Insider Attacks against Non-Financial Organizations

Recently, several public and private sectors such as governments, companies and universities use Information and Communication Technologies (ICT) to transform paper-based systems into electronic services. E-service systems may expose to various electronic attacks such as identity theft and phishing attacks. Attacks are classified into insider and out sider attacks. Several studies show that, insider attackers are more dangerous than out sider attackers. Non-financial organizations such as civil registers and universities organizations have sensitive and valuable information may expose to insider attacks. In this paper, we select Student Information System at Sebha University-Faculty of Science as a case study in order to investigate the susceptibility of end users to insider attacks using social engineering and phishing techniques. We performed two steps to achieve our goal. Firstly, we develop a conceptual model of an attacker instead of performing a real attack.  Secondly, we made a survey questionnaire in order to assess to which extent end users are susceptible to insider attack based on the conceptual model.

The analysis of end user’s responses using statistical tests show that, large number of end users at the target organization is susceptible to insider attack easily. Weak of computer skills and lack of information security culture are the most factors enable insider attack to success attacking the organization. Therefore, Sebha University-Faculty of Science needs to improve the skills as well as security culture of their end users to protect end user’s records as well as resources. Training end users to create their emails and their online accounts by themselves is one possible way to improve skills. Awareness end users with risks of electronic crimes by seminars are another way to improve security culture.