The simulated security assessment ecosystem: Does penetration testing need standardisation?

Knowles, William and Baron, Alistair and McGarr, Tim (2016) The simulated security assessment ecosystem: Does penetration testing need standardisation? Computers and Security, 62. pp. 296-316. ISSN 0167-4048

PDF (ssa-ecosystem-preprint)
ssa_ecosystem_preprint.pdf - Accepted Version
Available under License Creative Commons Attribution.

Abstract

Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which have left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments, that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients but also to the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation.

Item Type:
Journal Article
Journal or Publication Title:
Computers and Security
ID Code:
83157
Deposited On:
24 Nov 2016 16:44
Refereed?:
Yes
Published?:
Published
Last Modified:
12 Jul 2020 06:10