How many people accept being subjected to a social driven vulnerability assessment?

Written by Enrico Frumento - CEFRIEL

At a certain point during a social engineering vulnerability assessment, the penetration tester and the company have to debrief the people who were deceived, to share the results of the tests and turn the whole experience into a positive one, while also delivering some awareness training to those people. Since the beginning of the field tests, we have wanted to understand how many people would accept being “victimized” by an SDVA test, even if it was for a good cause.

Negative experiences in this direction exist, the most famous being what happened to ABN Amro.

In December 2017, a phishing simulation was sent to the bank’s employees. It was supposedly about a Christmas present, rewarding their excellent performance. It was a well-targeted and believable attack, typical of a sophisticated “spear phishing” campaign. Many employees “clicked the link” and were surprised to find out that it was a training simulation. However, Amro did not anticipate the tsunami of adverse reactions and emotions it received from its employees. It created an internal crisis of trust which spilled over into the press. Margot van Kempen, the chairman of the council of employees, said bluntly, “This is very annoying for people who feel offended by it.” The result was not the outcome that the security managers of ABN Amro wished for. However, feeling insulted is not the only reaction that poorly implemented phishing simulations can provoke. Some employees can also actively sabotage training efforts by publishing the phishing email on the company’s internal communication channels or on Facebook to forewarn colleagues, who then do not “click the link.” This may be a positive collegial reaction, but it is also one that will hurt the training efforts and therefore put the company at risk.

Situations like the one at Amro may worsen the cybersecurity posture of the company, which is the opposite of the original intent.

In DOGANA, we tested four critical end-users, belonging to different categories:

  • HMOD, military
  • GNS, public sector
  • DBI, critical infrastructure
  • RATB, public services

During the field tests, we debriefed the end-users involved, asking them about their level of anxiety, rage, and satisfaction right after discovering that they had been subjected to a social engineering vulnerability assessment. We did the same with the legal departments of those companies.

The great effort spent building an ethically and legally compliant framework rewarded us, because 100% of those interviewed did not complain at all. In our opinion, this is an excellent result and proof that the European ethical and legal dimensions of an SDVA are relevant.




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618



