Information Technology & People
Volume 32 Number 5 2019
ISSN 0959-3845
ISBN 978-1-83909-810-9
Emerald Publishing, emeraldpublishing.com; journal archive at www.emeraldinsight.com/loi/itp

Special issue: Cybercrimes prevention: promising organisational practices
Guest Editors: Mahmood Hussain Shah, Paul Jones and Jyoti Choudrie

Contents

1125 Guest editorial
1130 Solutions for counteracting human deception in social engineering attacks
     Curtis C. Campbell
1153 Prevention of cybercrimes in smart cities of India: from a citizen's perspective
     Sheshadri Chatterjee, Arpan Kumar Kar, Yogesh K. Dwivedi and Hatice Kizgin
1184 Preventing identity theft: identifying major barriers to knowledge-sharing in online retail organisations
     Abdullah Maitlo, Nisreen Ameen, Hamid Reza Peikari and Mahmood Shah
1215 Crime and social media
     Simplice Asongu, Jacinta Nwachukwu, Stella-Maris Orim and Chris Pyke
1234 Shoplifting in mobile checkout settings: cybercrime in retail stores
     John A. Aloysius, Ankur Arora and Viswanath Venkatesh
1262 Organizational practices as antecedents of the information security management performance: an empirical investigation
     Daniel Pérez-González, Sara Trigueros Preciado and Pedro Solana-Gonzalez
1276 Online social network security awareness: mass interpersonal persuasion using a Facebook app
     Ehinome Ikhalia, Alan Serrano, David Bell and Panos Louvieris
1301 The effect of cybercrime on open innovation policies in technology firms
     Vanessa Ratten
1318 Cybersecurity economics – balancing operational security spending
     Stale Ekelund and Zilia Iskoujina

Guest editorial

Cybercrimes prevention: promising organisational practices

Contextualising the special issue

The growth of e-commerce worldwide has enabled many organisations to deliver products and services using innovative, efficient, fast and cost-effective business models. The digital economy continues to grow and makes a considerable contribution to the world economy. However, this relatively rapid growth has also caused even faster growth in cybercrimes, mainly due to the ease of committing these crimes, their lucrative returns and the slowness of prevention efforts. Cybercrimes represent an existential threat to e-commerce, and the need to control their growth effectively is urgent. As the relevant legislation and the capabilities of law enforcement agencies are failing to catch up with the fast-changing nature of these crimes, businesses need to adopt innovative preventative strategies. This special issue focuses on how both large organisations and SMEs are making effective use of cybercrime prevention strategies. It also presents new research approaches and methodologies contributing to theory and practice in this important emerging research domain.
Bera (2019) gave worldwide figures for cybercrimes for the year 2018, stating that almost 700m people were victims of some type of cybercrime. Cybercriminals generate revenues of $1.5tn annually, and cybercrime is estimated to cost businesses $6tn annually by 2021. Generally, when calculating cybercrime losses, only reported direct losses are accounted for. Indirect losses such as a reduction in sales, a reduction in market share, a share price drop and legal costs have a significant adverse impact on organisations; however, they are often overlooked. Many cybercrimes are not reported, or are under-reported, by organisations because of possible reputational damage. Therefore, the figures given here may underestimate the real number of cybercrimes or the extent of the damage. Nevertheless, these figures demonstrate how widespread these crimes are, with the resulting damage to the world economy running to trillions.

Doargajudhur and Dell (2019) identify that enhanced awareness of cybercrimes and alarming media reports about losses resulting from these crimes have intensified interest and attracted the attention of consumers, organisations, governments and researchers. Moreover, Vahdati and Yasini (2015) stressed that cybercrimes are the biggest threat to the survival of e-tailing. Whereas cybercrimes are a fast-evolving problem, prevention strategies and their implementation have been slow amongst businesses. The losses caused by cybercrimes can damage both the finances and the reputation of businesses (Vahdati and Yasini, 2015). These crimes and the resulting fears also discourage many customers from buying goods online. Spanaki et al. (2019) and Tsohou and Holtkamp (2018) identified major challenges faced by consumers when they become victims of cybercrimes. These consumers faced issues such as credit problems (including rejection of loan applications), disruption to normal life routines and psychological difficulty in providing personal data to organisations and banks during an investigation.
[Information Technology & People, Vol. 32 No. 5, 2019, pp. 1125-1129. © Emerald Publishing Limited, ISSN 0959-3845. DOI 10.1108/ITP-10-2019-564]

Previous studies focused on issues related to the development and management of identity fraud policies (Njenga and Osiemo, 2013; Coulson-Thomas, 2017). Syed (2018) investigated the effects of data breaches on the reputation of organisations on social media. Moreover, Doherty and Tajuddin (2018) researched prevention approaches, including identifying risks and sharing knowledge about information security with other organisations. The majority of these studies are, however, directed at internal fraud in banking and other public and private sectors; there is very limited literature available in terms of theories on cybercrime management.

Njenga and Osiemo (2013) focused on fraud management policies and asserted that organisations should consider all stages of fraud management when developing an anti-fraud policy. Coulson-Thomas (2017) and Chen et al. (2015) suggested the importance of employees' participation in fraud management plans, whereas Soomro et al. (2016) focused on identity fraud prevention. Jalali et al. (2019) suggested that organisations need to synchronise their fraud management plans and protocols with other partners in their value chain to ensure that there are no weak links for fraudsters to exploit. Furthermore, Yoon and Kim (2013) investigated information security behavioural intention and suggested that learning opportunities for IT users help achieve improved security by eliminating previous mistakes and addressing user-related weaknesses in organisations.

Chen et al. (2015) and Kolkowska et al. (2017) researched the effectiveness of internal audits and recommended that organisations should develop regular audit processes for improved fraud detection and prevention. Some studies have suggested providing training that can create awareness of cybercrime-related problems (Singh et al., 2013; Chen et al., 2015).
Al-Khouri (2014) focused on cybercrime-related difficulties and how these are having an impact on investment in online retailing. Khajouei et al. (2017) and Alsmadi and Prybutok (2018) researched frauds in mobile commerce, which they claim differ from traditional e-commerce-related frauds in terms of the methods used by the fraudsters.

The extant literature covered above investigated various organisational practices related to fraud, which is encouraging; however, the fact that cyber frauds are still growing in number and in the financial losses they cause suggests that existing approaches are still inadequate, hence the need for further research. This special issue aims to serve this need. In the rest of this editorial, we consider the papers included in this special issue, which are presented in the following order.

The study by Campbell investigated the three most significant issues related to social engineering and security approaches for counteracting social engineering attacks. The three most significant issues produced three target areas for implementing best practices in countering social engineering attacks. The findings offer fresh insights into blending security processes, practices and programmes, and aim to give leaders an increased understanding of how to implement counteractions.

Chatterjee, Kar, Dwivedi and Kizgin's study identifies the factors influencing the citizens of India to prevent cybercrimes in the proposed smart cities of India. The study proposes a conceptual model identifying factors that prevent cybercrimes. It reveals that "awareness of cybercrimes" significantly influences actual usage of technology to prevent cybercrimes in the smart cities of India. The authors suggest that government initiatives and legal awareness have less impact on spreading awareness of cybercrimes among the citizens of the proposed smart cities.
Maitlo, Ameen, Peikari and Shah's study considers barriers to effective knowledge sharing in preventing identity fraud in online retail organisations, using a case study approach. The study proposes a framework based on a reconceptualisation and extension of the knowledge sharing enablers framework. The findings suggest that the major barriers to effective knowledge sharing for preventing identity fraud are poor leadership support, limited employee willingness to share knowledge, lack of employee awareness of knowledge sharing, inadequate learning/training opportunities, insufficient trust in colleagues, poor information-sourcing opportunities and information and communications technology infrastructure, an inferior knowledge sharing culture, insufficient evaluation of performance and inadequate job rotation. The research offers solutions for removing existing barriers to knowledge sharing in preventing identity fraud.

Asongu, Nwachukwu, Orim and Pyke's study complements the limited macroeconomic literature on the development outcomes of social media by examining the relationship between Facebook penetration and violent crime levels across 148 countries using quantitative analysis. The study noted a negative relationship between Facebook penetration and crime. Furthermore, when the dataset is decomposed into regions and income levels, the negative relationship is evident in the Middle East and North Africa, whereas a positive relationship is confirmed for Sub-Saharan Africa. Studies on the development outcomes of social media are sparse because of a lack of reliable macroeconomic data on social media.

Aloysius, Arora and Venkatesh's study found that, in a smartphone checkout setting, intention to shoplift was driven by experiential beliefs and peer influence.
Experiential beliefs and peer influence were found to have a stronger effect for prospective shoplifters than for experienced shoplifters. The findings also indicated that in an employee-assisted mobile checkout setting intention to shoplift was driven by experiential beliefs; here too, peer influence and experiential beliefs had a stronger effect for prospective shoplifters than for experienced shoplifters.

Pérez-González, Trigueros Preciado and Solana-Gonzalez's study expanded current knowledge regarding security organisational practices and analysed their effects on information security management performance. The authors propose a theoretical research model together with hypotheses. The results validate that information security knowledge sharing, information security education/training, information security visibility and security organisational practices have a positive effect on management performance. The organisational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. The study further recognises the need to develop empirical research on information security focused on SMEs and the need to identify organisational practices that improve information security.

Ikhalia, Serrano, Bell and Louvieris employ mixed methods, including surveys, laboratory experiments and semi-structured interviews, to evaluate a Facebook application. The escalation of social engineering malware creates a demand for end-user security awareness measures. Online social network (OSN) users have a higher propensity to malware threats because of the trust and persuasive factors that underpin OSN models. A Facebook video animation application, Social Network Criminal (SNC), creates security awareness and improves the threat avoidance behaviour of OSN users. The results validate the effectiveness of OSN applications that utilise a TTAT–MIP model, specifically its mass interpersonal persuasion (MIP) attributes.
Practitioners are able to develop security awareness systems that more effectively leverage the intra-relationship model of OSNs. SNC enables persuasive security behaviour amongst employees and helps them avoid potential malware threats. SNC supports consistent security awareness practice by identifying new threats, which may inspire the creation of new security awareness videos. The structure of OSNs is making it easier for malicious users to undertake their activities without the possibility of detection. Thus, by building a security awareness programme using the TTAT–MIP model, organisations can proactively manage security awareness.

Ratten's study examines the impact of open innovation on cybercrime in technology firms using semi-structured in-depth interviews. The study seeks to understand the role of open innovation, in terms of technology scouting, horizontal collaboration and vertical collaboration, in cybercrime activity. The study found that most technology firms face a dilemma between having an open innovation strategy and managing cybercrime. This means that a coopetition strategy is utilised that helps to balance the need for open innovation with the need to protect intellectual property. Thus, managers of technology firms need to encourage open innovation as a strategy but manage the cybercrime that comes from sharing too much information in an online context.

Ekelund and Iskoujina demonstrate how to find the optimal investment level for protecting an organisation's asset. This study integrates a case study of an international financial organisation with various methods and theories from security economics and mathematics. It combines theory and empirical findings to establish a new approach to determining optimal security investment levels. The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find value at risk. By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal investment level for an asset.
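As an added illustration of the mechanics described in that summary (this is example code written for this page, not Ekelund and Iskoujina's model, whose exact formulation is not reproduced here), the Python sketch below bootstraps annual losses from a constructed list of historical incident sizes, takes the empirical value at risk (VaR) at a chosen confidence level, models the residual VaR as a function of security spend, and locates the minimum of the resulting convex risk cost curve. The incident data, the Poisson-style incident frequency and the exponential control-effectiveness model are all assumptions made for the example.

```python
import math
import random

# Constructed sample data (an assumption for this example, not the paper's data):
# loss per historical incident, in thousands of currency units.
HISTORICAL_INCIDENT_LOSSES = [12.0, 45.0, 8.0, 130.0, 22.0, 60.0, 15.0, 240.0, 33.0, 18.0]
INCIDENT_RATE_PER_YEAR = 3.0    # assumed mean number of incidents per year
CONTROL_EFFECTIVENESS = 0.02    # assumed: each unit invested scales residual loss by e^-0.02


def simulate_annual_losses(incident_losses, rate, years, seed=1):
    """Monte Carlo: for each simulated year, draw incident arrival times with
    exponential inter-arrival gaps (a Poisson process with the given rate) and
    bootstrap each incident's size from the historical list."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        t = rng.expovariate(rate)
        while t < 1.0:                     # only incidents falling inside the year
            total += rng.choice(incident_losses)
            t += rng.expovariate(rate)
        annual.append(total)
    return annual


def value_at_risk(annual_losses, confidence=0.95):
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(annual_losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[max(index, 0)]


def residual_var(investment, baseline_var, effectiveness=CONTROL_EFFECTIVENESS):
    """Assumed control model: residual risk decays exponentially with spend."""
    return baseline_var * math.exp(-effectiveness * investment)


def risk_cost(investment, baseline_var, effectiveness=CONTROL_EFFECTIVENESS):
    """Total risk cost of an investment level: what is spent plus what is still at risk."""
    return investment + residual_var(investment, baseline_var, effectiveness)


def analytic_optimum(baseline_var, effectiveness=CONTROL_EFFECTIVENESS):
    """Closed form for the convex cost C(I) = I + V*exp(-kI): dC/dI = 0 at I = ln(kV)/k.
    If kV <= 1 no positive spend lowers the total cost, so the optimum is 0."""
    return max(0.0, math.log(effectiveness * baseline_var) / effectiveness)


def optimal_investment(baseline_var, effectiveness=CONTROL_EFFECTIVENESS,
                       max_investment=500.0, step=1.0):
    """Grid search over investment levels; returns (best level, its cost, whole curve)."""
    grid = [i * step for i in range(int(max_investment / step) + 1)]
    curve = [(i, risk_cost(i, baseline_var, effectiveness)) for i in grid]
    best, best_cost = min(curve, key=lambda point: point[1])
    return best, best_cost, curve


def is_convex(curve):
    """True if the discrete second difference never goes negative along the curve."""
    costs = [c for _, c in curve]
    return all(costs[i - 1] - 2 * costs[i] + costs[i + 1] >= -1e-9
               for i in range(1, len(costs) - 1))


if __name__ == "__main__":
    annual = simulate_annual_losses(HISTORICAL_INCIDENT_LOSSES, INCIDENT_RATE_PER_YEAR, 10_000)
    var95 = value_at_risk(annual, 0.95)
    best, cost, curve = optimal_investment(var95)
    print(f"95% VaR of annual loss: {var95:.1f}")
    print(f"optimal investment: {best:.0f} (total risk cost {cost:.1f}, "
          f"vs {risk_cost(0.0, var95):.1f} with no spend)")
    print("cost curve convex:", is_convex(curve))
```

The grid search and the closed form agree to within one grid step, which is what makes the plotted minimum a usable decision point: a practitioner can swap in real incident data and a control model calibrated to their own environment, and read the optimal spend off the same curve.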
The results can be used by business practitioners to assist them with decision making on investment in the increased protection of an asset. The originality of this research lies in its novel way of combining theories with historical data to create methods to measure the theoretical and empirical strength of a control (or set of controls) and translate it into loss probabilities and loss sizes.

In conclusion, the manuscripts collected here confirm the complexity of the cybercrime threat, with its implications for citizens, consumers, firms and their employees, public sector entities, cities, states, governments, and technology and social media providers. Cybercrime represents an ongoing and significant threat driven by multiple agents. Several of the studies presented here offer recommendations and best practice frameworks to combat cybercrime. However, it is apparent that the cybercrime literature remains nascent and the academic community must endeavour to work with all parties to offer ongoing best practice.

Mahmood Hussain Shah
School of Strategy and Leadership, Coventry University, Coventry, UK
Paul Jones
School of Management, Swansea University, Swansea, UK, and
Jyoti Choudrie
Hertfordshire Business School, University of Hertfordshire, Hatfield, UK

References

Al-Khouri, A.M. (2014), "Identity management in the retail industry: the ladder to move to the next level in the internet economy", Journal of Finance & Investment Analysis, Vol. 3 No. 1, pp. 51-67.
Alsmadi, D. and Prybutok, V. (2018), "Sharing and storage behavior via cloud computing: security and privacy in research and practice", Computers in Human Behavior, Vol. 85, August, pp. 218-226.
Bera, A. (2019), "Terrifying cybercrime statistics", March 12, available at: https://safeatlast.co/blog/cybercrime-statistics/ (accessed 2 May 2019).
Chen, Y., Ramamurthy, K. and Wen, K. (2015), "Impacts of comprehensive information security programs on information security culture", The Journal of Computer Information Systems, Vol. 55 No. 3, pp. 11-19.
Coulson-Thomas, C. (2017), "Fraud, security risks and corporate responses", in Ahluwalia, J.S. (Ed.), Corporate Ethics & Risk Management in an Uncertain World, IOD Publishing, Mumbai, pp. 67-76.
Doargajudhur, M.S. and Dell, P. (2019), "Impact of BYOD on organizational commitment: an empirical investigation", Information Technology & People, Vol. 32 No. 2, pp. 246-268.
Doherty, N.F. and Tajuddin, S.T. (2018), "Towards a user-centric theory of value-driven information security compliance", Information Technology & People, Vol. 31 No. 2, pp. 348-367.
Jalali, M.S., Siegel, M. and Madnick, S. (2019), "Decision-making and biases in cybersecurity capability development: evidence from a simulation game experiment", The Journal of Strategic Information Systems, Vol. 28 No. 1, pp. 66-82.
Khajouei, H., Kazemi, M. and Moosavirad, S.H. (2017), "Ranking information security controls by using fuzzy analytic hierarchy process", Information Systems and e-Business Management, Vol. 15 No. 1, pp. 1-19.
Kolkowska, E., Karlsson, F. and Hedström, K. (2017), "Towards analysing the rationale of information security non-compliance: devising a value-based compliance analysis method", Journal of Strategic Information Systems, Vol. 26 No. 1, pp. 39-57.
Njenga, N. and Osiemo, P. (2013), "Effect of fraud risk management on organization performance: a case of deposit-taking microfinance institutions in Kenya", International Journal of Social Sciences and Entrepreneurship, Vol. 1 No. 7, pp. 490-507.
Singh, A.N., Picot, A., Kranz, J., Gupta, M.P. and Ojha, A. (2013), "Information Security Management (ISM) practices: lessons from select cases from India and Germany", Global Journal of Flexible Systems Management, Vol. 4 No. 4, pp. 225-239.
Soomro, Z.A., Shah, M.H. and Ahmed, J. (2016), "Information security management needs a more holistic approach: a literature review", International Journal of Information Management, Vol. 36 No. 2, pp. 215-225.
Spanaki, K., Gürgüç, Z., Mulligan, C. and Lupu, E. (2019), "Organizational cloud security and control: a proactive approach", Information Technology & People, Vol. 32 No. 3, pp. 516-537.
Syed, R. (2018), "Enterprise reputation threats on social media: a case of data breach framing", The Journal of Strategic Information Systems, Vol. 28 No. 3, pp. 257-274, available at: https://doi.org/10.1016/j.jsis.2018.12.001
Tsohou, A. and Holtkamp, P. (2018), "Are users competent to comply with information security policies? An analysis of professional competence models", Information Technology & People, Vol. 31 No. 5, pp. 1047-1068.
Vahdati, S. and Yasini, N. (2015), "Factors affecting internet frauds in private sector: a case study in cyberspace surveillance and scam monitoring agency of Iran", Computers in Human Behavior, Vol. 51, Part A, pp. 180-187.
Yoon, C. and Kim, H. (2013), "Understanding computer security behavioural intention in the workplace: an empirical study of Korean firms", Information Technology & People, Vol. 26 No. 4, pp. 401-419.

About the Guest editors

Dr Mahmood Hussain Shah is Senior Lecturer in e-business within the School of Strategy and Leadership, Coventry University, UK. Previously he has held academic posts at the University of Central Lancashire, Cranfield University and the University of Hertfordshire. He acts as a consultant to several UK banks and online retailers on information security and e-banking management-related issues. His present research interests include identity theft prevention in online retailing and e-banking, as well as health information systems and IS strategy. He has published several books in the areas of information security, e-banking and mobile technologies. He has also published many papers in high quality journals such as Computers in Human Behavior, European Journal of Information Systems, International Journal of Simulation Modelling, Health Informatics and the International Journal of Information Management.
Paul Jones is Professor of Entrepreneurship and Innovation at Swansea University and Head of the Business Department. He is currently Editor of the International Journal of Entrepreneurial Behaviour and Research and Associate Editor of the International Journal of Management Education. Professor Jones is an active researcher and publishes widely on issues related to entrepreneurial behaviour and small business management. Paul Jones is the corresponding author and can be contacted at: [email protected]

Jyoti Choudrie is Professor of Information Systems in Hertfordshire Business School. Professor Choudrie has maintained an active media profile on issues such as the digital divide, social inclusion, entrepreneurship, innovation and broadband development. She has also attained expertise in the non-adopters and adopters research area, which has led her to understand the digital divide, where her research influence lies. Professor Choudrie has published widely in international journals such as Information Systems Frontiers, Journal of Business Research and Government Information Quarterly, where her work is well cited. Professor Choudrie is presently researching older adults and information communication technologies, where her interest is in the adoption and diffusion of technologies, with an emphasis on entrepreneurship for older adults. Professor Choudrie is also focused on examining and understanding the digital divide by considering internet access for older adults.

Solutions for counteracting human deception in social engineering attacks

Curtis C. Campbell
School of Advanced Studies, University of Phoenix, Tempe, Arizona, USA

Received 4 December 2017; Revised 18 January 2018, 23 February 2018, 23 May 2018; Accepted 3 June 2018

Abstract

Purpose – The purpose of this paper is to investigate the top three cybersecurity issues in organizations related to social engineering and to aggregate solutions for counteracting human deception in social engineering attacks.
Design/methodology/approach – A total of 20 experts within the Information System Security Association participated in a three-round Delphi study for aggregating and condensing expert opinions. The three rounds moved participants toward consensus on solutions to counteract social engineering attacks in organizations.

Findings – Three significant issues (compromised data, ineffective practices and lack of ongoing education) produced three target areas for implementing best practices in countering social engineering attacks. The findings offer counteractions that include education, policies, processes and continuous training in security practices.

Research limitations/implications – Study limitations include a lack of prior data on effective social engineering defense. Research implications stem from the psychology of human deception and trust and the ability to detect deception.

Practical implications – Practical implications relate to human judgment in complying with effective security policies and programs and to consistent education and training. Future research may include exploring the financial, operational and educational costs of implementing social engineering solutions.

Social implications – Social implications apply across all knowledge workers who benefit from technology and are trusted to protect organizational assets and intellectual property.

Originality/value – This study contributes to the field of cybersecurity with a focus on trust and human deception to investigate solutions to counter social engineering attacks. This paper adds to under-represented cybersecurity research regarding effective implementation of social engineering defense.

Keywords IT strategy, Security, Trust, Human–computer interaction (HCI), Phishing

Paper type Research paper

Introduction

Cybercrime and security breaches continuously generate news media headlines and have become routine reporting. One of the three most pressing risks to organizational performance is the threat of cyberattacks (FM Global, 2017). The cost of a cybersecurity breach to unlucky organizations varies from the millions to the trillions, depending on the report.
In 2014, the estimated cost of cybercrime in the USA was around $100bn; by 2019, the estimated cost of cybercrime was projected at $2 trillion (Morgan, 2016). In the past decade, US government spending on cybercrime attack defense totaled $100bn, with $14bn budgeted for 2016 alone (Morgan, 2016). While there are projected costs for increasing cybercrime defense, there are bigger costs to the safety of the public and the security of the nation if those efforts are not made (Shackelford et al., 2014).

Within cybercrime, there is a growing trend toward social engineering, a distinct form of cyberattack, because of the low cost and high benefit of committing the crime. To bypass networks and technical controls, hackers use social engineering attacks through various forms of online communication, technology and deception techniques to persuade and trick individuals into granting access to the company network (Parmar, 2013). Social engineering attempts to influence workers to perform an action that may harm the organization (Hadnagy, 2014). By targeting individuals who often may not know the value of the information they are giving away (Mitnick and Simon, 2006), attackers lead workers to misjudge the request, assuming that providing the information carries little cost to the helper (Mitnick and Simon, 2006), and so to fail to keep an otherwise secure computer system safe from malicious intent (Orgill et al., 2004).

[Information Technology & People, Vol. 32 No. 5, 2019, pp. 1130-1152. © Emerald Publishing Limited, ISSN 0959-3845. DOI 10.1108/ITP-12-2017-0422]

Leveraging trust and the psychology of human behavior and decision making, social engineers aim to penetrate security networks by manipulating the human insider to obtain confidential information (Allsopp, 2009). While many companies are aware of external hacking or cyberattacks, many fail to address security controls internally at the employee level (Luo et al., 2013). Once compromised, organizations may lose data and competitive advantage and suffer financial losses.
All it takes for cybercrime to be successful is one security exploit or vulnerability.

The escalation of cybercrime attacks targeting human deception supports researching counter-defense approaches to social engineering in organizations. Different from direct network hacking, social engineering attacks exploit human decision making and trust to persuade the victim into inadvertently divulging sensitive information (Mitnick and Simon, 2006). These attacks revolve around an instant of decision making: whether or not to trust an action by opening or clicking a link. There is a relationship between an individual's trust level and an individual's performance in a computer-supported environment (Cheng et al., 2017).

Compared to the availability of literature on IT security for cybercrime, the lack of peer-reviewed publications on defense against social engineering attacks justified the need for the study. Google Scholar returned 2.5m peer-reviewed articles on IT security in cybercrime published over the last decade. Refining the search to literature relating specifically to social engineering attacks over the same period, Google Scholar returned 496,000 peer-reviewed articles, one-fifth of the quantity for the broad topic of IT security. Since 2016, Google Scholar reflected only 22,000 peer-reviewed, published articles on the topic of social engineering defense or prevention and 39,000 peer-reviewed articles related to social engineering attack success. The gap in the literature was specific to solutions to implement for countering social engineering attacks targeting human deception. It is this gap in the research on delivering effective social engineering defense and solutions to counteract attacks which served as the aim of the study.

Leaders must understand the psychology behind these targeted intrusions and account for why humans are easily deceived. Therefore, this study investigates the three most important issues related to social engineering and explores future solutions for counter defense.
It provides an important contribution as it addresses the under-researched phenomenon of solutions for counter defense related to social engineering attacks that can be applied to any organization.

The specific problem is that, without organizational strategies or solutions to deliver effective countermeasures, the key cybersecurity risk of unauthorized access to classified, sensitive or personal data through social engineering attacks will continue to increase (LeClair and Keeley, 2015). Leaders may lack effective security strategies and solutions to eliminate human deception and the risk of success in social engineering attacks.

Review of the literature

In the past few decades, the advent of the computer brought about the need for secure, private communication. Secure communication required data confidentiality, data integrity and authentication (Bellare and Rogaway, 2005). These requirements led to the use of cryptography, and encryption in particular, to prevent data from being deciphered on ATM cards, in computer passwords and in electronic commerce. During this period, information security processes and procedures were technical designs to prevent entry.

Over time, information security processes evolved from a purely technical design to include behavioral factors (Dunkerley and Tejay, 2011). This evolution recognized the human individual in the information security investment (Dunkerley and Tejay, 2011). Next came the advancement and adoption of the ease and familiarity of sharing information through technology.

Organizations began to implement technical controls and human-based controls to close gaps in computer systems (Dhillon et al., 2007). Technical controls included hardware or software for preventing and reducing cybercrime, most commonly password tools, encryption, firewalls and anti-virus software. Human-based controls included formal controls, such as organizational policies for acceptable behavior, acceptable use and employee and supervisor responsibilities, and informal controls, such as ethical issues and attitude awareness, self-control, accountability and proper conduct (Dhillon et al., 2007).
Technical controls in security defense

From 1998 to 2007, technology developments for preventing intrusion dominated information security research (Wang, 2012). During that decade, the main research topics were information security assessment and management, information security economics, technical aspects of information security, development and monitoring of information systems (IS) and cryptographic technology design (Wang, 2012).

During that same time, global internet threats transitioned from disabling infrastructure to targeting people and organizations, endangering businesses and governments (Bhatia et al., 2011). Developments in technology included common security infrastructure and intrusion detection systems designed to work across multiple operating systems (Bhatia et al., 2011). Honeypot data collection technologies, computer or network services used as traps for detecting and diverting robot networks (botnets), were discussed along with their developmental importance for the future of IS (Bhatia et al., 2011).

Cryptography. Cryptography became a technical control for denying attackers access to communications (Rivest, 1990). It involves constructing and analyzing protocols that defeat attackers by transforming information from a readable state into an unreadable one (Bellare and Rogaway, 2005). The term encryption (Bellare and Rogaway, 2005) describes this specific transformation of readable plaintext into a protected, unreadable state; in everyday usage the whole field is often referred to as encryption, although encryption is only one of cryptography's primitives.

Non-technical controls in information security defense

Previously, security issues were addressed from a technical standpoint, but later the scope extended past technology to the information security management role (Soomro et al., 2016). The literature review for this study focused on this extension to non-technical factors of information security defense, such as organizational factors, behavioral factors and environmental factors under management responsibility (Soomro et al., 2016). For successful security processes, specific managerial activities may play an important role (Soomro et al., 2016).
However, the non-technical factors of a successful implementation have received less attention from the research community.

Formal controls. Formal controls evolved from organizational measures such as acceptable behavior policies, procedures and standards for checks and balances (Beebe and Rao, 2005). Later, the IT security infrastructure expanded to include formal controls such as organizational risk management policies, IS security policies, standards, checklists and the technology aspects of security (Dunkerley and Tejay, 2011). Today, formal controls include physical security and information security, and the human's knowledge is related to his or her technical expertise and user awareness of security policies and organizational regulations (Dunkerley and Tejay, 2011).

Organizational factors. The organizational areas of culture and security awareness also received attention (Dunkerley and Tejay, 2011). Organizational optimization is also important in a successful information security implementation. Research in this area suggested that organizational goals and information security controls should be in balance to promote the delivery of value by the organization (Dunkerley and Tejay, 2011).

Informal controls. Informal controls include ethical issues and attitude awareness, self-control, accountability and proper conduct in organizations. In information security, informal controls in technology are a result of the direct and easy access individuals have to interact with one another. Physical barriers have eroded along with technological limitations, and virtual borders are now completely open, so that one user can communicate with another around the globe in milliseconds (Bojanic and Budimir, 2011).

Overall, advances in cyber-related technologies have enabled social engineering efforts (Roberts and Jackson, 2008), creating new moral and ethical consequences and the need for different psychological competence (Roberts and Jackson, 2008).
Most major cyberattacks on US corporations within the past three years included social engineering (O'Harrow, 2012). Recent social engineering hacks include MacEwan University, defrauded of $11.8m (Seals, 2017), Google and the security giant RSA Security (O'Harrow, 2012). Often, the human deception occurs without the individual realizing the manipulation. No matter how much funding and how many resources are spent on network security with firewalls, security appliances and encryption, the human sitting behind the phone or computer remains vulnerable to data theft by hackers using social engineering techniques.

Security trends require a holistic approach to cover the various vulnerabilities in an IS infrastructure (Ifinedo, 2012). This holistic approach would typically include organizational risk management policies, IS security policies, standards and checklists for organizational employees and the technology aspects of security (Dunkerley and Tejay, 2011). According to Ifinedo (2012), organizations that consider both technical and non-technical aspects of information security are typically more successful in their efforts to secure their information assets.

Theoretical framework

To guide the research, two technical and two non-technical theories served as the analytical framework. The general deterrence theory and Dhillon's theory of balanced control describe technical processes in implementing security measures (Lee et al., 2004) and the balancing of the technical, formal and informal types of controls that organizations may implement as protection and defense (Dhillon et al., 2007).

General deterrence theory

The general deterrence theory was developed to describe the technology and processes involved in implementing security measures to prevent computer abuse (Lee et al., 2004). The aim is general prevention, using punishment or other consequences to deter the activity. Thus, by using anti-virus software and enforcing password and computer security policies, organizations attempt to deter attacks from the outside and protect individuals from yielding to a message (Lee et al., 2004).
Balanced control theory

Dhillon's balanced control theory posited that unintentional insider threats result from an imbalance of technical, formal and informal controls. The aim is to cover all technical options and human controls. The design of the IT security program includes technical systems, formal policies and company culture, as opposed to physical security-based monitoring alone. The principles surrounding Dhillon's balanced control theory identified that balance is needed and that negative effects may result from an imbalance among the three types of controls (Dhillon et al., 2007).