Are You a Soft Target for Cyber Attack? Drivers of Susceptibility to Social Engineering-Based Cyber Attack (SECA): A Case Study of Mobile Messaging Application

. A rise in working and studying from home, activities which depend on the Internet, and the exchange of data coupled with a lack of understanding about security for interacting in cyberspace have made cybersecurity one of the most pressing concerns today. One form, in particular, is a social engineering-based cyber attack. Unfortunately, not much research has been conducted on the susceptibility factors that cause this to happen. This study attempts to understand what factors make a person susceptible to cyber attacks that can be seen from three perspectives: habitual perspective, perception perspective, and social and motivation perspective. The objective of the research is to identify speci ﬁ c characteristics and drivers regarding the social engineering-based cyber attack (SECA) susceptibility of a consumer exposed to social media messaging applications. A quantitative survey was employed to test a total of 114 respondents in Indonesia who are categorized as active Internet users. The study found variables within two of the three perspectives that positively contributed to a consumer ’ s susceptibility to cyberattack. These factors will provide valuable insight into prevention and knowledge of related risks of cyberattacks based on social engineering in the future.


Introduction
Due to the COVID-19 pandemic and large-scale restrictions imposed in almost all countries around the world, working and schooling from home has become the new norm. The migration of activities to the online platform is changing people's approach to everyday activities. Teleworking has increased tremendously with the pandemic as a method for companies to adapt to the situation [1]. Thus, individuals and organizations are becoming increasingly dependent on the Internet to carry out their daily work. This has resulted in a huge increase in virtual presence and time spent online [2]. In line with the increasing interactions in cyberspace, the potential risk of cyber attack posed by these specific changes in behavior during the pandemic is increasing globally [3,4]. The psychological anxiety and fear that people experienced during the pandemic actually drove the success of cyberattack incidence [5]. These conditions make cybersecurity one of the most significant issues today. Protecting people and organizations from becoming targets for cybercriminals is a priority for industry and academia [6].
Cybersecurity attacks increased 600% during the pandemic [7]. Nearly all of the world's regions are affected by cyber threats, including the Asia-Pacific region. In fact, Asia was the most targeted region for cyber attacks in 2021, accounting for one in every four attacks worldwide, or 26% [8]. Specifically, in Indonesia, where this study is based, the National Cyber and Crypto Agency recorded an extraordinary number of cyber attacks during 2020. As of August 2020, there were 189 million; however, by November 2020, the total was 423 million attacks. In cases of data breach, during the period from January to August 2020, there were 36,771 data accounts stolen in a number of sectors, including the financial sector. A survey from Palo Alto [9] stated that the biggest challenges of Indonesian cybersecurity are outdated infrastructure and lack of awareness, especially from the public, who have not been made aware of the importance of maintaining security even in the individual sphere.
Cybersecurity threats manifest in many ways. Primary methods of cybersecurity attack include phishing, ransomware, cryptojacking, data breach, malware, disinformation, and other nonmalicious threats. Most of the attacks require technical skills to orchestrate; however, there are also threats that utilize individual weaknesses. One of the most widely used techniques to commit crimes which focus on individual susceptibility is called Social Engineering. The most common attacks, such as phishing, use the techniques of Social Engineering [10]. Social Engineering strategies deceive victims by taking data that are important for access to financial or other data by exploiting the trust, motives, habits, and behavior of individuals to manipulate them [11,12].
Social engineering has emerged as a serious threat in virtual communities and is an effective way to attack information systems [13]. It is considered to be the most effective technique for attacking even the most secure system, since the weakest link of any system is the users [14]. It is one of the highest risks among other threats such as identity theft, key logger, and cyberbullying [15]. Unfortunately, not much has been learned about the factors that cause this to happen [16]. The literature suggests that future study needs to be conducted to analyze factors influencing social engineering susceptibility [17].
The study's objectives are to identify the characteristic and behavioral drivers that influence susceptibility of social engineering-based cyber attack (SECA). It aims to fill the gap by measuring the level of people's susceptibility to the threat of cybersecurity attacks based on social engineering methods, specifically in relation to social media messaging applications. The issue will be investigated from three different perspectives that can influence cyber attack susceptibility based on previous research by Albladi and Weir [18], with modification of scenarios to adapt to social media messaging applications. Data from Statista (2022) revealed that there many mobile messaging applications as of January 2022. Based on the number of monthly active users, WhatsApp is ranked first, with 2 billion users, followed by WeChat, Facebook Messenger, QQ, Snapchat, and Telegram. Accordingly, the study is limited to the most popular mobile messaging application brand, WhatsApp.

