Implications of Social Engineering on Protecting Personal Information (PII) Social engineering may expose vulnerabilities ranging from individual identity theft to the loss of hundreds of thousands of dollars by large corporations (Ricart, Soulis, & Yves, 2013). These attacks use manipulating techniques such as “persuasion, impersonation, and abuse of trust to gain information or computer-system access through the human interface” (Thompson, 2006) to violate and intrude on the personal information of others. Individuals who fall victim to social engineering often give information and required identification details about themselves, clients, or business organizations that allows the social engineer, or hacker, to gain access to otherwise confidential, personal information (Ricart, Soulis, & Yves, 2013). The use of social engineering violates principal standards of ethics, and is intrinsically unethical due to its perceptive nature. Because social engineering can have tragic implications, it is essential that both individuals and business organizations use the necessary tools such as “awareness, policy, and training” (Thompson, 2006) in prevention efforts, while Protecting Personal Information (PII). Personally Identifiable Information includes a wide range of details. The National Institute of Standards and Technology1 with the U.S. Department of Commerce defines Personally Identifiable Information (PII) as
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (McCallister, Grance, & Scarfone, 2010).
Social engineering tactics are aimed at securing this type of information from individuals or businesses and can further be defined as the “Art of manipulating an individual into giving access to information or protected sites” (Ricart, Soulis, & Yves, 2013). Access to and exploitation of confidential information such as that listed above means that a social engineering scheme has been successful. The National Institute of Standards and Technology describes individual implications to include “Identity theft, embarrassment, or blackmail,” and those applicable to organizations to include “Loss of public trust, legal liability, or remediation costs” (McCallister, Grance, & Scarfone, 2010). In 2005, social engineering was the number-one security threat (Thompson, 2006). In 2011, the Internet security firm Check Point stated that between 2009 and 2011, 48% of the largest international organizations encountered 25 or more attacks, ultimately costing anywhere from $25,000 to $100,000 per case (Ricart, Soulis, & Yves, 2013). For these reasons both individuals and organizations must be proactive in Protecting Personal Information from social engineering attacks that can exist in many forms.
In some cases, social engineers simply directly request the information from his or her target (Thompson, 2006). Kevin Mitnick, one of the best-known hackers, has confessed that the establishment of trust between his contacts is most vital, and from there securing the necessary information becomes a simple task (Thompson, 2006). Also essential, social engineers use research as a tool to gain necessary background information in order to be taken seriously and sound like a credible source. That being said, social engineers often prey on trust and emotion (Thompson, 2006). “Ethics is a set of beliefs about right and wrong behavior within a society” (Reynolds, 2012). Social engineering has the capacity to have overwhelmingly negative effects on society (Reynolds, 2012) and is therefore unethical. If