Human Vulnerabilities to Social Engineering Attacks: A Systematic Literature Review for Building a Human Firewall
DOI: https://doi.org/10.30871/jaic.v9i4.9585
Keywords: Social Engineering, Information Security, Human Vulnerability, Systematic Literature Review, Human Firewall
Abstract
Social engineering attacks exploit human psychology to deceive individuals into compromising information security, making the human element a critical vulnerability in cybersecurity systems. This study aims to identify and analyze patterns of human susceptibility in social engineering through a systematic literature review (SLR). Guided by the PRISMA 2020 protocol, a total of 865 articles were initially retrieved from databases such as Scopus, IEEE Xplore, ResearchGate, and Google Scholar. After applying strict inclusion and exclusion criteria, 39 peer-reviewed articles published between 2020 and 2024 were selected for thematic synthesis. The results reveal recurring human vulnerability factors including low security awareness, emotional manipulation (e.g., fear, urgency), overtrust in authority, and lack of behavioral control. These vulnerabilities manifest in predictable victim profiles and behavioral patterns, which are often exploited through phishing, pretexting, and other deception-based tactics. Furthermore, the review highlights the limitations of current mitigation strategies that focus solely on technical solutions without integrating human behavior models. The findings serve as a conceptual foundation for building a “human firewall,” emphasizing awareness, vigilance, and behavioral training as integral components of social engineering defense. This study also lays the groundwork for the development of a human-centric detection model in future research, particularly in the context of mobile banking.
License
Copyright (c) 2025 Muhammad Shofian Tsauri

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.