Auditing the Human Factor as a Part of Setting up an Information Security Management System

University essay from KTH / Industriella informations- och styrsystem (Industrial Information and Control Systems)

Author: Gustav Svensson (2013)


Abstract: The human factor is the weakest link in every information system with regard to security, yet users are not aware of the risks or of the importance of following policies and routines to prevent a security breach. The most common attack vector begins by exploiting human weakness to plant malware inside the organization. A sound way of auditing the human factor is needed to address this issue. This study evaluates different penetration tests: two phishing attacks and one in the form of a survey under a false pretext. The respondents are led to believe that they are answering questions about customer service efficiency, while the questions are actually about information security and social engineering. This thesis argues that people's predisposition to fall for social engineering is very difficult to measure, but that the survey under a false pretext is an interesting method for auditing how vulnerable an organization is to social engineering. It is also effective at raising security awareness and can serve as a soft start for the information security management process. The author further argues that all humans can be deceived and that trust is crucial for society to function. It is therefore perhaps more meaningful to audit users' compliance with security policies than human behavior itself.
