Measuring the impact of information security awareness on social networks through password cracking

摘要

Since social networks (SNs) have become a global phenomenon in almost every industry, including airlines and banking, their security has been a major concern to most stakeholders. Several security techniques have been invented towards this but information security awareness (hereafter “awareness”) remains the most essential amongst all. This is because users, an important component of awareness, are a big problem on the SNs regardless of the technical security implemented. For SNs to improve on their awareness techniques or even determine the effectiveness of these security techniques, many measurement and evaluation techniques are in place to ascertain that controls are working as intended.While some of these awareness measurement techniques are inexpensive, effective and efficient to some extent, they are all incident-driven as they are based on the occurrence of (an) incident(s). In addition, these awareness measurement techniques may not present a true reflection of awareness, since many cyber incidents are often not reported. Hence, they are generally adjudged to be post mortem and risk-permissive. These limitations are major and unacceptable in some industries such as insurance, airlines and banking, where the risk tolerance level is at its lowest. This study therefore aims to employ a technical method to develop a non-incident statistics approach of measuring awareness efforts. Rather than evaluating the effectiveness of awareness efforts by the success of attacks or occurrence of an event, password cracking is presented and implemented to proactively measure the impacts of awareness techniques in SNs. The research encompasses the development and implementation of an SN – sOcialistOnline, the literature review of the past related works, indirect observation (available information), survey (as a questionnaire in a quiz template), and statistical analysis. Consequently, measurement of awareness efforts is shifted from detective and corrective paradigms to preventive and anticipatory paradigms, which are the preferred information security approaches going by their proactive nature.