The document discusses a case study conducted to raise awareness of information security risks among organizational leaders. Researchers simulated social engineering attacks targeting executives and staff. The attacks were successful in gaining unauthorized access to offices and IT systems and obtaining confidential information. To prevent such risks, the document recommends that organizations train all staff and leaders on security best practices, raise awareness of social engineering techniques, and ensure security protocols are consistently followed, including strong passwords and document protection. Leaders must be committed to information security for effective prevention.

1. VI International Symposium Engineering Management and Competitiveness 2016
(EMC 2016)
June 17-18, 2016, Kotor, Montenegro
Csaba Kollár
József Poór
THE LEADERS’
AWARENESS OF
INFORMATION
SECURITY

2. INTRODUCTION
• Digital age – information age
• Network environment
• New economic and social models
• Data, information and the subsequent knowledge
have become valuable
• Cyber crimes
• The human factor is a critical area in information
security

3. SOCIAL ENGINEER TECHNIQUES
• Attacker asks some help or information
• Acquire data from the unsuspicious people
– Phishing
– Whaling
• Unauthorised use of privileges (piggybacking)
• Identity theft
• Shoulder surfing
• Dumpster diving
• Etc…

4. RESEARCH
• Between December 2015 and January 2016
• Altogether 406 people (leader)
• Year from 22 to 75
• 85% has higher education qualifications
• 55% regard internet and interactive solutions as
technology
• Less than 1% of them wrote about the dangers of
clouds
• They did not mention the human aspects of
information security or social engineering at all

5. CASE STUDY – CAST
1. a pretty woman who asks help from the
security guard
2. a fellow in suit from the banking authority
who brought a very important letter to the
director
3. a bike courier who soaked in the rain
4. the responsible leader himself, as observer

6. CASE STUDY – TARGET GROUP
1. security guards at concierge desks working in
shifts
2. receptionists working in shifts
3. one of the executives
4. and his secretary
5. unsuspicious staff
6. a fellow adhered to whom the colleague of the
banking authority can get into the building
without being checked.

7. CASE STUDY – MAIN METHODS
1. entering the office block of the company
without identity check
2. entering the room of the chosen executive
without permission
3. collecting information in the office of the
executive
4. logging in the corporate IT system and databases
with the passwords of staff, retrieving
information and sending messages

8. CASE STUDY – TOOLS AND ACCESORIES
1. provocative clothes, high heels and make-up
2. tailored suit, leather shoes and leather bag
3. large envelope in the leather bag for the
targeted executive
4. fake banking authority access card
5. biking clothes with big backpack
6. Device suitable for image recording (smart
phone)

9. CASE STUDY – AIMS
1. to explore the contacts and habits of the
targeted executive
2. to get into the office block of the company
3. to access the IT system of the company and to
retrieve data from it (specifically the confidential
annual plan of a company division)
4. to send fake information on behalf of colleagues
to other colleagues

10. CASE STUDY – MAIN ACTIONS
1. the pretty woman approaches the security guard
and collects information from him about the habits
of the targeted executive
2. on the given day, the young colleague from the
„banking authority” waits until the executive leaves
for lunch, then, not far from the entrance of the
office building, he starts talking to the smokers
3. the 40-some- year-old receptionist lets in the bike
courier - who says he has to use the bathroom
urgently – after recording his data.

11. CASE STUDY – SUCCESS
1. images recorded in the room of the targeted executive
2. his business contact network could have been analysed
3. his hobby was obvious and it could be concluded that
he cheats on his wife at least once a week
4. by knowing his contacts, his partners could have been
called on his behalf, or on behalf of his secretary
5. the bike courier could obtain the relationship network
of a colleague
6. annual leave plan of a division was collected

12. PREVENTION AND CONCLUSION
1. the leaders of the company at all levels should
be committed to information security
2. the security standards should not only be
imposed, but also observed by the leaders
themselves
3. use passwords which cannot be easily found
out, and to set password protection on the
portable devices
4. destroy the unnecessary copies of printed
documents

13. ADVICES
1. Training of security awareness with the aim to raise
attention and teach basic knowledge. It should have the
same content for everybody.
2. During this training, the knowledge can be transferred and
expanded in a more specialized way, the skills can be
developed and the needs of well-defined user groups can be
met.
3. Those who are already professionals can enter further
training. It is their responsibility in their day-to- day work to
successfully implement the above two levels, to develop and
introduce the defense strategy of the company and to carry
out information security checks

14. Thank you for your kind attention!
Please feel free to contact us:
Dr. PhD. Csaba Kollár
Szent István University, Hungary
drkollarcsaba@gmail.com
Prof. Dr. József Poór
Szent István University, Hungary
poorjf@t-online.hu

15. RESOURCES
https://static.securityintelligence.com/uploads/2014/12/businessmanhandusingnewt_126135-900x535.jpg