Methods
The study employed a quantitative method using questionnaires which were prepared beforehand with an interview with an expert. There are two steps involved in the process. The first is the development of susceptibility scenarios, and the second is the questionnaire survey. The susceptibility variable is measured by presenting the scenarios of a cyberattack situation and measuring an interviewee's responses. After a careful review of the initial scenarios from Albladi and Weir [18], for the study, we decided to develop a new set of scenarios based on discussion with cybersecurity experts. This new set of scenarios is more relevant to the mobile messaging application and validated by an expert. The next step was to incorporate the scenarios into a quan-titative survey with a unit of analysis of students and/or productive employees.
Interviews were conducted with cybersecurity experts. The aim was to confirm the initial scenario by Albladi and Weir [18]. The expert indicated that the scenarios were not relevant for the context of the study, thus suggesting finding new scenarios for a mobile messaging application context. The research team then curated several scenarios from the media reporting social engineering-based cyber attacks in mobile messaging application contexts.
The scenarios consisted of three types of cyber attack: phishing, clickjacking, and malware. The scenario sets were designed to accommodate at least 6 scenarios with different levels of risk: high, medium, and low. The risk level was set based on the consultation with a cybersecurity expert. These scenarios were part of the survey questions for susceptibility variables that were asked in part 2. Respondents were presented with the scenarios and asked how likely they were to perform the action requested by each scenario. The measurement ranges from 1 for "Never" to 5 for "Definitely". The final development of the scenarios and instruction used in this study is provided in Table 1.
The questionnaire survey was conducted with an analysis unit of students and/or young productive employees who actively use the Internet to study and work in big cities in Indonesia. Data were collected with a total target of 114 respondents and then analyzed with the help of the SmartPLS statistical tool. In taking the sample, the authors used a nonprobability sampling method, a type of convenience sampling.  [12] is all the effort to manipulate a victim's motives, habits, and behavior. The effort requires direct or indirect social interaction between the attacker and victim [19]. Several definitions using interaction as the basis of initiating the attack include Mouton et al. [20], who defined social engineering as a science of using social interaction in order to persuade an individual or organization to perform a specific request. This request might employ one or more methods of social engineering, indirect or direct communication, a target, medium, goal, and principles of compliance. Boshmaf et al. [21] described social engineering as a form of art to gain access to an otherwise secure object by exploiting human psychology. This definition highlights the importance of psychological and behavioral discipline in the method of social engineering. The psychological term that is most commonly used in the definition of social engineering is manipulation. Breda et al. [22] stated that social engineering is the design and application of techniques in order to deliberately manipulate humans. In a cybersecurity context, this technique is used to lure victims in order to disclose confidential data or breach other security protocols including infecting the system and releasing classified information.
The basic classification of SECA consists of humanbased attacks and technology-based attacks [11,23]. There are three methods of attack that can be conducted: social, 2 Human Behavior and Emerging Technologies technical, and physical [23]. A social-based attack involves a scenario in which the attacker tries to persuade an individual target through psychological and emotional manipulation [17]. This is deemed to be more dangerous since humans naturally tend to trust one another compared to computers, making them a soft target for this approach. Another main classification of SECA is direct and indirect attacks. A direct attack is conducted via an interaction between attacker and victim, while an indirect attack is conducted via malware software, email, or messaging services [23]. The stages of SECA start from information gathering, followed by trust building, exploitation, and execution. Similarly, Salahdine and Kaabouch [23] identify the stages as research information collection, relationship development, exploitation, and execution and exit. In preparation of the action, the attackers build a relationship of trust with the victim [11]. The information gathered is then used for specific purposes or trade in the black market of data [23]. Breda et al. [22] further differ-entiated a SECA path attack according to the access that the attackers gain in order to exploit human vulnerabilities. Initially, this is through a social approach, with which the attackers use methods such as tailgating, impersonating, eavesdropping, shoulder surfing, and reverse social engineering, whereas the sociotechnical approach uses techniques such as phishing, baiting, and watering hole. The current study adopted the latter approach, with the three most commonly used techniques, phishing, baiting through malware, and clickjacking.
Phishing is the act of requesting detailed personal information such as the user's personal information, email, credit card details, pin, or password and then using this sensitive information to attack [10]. The lifecycle of a phishing attack includes the phase of planning and setup, the phishing attack itself, break in, data collection, and break out [24].
Clickjacking is an action designed to attract the victim with a shocking post or an essential document that is displayed as a PDF with the mouse pointer placed on the link Table 1: Susceptibility instruction and scenarios. Instructions: read carefully the scenario below. Each scenario describes a situation that commonly occurs when we surf in cyberspace. You are asked to state the action or reaction you are most likely to take when faced with the scenario. The reaction that is measured is the likelihood that you will carry out the desired follow up in the scenario; it can be in the form of filling in the data or clicking the next button. Your honesty when filling out our survey is very helpful, and there are no right or wrong answers in each of these situations. 3 Human Behavior and Emerging Technologies and the actual URL in the status bar indicating that the document is a file that has to be clicked. This type of attack takes advantage of a victim's sense of curiosity using a video click as bait [14]. Once the victim clicks the video or image or post, the control of their computer is taken over by the attacker to acquire sensitive information or files.
Malware attack offers an application that allows users to achieve certain things, for example, to call and message their friends for free, if they give the application permission to access their profile and contact information and ignore the security warning message. Yan et al. [25] investigated malware propagation and found that malware can spread easily and exponentially in social network applications, thus becoming a serious threat in the system.

