
Social Engineering Threats in the Insurance Sector: Human-Centric Risks and Organisational Resilience

Tuominen, Marja (2025)

 

Restricted access
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:amk-2025121536277
Abstract
This thesis examines social engineering risks in a Finnish insurance company and focuses on customer-facing work in claims handling, customer service and sales. The purpose of the development work is to support the commissioning organisation in strengthening its human-centric information security by analysing how social engineering risks appear in everyday customer interactions. The purpose of this development work is to examine how social engineering manifests in the everyday operations of a Finnish insurance company and to identify human-centric vulnerabilities in customer-facing roles. The aim is to analyse existing practices in data protection, information security, staff training and facility security, and to produce concrete, role-specific recommendations that strengthen the organisation’s resilience against social engineering.

The development task is to generate concrete, role-specific recommendations that support employee training, managerial work and the organisation’s security culture. The theoretical framework combines technical, psychological and organisational perspectives. The framework draws on theories of influence, organisational culture and information security practices, which are applied to the insurance industry context. The methods used include a mixed-methods approach: document analysis of 18 internal policies and guidelines, a staff survey, email interviews with experts and managers, and an observation round at the company’s headquarters.

The findings indicate that while technical and regulatory frameworks are largely in place, challenges remain in staff awareness, supervisory practices and the consistent application of facility security guidelines. Hybrid work was highlighted as an area that increases vulnerabilities, especially in the handling of sensitive data. The results emphasise the need for recurring and concise training, stronger supervisory engagement, and a clearer integration of facility and information security policies.

In conclusion, the thesis recommends that insurance companies adopt a more holistic security culture, strengthening the link between technical measures, human awareness and organisational practices. This requires not only compliance with existing regulations but also a proactive approach to security culture and supervisory responsibility.