Cyber Security

What is the impact of "Social Engineering" in a modern penetration testing report?

GL Asked by Gloria Jenkins · 04-01-2025
0 upvotes 10,196 views 0 comments
The question

Our security team wants to include phishing and vishing (voice phishing) in our next engagement. How do we quantify the risk of a successful social engineering attack to the board? Is it enough to just say "5% of people clicked," or should we be looking at deeper impact metrics?

3 answers

0
VI
Answered on 06-01-2025

Clicking a link is just the "entry" metric; the real impact is what happens next. You need to track "Payload Execution" and "Credential Harvest." For example, if 5% clicked but 100% of those entered their corporate credentials into a fake login page, that’s a critical failure. Furthermore, measure "Lateral Movement" potential. If you gain access to one workstation via phishing, how far can you go? Can you reach the domain controller? The board cares about the "Crown Jewels." Showing that a single phishing email led to the compromise of the CFO’s mailbox is far more impactful than just showing a high click rate percentage.

0
PH
Answered on 08-01-2025

Reporting is one thing, but how do you handle the potential "employee backlash" when people feel tricked or embarrassed by the security team?

VI 10-01-2025

This is where the "Ethical" part is crucial. You must ensure the results are anonymized in the final report. Never "name and shame" individual employees to management. Instead, frame it as a systemic training gap. Use the results to justify better technical controls, like hardware MFA, which would have neutralized the stolen credentials anyway. The goal is to build a "blame-free" culture where employees feel comfortable reporting mistakes rather than hiding them out of fear of being fired.

0
LO
Answered on 11-01-2025

Include a "Time to Compromise" metric. Showing that it took only 15 minutes from sending the email to gaining admin access really highlights the speed of modern threats.

GL 12-01-2025

That’s a powerful metric, Louis. It demonstrates to leadership that detection time is just as important as prevention.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: India

Book Free Session