The ethical teaching of ethical hacking

My uOttawa PhD thesis exploring ethical hacking teaching practices in Canadian higher education, completed in 2020 at uOttawa engineering (the PhD in DTI uOttawa Program), contributed a set of implementable policy recommendations to inform effective ethical hacking teaching practices in computer science, computer engineering, and software engineering undergraduate programs – spanning instruction (approach), curricula content (what professional ethical hacking skills should be taught), and S&T innovation/technology governance (a public policy initiative). This page discusses the recommendations for the instruction approach, that is, the ethical teaching of ethical hacking.

The implementable policy recommendations were synthesized from literature reviews, in-depth interviews, organizational document reviews, a technology impact assessment using STEI-DMG, and theory (STEI-KW as a knowledge-making epistemology or technology). See The case study methodology. Situated within the science and technology studies (STS) social construction of technology (SCOT) tradition, ethical hacking technology is understood as sociotechnology: a socially constructed technology mirroring society in its social properties (social structure and social values). Curricula should teach, and apply in teaching, society’s social properties/values. See Table: Theoretical justifications for the instruction approach recommendations.

The purpose of these recommendations is to help bridge a Teaching vs Practice cybersecurity skill/knowledge gap in Canadian higher education, a gap that underlies societal vulnerability to cybercrime, rising student hacking crime, and a cybersecurity skills gap.

You may also be interested in Canadian identity as an academic idea.

Table: Theoretical justifications for the instruction approach recommendations

Columns (instruction approach recommendations):

1. Teaching should be constructivist in approach, directly engaging with key stakeholder groups in knowledge making
2. Ethical hacking instruction should be interdisciplinary and holistic, taking a systems approach
3. Make teaching ethical hacking skills/a cybersecurity course a program requirement
4. Include more offensive hacking skills in the curricula
5. Instruction should emphasize hands-on/project-based training
6. Instruction should emphasize in-demand skills/specializations
7. Adopt an ethical hacking paradigm to teaching students hacking skills

Rows (social system properties), each followed by the recommendations it justifies, marked Y (Yes) in the original table; the column positions of the marks were lost when the table was flattened, so only the number of marked recommendations per row is given:

Social structure (political decision-making/knowledge making/governance)

1. Liberalism/stakeholder-based governance (democracy)
2. Open society
3. Pluralism
4. Society as a social system

Marked recommendations: 2 (Y, Y)

Social values (sociopolitical values, ethical values/ethics, scientific values)

Sociopolitical values

1. Liberalism, openness, pluralism
2. Multi-stakeholder interests/values/needs

Marked recommendations: 5 (Y, Y, Y, Y, Y)

Ethics

1. Pragmatic ethics
2. Deontology/duty ethics
3. Rights ethics
4. Virtue ethics
5. Utilitarianism

Marked recommendations: 5 (Y, Y, Y, Y, Y)

Scientific values

1. Scientific method steps/process
2. Characteristics of the scientific method
3. Scientific method theory/principles: non-justificationist epistemology underlying a constructivist theory of knowledge making (empirical pragmatism as constructivism)

Scientific knowledge making entails: a systematic approach to knowledge management; collaborative/democratic/inclusive knowledge making; knowledge/truth is what the group investigating it would agree to (Dewey); knowledge has a sociocultural/intersubjective ontology (Dewey); project-based learning and hands-on training (learning by doing/Dewey’s transactional realism; knowledge has a subjective ontology); tacit values made explicit (to reduce equivocality/uncertainty); learning as a problem-solving inquiry (Dewey).

Marked recommendations: 1 (Y)

Recommendations for the instruction approach of ethical hacking

1. Ethical hacking instruction should be constructivist in approach, directly engaging with key societal stakeholder groups (society, higher education, business/industry, and government) in the knowledge making/curriculum development process to integrate their interests/values/needs.

2. Ethical hacking instruction should be interdisciplinary and holistic, taking a systems approach.

Ethical hacking skills should be taught in a social science context, and instruction should emphasize open technologies. Addressing the emerging national and international challenges of a rising, increasingly complex, and internationalized cybersecurity threat landscape will require a broader approach to education “which may not be achieved through dedicated cybersecurity programs” (Radziwill et al., 2015, p. 5). Sociopolitical changes “are introducing new expectations of the current and entering workforce at the same time that they are bringing their own shifting expectations of the workplace. All these changes are creating new opportunities and threats and demanding a reinvention of human resource management” (EDUCAUSE, 2019). Professional ethical hackers increasingly need a strong interdisciplinary foundation in cybersecurity education and governance.

“Penetration testing is a highly technical and complex field. An ethical hacker requires deep knowledge across many areas, including, but not limited to software, hardware, networking, and even human behavior” (Thomas, Burmeister, & Low, 2018, p. 3). Cyber defense research teams increasingly need skills/knowledge beyond computer science, electrical engineering, and software and hardware security, “but also political theory, institutional theory, behavioral science, deterrence theory, ethics, international law, international relations, and additional social sciences” (Kallberg & Thuraisingham, 2012, p. 2).

Synthesis of ethical hacking as an interdisciplinary research field, as a social construction, is inclusive (it integrates the interests/values of societal stakeholder groups) and puts technology in its theoretical and historical context, as a technology for social progress. Interdisciplinary synthesis contextualizes technology use by integrating knowledge from multiple literature streams to give a holistic picture of ethical technology use in society. The composite engineer (Habash, 2019) or technologist has a balanced mix of technical and social hacking skills. Further, higher education should take a holistic approach to cybersecurity education by giving higher education students the information security education and training they need for self-protection (against privacy attacks), either by integrating ethical hacking teaching across all curricula and/or by offering students security awareness training whose credits count toward their total credit requirements.

