Ethical assessment of teaching ethical hacking

My uOttawa PhD thesis, titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society, completed in 2020 at uOttawa engineering (the PhD in DTI uOttawa Program), contributed a set of pragmatic policy statements – recommendations to mitigate the risks of teaching hacking skills to higher education students in computer science and computer engineering disciplines. Three key themes constituting a pragmatic ethical assessment of ethical hacking teaching practices were discussed based on open coding (during data analysis) for Mario Bunge’s (1975) three technoethical rules:

1) goals and possible side effects (of teaching students hacking skills),

2) means and goals (of teaching students hacking skills), and

3) overall value (in terms of efficiency and fairness, representing pragmatic policy statements matching means to goals).

  • The ethical case for teaching hacking skills
  • Pragmatic policy statements

You may also be interested in The technoethics of Mario Bunge.

[Image: Doing the right thing with the help of Mario Bunge’s pragmatic value theory]

The ethical case for teaching hacking skills

Technology assessment of using hacking technology in teaching practices helps facilitate rational public policymaking by articulating the ethical and social aspects of technology use in society in a transparent manner. See Table: The ethical case for teaching higher education students hacking skills, and Table: Ethical Decision-Making Frameworks.

The merits of technology assessments are:
1) Addressing societal concerns;
2) facilitating compliance with legal and other regulatory requirements (e.g. standards) and ethical standards;
3) appealing to public confidence and demonstrating corporate and social responsibility; and
4) being a “best-efforts obligation,” constituting evidence of due diligence which can potentially limit liabilities.

Table: The ethical case for teaching higher education students hacking skills

Columns: Duty, Rights, Virtue, Utilitarian. Rows: stakeholder group.

Society
Duty: Society has a moral duty to teach students hacking skills to equip them with skills/knowledge to succeed in life and in employment (skills to protect themselves and their future employers).
Rights: Teaching students hacking skills respects their rights to an education that will help them succeed in life and in employment. Society “has an obligation to develop educational and learning opportunities for citizens to develop their full potential” (May, 2012, p. 27).
Virtue: Students ought to be taught the hacking skills they need to realize their full potential.
Utilitarian: Teaching students hacking skills can reduce crime risk to society and thus produce the greatest amount of good with the least harm.

Business
Duty: Businesses have a moral duty to support training students in the use of hacking technologies in collaboration with higher education and government.
Rights: Businesses need to be able to find and recruit ethical hacking talent with hands-on experience in necessary areas of specialization.
Virtue: Business should find channels to help students self-actualize in collaboration with academia and government, e.g., through cybersecurity talent competitions, internships, and scholarships.
Utilitarian: Teaching students the skills the industry needs produces the greatest good and least harm.

Higher education
Duty: Higher education has a moral duty to teach students hacking skills to help them protect themselves and succeed in a professional career, and to produce a growing number of professionals with information management systems security expertise to secure the national digital infrastructure (Sharma & Sefchek, 2007).
Rights: The reputation and financial performance of an institution should not be damaged by bad press.
Virtue: Higher education should design teaching practices that will help students develop their full potential.
Utilitarian: Teaching students hacking skills supports national security efforts and has a net benefit to society. Students would be able to protect themselves and find work, which supports an overall good of meeting national security needs.

Government
Duty: The government has a moral duty to support teaching students hacking skills so as to protect the national digital infrastructure and ensure political stability.
Rights: The government needs qualified security talent to safeguard national critical infrastructure and public service institutions.
Virtue: The government ought to support efforts to give students the opportunities to achieve self-actualization.
Utilitarian: Students should know the cyberthreat landscape and the extent of the politicization of personal communication.

Pragmatic policy statements

The necessity to teach students the same skills as hackers for effective defence underlies an ethical dilemma for ethical hacking curriculum designers and policymakers – to teach or not to teach students computer hacking skills? There is a need for pragmatism.

A set of pragmatic policy statements were derived by applying STEI-DMG as an integrative approach to risk assessment – by weighing goals (opportunities), possible side effects (risks), and means of teaching students hacking skills from the perspective of key stakeholder groups. See Table: Opportunities and risks of teaching students hacking skills. The pragmatic policy statements constitute implementable policy recommendations to reduce the risk of teaching students hacking skills.