Behavioral
Perspective of SECA: Habitual, Perception, and Socioemotional. Studies have argued that a person can be a victim of social engineering due to human weakness related to social-psychological factors [26]. These factors are the reason humans act in certain ways and can be affected by personality types, demographic variables, and motivations and drives.
The conceptual model of this study was based on three perspectives. The first is the habitual perspective, which measures the susceptibility of society to social engineering through the level of involvement, number of connections, and social network experience. Second is the perception perspective, which includes risk perception, competence, and cybercrime experience. The third is the social-emotional perspective, which consists of trust and motivation.
Habitual perspective is taken from the consumer behavior area, which refers to consumer decisions that are driven by habit, that is, decisions that are taken without much deliberation and comparison, other than what is considered repeating the same purchase out of habit. A related concept is consumer involvement, whereas low involvement might result in habitual behavior. In this study, the involvement of respondents in their social network is taken into account for social engineering susceptibility. It is hypothesized that higher involvement, connections, and experience contribute to higher susceptibility to a cyber attack (H 1 ).
Perception is defined as a person's understanding of the world around them [27]. The study of Alqarni et al. [28] on a social-media user's perception of a stranger's invitation found that the basis of accepting an invitation from a stranger is the perception risk arising from assessing their credibility. The perception of risk comprised the measure of severity should the event occur and the probability or likelihood of a cyberattack occurring. Furthermore, De Lange et al. [29] stated that a decision based on perception is strongly facilitated by experience. Thus, the evaluation of risk, competence, and previous experience formed a perception perspective based on the first hypothesis in this research. The hypotheses (H 2 , H 3 , and H 4 ) therefore suggested that perception perspective variables have a positive and significant relationship with susceptibility of SECA.
Along with habitual and perception perspectives, social and emotional state of being was believed to contribute to susceptibility of cyber attack. Previous studies found that motiva-tion and trust in engaging with social media might contribute to one's susceptibility to cyberattack. Motivation is one of important factors to be investigated to predict certain behavior and therefore would provide insight into controlling SECA. Albladi and Weir's [18] expert's opinion suggested that one's motivation in engaging with a social network with low preventive measures can lead to cyber attack.
A study of consumer behavior defines motivation as utilitarian and hedonic [30,31]. In the same light, Algarni et al. [26] categorized motivation of SECA into two types: need based and emotion-based behavior. Hedonic motivation results from the sensations one feels when engaging in social media messaging, while utilitarian motivation is derived from the function or "need" state of using the social media messaging application. Due to this typology, the motivation variable is hyphotize to comprise of hedonic and utilitarian motivation significantly contribute to the susceptibility of SECA (H 5 ).
Moreover, trust in technology is also identified as important variable which might contribute to one's susceptibility to cyber attack. The study of Pyke et al. [32] showed that propensity to trust is linked to the severity of cyber attacks. The current study aimed at differentiating between trust to the provider of technology (in this case, a social media provider) and trust to the member of the network (H 6 and H 7 ).

