
Electronic data

  • ssa-ecosystem-preprint

    Accepted author manuscript, 1 MB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License


The simulated security assessment ecosystem: Does penetration testing need standardisation?

Research output: Contribution to journal/magazine, journal article, peer-reviewed

Published

Standard

The simulated security assessment ecosystem: Does penetration testing need standardisation? / Knowles, William; Baron, Alistair; McGarr, Tim.
In: Computers and Security, Vol. 62, 09.2016, p. 296-316.


Vancouver

Knowles W, Baron A, McGarr T. The simulated security assessment ecosystem: Does penetration testing need standardisation? Computers and Security. 2016 Sept;62:296-316. Epub 2016 Aug 11. doi: 10.1016/j.cose.2016.08.002


Bibtex

@article{2546ecaaca1c4091bcad6e3bb604fbc6,
title = "The simulated security assessment ecosystem: Does penetration testing need standardisation?",
abstract = "Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which has left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments, that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients but also to the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation.",
keywords = "Penetration testing, Security, Evaluation, Standards, Assessment",
author = "William Knowles and Alistair Baron and Tim McGarr",
year = "2016",
month = sep,
doi = "10.1016/j.cose.2016.08.002",
language = "English",
volume = "62",
pages = "296--316",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY  - JOUR
T1  - The simulated security assessment ecosystem
T2  - Does penetration testing need standardisation?
AU  - Knowles, William
AU  - Baron, Alistair
AU  - McGarr, Tim
PY  - 2016/9
Y1  - 2016/9
N2  - Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which has left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments, that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients but also to the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation.
AB  - Simulated security assessments (a collective term used here for penetration testing, vulnerability assessment, and related nomenclature) may need standardisation, but not in the commonly assumed manner of practical assessment methodologies. Instead, this study highlights market failures within the providing industry at the beginning and ending of engagements, which has left clients receiving ambiguous and inconsistent services. It is here, at the prior and subsequent phases of practical assessments, that standardisation may serve the continuing professionalisation of the industry, and provide benefits not only to clients but also to the practitioners involved in the provision of these services. These findings are based on the results of 54 stakeholder interviews with providers of services, clients, and coordinating bodies within the industry. The paper culminates with a framework for future advancement of the ecosystem, which includes three recommendations for standardisation.
KW  - Penetration testing
KW  - Security
KW  - Evaluation
KW  - Standards
KW  - Assessment
U2  - 10.1016/j.cose.2016.08.002
DO  - 10.1016/j.cose.2016.08.002
M3  - Journal article
VL  - 62
SP  - 296
EP  - 316
JO  - Computers and Security
JF  - Computers and Security
SN  - 0167-4048
ER  -