Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies

Eliana Stavrou; Andriani Piki; Panayiotis Varnava

doi:10.5220/0012410300003648

Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies

Eliana Stavrou, Andriani Piki, Panayiotis Varnava

2024

Abstract

Cybersecurity policies play a fundamental role in fostering organizational cyber governance and cyber resilience. Cybersecurity awareness-raising and training policies specify upskilling requirements and explicitly address persistent threats such as social engineering attacks. While cybersecurity awareness-raising and training activities complement the objectives of security policies, challenges including stakeholder diversity, budget constraints, generic messaging and low user engagement hinder their effectiveness. For successful policy adoption it is crucial for the workforce to grasp the relevance of these policies within their work context, understand how social engineering attacks are deployed, and apply policy rules appropriately. However, existing awareness-raising and training policies often lack specificity, leading to gaps in employee engagement and behavioural change, especially regarding social engineering threats. To address these issues, the paper proposes a dedicated social engineering awareness-raising policy, guided by Merrill’s Principles of Instructions. This work aims to merge policy and practice, offering tailored examples of social engineering attacks, explicitly connecting them to relevant cybersecurity policies and making the content more engaging and relevant to the workforce. This is envisioned as a cost-effective resource for organizations with a limited training budget, which can be utilized as a starting point to enhance employee awareness, engagement, and foster a stronger organizational cyber resilience culture.

Download

Paper Citation

in Harvard Style

Stavrou E., Piki A. and Varnava P. (2024). Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies. In Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP; ISBN 978-989-758-683-5, SciTePress, pages 179-186. DOI: 10.5220/0012410300003648

in Bibtex Style

@conference{icissp24,
author={Eliana Stavrou and Andriani Piki and Panayiotis Varnava},
title={Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies},
booktitle={Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2024},
pages={179-186},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012410300003648},
isbn={978-989-758-683-5},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Merging Policy and Practice: Crafting Effective Social Engineering Awareness-Raising Policies
SN - 978-989-758-683-5
AU - Stavrou E.
AU - Piki A.
AU - Varnava P.
PY - 2024
SP - 179
EP - 186
DO - 10.5220/0012410300003648
PB - SciTePress