Developing and implementing social engineering-prevention policies: a qualitative study

Social engineering, or the use of deception to circumvent information security measures, has become a significant concern for organizations. Many organizations have implemented information security policies to mitigate the risks posed by social engineering attacks. This study uses a grounded theory-based approach to examine qualitative interviews with security auditors, IT security professionals, and social engineers (n = 54) to thematically catalog their insights on developing and supporting security policies. Results indicate that effective IT security policies are (1) properly communicated, (2) tested to find gaps in policy directives and their implementation, (3) buttressed by tools to facilitate good security decision-making among members, (4) written simply and concisely while being kept up-to-date, (5) supported through adequate staffing and expertise, (6) supported by organizational leadership, and (7) accompanied by an organizational structure which allows for policy to be overseen and implemented consistently.