Table: Opportunities and risks of teaching students hacking skills

Columns: Goals (opportunities), Possible side effects (risks), Means (matched to goals). Rows: stakeholder group.

Society

Goals (opportunities):
*Reduce the risk of students committing hacking crime such as data theft or tampering with academic records.
*Protect students from incarceration for committing hacking crime.
*Help students protect their information security against cybercrime (e.g., identity theft and ransomware) resulting in personal financial loss/distress.
*Help students protect themselves against business and state surveillance jeopardizing their autonomy by domestic and foreign threat actors.
*Help students protect themselves against political interference/malicious online influence activity jeopardizing their autonomy by domestic and foreign threat actors.

Possible side effects (risks):
*A rise in student hacking crime. Students may commit crime or unethical acts with the hacking skills learned.

Means (matched to goals):
*Teach students hacking as ethical hacking – teach an ethics component/course: countermeasures (ethical-legal consequences and security testing as skills in information assurance) and professional ethics and social values to reduce the risk of students committing unlawful acts.
*Teach students across university and college programs the necessary hacking skills to protect their information security – emphasizing self-defence/counter-intelligence skills/knowledge, i.e., OSINT, social engineering, security awareness, and critical thinking.
*Teach students the sociopolitical and geopolitical contexts of technology design and use, and teach them about Canada’s cybersecurity threat landscape.
*Take a holistic/multi-stakeholder approach to teaching students hacking skills to integrate society’s values/needs.

Business/industry

Goals (opportunities):
*Address a cybersecurity skill gap that threatens sustainable business innovation/economic vitality.
*Businesses need postsecondary graduates with hacking skills for protecting the IT infrastructure (mobile/remote computing, cloud computing, third-party apps, mobile devices), the data assets, and databases against cybercrime (including commercial data theft and commercial espionage).
*Businesses need security professionals with skills/knowledge in both security testing and security auditing so as to achieve compliance with the relevant privacy and security regulations.

Possible side effects (risks):
*Misusing hacking skills in spying or in committing insider data breaches (of R&D information, financial information, business communication, company confidential information, and trade secrets).
*Cyberattacks can result in reputational damage, productivity loss, intellectual property theft, theft of personal information, operational disruptions, financial losses/recovery expenses, and may trigger regulatory actions or lawsuits.
Technical risk
*Ethical hacking can unintentionally damage information systems or data integrity or availability (accidental damage) or confidentiality (the penetration tester may see confidential information); a computer system may remain exploited (compromised) after ethical hacking has been performed.
Financial risk
*During ethical hacking, documents and equipment may be damaged. Afterwards, investments may be needed to upgrade or repair the information system.

Means (matched to goals):
*Teach students the skills businesses need (see Professional ethical hacking body of knowledge foundation framework).
*Equip students with skills to guard against key information security risks/threats to businesses: 1) DoS and other network attack techniques against information confidentiality, integrity, and availability; 2) a combination of social engineering and malware, especially ransomware; and 3) identity theft through social engineering and phishing schemes.
*Teach students database security skills: designing and implementing network security controls, such as firewalls and network-based intrusion detection systems, as well as access management controls.
*Teach students both outsider and insider attack skills/techniques.
*Teach students vulnerability discovery and exploitation skills within software and computer networks as well as mitigation skills (offensive and defensive skills).
*Teach students using the same hacking tools and techniques being used in the wild (hands-on training).
Ethics instruction
*Teach students about the ethical and legal consequences of unauthorized hacking.
*Teach students security testing as skills in quality assurance/information assurance and as auditing skills.
*Teach students professional practice ethics, skills, and codes of conduct, as well as the social context of technology design and use (see The ethics of ethical hackers).
*Teach students information security risk governance skills: cybersecurity regulations and IT governance frameworks that facilitate compliance as part of an ethical hacking course.