3. Make teaching ethical hacking/a cybersecurity course a program requirement.

There was no requirement to teach a cybersecurity course in the surveyed CS, CE, and SE programs, even though cybersecurity professionals are currently in high demand (Radziwill et al., 2015). There was wide agreement within literature (Hartley, 2015; Logan & Clarkson, 2005; Pashel, 2006; Pike, 2013; Sharma & Sefchek, 2007) – and all interviewed ethical hacking experts and practitioners concurred – that teaching students hacking skills carries a net benefit to society.

4. Include more offensive hacking skills in the curricula.

Not understanding how offensive computer hacking technologies are used in the wild amounts to a national security vulnerability (PPT11, PPT12). It is through practicing offensive hacking that a student can learn effective defence.

Interview Participants by Area of Expertise

Interviewed participants from both camps – those who teach and those who practice ethical hacking or hire ethical hackers – supported the need to teach higher education students studying in CS and CE disciplines offensive hacking skills, but with seemingly different levels of emphasis. Industry practitioners seemed generally more emphatic or explicit about the need for real-life offensive skills.

“The stuff you see in school is defensive that’s being taught, how to secure systems” (PPT11).

If an organization wants to do it right … you want to get the people who could do it for malicious reasons. It’s the same skill sets. If you don’t have the same skill sets, the danger is adding it in such a way that would leave security holes or will leave potential attacks or potential attack surface which won’t be revealed. (PPT12)

For PPT12, teaching students hacking skills would entail teaching them how to find holes in software and network systems and how to conduct a full-blown attack on an IT infrastructure or information management system. “For me, ethical hacking is done in an organization who wants to improve their security posture by doing full-blown cybersecurity attacks on their infrastructure.”

Basically finding holes in either the software infrastructure, could be the network infrastructure, could be the hardware involved as well. It could involve bad procedures which could lead eventually to a security hole and I would also include social hacking techniques as part of ethical hacking. (PPT12)

In comparison to interviewed ethical hacking industry practitioners, university experts seemed less emphatic about the need to teach students more offensive hacking skills.

As a professional engineer, I’m bound by the PEO code of ethics, and among the items in that, I shouldn’t bring the profession into disrepute. So one has to be careful to be completely above-board, and make sure that one doesn’t, for example, get bad press for teaching hacking. Because that could be considered to be bringing the profession into disrepute. I’m also bound by the software engineering code of ethics, the ACM code of ethics, the IEEE code of ethics … I’m bound by a number of codes of practice. (PPT3)

The university experts’ general endorsement of teaching more offensive computer hacking skills can be construed from a combination of key words or expressions they used, and a seeming emphasis on certain defensive concepts such as vulnerability discovery, developing secure code, and security testing.

Interviewed ethical hacking university experts on teaching students offensive hacking skills (table)

5. Instruction should emphasize hands-on/project-based training and offer in-demand cybersecurity specializations.

Interviewed ethical hacking industry practitioners emphasized the necessity of hands-on training and cybersecurity specializations in education.

You need some hands-on experience, and that’s where things like co-op programs come in. I’ve hired a number of co-op students, and if after two or three work terms, yes, they’re market ready, but they need to have the hands-on, practical, in-the-field experience in security. (PPT11)

PPT6 says “right now, I mean, it’s really hard to get that job right out of university because you don’t have the skillsets or the experience … You have to do all these other certifications, and even then you’re not necessarily ready, you’re just kind of ready.”

6. Higher education should adopt an ethical hacking paradigm to teaching students hacking skills.

This entails two things. First, CS, CE, and SE programs should teach students technical hacking skills in conjunction with mitigation countermeasures – the ethical and legal consequences of misusing hacking skills (a prevention component) – and with hacking taught as a comprehensive audit, i.e., as skills in assurance (QA/IA governance approaches). Technical hacking instruction should be contextualized within ethical and social hacking skills. From the perspective of software security, CS programs should teach students hacking skills as skills in assurance (Radziwill et al., 2015). Students need to learn vulnerability discovery as well as mitigation and defence skills as part of a QA approach. Students should be able to “perform vulnerability assessments on the entire spectrum of data assets: Applications, policies, procedures, and physical infrastructure,” but hacking performed on a network “should be part of a larger security audit process designed to reveal vulnerabilities and improve security policies and procedures” (Logan & Clarkson, 2005, p. 158). Second, CS, CE, and SE programs should integrate the professional values/ethics of ethical hackers and the social science context of technology use (the sociopolitical, ethical, and scientific values underlying the behavior of professional practitioners). The programs should also integrate business interests/values/ethics/needs in curricula (safety, security, and social responsibility).

7. There is a need to standardize/systematize an ethical hacking body of knowledge and to professionalize the ethical hacking occupation via licensing, certification, and accreditation programs.

8. Instruction should be explicit about the tacit sociopolitical, ethical, and scientific values underlying the behavior of professional ethical hacking practitioners in alignment with (to reproduce) society’s values. Curricula should be explicit about the values that ought to be reflected in technology use/design (e.g., the rights to privacy and free speech).

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society [Doctoral dissertation, University of Ottawa]. uO Research.

Canadian identity as an academic idea

Ethical assessment of teaching ethical hacking

Professional ethical hacking body of knowledge

Scientific method in research

The ethics of ethical hackers

The ethics of ethical hacking
