Abstract:
Social engineering attacks are a critical threat to organizational security because they exploit human psychological vulnerabilities. Despite the availability of technical safeguards, most users are generally unprepared to detect such attacks and mitigate their impact, which highlights a gap in current practice and prevention strategies. This study employs a mixed-methods approach, combining a literature review with primary data collected through questionnaires and interviews conducted with 75 participants from diverse professional backgrounds in Sri Lanka, selected through purposive sampling to ensure a representative sample. The term mixed-methods here means that both open-ended and closed-ended questions were analysed, through qualitative and quantitative methods respectively. The results showed that 78.7% of respondents were aware of existing social engineering attacks, but most were less confident in identifying such an attack, with only 25.3% very confident in identifying them. Behavioral factors, in particular cognitive biases (trust, fear, and urgency) and overconfidence, were recognized as key critical factors influencing vulnerability. Users make substandard choices even when they know the potential dangers because these biases cloud their judgment. Real-time simulations and personalized interactive training tools, on the other hand, were identified as more effective for improving user readiness than traditional training methods. These findings point to the need for user-centered cybersecurity education that integrates psychological and technological measures as a means of better positioning users against social engineering attacks. Further research should focus on developing such tools and on expanding adaptive training programs for a wide range of user groups.