Ethical hacking sociotechnology: A technoethical–sociotechnical assessment of ethical hacking teaching practices in Canadian higher education (Apr. 17, 2021)
This is an abridged version of my uOttawa PhD thesis completed at the School of Electrical Engineering and Computer Science (EECS), Faculty of Engineering, titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society, archived in uO Research (uOttawa) on Apr. 17, 2020 (thesis advisory committee: uOttawa professors Rocci Luppicini, Liam Peyton, and Andre Vellino).
Abstract (250 words)
The number of programs teaching ethical hacking in higher education and the number of ethical hacking professionals entering the information security field is growing, yet cyberattacks on the public and private sectors continue to increase in sophistication and frequency, student convictions for hacking crime is on the rise, and Canada suffers from an acute cybersecurity skill shortage. This study presented an examination of opportunities and risks involved in using AI powered ethical hacking technology in current ethical hacking teaching practices in Canadian higher education focusing on two Canadian universities as case studies and applied a social systems theoretical framework (STEI-DMG within the science and technology studies tradition) to perform technology impact assessment and to synthesize implementable policy recommendations to mitigate the potential risks of teaching students hacking skills. A qualitative exploratory case study approach was followed. Data collection consisted of a qualitative systematic review, organizational documentation, and in-depth interviews with ethical hacking university experts, ethical hacking industry practitioners, and policy experts. No consensus in Canadian higher education was found on what might be considered a standard ethical hacking curriculum. A professional ethical hacking training module was explored: OSINT Analyst Cybersecurity Role and Body of Knowledge Foundation Framework. Ethical hacking instruction in higher education should be constructivist in approach, directly engaging with key societal stakeholder groups. A public policy initiative was explored comprised of a networked centre of excellence of ethical hacking communities of practice as a knowledge management and risk management/technology governance approach focused on ethical hacking systematization of knowledge/professionalization.
Keywords: Qualitative Exploratory Case Study, Qualitative Systematic Review, In-depth Interviews, Higher Education, Ethical Hacking, Cybersecurity, Interdisciplinary Research, Sensemaking, Technoethics, Sociotechnology, Science & Technology Studies (STS)
PhD Thesis Defence PowerPoint Presentation (March 9, 2020)
1. Introduction
2. Background
3. Methodology
4. Findings and Discussion
5. Analysis and Recommendations
6. Conclusion
References
How to cite this article (APA style)
1. Introduction
Today, the already demanding task of companies to protect themselves against cyber threats is exacerbated by the phenomenon of the cyber security skill shortage, namely the lack of professionals with the knowledge and skills to perform a cybersecurity job. Companies would like to hire professionals in the cyber security sector but they are struggling to find them due to lack of skills. (Global Cyber Security Center, n.d.)
Contributing to a lack of skilled cybersecurity professionals worldwide, which is nearing 3 million globally according to the International Information Systems Security Certification Consortium (ISC)², are a variety of factors, including rapid technology changes, hiring constraints, inadequate understanding of cybersecurity fundamentals, and the absence of a clear cyber career pathway for those entering the information security field (CISA, 2019). The amount of information can be overwhelming and conflicting. In addition, inconsistent language used in job titles and requirements can add to the uncertainty and discouragement. The limited understanding of prerequisite skills and knowledge required when entering the cybersecurity field, or advancing from an existing cyber role, is a significant hurdle. (CISA, 2019, p. 3)
As programs teaching ethical hacking in higher education continue to grow there is a concern that teaching students hacking skills increases crime risk to society by drawing students toward criminal acts (Hartley, 2015; Logan & Clarkson, 2005; Pashel, 2006; Pike, 2013; Sharma & Sefchek, 2007). Student “expulsions and convictions for hacking activities are on the rise and indicate that more needs to be done to protect students” (Pike, 2013, p. 69). Literature revealed “little guidance in preparing students to responsibly use hacking skills learned in college” (Pike, 2013, p. 69).
Cyber attacks on information assets in the private and public sectors is a growing and evolving threat, warns Public Safety Canada (2013A, 2013B, 2013C). The evolution of cyber-attack tools and techniques has accelerated dangerously in the recent past (PSC, 2013A, The Threat, para. 1). The frequency of hacking attacks increases year after year. And every year “those seeking to infiltrate, exploit or attack our cyber systems are more sophisticated and better resourced than the year before” (PSC, 2013A, Introduction, para. 5).
Society faces an “Increasing Cyber Threat Exposure” due to the expanding interconnectedness of ICTs (the growing number of Internet-connected devices) and their digital integration with industrial control systems and critical infrastructure making an attack on critical infrastructure riskier (CSE, 2018, p. 26). Businesses face an increasing risk of cybercrime (“Data Breaches,” including commercial espionage and social engineering), and “Exploiting Trusted Relationships” in 2019 (CSE, 2018). Key sources of security threat for businesses are large databases, commercial espionage, and whaling. “Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Stolen information is held for ransom, sold, or used to gain a competitive advantage.
Even though more and more computer science (CS), computer engineering (CE), and software engineering (SE) programs in higher education are teaching ethical hacking skills, and more and more ethical hacking practitioners are entering the information security profession, Canada faces an acute shortage of cybersecurity experts, student convictions for hacking crimes is on the rise, and cyber attacks by domestic and foreign threat actors are increasing in frequency and sophistication.
1.1. Cybersecurity threat landscape
The cybersecurity threat landscape can be understood within the context of an emerging surveillance technology/society: 1) Cyber crime risk: Information security risk or risk of privacy/confidentiality attacks on individuals and businesses; 2) political economic risk/business surveillance risk: Political autonomy/privacy rights/the behavior of citizens; and 3) political risk/state surveillance: Political autonomy/privacy rights/the behavior of citizens.
Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society (CSE, 2018)
Emergent ethical hacking technology (intelligence making or surveillance) creates opportunities and risks for society. Ethical hacking technology (through surveillance) holds the promise of security and economic prosperity. Real-time intervention and cybernetic (re)directing can be beneficial to society in various sectors–for example, self-driving cars that update their digital maps through experience (i.e., learning).
Businesses use AI powered ethical hacking technology to expand their capacity to conduct business intelligence to innovate in the generation, collection, mining and processing business intelligence for growth. AI/ML and digitization, especially the ability to generate, gather and analyze large amounts of data and turn it into useful or actionable knowledge (intelligence), has accelerated and intensified value creation from data. AI/ML automates and intensifies the conversion of raw data to useful knowledge–it can autonomously make decisions/construct knowledge. Thanks to digitization,
we can now collect and analyze data in previously unimaginable ways. And the value that can be derived through digital means –from artificial intelligence to machine learning –has made data the most valuable resource in the world. (Bains, 2019, LinkedIn)
Society’s ability to extract value from surveillance data has made privacy and innovation “the duet of the century” (Bains, 2019). On the one hand, ethical hacking technology can facilitate personalized services and more personal choices. On the other hand, surveillance as the business model threatens the autonomy of users and may change user behavior. Given this new reality,
how do we protect people’s privacy and the security of their data, while preserving and even improving the competitiveness of Canadian innovators in this data-driven economy? (Bains, 2019)
The surveillance society technological infrastructure brought ordinary Canadians to the forefront of the cybersecurity battle. Citizens in liberal democracies are seeing their privacy rights squeezed from all sides—government, business, and malicious actors–eroding trust in government.
While some surveillance technologies are useful or beneficial, left to the unregulated market forces, surveillance has come to threaten the core of the liberal political tradition especially the autonomy of citizens and their freedom from political economic oppressive influence (e.g., manipulation of behavior).
Surveillance capitalism commodifies personal clicking behavior–“it unilaterally claims private human experience as a free source of raw material” (Thompson, 2019). Social media sites are “calibrated” for user engagement and interaction. A “shockingly extensive, robust, and profitable surveillance architecture” (Schneier, 2015, p. 56) has emerged out of this technological infrastructure, and is behind the trend of privacy breakdown during the past five years equivalent to “an environmental calamity” (Thompson, 2019). Open source surveillance technologies are widely used in the field of advertising. The advertising industry is based on collecting user data, on profiling users according to behavioral patterns or choices so as to micro-target them with effective messages. For example, cookies, or persistent identifiers are used in web browsers to track user activities. Third-party cookies enable companies to track users across different media platforms. The data broker industry aggregates user data from across public platforms then sells it to marketing and advertising companies. For example, Acxiom Corporation, Little Rock, Arkansas, USA, operates twenty-three thousand computer servers that collect, collate, and analyze more than 50 trillion unique data transactions every year and have amassed profiles on over 700 million consumers worldwide (Goodman, 2016).
