I do agree with the facts that social engineering, as a part of penetration testing, is risky. No matter how one argues, inviting hackers into your organization to perform a penetration test has inherent risks (Johnson, 2019). Unethical use of such skills by penetration testers has resulted in cyber-attacks on individuals and organizations. Threats have also been made by pen testers on people, which is ethically wrong. Due to the recklessness of penetration testers, there have been significant catastrophic outages and damage to machinery. Such outages may result to huge losses or even loss of human life when machines malfunction. Companies may also lose customers due to phishing attacks where customers no longer trust the company with their data.
As for results, they may not be very useful. There is likelihood that a penetration tester, despite their prowess in cyber security, will not find all the vulnerabilities in the system. (Wilkinson, 2015). In some cases, penetration testing may offer a false sense of security. Organizations may tend to think that they have the safest systems until a real attack occurs. Software malfunction may also show that a system is safe whereas it is not.
Social engineering is one of the biggest challenges facing network security because it exploits the natural human tendency to trust (Salahdine & Kaabouch, 2019). Their main aim is getting individuals to give sensitive data for the gain of cyber criminals. Human beings are considered the weakest link when it comes to cyber security. The rationale of this statement lies in the fact that humans tend to trust other humans as compared to computers. Eventually, we do realize that we are after systemic issues. What better way to solve systemic issues other than simulation?