Results
The survey gathered 114 respondents through an online questionnaire and processed the responses for further analysis. The respondents' gender was 44.74% male and 55.26% women. Most respondents were young adults, aged 20-25 years (41.23%). The most recent education of the respondents was high school graduate (61.40%) followed by bachelor's (25.44%). The majority of respondents were in the group with monthly expenses of <USD 100, at 38.60%, followed by USD 100-200, at 28.07%, which is categorized as middle and lower-middle income class in Indonesia, which is the largest socioeconomic group. The current study conducted tests on whether demographic factors (age, gender, education, SES, and job position) influence susceptibility. The results show that all demographic variables have no influence on susceptibility since all results found were not significant.

Outer Model Analysis.
The outer model result was tested against the criteria for reliability and validity. Cronbach's alpha was used as a measure of reliability. All variables had a Cronbach's alpha of more than 0.5 (>0.5), which suggests that the variables are reliable in measuring the construct. Composite reliability was tested as a measure of internal consistency with criteria larger than 0.7 (>0.7). The results show that all variables have a high internal consistency. Average variance extracted (AVE) was used to assess convergent validity. The value should be at least 0.5 (>0.5). Rounded values of all variables were shown to meet the criteria. The loading value of indicators should be larger than 0.5 (>0.5). The results omitted indicators that fell below 0.5 and retained a total of 37 indicators that met the criteria. Table 2 shows the mean and standard deviation of each 4 Human Behavior and Emerging Technologies  indicator. It can be concluded that the listed indicators were reliable and valid, and thus were ready to be further processed and analyzed for the inner (structural) model.

Inner
Model. The inner model aims at testing the relationship between the latent variables as hypothesized. The bootstrapping process determines the significance of each relationship (T value), and the coefficient value measures the correlation between each variable. From the results (Figure 1), the variables that indicate a significant and positive relationship with susceptibility are habitual perspective, risk perception, and cyber attack experience. On the other hand, competence, motivation, and trust have been found not to significantly affect susceptibility. These findings are elaborated further in Section 3.3.

Discussion
3.3.1. Susceptibility. Susceptibility scenarios have become the main measurement of susceptibility to cyber attack based on social engineering. In this study, there were six scenarios developed based on a scale of 1 to 5, where 1 means never and 5 means definitely would carry out the instructions requested in the scenario developed. As seen in Table 3, the results showed that 56.2% of respondents indicated that they were aware that the situation given in the scenario was suspicious and could lead to a method of attack via the chat messaging app; therefore, they chose not to fulfill the task requested in the scenario. However, the rest of the answers varied, which implies that some respondents are still susceptible to an attack. More-over, the most susceptible scenario of selecting answers 4 and 5 (combined) is high. It was found that vulnerabilities were displayed when the respondent answered scenario 3, which offered WhatsApp stickers, followed by scenario 4, which invited users to download Netflix premium, and scenario 6, about a company's offer.
Further analysis shows that all scenarios were valid and reliable indicators of the susceptibility variable. The higher the value of the answers, the more susceptible the person is to social engineering-based cyberattack. In the next section, the relationship between the three perspectives and susceptibility is discussed to provide more insight into the driving factor of this construct.

Demographic
Profile. The study found that the demographic variables were not validated as an indicator of one's susceptibility in this sample set. This finding contradicts Darwish et al., who found that demographic factors such as age, gender, education, and personality affect one's susceptibility to phishing attacks [33]. However, Gratian et al. [34] found no correlation between age and the user's effort for device securement, thus supporting the current research.