Surveillance can influence user behavior in complex ways, including unconsciously–undermining either the information security or the political autonomy of citizens. For example, social media companies are now customizing newsfeeds of social media users based on monitoring and analysis of these users’ surfing behavior (Kool, Timmer, Royakkers, & van Est, 2017). Data surveillance “can unconsciously influence a user’s identity, and lead to ‘filter bubbles’, in which the system only suggests news, information and contacts that match the user’s previous behaviour, choices and interests” (Kool et al., 2017, p. 10).
Surveillance can be understood as a phase in the penetration testing process–as a phase of intelligence making comprised of the intelligence making steps of what NIST (2008) calls the discovery phase: OSINT or reconnaissance, and network enumeration and port scanning. Businesses use AI powered ethical hacking technology (intelligence gathering) technologies in commerce (e.g., BI), and in IT governance of IT network security–in penetration testing.
Penetration testing involves “launching real attacks on real systems and data using tools and techniques commonly used by hackers” (NIST SP 800-115, p. 5-2). Penetration tests begin with an extensive information gathering phase. Open source information on the Internet can be used to build a profile of the target user or system. AI and algorithm based OSINT are used extensively by hackers and penetration testers to gather intelligence about a specific online target. Automated OSINT tools can be used to collect and aggregate, and harvest data from social networks, including names, online handles, jobs, friends, likes/dislikes, locations, pictures, etc. (McLaughlin, 2012). Recon-ng and Maltego are data management tools designed to facilitate the process of gathering, analyzing, and organizing OSINT.
Profiling users involves data collection and analysis of user data from user identity/information related to user ID, email accounts, phone numbers, and other PII and access codes to digital services (typically on the Internet); user history/browsing behavior/user preferences/metrics about interaction with the apps/computer and OS/web/app digital traces/digital footprint/online profiles, location/geo-tracking, events logged, web and app analytics–information that can allow advertisers to micro-target users.
The digital trace and digital profile/footprint/open profiles of citizens leaves them victims to those who harvest privacy data (e.g., on social media) and plot and proceed to rob them. Individuals face a rising risk of theft to their private data and a risk of dwindling autonomy. Canadians face a rising cyber threat of falling victim to cybercrime and to “Malicious Online Influence Activity” (CSE, 2018). The openness of society becomes a vulnerability to intelligence technologies designed to exploit the digital footprints or open profiles/the very browsing behavior of users.
1.2. Study purpose
While the number of academic programs teaching ethical hacking in higher education and the number of ethical hacking practitioners continue to grow, this growth has not been mirrored by a similar growth in scholarly research outlining the roles and responsibilities, and practices, and necessary knowledge and skills of professional ethical hacking practitioners in Canada. Literature that focuses on ethical hacking as a professional practice in a Canadian context is lacking. “Ethical hacking” as an academic discipline remains a grey area. There is no agreement on the meaning of ethical hacking or on what might be called a standard ethical hacking curriculum or body of knowledge (BoK) or agreement on what might be called a standard set of ethical hacking teaching practices.
In the Canadian context, there is no consensus on what is ethical hacking or what it should be and what are the skills and competencies required to function successfully at the various levels of the profession. Confusion arising from differences in perceptions among experts, industry practitioners, and policymakers about what are current ethical hacking teaching practices, what are professional ethical hacking skills, what are the risks to society of teaching students hacking skills, and how to mitigate these risks stifles innovation and effective educational policy development and implementation, which perpetuates the security risks.
This study contributes to “de-greying” professional ethical hacking skills and ethical hacking teaching practices in Canadian higher education. It addresses the research question (RQ), What are current ethical hacking teaching practices? This study offers an empirical exploration of the phenomenon studied (ethical hacking teaching practices) in two Canadian universities as case studies in focus in support of science-based educational policy development.
This study addressed gaps in literature on current ethical hacking teaching practices (“what it is”-a survey of literature and an empirical study), the risks and opportunities of ethical hacking technology to society (a technoethical-sociotechnical assessment), what taught ethical hacking skills “should be” and how hacking skills should be taught in Canadian higher education, as well as gaps in knowledge management and risk management (governance) of ethical hacking technology in society.
Data collection–a qualitative systematic review, in-depth interviews, and organizational documentation–was followed by a technoethical-sociotechnical assessment of opportunities and risks involved in using ethical hacking intelligence-making technology in ethical hacking teaching practices in Canadian higher education applying a social systems theoretical framework (STEI-DMG within the STS SCOT tradition).
Section 2. Background provides a review of the theoretical and historical context of ethical hacking in society (first-level conceptual themes from the findings). Section 3 details the study methodology including data collection and analysis and how the theoretical framework is applied in the study. In section 4. Findings and Discussion, first a qualitative systematic review of current ethical hacking teaching practices in Canadian higher education is conducted, then curricula of CS,CE, and SE bachelor programs in two Canadian universities are surveyed for an exploration of technical and social hacking skills taught (content and instruction). Section 5. Analysis and Recommendations first discusses ethical and social impact assessment of opportunities and risks involved in using ethical hacking technology in teaching practices culminating in pragmatic policy statements to inform educational policy development. Then implementable policy recommendations regarding ethical hacking curricula content and instruction are synthesized (the technical and social hacking skills to be taught or “what it should be”). Section 6. Conclusion focuses on outlining findings summary and implications and research contribution.
2. Background
2.1. Technical/technology perspective
A penetration test is “a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky or illegal end-user behaviour” (Rodger, 2013, p. 41 ).
Penetration tests are typically performed to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Testers may even attempt to use the compromised system to launch subsequent attacks at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation. (Rodger, 2013, p. 41).
OSINT is the first step in the penetration test. The vast majority of OSINT or footprinting activity is passive. Active recon involves social engineering and “anything that requires the hacker to interact with the organization” (Walker, 2017, p. 45). Social engineering is a threat that can exploit an ignorance (skill/knowledge gap) or a credulity (lack of critical thinking/not understanding that reality is socially constructed) vulnerability of a technology user (i.e., a gap in user security awareness). Passive reconnaissance involves gathering information from the public domain in places like Internet registries, Google, newspapers, and public records. At this stage “the target does not even know generally that they are the subject of surveillance.” The first step involves collating technical information on an organization’s public-facing systems. “Internet registries, coupled with services such as Shodan or VPN Hunter, can highlight and identify an organization’s Web servers, mail servers, remote access endpoints and many other Internet-facing devices.” Methods include “gathering of competitive intelligence, using search engines, perusing social media sites, participating in the ever-popular dumpster dive, gaining network ranges, and raiding DNS for information” (Walker, 2017, p. 44). A key argument is that there is no clear cutoff point between passive and active intelligence gathering techniques. The confusion includes whether the use of third parties for services is considered passive testing, whether the process of testing can be traced back to the tester, and whether the information gathering can be performed without the knowledge of the organization under investigation (i.e., stealthy–the key emphasis here is that intelligence gathering does not draw attention and remains undetected).
2.2. Who are ethical hackers?
2.2.1. Professional ethical hacking is legal
2.2.2. Ethical hackers are trustworthy
2.2.3. What do ethical hackers do?
Defined from within the information security field the term ethical hacking most formally refers to penetration testing practices, and less formally to vulnerability assessment and risk assessment processes. The core work of professional ethical hackers involves performing security assessments or audits (vulnerability assessment, risk assessment, and threatscape analysis) and their cybersecurity role in organizations can be seen as “analysts” collecting and analyzing threat data and giving actionable recommendations to mitigate security risks (putting threat intelligence into real-life risk context).
