Refining the PoinTER “human firewall” pentesting framework

PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature

Cyber Situational Awareness and Cyber Curiosity Taxonomy for Understanding Susceptibility of Social Engineering Attacks in the Maritime Industry

The maritime information system (IS) user has to be prepared to deal with a potential safety and environmental risk that can be caused by an unanticipated failure to a cyber system used onboard a vessel. A hacker leveraging a maritime IS user’s Cyber Curiosity can lead to a successful cyber-attack by enticing a user to click on a malicious Web link sent through an email and/or posted on a social media website. At worst, a successful cyber-attack can impact the integrity of a ship’s cyber systems potentially causing disruption or human harm. A lack of awareness of social engineering attacks can increase the susceptibility of a successful cyber-attack against any organization. A combination of limited cyber situational awareness (SA) of social engineering attacks used against IS users and the user’s natural curiosity create significant threats to organizations. The theoretical framework for this research study consists of four interrelated constructs and theories: social engineering, Cyber Curiosity, Cyber Situational Awareness, and activity theory. This study focused its investigation on two constructs, Cyber Situational Awareness and Cyber Curiosity. These constructs reflect user behavior and decision-making associated with being a victim of a social engineering cyber-attack. This study designed an interactive Web-based experiment to measure an IS user’s Cyber Situational Awareness and Cyber Curiosity to further understand the relationship between these two constructs in the context of cyber risk to organizations. The quantitative and qualitative data analysis from the experiment consisting of 174 IS users (120 maritime & 54 shoreside) were used to empirically assess if there are any significant differences in the maritime IS user’s level of Cyber SA, Cyber Curiosity, and position in the developed Cyber Risk taxonomy when controlled for demographic indicators. To ensure validity and reliability of the proposed measures and the experimental procedures, a panel of nine subject matter experts (SMEs) reviewed the proposed measures/scores of Cyber SA and Cyber Curiosity. The SMEs’ responses were incorporated into the proposed measures and scores including the Web-based experiment. Furthermore, a pilot test was conducted of the Web-based experiment to assess measures of Cyber SA and Cyber Curiosity. This research validated that the developed Cyber Risk taxonomy could be used to assess the susceptibility of an IS user being a victim of a social engineering attack. Identifying a possible link in how both Cyber SA and Cyber Curiosity can help predict the susceptibility of a social engineering attack can be beneficial to the IS research community. In addition, potentially reducing the likelihood of an IS user being a victim of a cyber-attack by identifying factors that improve Cyber SA can reduce risks to organizations. The discussions and implications for future research opportunities are provided to aid the maritime cybersecurity research and practice communities