# Social Engineering Assessments

One-sentence definition: Controlled tests of user/process susceptibility to phishing, vishing, smishing, and onsite attempts.

## Key Facts

- Get legal/HR approval; limit data collection; provide awareness follow-up.
- Measure click rates, report rates, credential submission attempts.
- Onsite: badge tailgating tests, clean desk, visitor control checks.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose training + process fixes over blame.

**Mnemonic:** “**Test → teach → trend**.”

## Mini Scenario

Q: High click but high report rate—interpretation?

A: Detection present; improve blocking and just-in-time prompts.

## Revision Checklist

- Approval requirements.
- Two metrics.
- Ethical boundary.

## Related

[[Physical Security Assessments and Walkthroughs]] · [[Reporting and Executive Summaries]] · [[Security Metrics for Testing Programs]] · [[Third-Party Assessment and Vendor Risk Testing]] · [[Red Team vs Blue Team vs Purple Team]] · [[Domain 6 - Index]]