Key practices of ethical hackers include 1) Risk assessment usually against known vulnerabilities/threats; 2) Discover unknown vulnerabilities/threats; 3) Compliance with privacy and security regulations and standards–government regulations (e.g., Privacy Act, 1983; PIPEDA, 2000), industry regulations (e.g., PCI DSS, ISO/NIST), and in-house standard procedures and best practices; and 4) Audit performance of security controls.
2.3. Philosophical and theoretical underpinnings
The Epistemological Roots of STEI-KW as a Sociotechnical Theory of Society
The social construction of technology
The study analyzes technology in the science and technology studies (STS) tradition (Quan-Haase, 2016). The study adopts the STS approach of the social construction of technology. STS analyzes technology in its unique social context of “complex societal influences and social constructs, entailing a host of political, ethical, and general theoretical questions” (Quan-Haase, 2016). The field of STS “emphasizes that artifacts are socially constructed, mirroring the society that produces them. At the same time, tools shape society itself, as well as its values, norms and practices” (Quan-Haase, 2016, p. 43).
2.4. Historical perspective
A view from outside of the information security field (i.e., from the social sciences and humanities) of how uses of the term hacking have influenced its conceptual development includes a view of the role of the mass media and law enforcement in changing the original positive connotation of the term hacking from around the late 1980s and through the early 1990s to connote unlawful or criminal acts (Coleman & Golub, 2008; Thomas, 2005), as well as an anthropological analysis (taxonomy) of various hacker ethic based on idioms and practices (Coleman & Golub, 2008) and the pioneering historical work of Steven Levy (1984) on hacker culture.
Coleman and Golub (2008) saw various hacker ethic as representative of the subjective self. In that vein, they conceptualize three liberal moral expressions of hackers and hacking (cultural sensibilities or hacker ethics) revealed variably in the context of computer hacking: Cryptofreedom, free and open source software, and the hacker underground.
Several social and historical factors underlie an identity and legitimacy crisis for professional ethical hacking practitioners. An identity crisis can be understood as a crisis of confusion regarding who are professional ethical hackers and what do they do (what is ethical hacking). A legitimacy crisis can be understood as a crisis of confusion regarding the ethics and values of professional ethical hackers, and regarding their value (contributions) to organizations and to society at large.
2.5. Social perspective
Social digitization (Kool et al., 2017) follows the cybernetic control logic (Royakkers & van Est, 2020): An ongoing push toward more digital control of communication/information channels and flows (the logic underlies or “rationalizes” Industry 4.0 technological infrastructure): 1) A new wave of digitization–cybernetic loop, real-time analysis and intervention in the surveillance cycle in an autonomous way; and 2) a new wave of rationalization–digitization as rationalization leading to increased loss of autonomy–more rationalization in the process of data generation, collection, analysis, acting/applying (more delegation of decision making to machines/less humans or human agency in the cybernetic loop).
Kool et al. (2017) argue that the digitization of society has entered a cybernetic phase, thanks to a host of emergent technological innovations in computing and communications together generating a new wave of digitization. The concept of digitization refers to a large cluster of digital technologies such as robotics, IoT, AI, and Big Data.
While initially digitization processes consisted of “the large-scale collection of data on the physical, biological and social world,” a new wave of digitization characterized by continuous, cybernetic, feedback loops is focused on the large-scale analysis and application of that data. Today “we can analyse this data on a large scale and apply the acquired knowledge directly in the real world” (p. 43). Although “digitization has been going on for decades,” recently it has become “easier to intervene real time in the physical world at an increasingly detailed level.” This “ushered in a new phase in the development of the digital society; a phase in which a cybernetic loop exists between the physical and the digital world” (p. 44).
A new phase in the development of the digital society rests on self-correcting cybernetic loops operating in real time (real-time monitoring) existing between the physical and the digital worlds, that is, on the hybridization or convergence of the physical and digital worlds (Kool et al., 2017). This means that, “processes in the physical world are measured, the resulting data is analysed, and then real time intervention takes place based on that data analysis.” The impact of the intervention “can subsequently be measured, analysed and adjusted, before rejoining the following cybernetic loop cycle” (p. 43)–that is, surveillance whereby companies track user actions, profiling them, and on that basis show real-time ‘appropriate’ information, products, or prices. A new wave of digitization is “leading to a world in which continuous feedback and realtime management and control are increasingly important principles for a range of services.” This exerts “a strain on important public values” such as privacy and autonomy.
The new wave of digitization and the ensuing cybernetic loop means biological, social, and cognitive processes can be understood in terms of information processes and systems, and thus digitally programmed and controlled. Royakkers and van Est’s (2020) analysis focuses on how ongoing social digitization and rationalization by the digitization of society can lead to a loss of autonomy. Their analysis shows 1) how biological, social, and cognitive processes existing in digital form as data flowing through the integrated digital network of society can be subject to exploitation, for example, in profiling users via analyzing their data and intervening autonomously in response (e.g., in targeting users); and 2) how human agency is influenced/various ways the digital technologies “Internet-of-Things, robotics, biometrics, persuasive technology, and digital platforms” might lead to a loss of autonomy.
Cybernetic thinking or the digital control paradigm is increasingly becoming a technological reality “because of the far-reaching interrelationship between the physical and the digital or virtual world” (p. 60). Digital control “offers society and the individuals in that society a multitude of opportunities, but also brings new social and ethical challenges” (p. 59). Important public values closely linked to fundamental and human rights are at stake. “This digital control paradigm laid the symbolic basis for engineering the information revolution and “has led to the rationalization of each aspect of our lives” (p. 60).
In the footsteps of Weber, Royakkers and van Est (2020) are “concerned about the so-called ‘digital or cybernetic cage of rationality’, the idea that digitization as rationalization can undermine human flourishing” (p. 60). Autonomy refers to “the ability to have control over your own life and decisions: to set goals in life and choose the means of achieving them” (p. 60). A loss of autonomy can happen when digitization as rationalization “overshoots its mark and leads to socio-technical systems that become anti-human or even destructive to humans” (p. 60).
The New Digital Wave of Rationalization: A Loss of Autonomy (Royakkers & van Est, 2020)
Royakkers and van Est (2020) distinguish four ways in which digitization can put human autonomy under pressure. They then provide some potential solutions to safeguard human autonomy. Human autonomy can come under pressure through digitization if humans are put on the loop (three ways) or out of the loop (the fourth way). When humans are on the loop, the use of digital technologies can influence human autonomy in each of the three phases of the cybernetic loop: 1) Measuring people by collecting data, 2) profiling people through analyzing data, and 3) intervening in humans’ behavior.
Broad effects of surveillance technology include,
- A systemic emphasis on privacy data as a cash cow/value creating commodity and convergence of the economic (business innovation) with the political (liberty/autonomy/personal privacy).
- A handful of Big Media conglomerates control communication channels/information flows (e.g., Facebook, Twitter)–few key players who form alliances to achieve economies of scale/scope/cross promotion and act as gatekeepers of information.
- Convergence (digital in nature) of traditionally disparate communications media/channels/services. The commerce chain is now one with telecoms, media, Internet, and WIFI broadcasting.
- More data is generated/produced from servers and sensors everywhere (IoT/Big Data/data driven AI/AI and digitization/a knowledge-based economy).
- More data generation, collection/measurement, analysis/profiling users, and autonomous intervention and exploitation of intelligence.
- It is easier than ever to control communication/information channels and flows.
3. Methodology
The study followed the qualitative exploratory case study approach (Creswell, 2003, 2007; Stake, 1995; Yin, 2003) to study ethical hacking teaching practices in Canadian higher education focusing on two Canadian universities as case studies. A case study is “an empirical inquiry that investigates a contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident” (Yin, 2003, p. 13). The case study qualitative research method exemplifies the researcher preference for depth, detail, and context, often working with smaller and more focused samples in comparison to the large samples of primary interest to statistical researchers. The qualitative exploratory case study methodology is particularly appropriate when there is a scarcity in the literature on the subject (Stebbins, 2011). Exploratory research is suitable for problems or phenomena that are in the formative stages to help clarify primary issues surrounding the problem or to establish priorities, clarify trends or map a field and develop operational definitions (Shields & Rangarjan, 2013).
