Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end‐users

The purpose of this case study paper is to demonstrate that, no matter how complex computer security systems are, effort should be concentrated and focused on employees to improve their security awareness. Each employee needs to become a “Security Deputy” to the company's computer security staff and he or she needs to take some responsibility for preventing security breaches – whether inside the workplace or not. It is easy to unwittingly spread a virus, or open security vulnerabilities, and such actions might damage a company's systems perhaps even more than malicious employees, through simple ignorance of security issues.

A series of surveys and questionnaires were designed along with practical exercises and security awareness training sessions.

Following their involvement in the exercises and awareness training, employees demonstrated improvement in security awareness. Users were made explicitly aware of the realities of IT security with pertinent questions asked in order to force them evaluate their own reactions to a situation which may escalate into a security incident.

The research was undertaken in a typical medium‐large sized company within the energy business sector, but it is possible that results may be different in other sectors.

It is clear that security technologies alone cannot prevent incidents and therefore employees need good quality security awareness training in order to protect the organisation.

It is becoming increasingly important that employees are taken through a more rigorous security‐awareness training programme, in order to protect business computer systems and to “protect them from themselves”.