could be the next upcoming threat since the victims fail to identify well-designed social engineering attacks.
For example, one of the respondents stated in the interview that “Social engineering needs to address numerous actions in order to handle sensitive data and ensure it is encrypted.” However, from the interviews, it was discerned that threats like ransomware, impersonation/pretexting, phishing, leakage of data, hacking and insider threats continue to be the major threats for companies. One of the interviewees also cited that “It will be the same thing given people like to pontificate about how great users can be while ignoring the systemic failings of their security programs.” Additionally, organizations which have insufficient controls and security procedures against revealing sensitive information will continue having their vital user data leaked. Furthermore, it was mentioned in the answers that companies must be aware of social engineering threats and hence must maintain a sufficient level of awareness among their users. Therefore, in order to identify such threats as responding to generous rewards or feeling pressured to act immediately on suspicious emails, one needs to be aware of social engineering techniques. It was also learned from the interviews that some of the recent and trending threats included accessing free and public Wi-Fi and supply chain attacks. Very critically, one of the respondents elucidated in the interview that “Moving forward the element of deception is likely to be more emphasized. My reasoning for this is that the major solution offered against social engineering is through education and awareness. I do not believe that these are successful. Instead, the criminals will play upon the established trust and confidence that users may gain through this education. A current example is the fake AV software. One might argue that education often makes people consider that they are in danger, without training them how to respond appropriately.”

Additionally, the Internet of Things (IoT) is an ever-augmenting technology that offers both economic and technological advantages. The primary reason for the increase in threats is that more devices are becoming connected, which creates more and more attack surface, while social engineering threat agents are becoming smarter as their methods and strategies evolve. One of the interviewees also stated “In addition to the diversity and simplicity of the techniques and forms that can be followed in social engineering, the human is the weakest link in cyber security so in my point of view it has an absolutely huge impact.”

C. MITIGATING THE ISSUES OF SOCIAL ENGINEERING

According to the majority of the respondents, technical solutions alone are not sufficient, although they are necessary. The respondents very clearly highlighted that raising the awareness of end-users is one of the most effective methods of mitigating the threat. Overall, training and the enhancement of the information security culture are necessary in mitigating the threats of social engineering. One of the respondents mentioned a few useful counters to phishing emails and other social engineering attacks. One suggested countermeasure was staff training so that employees can recognize phishing attempts. Respondents also included some other solutions to mitigate the overall issue with social engineering, suggesting having strong security policies in place and using custom anti-phishing solutions to detect suspicious emails that contain unknown links or requests for information from social engineers. Henceforth, according to the interviewed experts, there is a high need for the enforcement of policies. Raising awareness and training end-users with the sole purpose of understanding malicious intents is essential to maintain a reasonable level of awareness.
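To make the respondents’ “custom anti-phishing solutions” concrete, the following Python is an added example and is not code from the paper or from any of its interviewees. It scores a message against the indicators the experts name in this section: links to domains the organization does not know, requests to update or confirm sensitive information, pressure to act immediately, and generous rewards. The allowlist (KNOWN_DOMAINS), the phrase lists, the threshold in Verdict.suspicious, the function names and the two sample emails are all constructed assumptions that a deploying team would tune to its own environment.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Domains the hypothetical organization already trusts (constructed allowlist).
KNOWN_DOMAINS = {"example.com"}

# Indicator phrases modelled on the behaviours the interviewed experts describe:
# requests to update or confirm sensitive information, pressure to act at once,
# and generous rewards. The lists are constructed and should be tuned per organization.
INFO_REQUEST = ("verify your account", "confirm your password", "update your details",
                "enter your credentials", "update your payment information")
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
REWARD = ("you have won", "prize", "gift card", "claim your reward")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent indicators is the assumed threshold for holding a message for review.
        return self.score >= 2


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_known(host: str) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def assess_email(sender: str, subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}".lower()
    v = Verdict()
    # 1. Links to domains the organization does not know.
    for url in URL_RE.findall(body):
        host = host_of(url)
        if not is_known(host):
            v.score += 1
            v.reasons.append(f"link to unknown domain: {host}")
    # 2. Sender outside the known domains.
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not is_known(sender_host):
        v.score += 1
        v.reasons.append(f"sender from unknown domain: {sender_host}")
    # 3-5. Wording indicators; each category counts once however many phrases match.
    for name, phrases in (("request for information", INFO_REQUEST),
                          ("pressure to act immediately", URGENCY),
                          ("promise of a reward", REWARD)):
        hits = [p for p in phrases if p in text]
        if hits:
            v.score += 1
            v.reasons.append(f"{name}: {', '.join(hits)}")
    return v


# Constructed sample messages (not real emails).
PHISH = ("it-support@examp1e-login.com", "Urgent: verify your account",
         "Your mailbox is over quota. Please verify your account within 24 hours at "
         "http://examp1e-login.com/verify or your account will be suspended.")
BENIGN = ("hr@example.com", "Team meeting notes",
          "Notes from today's meeting are on the intranet: https://intranet.example.com/notes/2020-03")

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        verdict = assess_email(*msg)
        print(msg[1], "->", "SUSPICIOUS" if verdict.suspicious else "ok", verdict.reasons)
```

Each reason string names the indicator that fired, so a flagged message can be shown to the user with an explanation; the experts’ point that awareness complements tooling is served better by a verdict the recipient can learn from than by silent filtering.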
On the other hand, updating technical tools could also help in mitigating the threats and closing some of the gaps. For example, one of the respondents stated in the interview that “In my opinion, social engineering plays an important role. However, some purely technical solutions will require another level of protection, such as encryption and encapsulation.” Since social engineering is complicated, varied and comes from different platforms, technical solutions alone cannot resolve it. It was pointed out in the study that governments should step in to help regulate and enforce security laws to improve the desired actions against social engineering. There is also a need for educational organizations and schools to provide related training. With regard to this, one of the respondents stated, “Educational organizations and schools provide the best way of educating Internet users about Internet security and Spyware awareness. These educational organizations could introduce nationwide programs that would provide information for their students through certain courses and materials about Internet security. These educational organizations can have much influence. The knowledge of students at educational institutions of awareness of Internet security issues has been increasing in recent years, as explained.” Moreover, the same expert further pointed out that “Providers of antivirus and anti-spyware protection software should include easy understanding instructions with their software. The user interface of the software should be easy to use according to a user’s level of experience. It is important that protection software is both easy to use and efficient in order to provide higher levels of protection against Internet attacks. A good and usable user interface will increase a user’s confidence in operating the software and also their knowledge of Spyware and similar threats. A user will be more likely to use the software appropriately if it is not difficult to use, thereby leading to greater protection against malicious attacks.”

Conclusively, government awareness campaigns, educational institutions, corporate training programs, and social awareness events play a major role in improving user awareness levels and developing human knowledge. Subsequently, those types of programs and events provide examples of how to identify social engineering attempts.

D. IMPACT OF USER AWARENESS IN MANAGING CYBER SECURITY INCIDENTS

The results of the interviews highlighted important information. The majority of the respondents stated that user awareness plays a significant role in managing or preventing cyber security incidents. Primarily, it helps in the mitigation of human mistakes, and helps users detect threats and report them, especially in the realm of security. One of the interviewed experts stated, “Security training allows organizations to influence behavior, mitigate risk, and ensure compliance. There are countless benefits of initiating security awareness training in your company.” Respondents emphasized that keeping information safe is not only the responsibility of information security professionals but also the responsibility of everyone within the organization. Therefore, all users must be aware not only of their roles and responsibilities in protecting information resources, but also of how they can protect information and respond to any potential security threat or problem. One respondent shared that “In my opinion, I believe that the responsibility of making the data of any organization secured is everybody’s responsibility inside the organization. Absolutely, user awareness is essential to increase their level of knowledge of dealing with security threats.” Awareness helps in reducing undesired mistakes made by end-users.
Awareness is also the last line of defense, at which all the technological solutions will fail when a social engineer invites others to click a link, install malware, or simply give away their credentials.

E. EFFECTIVENESS OF USER AWARENESS PROGRAMS AND TRAINING

It was found from the respondents that the current practices of user awareness programs could be improved by adopting modern awareness programs. Hence, there is a need for contemporary techniques that utilize gamification and rewards until cyber security protection becomes a social norm. These user awareness programs are primarily useful in offering benefits like reducing errors, enhancing security, increasing the level of awareness of staff, and overall protecting the company’s intellectual property. Additionally, the experts confirmed that in order to have a positive impact, training should be a continuous process, because after a few months the users will most likely go back to their original state. One of the respondents stated, “I feel it is effective, in a way that if the users become aware . . . Humans are the weakest link! The more they become aware, the less the issues regarding social engineering become prevalent.” Another respondent stated, “User awareness programs have shown their effectiveness in the organization where I work and similar organizations. We have seen significant improvement in users being able to detect social engineering attempts and resisting the pressure.” Additionally, organizations need to have a transparent process for measuring their users’ capabilities of dealing with security threats by running simulated threat scenarios frequently. Conclusively, effective implementation of security awareness programs helps in the reduction of the risks of cyber threats targeted at exploiting people.

F. TYPES OF USER AWARENESS MEASURES THAT ARE MOST EFFECTIVE IN COMBATING CYBER SECURITY THREATS

The primary role of awareness campaigns is to provide a suitable means of improving user awareness. Users must be introduced to the sensitivity of data and how revealing a small amount of sensitive information can lead to full-blown social engineering attacks. According to the interviewed experts, there are different types of user awareness programs. The most common types of cyber security awareness programs are traditional programs and non-traditional programs. Traditional programs tend to be face-to-face trainings. Related measures include training workshops, gathering sessions, and courses. Non-traditional programs include simulations, gamification and reward programs, and online training. Primarily, the company should first develop an effective security strategy to ensure that every employee within the company understands the importance of cyber security and its far-reaching impact. Next, the company should keep defensive practices up-to-date, and subsequently should adopt modern non-traditional security awareness training. One of the respondents cited that “I feel the training and simulation of social engineering attacks internally would be fruitful to enhance the overall effectiveness of combating social engineering.” One of the other respondents cited in the interview that “Phishing campaign exercise from time to time. Until culture changes I do not believe in the positive effects of current user awareness initiatives. It should be retained as is, but new techniques need to be explored to guide behavior”. Conclusively, SETA (Security, Education, Training, Awareness) is determined to be the most effective tool in combating cyber security threats.

G. CYBER SECURITY AND SOCIAL ENGINEERING AWARENESS TRAINING

Pertaining to whether cyber security and social engineering awareness training should be compulsory for all or not, critical answers and insights were observed during the course of interviewing the experts. One of the respondents critically replied to this by stating “No! I believe that awareness programs should be designed in a way that they can sell themselves without the need to force individuals to adopt them. If they are designed using gamification or reward systems, individuals will adopt them as they find enjoyment in engaging with such programs.” Respondents also weighed in on the frequency of training programs. Some of the respondents stated that training should be done on a monthly basis. Others think quarterly works better, while some others argued that the cycle of awareness should take place once a year. Each group justified their answers. For example, one of the responses stated that “Awareness programs should be compulsory on a monthly basis and if employees made a mistake or violated what has been demonstrated in training, they lose some points toward their yearly performance.” On the other hand, another expert stated that “I think it depends on the user role and department, some users have to be made aware of general things like viruses more frequently (quarterly), however, those who carry advanced security knowledge like IT and security staff should be reminded and updated once a year.” In short, the most significant point was that these programs should be continuous, creating passive engagement in the process, and then embed awareness into the process of securing sensitive data. Social engineering training should be a requirement for all staff, including new hires, with a refresher on a regular basis. Also, testing employees and training them by emailing them fake phishing scenarios can help keep employees conscious.
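Sections E and G above recommend measuring users’ capabilities with frequently repeated simulated threat scenarios and fake phishing emails, and warn that trained users drift back to their original state after a few months. The following Python is an added example, not code from the paper or its participants, showing how the results of such campaigns can be turned into trend evidence: per-campaign click and report rates, a least-squares slope over successive campaigns, and a list of campaigns in which the click rate rose again after the previous one. The Campaign record, the function names and the four campaign results are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    """One simulated phishing exercise (constructed sample data, not from the paper)."""
    label: str      # when the campaign ran, e.g. the month
    sent: int       # simulated phishing emails delivered
    clicked: int    # recipients who followed the lure
    reported: int   # recipients who reported the email to security

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


# Constructed quarterly campaign history for a hypothetical organization.
SAMPLE_CAMPAIGNS = [
    Campaign("2020-01", sent=200, clicked=60, reported=20),
    Campaign("2020-04", sent=200, clicked=40, reported=50),
    Campaign("2020-07", sent=200, clicked=24, reported=80),
    Campaign("2020-10", sent=200, clicked=30, reported=70),
]


def slope(values):
    """Least-squares slope of values against their position (change per campaign)."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def regressions(campaigns):
    """Labels of campaigns whose click rate rose compared with the preceding campaign,
    the backsliding the experts expect when training is not continuous."""
    return [cur.label for prev, cur in zip(campaigns, campaigns[1:])
            if cur.click_rate > prev.click_rate]


def awareness_summary(campaigns):
    clicks = [c.click_rate for c in campaigns]
    reports = [c.report_rate for c in campaigns]
    return {
        "click_trend": slope(clicks),    # negative: fewer people fall for the lure over time
        "report_trend": slope(reports),  # positive: more people report over time
        "regressions": regressions(campaigns),
        "latest_click_rate": clicks[-1],
    }


if __name__ == "__main__":
    for c in SAMPLE_CAMPAIGNS:
        print(f"{c.label}: click {c.click_rate:.0%}, report {c.report_rate:.0%}")
    print(awareness_summary(SAMPLE_CAMPAIGNS))
```

The report rate is tracked alongside the click rate because a falling click rate alone can reflect a less convincing lure; a rising report rate shows that users are recognizing the attempt and acting on it, which is the behaviour the awareness programs aim for.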
Regardless of frequency, a good security awareness program must have a clear objective of raising staff awareness on corporate security policies and procedures for working with information technology (IT) and the policies pertaining to the user awareness programs must be kept updated. Moreover, the interviews confirmed that the status of how well an organization is maintaining a reasonable awareness level can be measured by the number of incidents over time. H. CONCLUSIVE THOUGHTS The last question the experts were asked was if they want to add any comments regarding social engineering and user awareness. Most of them confirmed that social engineering does not require any technical background, and it is a very easy, cheap and effective way to gain unauthorized access 67327 H. Aldawood, G. Skinner: Analysis and Findings of Social Engineering Industry Experts Explorative Interviews to sensitive information. As a result, investing in humans is the key, no matter what advanced technology one uses for protection. There is a need to raise staff awareness on cyber threats. Another point experts emphasized was the need to ensure that procedures and policies are followed correctly in organizations. As the complexity and sophistication of social engineering increases, so should the user awareness. It was observed from the experts’ comments that by using and adopting these measures, the number of data breaches can be potentially reduced. Most of them also indicated that social engineering will be a hot security issue forever. Overall, awareness is by far the best solution for mitigating the risk. However, user awareness is only a partial solution. Henceforth, new solutions should be explored in complementing this necessary factor. With regard to this, one of the interviewees also stated ‘‘I believe cyber security awareness is everyone’s responsibility. 
So, awareness should start at home as we have to make our children aware to know how to stay safe online and warn each other of any cyber security tips that could keep us secure.’’ This battle of cyber security cannot be won with just one weapon, instead, integration of contemporary education and technology are all needed. Conclusively, there is a positive relationship between social engineering and user awareness as an increase in knowledge leads to a decrease in being victims of social engineering. V. CONCLUSION Today, organizations are greatly dependent on information systems. This reliance has led to vulnerability to information security threats that put data and people at risk. Furthermore, social engineering fraud has been increasing with advancements in technology. Social engineering is defined in several studies as manipulating and persuading people to disclose sensitive information through online networks or by granting access to restricted areas or systems. Criminals are getting more sophisticated in finding new ways to attack. As a result, organizations have been increasing their investments in cyber security initiatives to safeguard their data. Additionally, some governments such as Australia have started legislating different laws and regulations against cyber criminals to ensure the protection of citizens and organizations from social engineering attacks and other cyber-related crimes. However, keeping up with perpetrators is challenging. Information security awareness is a crucial step towards having a secure cyber environment in which all types of computer users’ (end-users, technical users, employees in different departments, etc.) skill aptitude levels can freely use technology to conduct positive and self-developing activities. This research aims to find the best working tools to mitigate social engineering threats and to find reliable solutions to create safe work environments. 
The researcher sought participants who are senior IT cyber security professionals in organizations whose substantive business processes depend on information and communication technology (ICT) systems, to share their experiences with the latest practical solutions for protecting against social engineering threats. The results of this study highlight that there is a relationship between social engineering and user awareness. Based on the authors’ ongoing research, coupled with the industry experts’ responses provided in this paper, it is believed that an increase in targeted contextual social engineering awareness and cyber security organizational culture leads to a decrease in being a victim of social engineering.

ACKNOWLEDGMENT

Hussain Aldawood would like to acknowledge the full scholarship from the Saudi Ministry of Education to study the Ph.D. degree with the Faculty of Engineering and Built Environment, University of Newcastle, Australia. The authors would like to thank their colleagues in GulfNet Solutions (GNS) Company Limited, who provided expertise that greatly assisted the research. They also express their appreciation to Mr. O. Aldulaijan, GNS General Manager, for sharing his pearls of wisdom with them during the course of this research.

HUSSAIN ALDAWOOD (Member, IEEE) received the B.S. degree in management information systems from The University of Arizona, Tucson, AZ, USA, in 2009, and the M.S. degree in business administration from Florida Atlantic University, Boca Raton, FL, USA, in 2015. He is currently pursuing the Ph.D. degree in information systems (cyber security) with the University of Newcastle, Callaghan, NSW, Australia. From 2010 to 2018, he was an Information Security Professional with Saudi Arabian Oil Company (Saudi Aramco). Since January 2019, he has been a Casual Academic with the School of Electrical Engineering and Computing, University of Newcastle. He has also been the Director of Cyber Security in GulfNet Solutions Company (GNS) since December 2019. He is the author of several cyber security articles. His research interests include cyber security, social engineering threats and solutions, and information security awareness programs. Mr. Aldawood became a member of ACM in 2018. He is also a member of various committees and institutions on information security, cyber security engineering, and project management. He was a recipient of many prestigious and international honors and awards. He is also internationally and professionally certified by ISACA, ISO, PMI, PECB, CompTIA, and EC-Council, including the following certifications: CISM, CISA, PMP, DRP, Security+, ISO27001, ISO27005, ECIH, and others. He is a Research Reviewer of several journals.

GEOFFREY SKINNER (Member, IEEE) received the B.E. degree in computer engineering from the University of Newcastle, Callaghan, NSW, Australia, and the Ph.D. degree from the Curtin University of Technology, Bentley, WA, Australia. Since 2006, he has been working as an Academic with the School of Electrical Engineering and Computing, University of Newcastle. His research interests include cyber security, data security, security, software development, and information privacy.