Refining the PoinTER “human firewall” pentesting framework

Jacqueline M. Archibald (School of Design and Informatics, University of Abertay, Dundee, UK)
Karen Renaud (School of Design and Informatics, University of Abertay, Dundee, UK)

Information & Computer Security

ISSN: 2056-4961

Publication date: 19 June 2019



Penetration tests have become a valuable tool in the cyber security defence strategy in terms of detecting vulnerabilities. Although penetration testing has traditionally focussed on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyberattacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper, the authors reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. This paper aims to propose improvements to refine the framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny


The authors conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet the requirements to have an ethical human pentesting framework, the authors compiled a list of ethical principles from the research literature which they used to filter out techniques deemed unethical.


Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, the authors propose the refined GDPR-compliant and privacy respecting PoinTER framework. The list of ethical principles, as suggested, could also inform ethical technical pentests.


Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.



Archibald, J. and Renaud, K. (2019), "Refining the PoinTER “human firewall” pentesting framework", Information & Computer Security, Vol. ahead-of-print No. ahead-of-print.

Download as .RIS



Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited

Please note you might not have access to this content

You may be able to access this content by login via Shibboleth, Open Athens or with your Emerald account.
If you would like to contact us about accessing this content, click the button and fill out the form.