The paper “Social Engineering and Security Management ” is an excellent example of a literature review on management.
1. Information will be considered useful and valuable if it contributes effectively towards good decision making and provides the data support that is required. The value of information refers to the difference that exists between the value of the project with information and the value of the project without information, coupled with the cost incurred in the acquisition of the information (www.agiweb.org). Hence valuing information would basically require that an assessment is made about the usefulness of the information that is being used in carrying out the project, especially in the context of the expenses that are made in acquiring the information.
In a study that was conducted to examine data resource management (DRM), in the context of distributed processing, four variables were investigated – namely, intersite data dependence, the centralization of IS decisions, the concentration of these IS resources and DRM related autonomy (Jain et al, 1998). All of these aspects may be seen to impact upon the cost-effectiveness of the process of information acquisition that would be an aid in carrying out a project and provide an idea of whether they would be considered useful in enhancing the project value.
The results of this investigation (Jain et al, 1998), showed that organizations with the right combination of these four variables were more likely to have higher levels of success in the management of their data resources and in extracting the maximum benefit from the information. In the context of ensuring data availability, Dineley (2007) points out that human error is one of the most often cited reasons why information available from data sources is not fully capitalized upon, and this factor is ranked right after software failures which are also an often cited cause for failure to extract the full value of information.
Hence valuing information involves an assessment of costs of extracting useful information from the glut of information available and the degree to which it is able to contribute to project management and ensure savings in costs.
2. Social engineering is the term used to refer to the methods that samurai and crackers, – both terms used to refer to hackers that can be hired to carry out legal hacking jobs – use in order to gain access to confidential information, especially from government sites that contain confidential financial and national security information. (Castelluccio, 2002).
The use of social skills and human interaction in order to gain access to information is a characteristic feature of social engineering. Since the protection measures have become increasingly stringent, such as for example, passwords that may be hard to crack, these hackers are resorting instead to trickery to persuade insiders to reveal the passwords. Gross (2007) points out how IRS employees were recently a target of these hackers. Over 60% of the employees changed their passwords when they received calls from people who posed as help desk workers.
In Grant’s study, the measures that were recommended in a report prepared by the Treasury Inspector General for Tax Administration office included enhancing security awareness among employees (Grant 2007). The incorporation of internal social engineering tests and providing awareness training to employees were the measures that were recommended for the IRS to follow in order to prevent such security lapses. The one sure way to effectively prevent social engineering attacks is to beware of anyone soliciting information, whether by phone, visits or emails, about confidential organizational or financial matters.
Any kind of personal, financial or confidential company information should not, as a rule, be provided to any individual/s seeking such information unless their authorization to obtain such information is conclusively established. In the case of the IRS employees, as mentioned above, employees were aware that they were not to disclose passwords but did not realize that changing their passwords could also compromise the information that was to be protected (Grant, 2007). Hence, social engineering attacks can only be prevented by exercising the utmost caution and rigidly adhering to the rule that no information of any kind is to be disclosed to any individuals unless their authorization to possess such information is established.
3. Multi-layered security is a recent concept that has been developing together with recent technological changes, such as the emergence of open communication protocols and the development of open-source software. As a result, the existing interoperability among IP networks is also being extended to cover other areas such as security, so that a combination of both electronic and physical measures have led to the development of security at different levels. As Gips pointed out by Gips (2005), safety and security are natural allies, hence when these departments work together within an organization, it can enhance internal security by providing both physical and technological security.
In terms of improving the security of data, this could include measures such as introducing multi-level passwords or using passwords together with encrypted systems and virtual networks. The secure systems provide a layer of protection that is reinforced through the additional security measure of passwords, and these could sometimes be passwords at two different stages of access to materials. In this way, even if the security at one level is breached, it would still not be adequate to gain access to unauthorized information.