Habitual Perspective.
The findings of this study show that habitual perspective has a significant and positive influence on susceptibility. This result implies that when the habitual perspective increases, one's susceptibility to SECA also increases, in the context of using a social media messaging application. This study is in accordance with research conducted by Albladi and Weir [18] and Molodetska et al. [35], which found frequent status updates and a high  Human Behavior and Emerging Technologies number of contacts that comprise a habitual perspective can increase the level of susceptibility to SECA. Another study that indirectly supports this finding is by Darwish et al. [33], who found that a higher frequency of online shopping also leads to greater susceptibility to phishing attacks.

Perception
Perspective: Risk Perception, Competence, and Cyberattack Experience. Perception perspective consists of risk perception, competence, and cyberattack experience. The study found that risk perception has a significant and negative influence on susceptibility. This indicates that when risk perception of a situation increases, the SECA decreases. Increasing one's perception of risk increases a person's ability to detect cyber threats or attacks, in other words, promoting precautionary behavior, which in turn makes a person less susceptible to cyber attacks [15,18,36].
Another driver of SECA susceptibility is cyberattack experience. The current result confirmed that experience has significant and positive effects on susceptibility to social engineering-based cyber attack. This implies that the more extensive the experience of cyberattacks, the more susceptible one is to cyber attack. It seems that when a person is targeted for a cyberattack, they have characteristics that increase their susceptibility to SECA.
Interestingly, competence was not found to have a significant effect on susceptibility. A previous study by Broadhurst et al. [37] explained that information technology (IT) competence did not greatly affect susceptibility. The participants who took part in the IT study indicated that IT competence would be significant, but most had no effect on security perceptions of susceptibility. A possible explanation, in this case, where cyber attacks use social engineering methods, is that some people carry out their actions by manipulation; thus, greater knowledge of IT has no relation to whether a person can be manipulated or not.
3.3.5. Socioemotional Perspective: Motivation and Trust. The results show that the susceptibility to social engineeringbased cyberattacks is not caused by motivation or trust in the context of the current study. The motivation of someone to engage in social media messaging applications has not proven to be a determinant of their susceptibility to SECA. It implies that whether the motivation for engaging in social media messaging is hedonic, or utilitarian does not affect the likelihood of a cyberattack based on social engineering. In this context, it will be interesting to further elaborate whether low self-control is a better predictor of sustainability than motivation, as in the study of Nodeland [38]. In addition, the level of trust in the application provider or in a fellow user of social media messaging will not have an effect on SECA susceptibility. Although trust in online services is a factor to be considered by the users [39], it was not proved in the current study to be a determinant of one's SECA susceptibility.

Conclusions
The study's objective was to determine whether one's characteristics or behavior can be an identifying factor or a driving factor of susceptibility to social engineering-based cyberattack in the context of social media messaging services. The results of the current study imply that no demographic characteristic has an influence on susceptibility. Thus, a person's age, gender, education level, job position, and socioeconomic status might not indicate anything about the possibility of the person being more or less susceptible to SECA.
On the other hand, the study found three driving factors of susceptibility to SECA. The first is habitual: the habit of updating one's WhatsApp status and the number of contacts one has can increase one's susceptibility to SECA. The second is the perception of risk, the realization of severity, and the likelihood of the risk becoming an attack which can reduce susceptibility to SECA. The third is the experience of attack: as the occurrence and variability increase, it can also mean that a person is more susceptible to SECA. Interestingly, the study found that competence in IT is not a guarantee that a person is less susceptible to SECA, nor motivation and trust.
The results highlighted the important implications of increasing literacy in relation to cyber security. Siddiqi et al. [40] suggested methods to counter SECA and concluded that training and educating individuals about cybersecurity measures and SECA is the top priority. With greater knowledge of the risk of attacks, a person can be more alert to SECAs. This will be the responsibility of not only the government but also private institutions which There are ten aspects involved in the policies taxonomy, including access control policy and privacy policy [41]. The current study is not without limitations. Future studies could increase the sample size and the variety of user characteristics. Other types of social media providers could also be investigated to complement social media messaging. Further research could aim to identify other behavioral drivers of one's susceptibility to SECA, such as social influence, personality, or self-control.

Data Availability
The survey data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare no potential conflict of interest.