Social engineering (SE) attacks have emerged as a critical threat to corporate information technology (IT) security, exploiting human vulnerabilities rather than technological flaws. Unlike conventional cyberattacks, SE leverages psychological manipulation to bypass security protocols, with tactics such as phishing, pretexting, and baiting responsible for a significant proportion of corporate breaches. This paper presents a comprehensive theoretical exploration of SE by synthesising multi-disciplinary literature across psychology, cybersecurity, and organisational behaviour. A three-layered conceptual framework is developed to analyse how micro-level (individual cognitive traits), meso-level (organisational structures), and macro-level (technological and societal factors) contribute to SE susceptibility across the attack lifecycle. The findings reveal significant gaps in existing models, especially regarding context-specific defences and the influence of emergent technologies like generative AI. This work contributes to the academic discourse by integrating behavioural, organisational, and technological factors, while also offering practical insights to guide policy formulation and risk mitigation in corporate environments.
Introduction
Social engineering (SE) poses a major cybersecurity threat by exploiting human psychological vulnerabilities rather than technical flaws. Common tactics like phishing, pretexting, and baiting draw on manipulation principles such as authority, urgency, and social proof. SE attacks bypass technological defences by targeting human behaviour, which is often far less protected than systems and networks.
Theoretical models from psychology and information systems, such as the Elaboration Likelihood Model and SE attack lifecycle frameworks, describe how persuasion takes hold and how attacks progress from reconnaissance to execution. However, the rise of AI technologies, including generative AI and deepfakes, has significantly increased the sophistication and reach of SE attacks, and existing models need to be updated to reflect this.
Research gaps include a limited understanding of how organisational culture, communication patterns, and structural factors influence employee susceptibility to SE. Most models focus on individuals, overlooking meso-level (organisational) and macro-level (societal, technological) influences. Moreover, few studies examine cross-sector differences or the long-term effectiveness of SE training and defences.
The study proposes an integrated, multi-level framework that combines individual cognitive biases, organisational culture and policies, and broader societal and technological trends, mapped against the stages of the SE attack lifecycle. This comprehensive approach aims to enhance theoretical understanding and inform practical defence strategies, emphasising that SE resilience requires addressing vulnerabilities at every level, from personal awareness to organisational readiness and evolving technological threats.
Conclusion
This study provides a theoretically grounded, multi-level framework for understanding and mitigating the impact of social engineering attacks on corporate IT security. It departs from reductionist models that treat SE as a purely psychological or technical issue, instead offering a systemic perspective that links individual vulnerabilities, organizational dynamics, and macro-environmental factors across the lifecycle of an attack.
The conceptual synthesis demonstrates that effective SE defence requires more than security awareness or technical barriers. It demands a cultural and structural alignment across the enterprise—spanning employee education, trust governance, regulatory adaptation, and anticipatory technological design. In doing so, this work contributes both to academic discourse and to the actionable insights needed by cybersecurity practitioners.
Future research should build on this foundation by empirically validating the model through comparative case studies, simulations, or longitudinal assessments across industries. Additionally, expanding the framework to account for adversarial adaptation and attacker profiling could enhance predictive power and resilience planning.
In sum, this research advances the theoretical sophistication of social engineering studies while promoting an integrated, context-sensitive approach to cybersecurity strategy. As SE techniques continue to evolve, so too must our frameworks for understanding and resisting them.