Refining the PoinTER “human firewall” pentesting framework

Jacqueline M. Archibald*, Karen Renaud

*Corresponding author for this work

Research output: Contribution to journalArticle

166 Downloads (Pure)

Abstract

Purpose
Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.

Methodology
We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.

Findings
Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.

Originality
Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.
Original languageEnglish
Pages (from-to)575-600
Number of pages26
JournalInformation and Computer Security
Volume26
Issue number4
Early online date19 Jun 2019
DOIs
Publication statusPublished - 25 Sep 2019

Fingerprint Dive into the research topics of 'Refining the PoinTER “human firewall” pentesting framework'. Together they form a unique fingerprint.

  • Profiles

    No photo of Jacqueline Archibald

    Jacqueline Archibald

    • SDI - School Head of Teaching Quality and Learning Enhancement

    Person: Academic

    Cite this