A Framework to Secure Business Assets Against Social Engineering Attacks in State Corporations in Kenya
Abstract
Purpose. To develop a framework for securing business assets against social engineering attacks in state corporations in Kenya.
Method. Mixed methods.
Findings. The study found a rise in social engineering (SE) attacks, with phishing being the most common. Employee awareness and training were identified as the most critical factors in managing SE threats, supported by awareness programs, reporting practices, and integration with other training initiatives.
Theoretical Implications. A lack of tailored frameworks and methods for addressing SE attacks in Kenyan state corporations was identified, underscoring the need for an effective cybersecurity framework.
Practical Implications. The study provides insights for cybersecurity professionals to better prevent, detect, and respond to SE attacks, while helping state corporations strengthen security, promote cybersecurity culture, and improve policy and governance.
Value. It highlights the importance of employee compliance with security policies and skills in mitigating SE threats to business assets.
Future Research. Further work should focus on advanced detection techniques, such as machine learning, and the impact of emerging technologies like AI chatbots on SE methods.
Copyright (c) 2025 John Maiyo, Satwinder Singh Rupra, Daniel Otanga

This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors agree with the following conditions:
1. Authors retain copyright and grant the journal right of first publication (Download agreement) with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
2. Authors have the right to enter into separate additional agreements for the non-exclusive distribution of the journal’s published version of the work (for example, to post the work in an institutional electronic repository or to publish it as part of a monograph), with a reference to the first publication of the work in this journal.
3. The journal’s policy allows and encourages authors to post the manuscript of the work on the Internet (for example, in institutional repositories, personal websites, SSRN, ResearchGate, MPRA, SSOAR, etc.) before and during its review by this journal, because it can lead to a productive research discussion and positively affect the efficiency and dynamics of citing the published work (see The Effect of Open Access).