3.1. Data collection and analysis
Data collection consisted of a qualitative systematic review; organizational documentation of two Canadian universities; and in-depth interviews with 14 subject matter experts comprised of ethical hacking (penetration testing) university experts and industry practitioners, and policy experts. Numerous secondary resources were also consulted including government policy reports and industry white papers.
3.1.1. A qualitative systematic review was conducted for the research question, What are current ethical hacking teaching practices? The research database SCOPUS was used to locate relevant literature. The keyword search involved using synonyms from the RQ to construct Boolean searches such that the search strings are appropriately derived from the research question. The search strategy first identified 99 publications. These were reduced to 14 core peer-reviewed articles retained for the synthesis based on their relevance and quality, after applying the inclusion criteria and disregarding duplicates. The inclusion criteria specified peer-reviewed journal articles published between 2010 and 2020. This excluded unpublished research and research published before 2010, articles not directly addressing the research question, and articles lacking a rigorous methodology or theoretical contribution.
3.1.2. Organizational documentation consisted of 50 webpages concerning cybersecurity degree specialization (majors) offered in CS, CE, and SE bachelor programs, and course requirements and course descriptions in CS, CE, and SE curricula (3 credit courses) taught in English for 2019-2020 at the two participating higher education institutions.
Bachelor degree programs in CS, CE, and SE disciplines were surveyed for inclusion of security majors/specializations. Program requirements for CS, CE, and SE majors were examined for required courses in technical hacking skills and social hacking skills, including ethics and social science. Online course descriptions at the two participating research institutions were surveyed for technical and social hacking skills focusing on network penetration testing high-level concepts. Courses not directly teaching computer network skills were excluded from the analysis (courses with “security” or “secure” in their title were retained for examination given their direct relevance). Finally, the study focused on courses cross-referenced between the two participating universities.
See Organizational Document Review.
3.1.3. In-depth, semi-structured interviews were conducted between December 7, 2018 to April 15, 2019 with 14 interview participants (a fifteenth participant contributed via email) comprised of four ethical hacking university experts, four ethical hacking industry practitioners, and six policy experts. The interview participants were recruited by email with the aid of a formal recruitment letter and a consent agreement to participate in the research. The study employed the validation protocol member checking (Stake, 1995) which gave the interview participants the opportunity to review their quotes for accuracy. In-depth, semi-structured interviews were conducted within a set time (1 hour) in person or by phone. The interviews were audio recorded and transcribed for accuracy. Further, hand-written notes were taken during the interviews.
Interview Participants by Area of Expertise (table)
3.2. Applying the theoretical framework STEI-KW in the analysis
As a sociotechnical theory of society, STEI-KW situates the technoethics of Mario Bunge (1975/1977), his philosophy of technology (sociotechnology, 1998, 1999, and sociotechnical systems, 1999) within the STS SCOT tradition (Bijker, 1997, 2009; Pinch & Bijker, 1984; Quan-Haase, 2016).
As a social systems theory, STEI-KW further integrates Weick’s (1969/1979, 1995) sensemaking model, Bunge’s (1979) systemism which conceptualizes social structure, along with Popper’s (1966) political philosophy (open society) and Popper’s (1963/2003) scientific philosophy (theory of falsification).
STEI-KW takes a comprehensive systems view of technology in that it defines the current meaning and value of technology in society by tracing its conceptual development and how it was shaped by various social, technological, intellectual, and cultural inventions, innovations, and influences.
As a social systems theoretical framework, STEI-KW, guided data collection and analysis. STEI-DMG, a special articulation of STEI-KW, guided technology assessment. The two iterations of the theoretical framework are used to place ethical hacking technology in its historical and theoretical context to define it in society to guide ethical technology use and governance. STEI-DMG is based on Bunge’s (1975/1977) technoethical approach (the three technoethical rules). Bunge (1975) suggested three technoethical rules of conduct for the responsible technologist: 1) “To assess a goal, evaluate it jointly with the side effect”; 2) “Match the means to the goal both technically and morally: employ only worthy practical means and optimal knowledge”; and 3) “Eschew any action where the output fails to balance the input, for it is either inefficient or unfair” (p. 78).
1) Data collection: Multi-perspective/multi-stakeholder/systems approach. The study takes a constructivist approach and directly engages with ethical hacking university experts and business practitioners, and policy experts.
2) Analysis: An examination of opportunities and risks (technology assessment) involved in using hacking technology in current ethical hacking teaching practices in higher education in Canada.
3) Synthesis of recommendations (pragmatic policy statements) to mitigate the risks of teaching students hacking skills based on ethical and social impact assessment of technology. STEI-DMG guides interdisciplinary synthesis that integrates in knowledge making current state of knowledge on ethical hacking teaching practices in Canadian higher education, social values (sociopolitical and scientific values), ethical perspectives (duty/deontology, rights, virtue, and utilitarianism), and interests/values/needs of key stakeholder groups–students of higher education, higher education (university experts), business (industry practitioners), government, and society. Ethical and social impact assessment of opportunities and risks involved in using ethical hacking technology in teaching practices culminated in pragmatic policy statements to inform educational policy development.
4) Synthesis of implementable policy recommendations drawing on data collected from literature, in-depth interviews, and organizational documents, and informed by STEI-KW to mitigate the risks of teaching students hacking skills. Recommendations were synthesized for ethical hacking teaching practices or what professional ethical hacking taught in higher education “should be” to meet society’s needs: Content in curricula of computer science and computer engineering disciplines (technical and social hacking skills) and instruction approach.
Open coding was performed during the first pass through the data for three main themes: 1) Intended ends (opportunities/potential benefits) and possible side effects (risks) of teaching students hacking skills; 2) Means and intended ends in terms of technical and nontechnical aspects (moral, social); and 3) Overall technology assessment in society (overall value) in terms of efficiency and fairness.
4. Findings and Discussion
This study addressed the RQ What are current ethical hacking teaching practices? Firstly, a qualitative systematic literature review of current ethical hacking teaching practices in higher education in Canada was conducted. Secondly, this study surveyed curricula of CS, CE, and SE bachelor programs in two Canadian universities as case studies in focus for an exploration of “ethical hacking teaching practices” or technical and social hacking skills taught (content and instruction).
4.1. The qualitative systematic literature review findings
Ethical hacking as a broadly recognized curriculum or BoK within the field of information security is not generally taught in higher education in CS, CE, and SE programs in Canada at the undergraduate level (the focus of the study). CS, CE, and SE curricula variably make references to cybersecurity, information security, IT security, software security, Internet security, and network security.
Ethical hacking skills are taught in various CS, CE, and SE curricula in the apparent absence of a broad strategic organizing or governing framework. Cybersecurity is seemingly the dominant term for things information security and things hacking (e.g., see Canadian Cybersecurity Course Directory 2015 by SERENE-RISC, an NCE funded network centre of excellence hosted by the Université de Montréal, Quebec.).
Information security certification bodies have stepped in to fill a gap left open by academia and are the sitting authority on what is ethical hacking or what it should be, as the various certification bodies see it (e.g., OSCP, CEH, PenTest+, GPEN, etc.). Industry certification has become a necessary credential recruiters look for in job applicants in information security. A survey by Global Knowledge in 2018 found that 83 percent of IT professionals in the U.S. and Canada hold an IT certification; 44 percent of IT decision makers say certifications result in employees performing work faster; 33 percent of IT decision makers say certification results in more efficiency when implementing systems; and 23 percent of IT decision makers say certification helps deploy products and services faster with fewer errors.
Ethical hacking as an academic discipline is “non-existent at this point. Needed, but non-existent,” says PPT11. “I hire a bunch of co-op students” to perform ethical hacking activities but “I’ve not seen anybody who’s specifically done course work in ethical hacking.” “I have not seen any professional development programs for it … the people that I work with that do ethical hacking tend to be people who have learned it on their own.” Ethical hacking “is pretty much a black art that people learn kind of on their own.” PPT11 says he does not think that higher education in Canada is teaching ethical hacking but it is something that is needed because currently it is a grey area.
