The Influence of Personal Characteristics and Other Factors on the Susceptibility of Public Sector Employees to Cyber-Social Engineering Through LinkedIn: A Mixed-Methods Sequential Explanatory Study

Abstract

To date, career-oriented social networking sites (CSNS) have not received sufficient attention from cybersecurity researchers. In today's world of increased online professional networking and communication, this means an increase of cybercrime incidents. The phenomenon of user susceptibility to cyber-based attacks in the form of malicious persuasive messages is still not well understood, particularly when users access SNS/CSNS in public sector organisations. This study addresses this gap in the extant literature, and the research findings provide a theoretical contribution in the field of information system security (ISS). This research seeks to understand how and to what extent personal characteristics and other factors play a role in an employee's susceptibility to cyber-social engineering (CSE) victimisation when accessing professional SNS, such as LinkedIn, in the workplace. This study extends a validated model by Saridakis et al. (2016) by adding five personality traits (FFM), two motivational factors, two additional behavioural factors and two additional demographic factors. The study approach is pragmatic, combining aspects of both positivism and interpretivism. Thus, it employs a mixed-methods sequential explanatory approach which combines quantitative and qualitative data in a single case study. In the first phase of the research, the quantitative data were collected via a survey questionnaire (N = 394). The findings from the survey data were investigated in more detail in the qualitative phase, in which 15 semi-structured interviews were conducted. The findings from this research in some cases confirm those of other studies, and in others contradicts those reported in previous work. Study findings show 7 factors (neuroticism, agreeableness, extraversion, openness to experience, risky information security habitual behaviour, professional advancement and gender) had positive associations with CSE susceptibility over LinkedIn, while 4 factors (conscientiousness, IT self-efficacy, age and structural power/level of work) had negative associations with susceptibility to CSE victimisation over LinkedIn. This study also revealed significant differences with regard to 4 demographic variables (age, gender, nationality, structural power). Gender, followed by age, had the most significant impact on employee susceptibility to CSE victimisation over LinkedIn. Male employees were at greater risk of susceptibility to CSE victimisation. Main contributions include: Model of Susceptibility to CSE Victimisation on LinkedIn; Favouritism as a motivating factor for professional advancement; First study to examine structural power as a factor in CSE susceptibility. Implications for organisations include: Organisations should incorporate validated psychometric evaluations as part of their recruitment platform; Organisations should conduct IS awareness training that fosters an understanding of CSE and risks associated with CSNS.