Abstract

Penetration testing is an increasingly common strategy adopted by organizations to mitigate security risks including those posed by social engineering—the deception of individuals for the purposes of circumventing information security measures. Drawing from 54 interviews with security auditors, IT professionals, and social engineers, this study explores participant descriptions of the (1) importance of social engineering penetration tests, (2) measurement of assessment outcomes, (3) use of penetration tests as part of security awareness programs, and (4) attitude social engineers should adopt in working with client organizations and their employees. Implications for security research and penetration testing are considered.

摘要

渗透测试是一种越来越普遍的策略，被组织用来减轻安全风险，包括社会工程带来的风险——为了规避信息安全措施而欺骗个人。根据对安全审计员、IT 专业人员和社会工程师的 54 次采访，本研究探讨了参与者对以下内容的描述：(1) 社会工程渗透测试的重要性，(2) 评估结果的衡量，(3) 使用渗透测试作为安全意识计划，以及 (4) 社会工程师在与客户组织及其员工合作时应采取的态度。考虑了对安全研究和渗透测试的影响。