It’s not like there’s ethical hacking and there’s non-ethical hacking … there’s some grey spaces in the middle, and I think that by putting in place some kind of certification, or some kind of educational program, it helps delineate it better because I certainly know people who slide from the white hat a little bit to the grey, and back. It would be very helpful, I think, for some professional development programs to help kind of delineate what’s needed out there, and bring it out of the shadows too. (PPT11)
4.2. Case studies findings
Organizational documentation of University 1 and University 2 comprised of 50 web pages were examined for an understanding of ethical hacking teaching practices: 1) Course descriptions were examined for ethical hacking high-level concepts (focusing on network penetration testing skills); 2) program requirements were examined for ethical hacking/cybersecurity (information security) course requirements; and 3) listings of bachelor degree majors in CS and computer engineering programs were surveyed for specializations (especially in cybersecurity).
4.2.1. Ethical hacking high-level concepts: Online course descriptions of select courses in CS, CE, and SE curricula at the two participating universities were surveyed for technical and social hacking skills taught focusing on network penetration testing skills against a provisional framework of skillsets, “Ethical Hacking High-Level Concepts (3 Levels of Abstraction).”
The findings are summarized in Table: Ethical Hacking Skills/Knowledge High-Level Concepts in CS/CE/SE Programs.
The key highlights are,
- Ethical hacking skills and methods for protecting information and technological infrastructure of information systems were dispersed across surveyed CS, CE, and SE curricula.
- The most common concepts taught in the surveyed courses were Network protocols, TCP/IP model, and Access management, at about 70% of examined courses.
- The second most frequent concepts taught relate to defense in depth strategies access management/identity and access management, at about 50% of examined courses.
- The third most frequent concepts taught relate to IT security governance and the application of iterative, collaborative and holistic process management frameworks, including IA/QA approaches to IT security, and SDLC/agile software development approaches, both at about 35% of total examined courses.
- Less than 10% of surveyed courses (1/14) had explicit reference to social hacking skills. A course on designing secure computer systems (3 units) referenced “Ethical issues in computer security” which is a risk mitigation (prevention) component.
CS, CE, and SE programs should teach students hacking skills in conjunction with suitable mitigation countermeasures: The ethical-legal consequences of misusing hacking skills (a prevention component), and hacking should be taught as a comprehensive audit/skills in assurance (QA/IA approaches). Technical hacking instruction should be contextualized with ethical and social hacking skills.
Interviewed ethical hacking university experts (PPT3, PPT8, and PPT14) discussed two approaches to teaching ethics to undergraduate students studying in CS, CE, and SE programs: Countermeasures integrated with CS, CE, and SE technical instruction, and as a separate course (e.g., professional practice). A two-prone approach to the instruction of social hacking skills includes instruction of a cybersecurity countermeasures component (the ethical-legal consequences of misusing hacking skills, and QA/IA approaches to information security), and instruction of Professionalism/Professional Practice in Society–as a program course requirement.
There was broad agreement among interviewed ethical hacking experts and practitioners on the need to teach ethics. PPT6 suggested a double-prone approach should be taken for ethics instruction in higher education in computer science and computer engineering disciplines. First, as a component of technical instruction. “I think every course needs ethics in it” (PPT6). Second, as a standalone course taught to all higher education students.
I think we all have to take at university an intro to writing course in our undergrad, we all had to take it. English 1501 or whatever it was. Sure that’s important … But the thing, to me, is, if you’re a Canadian citizen at least, and you’re in the English program, you’ve graduated from an English school, which means you’ve written papers in your life. (PPT6)
4.2.2. Ethical hacking/cybersecurity (information security) course requirements: Course requirements for CS, CE, and SE degree programs were surveyed for courses on technical and social hacking skills and whether the courses were compulsory, optional, or elective.
- There was no requirement to teach an information security course. Surveyed CS, CE, and SE programs did not require cybersecurity coursework to graduate, even though cybersecurity professionals are currently in high demand (Radziwill et al., 2015), and there is a wide agreement that teaching students hacking skills has a net benefit to society (Hartley, 2015; Logan & Clarkson, 2005; Pashel, 2006; Pike, 2013; Sharma & Sefchek, 2007; all interviewed ethical hacking experts and practitioners agreed).
- There were no “ethical hacking” courses per se taught in the explored Canadian universities.
- There was a compulsory ethics course (professional practice) taught to everyone in CS, CE, and SE programs which places the professional practice and conduct of computer scientists and engineers within a social science context (the composite engineer).
4.2.3. Cybersecurity (information security) bachelor degree specialization/majors in CS, CE, and SE programs: No cybersecurity bachelor degree major or specialization was offered within surveyed CS, CE, and SE undergraduate programs at the participating institutions.
5. Analysis and Recommendations
Firstly, ethical and social impact assessment using STEI-DMG of opportunities and risks involved in using ethical hacking technology in teaching practices in Canadian higher education culminated in pragmatic policy statements to inform educational policy development. Secondly, implementable policy recommendations regarding ethical hacking curricula content and instruction (the technical and social hacking skills to be taught or “what it should be”) were synthesized.
5.1. Technology assessment: An integrative approach
A technology impact assessment using STEI-DMG examined the opportunities and risks involved in using ethical hacking technology in ethical hacking teaching practices in Canadian higher education from the perspectives of key stakeholder groups against a sociotechnical perspective to inform policy development.
See STEI-DMG: Opportunities and Risks of Teaching Students Hacking Skills.
STEI-DMG guides interdisciplinary synthesis that integrates in knowledge making current state of knowledge on ethical hacking teaching practices in Canadian higher education, social values (sociopolitical and scientific values), ethical perspectives (duty/deontology, rights, virtue, and utilitarianism), and interests/values/needs of key stakeholder groups–students of higher education, higher education (university experts), business (industry practitioners), government, and society.
Technology assessment helps facilitate rational public policy decision making by articulating the ethical-social dimensions of technological challenges in a transparent manner–to teach or not to teach CS and computer engineering students hacking skills with justifications for perceived value: Do the opportunities (intended ends) outweigh the risks (possible side effects)?
Three key themes were discussed: 1) Intended ends and possible side effects of teaching students hacking skills; 2) Means and intended ends; and 3) Overall technology assessment in society in terms of efficiency and fairness.
1) Intended ends and possible side effects of teaching students hacking skills.
Intended ends of teaching students hacking skills
From society’s perspective. First, to help Canada address a national cybersecurity skill/knowledge gap, a national security vulnerability. Second, to address a cybersecurity skill gap that threatens to disrupt a stable business and government environment. Third, to reduce the risk of students committing criminal acts or performing unethical hacking (Logan & Clarkson, 2005; Pike, 2013; Sharma & Sefchek, 2007). Fourth, to help protect students from incarceration for committing hacking crime.
From the government’s perspective. First, to help Canada achieve its national security objectives. The Government of Canada’s national cybersecurity agenda set out in the National Cyber Security Strategy released in June 2018 links security, innovation, and prosperity with focus on three policy themes (Shull, 2019, p. 5): i) Security and resilience (to enhance cybersecurity capabilities to better protect Canadians and defend critical government and private sector systems); ii) cyber innovation (to position Canada as a global leader in cyber security); and iii) leadership and collaboration especially in the international arena. Second, to provide Canada with ethical hacking professionals with the necessary skills to address a rising national need for information security education–to reduce vulnerability in the national information infrastructure “by promoting higher education in information assurance and security, and to produce a growing number of professionals with information management systems security expertise” (Sharma & Sefchek, 2007, p. 290). Third, to provide Canada with ethical hacking professionals able to secure the digital infrastructure so as to maintain a stable political system based on trust in light of a worsening crisis of trust.
From the students’ perspective. First, to help students protect themselves against confidentiality and autonomy type privacy attacks by equipping them with the skills to control their public profile. Second, to help students protect data assets and the computer network infrastructure of future employers, as well as the national critical infrastructure–teaching hacking as “a method of teaching students how to protect the data assets of future employers” (Logan & Clarkson, 2005, p. 157). “Courses have been designed to teach students to hack, with the implication that it is a necessary security practice and that it will improve employability as a network administrator charged with protecting valuable corporate assets” (p. 157). Third, to help students become employable. Fourth, to prepare students for success in their future employment.
