Date of Award


Document Type

Open Access Thesis


Moore School of Business


College of Engineering and Computing

First Advisor

Matt Thatcher


Social Engineering has become a significant threat to the security of business, government, and academic institutions. As vulnerabilities to social engineering attacks increase, organizations must incorporate risk mitigation strategies to their portfolios of Information Systems Security Countermeasures (ISSC). The goal is to implement mitigation strategies that balance the cost of implementation, the privacy of employees, and the resulting expected costs of social engineering attacks. In this paper we develop an analytical model that calculates the total cost of protection, including the trade-off between the cost of implementing protection strategies and the resulting expected cost of social engineering attacks. We use the model to examine the sensitivity of total costs to various model parameters, including costs of training, knowledge retention and depreciation rate, and number of employees.

This model builds on prior work from the Ponemon Institute examining the economic costs of social engineering attacks and the methods implemented to reduce the risk and mitigate the costs of such attacks. In particular, we leverage the empirical analysis presented in Ponemon Institute(2015) to develop a model that examines the economic impacts of various mitigation strategies and the resulting economic trade-offs. This works illustrates that knowledge and awareness among users is an effective method for controlling social engineering threats. The scenarios highlighted in this work illustrated how costs play a role in protection using knowledge as a countermeasure and found the most cost-effective solutions using the same model used by Ponemon(2015). This analysis may help companies develop efficient ways to protect themselves from social engineering attacks while efficiently managing resources in the social engineering realm.


© 2018, Christopher Artejus Sanders