Penetration tests have become a valuable tool in any organisation's arsenal for detecting vulnerabilities in their technical defences. Many organisations now also "penetration test" their employees, assessing their resilience and ability to repel human-targeted attacks. There are two problems with current frameworks: (1) few of these have been developed with SMEs in mind, and (2) many deploy spear phishing, thereby invading employee privacy, which could be illegal under the new European General Data Protection Regulation (GDPR) legislation. We therefore propose the PoinTER (Prepare TEst Remediate) Human Pentesting Framework. We subjected this framework to expert review and present it to open a discourse on the issue of formulating a GDPR-compliant Privacy-Respecting Employee Pentest for SMEs.
| Field | Value |
|---|---|
| Title of host publication | Proceedings of the Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018) |
| Editors | Nathan Clarke, Steven Furnell |
| Place of publication | Plymouth |
| Publisher | Centre for Security, Communications & Network Research, University of Plymouth |
| Number of pages | 11 |
| Publication status | Published - 9 Sep 2018 |
| Event | 12th International Symposium on Human Aspects of Information Security & Assurance, Dundee Business School, Abertay University, Dundee, United Kingdom (duration: 29 Aug 2018 → 31 Aug 2018; conference number: 12) |
| Conference | 12th International Symposium on Human Aspects of Information Security & Assurance |
| Abbreviated title | HAISA 2018 |
| Period | 29/08/18 → 31/08/18 |
Archibald, J., & Renaud, K. (2018). POINTER: a GDPR-compliant framework for human pentesting (for SMEs). In N. Clarke, & S. Furnell (Eds.), Proceedings of the Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018) (pp. 147-157). Centre for Security, Communications & Network Research, University of Plymouth.