From the business/industry perspective. The need to address a cybersecurity skill gap. Professional ethical hackers/cybersecurity professionals are needed for IT security functions with knowledge/skills in software security testing and network security testing and network monitoring. Students need skills in IA/QA holistic approaches to security management. Hacking skills “should be promoted as a means to develop skills in assurance, application design, and quality assurance” (Radziwill et al., 2015).
From the perspective of higher education. First, to address a national cybersecurity skill gap. The primary purpose of higher education is to prepare college and university students with the skills and knowledge necessary for employment (Weingarten & Hicks, 2018)–as well as to equip them with skills and tools to investigate and think critically so as to be socially responsible, productive, and engaged citizens, that is, to self-actualize. Second, to address a national need for security education–that is, “to produce a growing number of professionals with information systems security expertise” so as to reduce vulnerability in critical infrastructure and to protect the digital infrastructure (Sharma & Sefchek, 2007, p. 290).
Possible side effects of teaching students hacking skills
- Rising student hacking crime;
- Students could commit hacking crime without realizing it if they were not clear on the ramifications of hacking to themselves and to society;
- Ethical hacking skills/technologies can be used in spying on businesses;
- Performing real attacks on real systems carries a higher risk that must be weighed carefully against the intended benefits. It must be justified on a cost-benefit basis by a security analyst with broad and interdisciplinary knowledge about the social threat landscape, human behavior, sociopolitical conflicts, in addition to the technical knowledge. Penetration testing can compromise data integrity or availability (accidental damage) or confidentiality (the penetration tester sees confidential information just by virtue of performing the test).
- Students might spy on the government as employees or as outsiders; and
- A social stigma around hacking can drive down enrollment in cybersecurity disciplines and discourage professors from highlighting their hacking skills and experience. News of hacking training can raise concerns about the reputation of institutions due to the social stigma associated with hacking activities.
2) Means and intended ends.
Three key arguments are used in justification for teaching hacking skills in information security courses at both the undergraduate and graduate levels: 1) Hacking skills are equivalent to audit skills “as both are designed to discover flaws in the protection of data and secure operation of a system”; 2) knowledge of hacking skills and practice improves security by informing network administrators how an exploit can be executed; and 3) a systems administrator must possess the same skills as the attacker to provide the best security defense (Logan & Clarkson, 2005, p. 157). Teaching hacking skills focuses on the need to better understand hackers and hacking attacks (Logan & Clarkson, 2005; Pike, 2013). By understanding how to hack, a student understands how a hacker might attempt an attack a system, and can identify the signs of a security breach–enabling them to identify and correct security flaws.
3) Overall technology assessment in society in terms of efficiency and fairness.
Intended ends of teaching students hacking skills
- Support national security by having a skilled population of ethical hacking professionals graduate of higher education;
- Protect the national ICT digital infrastructure;
- Prevent cyber attacks against national critical infrastructure;
- Lower crime risk to society: By empowering students with the necessary skills/ability to protect themselves (their privacy) on the ICT grid as well as to protect their future employer’s data assets and network infrastructure;
- Help students become employable;
- Help students achieve success with their future employers; and
- Address a cybersecurity skill gap.
- Duty perspective: Doing the right thing means teaching students the necessary hacking skills to empower them to protect themselves and society–to support national security;
- Rights perspective: Teaching students hacking skills is ethical because this respects their right to education that will help them succeed in life;
- Virtue perspective: Society “has an obligation to develop educational and learning opportunities for citizens to develop their full potential” (May, 2012, p. 27). Students ought to be given the opportunities to achieve self-actualization–they ought to be taught hacking skills to enable them to realize their full potential; and
- Utilitarian perspective: Teaching students hacking skills is ethical because it reduces crime risk to society and thus produces the greatest amount of good with the least harm.
Possible side effects of teaching students hacking skills
- Students could spy on the government as employees or as outsiders;
- Rising student hacking crime;
- Students could commit hacking crime without realizing it if they were not clear on the ramifications of hacking to themselves and to society;
- AI/ML based intelligence technologies can be used in spying on businesses; and
- Social stigma can drive down enrollment in hacking disciplines and discourage professors from highlighting their hacking careers.
- Duty perspective: There may be a tendency to underestimate the need to weigh the benefits against the potential risks of using the various hacking and surveillance technologies–some are more dangerous than others;
- Rights perspective: Students may commit crime or unethical acts. The risks have to be weighed against the potential benefits;
- Virtue perspective: Because it emphasizes the importance of role models and education to ethical behavior, it can sometimes merely reinforce current cultural norms as the standard of ethical behavior. Emphasizing virtues can make it more difficult to resolve disputes, as there can often be more disagreement about virtuous traits than ethical actions; and
- Utilitarian perspective: Some harm might be done and hence a need to consider how everyone’s rights are respected.
5.2. Implementable policy recommendations
5.2.1. Course content of technical and social hacking skills taught
A modular baseline framework (foundational ethical hacking BoK framework) for professional ethical hacking education/training was explored: OSINT Analyst Cybersecurity Role and BoK Foundation Framework. The framework can serve as a basis for an introduction course to cybersecurity in undergraduate CS, CE, and SE programs or as a baseline framework for security awareness training in higher education.
OSINT Analyst Cybersecurity Role and BoK Foundation Framework
5.2.2. The instruction method of ethical hacking
5.2.2.1. Undergraduate computer science and computer engineering disciplines should include more offensive hacking skills in the curricula. Not understanding offensive hacking technologies and how they are used in the wild amounts to a national security vulnerability (PPT11, PPT12).
Interviewed participants from both camps–those who teach and those who practice ethical hacking or hire ethical hackers–supported a need to teach higher education students studying in CS and CE disciplines offensive hacking skills but with seemingly different levels of emphasis. Industry practitioners seemed generally more emphatic or explicit about the need for real-life offensive skills.
“The stuff you see in school is defensive that’s being taught, how to secure systems” (PPT11).
If an organization wants to do it right … you want to get the people who could do it for malicious reasons. It’s the same skill sets. If you don’t have the same skill sets, the danger is adding it in such a way that would leave security holes or will leave potential attacks or potential attack surface which won’t be revealed. (PPT12)
For PPT12, teaching students hacking skills would entail teaching them how to find holes in software and network systems and how to conduct a full-blown attack on an IT infrastructure or information management system. “For me, ethical hacking is done in an organization who wants to improve their security posture by doing full-blown cybersecurity attacks on their infrastructure.”
Basically finding holes in either the software infrastructure, could be the network infrastructure, could be the hardware involved as well. It could involve bad procedures which could lead eventually to a security hole and I would also include social hacking techniques as part of ethical hacking. (PPT12)
In comparison, university experts seemed less emphatic about the need to teach students more offensive hacking skills.
As a professional engineer, I’m bound by the PEO code of ethics, and among the items in that, I shouldn’t bring the profession into disrepute. So one has to be careful to be completely above-board, and make sure that one doesn’t, for example, get bad press for teaching hacking. Because that could be considered to be bringing the profession into disrepute. I’m also bound by the software engineering code of ethics, the ACM code of ethics, the IEEE code of ethics … I’m bound by a number of codes of practice. (PPT3)
The university experts’ general endorsement of teaching more offensive computer hacking skills can be construed from a combination of key words or expressions they used, and a seeming emphasis on certain defensive concepts such as vulnerability discovery, developing secure code, and security testing.
Interviewed ethical hacking university experts on teaching students offensive hacking skills (table)
5.2.2.2. Interviewed ethical hacking industry practitioners emphasized the necessity of hands on/specializations in cybersecurity skill training (in software and network security and security testing).
You need some hands-on experience, and that’s where things like co-op programs come in. I’ve hired a number of co-op students, and if after two or three work terms, yes, they’re market ready, but they need to have the hands-on, practical, in-the-field experience in security. (PPT11)
PPT6 says “right now, I mean, it’s really hard to get that job right out of university because you don’t have the skillsets or the experience … You have to do all these other certifications, and even then you’re not necessarily ready, you’re just kind of ready.”
