Social engineering and the disclosure of personal identifiable information: Examining the relationship and moderating factors using a population-based survey experiment

Published date: 01 June 2023
DOI: http://doi.org/10.1177/26338076231162660
Author: Rick van der Kleij, Susanne van 't Hoff-De Goede, Steve van de Weijer, Rutger Leukfeldt
Date: 01 June 2023
Subject Matter: Articles
Rick van der Kleij
Centre of Expertise Cyber Security, The Hague University of Applied Sciences (THUAS), The Hague, the Netherlands;
Department of Networked Organisations, Netherlands Organisation for Applied Scientific Research (TNO), The Hague, the Netherlands
Susanne van 't Hoff-De Goede
Centre of Expertise Cyber Security, The Hague University of Applied Sciences (THUAS), The Hague, the Netherlands
Steve van de Weijer
Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), Amsterdam, the Netherlands
Rutger Leukfeldt
Centre of Expertise Cyber Security, The Hague University of Applied Sciences (THUAS), The Hague, the Netherlands;
Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), Amsterdam, the Netherlands
Corresponding author:
Rick van der Kleij, Centre of Expertise Cyber Security, The Hague University of Applied Sciences (THUAS),
The Hague, the Netherlands.
Email: Rick.vanderkleij@tno.nl
Article
Journal of Criminology
2023, Vol. 56(2-3) 278-293
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/26338076231162660
journals.sagepub.com/home/anj
Abstract
People tend to disclose personal identifiable information (PII) that could be used by cybercriminals against them. Often, persuasion techniques are used by cybercriminals to trick people to disclose PII. This research investigates whether people can be made less susceptible to persuasion by reciprocation (i.e., making people feel obligated to return a favour) and authority, particularly in regard to whether information security knowledge and positive affect moderate the relation between susceptibility to persuasion and disclosing PII. Data are used from a population-based survey experiment that measured the actual disclosure of PII in an experimental setting (N = 2426). The results demonstrate a persuasion-disclosure link, indicating that people disclose more PII when persuaded by reciprocation, but not by authority. Knowledge of information security was also found to relate to disclosure. People disclosed less PII when they possessed more knowledge of information security. Positive affect was not related to the disclosure of PII. And contrary to expectations, no moderating effects were found of information security knowledge nor positive affect on the persuasion-disclosure link. Possible explanations are discussed, as well as limitations and future research directions.
Keywords
Cybersecurity, data breach, self-disclosure, cybercrime, persuasion techniques, information
security knowledge, positive affect
Date received: 25 August 2022; accepted: 21 February 2023
Introduction
People are the first line of defence for cybersecurity, but simultaneously also the most accessible means for cybercriminals to gain access to computer systems (Clarke & Knake, 2010; DeBeaubien & Spitzner, 2022; Van der Kleij et al., 2021). Evidence to back up this claim has been amassed by Verizon (2022), which describes in its annual data breach investigation report that roughly 82% of all data breaches in 2021 involved a human actor. One popular means by which criminals get people to cooperate in their crime-commission-process is via social engineering attempts, which aim to persuade people, for instance, to click on malicious links in phishing emails, download malicious attachments or transfer organisational funds (Williams et al., 2018). Hence, the success of a social engineering attack often depends on a target being tricked into disclosing personal identifiable information, or PII in short. PII is defined in this study as any information that can identify or trace an individual directly. Examples are names, addresses, Social Security Numbers and email addresses.

The current study aims to contribute to a better understanding of the factors that influence the susceptibility of people to social engineering attacks. These insights may help to provide better guidance for hardening people and processes against social engineering attacks and the subsequent adverse effects of falling victim to social engineering. The remainder of this introduction gives a short overview of the state of the art of disclosure of PII in relation to our study variables, which is followed by a description of our data collection method and measurements. We then present our research findings and conclude with a discussion of the implications of our work and provide directions for future research on the topic of reducing the susceptibility of people to social engineering attacks.