User Awareness Measurement Through Social Engineering
The Department of Information Systems Security at the TUBITAK National Research Institute of Electronics and Cryptology (UEKAE) conducts social engineering attacks against Turkish public agencies within the framework of its “Information Security Tests” [19]. This paper analyzes the social engineering tests that have been carried out in several Turkish public agencies. In these tests, the social engineer telephones a sample of employees and tries to obtain sensitive information from them by exploiting their good faith. The aim of this research is to show that employees in Turkish public agencies lack information security awareness and that they violate information security principles which must be applied in every public agency. Social engineering, with both its low cost and its ability to succeed with little technology, has taken its place in the information security literature as a very effective form of attack [8].
💡 Research Summary
This paper presents a systematic analysis of social‑engineering (SE) penetration tests carried out by the Turkish National Research Institute of Electronics and Cryptology (UEKAE) on six major Turkish public agencies over a three‑year period. The authors, Tolga Mataracioglu and Sevgi Ozkan, describe how a “social engineer” impersonated a new IT department employee and called a sample of agency staff to solicit login credentials and other sensitive information. In total, 56 employees were contacted by phone; 38 of them (approximately 68 %) disclosed passwords. Success rates varied by agency: Agency A 80 %, Agencies B and E 50 % each, Agency C 60 %, Agency D 75 %, and Agency F 100 %. The paper argues that these high compromise rates demonstrate a severe lack of security awareness among civil servants, confirming the long‑standing notion that humans are the weakest link in information security.
The authors outline the classic SE attack lifecycle—research, trust building, exploitation, and evaluation—and map the specific techniques used in their tests. The research phase involved harvesting publicly available data from agency websites, organizational charts, and external partner information. Trust was established through tailored social interaction, often exploiting empathy, urgency, or the victim’s desire for free tools. Attack vectors included direct requests for credentials, “reverse‑tricking” (leaving a callback number to prompt the victim to call back), and the use of low‑cost hardware such as USB memory sticks or keyloggers. The paper also discusses how attackers may combine technical tools (password‑cracking software, spyware) with psychological manipulation to increase success rates.
In the protection section, the authors propose a multi‑layered defense strategy. Core to this is a continuous security‑awareness program that delivers periodic training covering password hygiene, phishing, and SE tactics, reinforced by visual cues (posters, intranet banners, security‑themed screensavers). Organizational measures include mandatory ID‑card wear, visitor escort policies, strict password policies, regular data classification and risk‑analysis exercises, and the establishment of a dedicated information‑security division with an incident‑notification center. Crucially, the authors advocate for regular, formalized SE testing (e.g., mock phone calls) to identify gaps, provide feedback, and measure improvement over time.
The discussion emphasizes that technical controls (firewalls, antivirus, encryption) cannot compensate for low user awareness. The authors cite U.S. statistics on industrial espionage and social‑engineering‑related incidents to contextualize their findings globally. They argue that the cost‑effective nature of SE attacks, combined with the ease of obtaining personal or organizational data online, makes SE a persistent threat to any sector, especially those handling critical infrastructure.
In conclusion, the study quantifies the proportion of Turkish public‑sector employees who willingly disclose sensitive information under SE pressure and identifies the psychological fallacies that drive such behavior. It calls on information‑security professionals to prioritize human‑centric defenses, institutionalize periodic SE drills, and embed security awareness into the organizational culture. By doing so, agencies can reduce the likelihood of successful SE attacks, protect critical assets, and mitigate the broader economic and reputational damages associated with information‑theft incidents.