5.2.2.3. Ethical hacking instruction in higher education should be holistic, and interdisciplinary in approach. Ethical hacking skills should be taught in a social science context, as it exists at the intersection of various disciplinary areas, taking an interdisciplinary approach.
Addressing the emerging national and international challenges of a rising and increasingly more complex and internationalized cybersecurity threat landscape will require a broader approach to education “which may not be achieved through dedicated cybersecurity programs” (Radziwill et al., 2015, p. 5). Sociopolitical changes “are introducing new expectations of the current and entering workforce at the same time that they are bringing their own shifting expectations of the workplace. All these changes are creating new opportunities and threats and demanding a reinvention of human resource management” (EDUCAUSE, 2019). Professional ethical hackers increasingly need a strong interdisciplinary foundation to cybersecurity education and governance.
“Penetration testing is a highly technical and complex field. An ethical hacker requires deep knowledge across many areas, including, but not limited to software, hardware, networking, and even human behavior” (Thomas, Burmeister, & Low, 2018, p. 3). Cyber defense research teams increasingly need skills/knowledge beyond computer science, electrical engineering, software and hardware security, “but also political theory, institutional theory, behavioral science, deterrence theory, ethics, international law, international relations, and additional social sciences” (Kallberg & Thuraisingham 2012, p. 2).
Synthesis of ethical hacking as an interdisciplinary research area within the information security field, as a social construction, is inclusive (integrates interests/values of societal stakeholder groups) and puts technology in its theoretical and historical context, as a tool for social progress. Interdisciplinary synthesis contextualizes technology use by integrating knowledge from multiple literature streams and traditions to give a holistic picture about technology use in society. An interdisciplinary approach can help anchor the role of ethical hacking practitioners in historical and theoretical context. For Habash (2019), the composite engineer has a balanced mix of technical and social hacking skills. Further, higher education should take a holistic approach to cybersecurity education by giving the necessary information security education and training to higher education students for self-protection (against privacy attacks) by integrating ethical hacking teaching across all curricula or by offering students security awareness training where the credits are counted toward their total credit requirements (most data breaches are insider’s).
5.2.2.4. CS, CE, and SE curricula should be explicit about the tacit scientific and sociopolitical values that ought to be reflected in the technology design and use (e.g., curricula should mirror society as open, liberal, democratic, scientific, and knowledge making).
5.2.2.5. Ethical hacking instruction in higher education should be constructivist in approach, directly engaging with key societal stakeholder groups in the decision-making/knowledge-making process to integrate their interests/values/needs so as to bridge Teaching vs Practice cybersecurity skill needs.
5.2.3. S&T Innovation initiatives
A public policy initiative was explored comprised of a networked centre of excellence of ethical hacking communities of practice as a knowledge management and risk management/technology governance approach focused on ethical hacking systematization of knowledge/professionalization, including such measures as the certification/licensing and accreditation of skills of professional ethical hacking practitioners to establish credentials.
The standardization and systematization of ethical hacking as a body a knowledge open for scrutiny and peer review is analogous to how the open source community works and its philosophy (PPT11). If you have a proprietary set of skills, and a proprietary set of tools, and a proprietary set of methodology, it’s not going to be widespread and shared, and improved across the industry. But by “bringing it out in the open” by having “a standardized methodology of teaching, a standardized base line of teaching, it allows the opportunity to be peer reviewed, and to be improved, and to be constantly updated” (PPT11).
6. Conclusion
6.1. Summary and implications of the findings
This study explored what are current ethical hacking teaching practices in Canadian higher education (technical and social hacking skills taught and instruction method/approaches) and focused on CS, CE, and SE programs and curricula taught in two Canadian universities as case studies (“what it is”).
A qualitative exploratory case study approach was followed. Data collection consisted of a qualitative systematic review, organizational documentation (course descriptions, course requirements, and bachelor degree majors in CS, CE, and SE programs), and in-depth interviews with ethical hacking university experts, ethical hacking industry practitioners, and policy experts.
The study applied a social systems theoretical framework (STEI-DMG within the STS SCOT tradition) to perform a technoethical-sociotechnical assessment of opportunities and risks involved in using AI powered ethical hacking intelligence-making technology in ethical hacking teaching practices.
Findings shed light on the nature and potential causes of a Teaching vs Practice cybersecurity skill gap in higher education curricula and how to bridge it (“what it should be”).
First, findings pointed to gaps in ethical hacking literature in the Canadian higher education context and in organizational teaching practices at the participating universities regarding what are current ethical hacking teaching practices in CS/CE/SE programs. The study found ethical hacking as an academic discipline remains a grey area. In the Canadian context, there is no agreement on the meaning of ethical hacking or on what might be called a standard ethical hacking curriculum or BoK or on what might be called a standard set of ethical hacking teaching practices.
A survey of CS, CE, and SE undergraduate curricula and programs at the participating higher education institutions for technical and social hacking skills taught found no set of skills or knowledge body of ethical hacking. The most common ethical hacking high-level concepts taught focusing on network penetration testing skills were Network protocols, TCP/IP model, and Access management, at about 70% of examined courses–followed by defense in depth strategies access management/identity and access management, at about 50% of examined courses. A survey of course requirements found there were no “ethical hacking” courses or curricula taught and no requirement to teach a cybersecurity course. No cybersecurity bachelor degree majors were offered.
Second, the study found no national governing framework or policy initiatives to regulate hacking technology use in teaching practices to ensure society’s needs are met (to address a cybersecurity skill gap and a corollary cybersecurity risk to information and to democracy in society).
The noted knowledge/skills/governance gaps need to be addressed or else the status quo constitutes a national security risk due to a cybersecurity skill gap affecting business viability (information security and financial viability/competitiveness), student security and employability/cybersecurity career success, and broader society.
More research is needed to further identify/understand the knowledge and governance gaps, differences in meanings and value perceptions among key stakeholder groups, and to build communities of practice to lead knowledge management and risk management of emergent hacking technologies by expanding data collection and analyses scope and sample size.
6.2. Research contribution
This study addressed 1) a gap in literature on what are current ethical hacking teaching practices in Canadian higher education (content/skills taught and instruction method or approaches) by conducting a qualitative systematic review and an empirical study informed by in-depth interviews and an organizational documentation review of two Canadian universities as case studies; 2) a gap in literature regarding the risks and opportunities of ethical hacking technology to society; 3) a gap in literature on what taught ethical hacking curricula/content and instruction that meets the needs of society should be (a foundational BoK for professional ethical hacking education); and 4) a national gap in governance policy of ethical hacking technology in society.
This study contributed a public policy initiative to regulate ethical hacking technology use in society comprised of a NCE of ethical hacking communities of practice as a knowledge management and risk management/governance approach tasked with the systematization/standardization of an ethical hacking BoK and ethical hacking professional practice, including the certification/licensing and accreditation of skills of ethical hacking practitioners to establish credentials.
6.2.1. Contribution to the field of information security (cybersecurity)
A social science approach and theoretical framework (STEI-KW in the STS SCOT tradition) were used to integrate social relevance into ethical hacking technology definition/role in society as a contribution to the technical field of information security in support of educational policy development.
STEI-KW represents an interdisciplinary synthesis of theoretical strands from the academic disciplines and fields of STS, information security, ethics, and communication studies. It was applied to conceptualize a holistic and interdisciplinary understanding of ethical hacking technology in society–furnishing the foundations of an ethical hacking BoK as an interdisciplinary research area within the information security field.
STEI-KW was applied to conceptualize ethical technology as sociotechnology/social technology mirroring society in properties (structure and values), hence mirroring society in knowledge making/instruction (curriculum development) approach and in values/needs in the produced knowledge (this study theorized technology as a knowledge-making epistemology). This approach to produce knowledge can be used to design ethical hacking teaching practices in support of national security because it addresses society’s needs.
Knowledge making mirrors society in social structure – empirical pragmatic liberal (democratic) epistemology that is inclusive/communal/collaborative, and transparent, and so it integrates the interests/values/needs of key stakeholder groups—students, business/industry, government, and higher education institutions—from problem/technology definition to drafting solutions and implementation by end users, and hence more likely to be broadly accepted and more likely to be fair and efficient.