Higher education

Goals (opportunities):
*Prepare students for success in life:
-equip students with the skills and knowledge necessary for employment (Weingarten & Hicks, 2018);
-help students become employable;
-prepare students for success in their future employment;
-help students protect the data assets of their future employers (Logan & Clarkson, 2005); and
-help students protect themselves against cybercrime, surveillance, and political interference using botnets and false news disseminators – i.e., against information privacy and autonomy attacks.
*Produce “a growing number of professionals with information management systems security expertise” (Sharma & Sefchek, 2007, p. 290).
*Protect databases and data assets about students, employees, research, financial information, confidential business communication, and trade secrets of higher education institutions against phishing and social engineering attacks.

Possible side effects (risks):
*Students may commit hacking crime without realizing it if they are not clear on the ethical-legal ramifications of hacking to themselves and to society.
Sociocultural risk
*Teaching students computer hacking skills may raise stakeholder and community concerns for fear of hacking activities by students and a corollary reputational damage.
Technical risk
*Ethical hacking can unintentionally damage the information system or compromise data assets, potentially triggering regulatory actions or lawsuits.
Financial risk
*Documents and testing equipment may be damaged or stolen; hacking may cause delays or downtime. Afterwards, investments may be needed to upgrade the system or to repair damage.

Means (matched to goals):
*Teach an ethical hacking course across disciplines/programs.
*Teach ethical hacking skills across disciplines/programs.
*Take an integrated/systems approach to teaching students hacking skills by integrating technical and social hacking skills in instruction.
*Teach ethics (see Ethics instruction).
*Teach students across disciplines/programs self-defence/counter-intelligence skills/knowledge, i.e., OSINT, social engineering, security awareness, and critical thinking.
*Teach students vulnerability discovery and exploitation skills within software and computer networks as well as mitigation skills (offensive and defensive skills).
*Teach students information security risk mitigation skills (see Cybersecurity risk mitigation framework).
*Conduct end-user security awareness training. Teach about the need to know and follow an organization’s information security policy and usage policy, relevant privacy and security regulations/regulatory requirements, phishing and social engineering schemes, and malware threats.
*Use compartmentalized systems for hacking training to avoid disrupting or damaging the organizational network.

Government

Goals (opportunities):
*Help Canada achieve its National Cyber Security Strategy objectives regarding security and resilience, cyber innovation, and leadership and collaboration (Shull, 2019).
*Support the training of a growing number of ethical hacking professionals with information management systems security expertise to secure the national digital infrastructure against cyberattacks (Sharma & Sefchek, 2007).
*Address a rising national need for information security professionals able to protect Canada’s critical infrastructure, such as power grids, defence facilities, and health services, against DoS and information security attacks.
*Address a need to protect sensitive information and essential services within public service institutions – such as government departments, universities, and hospitals – against cybercrime (including data theft and espionage) and cyberwarfare/cyberattacks by domestic and foreign threat actors.

Possible side effects (risks):
*When employed by governments, students might jeopardize national security/safety in acts of treason (e.g., espionage) or terrorism (e.g., attacking critical infrastructure or public service institutions) for ideological reasons or for personal gains.
*The consequences of cyberattacks on society can be “severe and wide-reaching” with the potential to compromise public safety and result in significant economic damage (CSE, 2018).

Means (matched to goals):
*Support broad-based multi-stakeholder research programs to systematize/standardize an ethical hacking body of knowledge.
*There is a need to contextualize technical instruction within a social and global (geopolitical) context, emphasizing and being explicit about core Canadian values at stake.
*Promote higher education in information assurance and security (Sharma & Sefchek, 2007) as a holistic governance approach to managing organizational information security needs.
*There is a need for skills to counter cyberwarfare/political interference by domestic and foreign threat actors – how to recognize and mitigate malicious online influence activity using botnets and false news disseminators – skills in computer programming and exploit script writing as well as critical thinking skills and broad political awareness.

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university (2015-04-24T13:40:05Z) [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.

Canadian identity as an academic idea

Ethical decision-making theories: Introduction to normative ethics

Professional ethical hacking body of knowledge

Scientific method in research

The ethical teaching of ethical hacking

The ethics of ethical hackers

The ethics of ethical hacking

The technoethics of Mario Bunge