Ethical hacking as a social construction integrates the skill/knowledge needs of business/industry–technical and social hacking skills/social context and thus supports professional practice and conduct (professional ethics are social/business values).
The content synthesized through this social science approach to knowledge making mirrors society in values–in liberal values, especially sociopolitical and scientific values underlying the behavior of technology use. Content/curricula should be designed for an open, scientific, knowledge making society–and mirrors society in its nature, so curricula should emphasize skills/knowledge relevant to open hacking technologies.
6.2.2. Contribution to the field of STS
The STEI-KW framework as a social systems theory integrates/situates Bunge’s technoethics (1975/1977), philosophy of technology/sociotechnology (1998, 1999), and social systems as sociotechnical systems (1999) within the STS SCOT tradition (Bijker, 1997, 2009; Pinch & Bijker, 1984; Quan-Haase, 2016).
The theoretical framework STEI-KW as a carefully crafted academic idea formalizes a fair and efficient process of knowledge making and political decision making in sociotechnical systems. The framework is explicit regarding how society ought to organize for governance and what sociopolitical and scientific values are at stake. Accountability and transparency are achieved, which is the liberal way of governance.
The theoretical framework takes a comprehensive approach to defining technology/technology’s role in society–by placing technology in its historical and theoretical context to inform policy development.
This is done by understanding technology as sociotechnology imbued with social values –or technology as value, meaning 1) technology is conceptualized in the human mind in relation to its utility and the consequences of its use, 2) technology as a social construction captures the social beliefs, norms, etc. of its society–its use and value are defined and understood within its social context, and 3) a technology exists in various emergent technological ontologies (competing and conflicting meanings and values): ethical hacking technology as technological artifact can have several meanings, e.g., penetration testing, vulnerability assessment, social engineering, etc.; and can manifest as a tool (e.g., a penetration testing piece of software or hardware/machine), as a process or a method or methodologies, as a system, as theories, as ethics, as knowledge, etc.
As a system, ethical hacking would be an emergent system acquiring meaning and value through the ongoing interaction of its components/(sub)systems (including systems of meanings and societal concepts/other social contradictory and competing values) and through its interaction with its environment and other extraneous systems. These technological ontologies are not mutually exclusive, it should be clear, and can co-exist in competition and in reciprocal and interdependent (contextual) relations, influencing each other’s meaning(s).
This is why a systems approach is needed, to capture the emergent holistic meaning of a technology in society–how its meaning emerges from the interaction of its components among themselves and with other concepts and systems of meanings over time.
We can thus consider ethical hacking technology as a tool of penetration testing and as a process (this study has focused on the intelligence making or discovery phase of the penetration testing process), as the most prevalent definition of ethical hacking from within the information security field.
The holistic meaning of ethical hacking technology only emerges when we study ethical hacking meaning(s) from outside a technical information security field and anchor it in its historical and theoretical context–when, as we have done in this study, anchor its meaning/role/utility/nature in a conception of society in a broad theoretical and philosophical sense (see Table STEI-KW and Society) to eventually conceptualize it as a teleological, problem-solving process of knowledge making or an educational technology.
STEI-KW was applied in the study in three main ways: 1) As a social systems theory of Canadian society with core system properties/liberal values of an open/liberal, scientific, knowledge-making/rational-constructivist sociotechnical society—which is an epistemology of empirical pragmatism and transactional realism “reconciling” rationalism and empiricism; 2) as “technology,” a knowledge-making epistemology–technology use as ethical knowledge making/ethical intelligence making (as ethical penetration testing); and 3) as a technology impact assessment and governance framework (STEI-DMG).
6.2.3. Contribution to pedagogy across disciplines in higher education
This study contributed a value sensitive design (VSD) framework based on STEI-KW for the effective design of teaching practices, curricula content and instruction (see Table: VSD knowledge management framework based on Bunge’s philosophy of technology as sociotechnology).
6.2.3.1. Situated within the STS SCOT tradition, technology is understood as sociotechnology, a socially constructed technology mirroring the society that produces it in social properties (values, knowledge making/decision making, and social structure).
6.2.3.2. The study proposes a new approach toward teaching ethical hacking, which will have direct impact on institutions of higher education as an important contribution to pedagogy (Quan-Haase, personal communication, February 28, 2020). The study employs a constructivist approach grounded in STS and directly engages with key stakeholder groups including industry practitioners, university experts, and policy experts in the knowledge making and risk assessment process throughout the life cycle of the technology innovation process–from formalizing foundational definitions, problem definition, research/technology assessment, and policy development, to knowledge dissemination and technology implementation by end users.
Thus communities of practice as a knowledge management approach integrates the interests of key stakeholder groups in the knowledge making process and bridges Teaching and Practice. The approach is a way of knowledge mobilization that reinforces the links between research, policy, and practice. Knowledge dissemination happens as part of collaborative multi-stakeholder research. As such, the approach bridges theory and practice–bridges technology design and use.
6.2.3.3. Instruction in higher education should take a systemic, holistic, and interdisciplinary approach to knowledge making. Thus this study integrated a social science context into ethical hacking technology meaning/use/value within the STS tradition via interdisciplinary synthesis by defining ethical hacking as an interdisciplinary area.
6.2.3.4. Technology’s role/utility in society is defined through a comprehensive systems approach by placing it in its historical and theoretical context, thus seeing technology as an educational tool (technology), as a social system, as knowledge, and as a teleological knowledge making process designed for social progress.
6.3. Limitations of the study
Theorizing ethical hacking as a social construct ultimately improves national security and public safety through improved knowledge management. It facilitates effective (fair and efficient) use/governance of technology in society. Key strengths of ethical hacking as a social construct include 1) it would reflect society/society’s needs by integrating interests/values/needs of key societal/stakeholder groups thus help bridge the Teaching vs Practice cybersecurity skill gap; 2) it supports professional practice–it embodies or reflects the professional ethics and the sociological context of using technology (social properties); and 3) it can improve the likelihood of success because it would be more likely to gain broad public acceptance.
Methodological limitations include sample size (organizational documentation and interview participants/stakeholder participation), for example, in course description surveys it could not be determine whether social hacking skills were integrated (contextualized) with technical hacking skills and if so to what extent. A deeper understanding of instruction of ethical hacking in Canadian universities needs a larger sample size to detect patterns and associations.
Key methodological limitations pertain to the validation of findings: The findings can be further validated via expanding the number of participating higher education institutions in future studies investigating ethical hacking teaching practices and the cybersecurity skill gap, and increasing the number of interview participants (expanding the sample size as well as incorporating the perspective of CS, CE, and SE recent university graduates especially regarding their views on skills around a Teaching vs Practice gap).
A principal theoretical study limitation would be the specificity of STEI-KW for Canadian society or liberal democracies–it needs development within an international and global governance framework to integrate cultural differences.
Other study limitations include a limited treatment of business intelligence and state intelligence and their effect on society–how they present a cybersecurity risk to information security privacy (confidentiality and autonomy) and how to mitigate these risks through VSD using STEI-KW; not performing a SWOT analysis of privacy regulations in Canada and the U.S.; and not including a more expanded analysis of AI applications in network security intelligence gathering.
6.4. Future research directions
To address a cybersecurity skill gap and a rising crime risk to society, including a rising risk of student hacking crime, higher education should lead the process of ethical hacking knowledge management in society by focusing on establishing effective ethical hacking teaching practices in higher education–specifically, by way of a public policy initiative to standardize and systematize an ethical hacking BoK and establish criteria and procedures for the licensing and accreditation of professional ethical hacking.
Two main lines of research are proposed. First, ethical hacking research management (technology governance via policy innovation): The “dichotomy” between society and technology: How science and technology shape society (social impact), and how in turn society shapes the course of science and technology innovation (governance). Second, further develop the professional ethical hacking battery of skills framework and analysis (and social theories) to further shed light on the nature and causes of a rising cybersecurity risk in society, including a cybersecurity skill gap between teaching and practice and how to bridge it.
References
Citation
Cite this article
Cite the original PhD thesis
