The ethics of ethical hacking

The ethics of ethical hacking are discussed here under two themes – the value of ethical hacking (for an organization) and the ethics of professional ethical hacking (for an organization). Both themes are elaborated based on the descriptive ethics of key stakeholder groups within a Canadian university.

This discussion is based on a uOttawa MA in Communication thesis (2015) on ethical hacking communication and management within an organization titled Technoethics and organizing: Exploring ethical hacking within a Canadian university. In-depth, semi-structured interviews were conducted at the participating research site with five IT and information security experts and practitioners with first-hand expert knowledge in ethical hacking teaching and practice. Other data collection methods included a comprehensive organizational document review and a literature review.

  • The value of ethical hacking
  • The ethics of professional ethical hacking
  • The Meta-Ethics of Ethical Hacking Table

You may also be interested in The ethics of ethical hackers.

The value of ethical hacking

The ethics of ethical hacking are understood here as pragmatic ethics, more specifically, as the pragmatic ethics of Mario Bunge’s pragmatic value theory, and thus constitute a risk management decision-making framework comprised of a value theory and a process or technique for prioritizing security risks and countermeasures.

Goals and Possible Side Effects of Ethical Hacking

Participant perceptions about ethical hacking ends (goals) fell under two broad themes, namely, management aspects and technical aspects. Expert A, Expert D, Expert C, and organizational documentation P2 presented ethical hacking mainly as a tool used to pursue management goals (e.g., improvement of information security and protection of data assets). Expert B and Expert E saw it mainly as a tool used to pursue technical goals (e.g., vulnerability assessment).

For Expert A, ethical hacking was used to achieve “continuous improvement of information security, in partnership with the greater community.” For Expert D, Expert C, and according to documentation P2, ethical hacking was used to protect the information assets. The end goal of ethical hacking use was “to make sure that the application that you are trying to protect is protected,” said Expert C. According to organizational documentation P2, information assets, including software, software applications, and data, should be protected from unauthorized alteration or damage, that is, from potential threats to the confidentiality, integrity or availability of information. For Expert B, a main goal of ethical hacking was to discover systemic vulnerability sources. Ethical hacking was used to “run in-house vulnerability testing on servers, assess the vulnerabilities in the used software, and explore new sources of vulnerability” (Expert B). For Expert E, in general, the goal of ethical hacking was to identify vulnerabilities and fix them before a hacker exploits them. Ongoing improvement in information security performance is a strategic information security management goal. A second goal is safeguarding the information assets (Dhillon, 2007; Engebretson, 2013; Graves, 2010; Landoll & Landoll, 2005; Peltier, 2004a, 2004b, 2005; Reynolds, 2012).

Perceptions about possible side effects of ethical hacking use in the participating organization entailed sociocultural, technical, and financial perspectives. The primary concern for Expert B and Expert A was sociocultural, namely, that ethical hacking had a PR stigma attached to it. “People may fear their information will be compromised during ethical hacking,” said Expert A. The primary concern for Expert E and Expert C was technical, namely, that ethical hacking can damage the information system or destroy data if not performed properly. Secondarily for Expert C, the system may remain exploited after ethical hacking was performed. A secondary concern for Expert A was technical, namely, accidental damage to the system during ethical hacking procedures. The main concern for Expert D was financial, that documents related to ethical hacking (reports and strategy) can get stolen. A secondary concern for Expert D was financial, that investments were needed to upgrade the system. A secondary concern for Expert E was financial, that ethical hacking may be costly.

Perceived Means of Ethical Hacking

Organizational understandings about ethical hacking means (technologies or methodologies) used in the university focused on the technical application of ethical hacking as a risk assessment methodology using software programs. Expert B, Expert D, Expert E, Expert A, and Expert C agreed both commercial and open source resources were used in information security risk assessment practices. But while Expert B, Expert D, Expert E, and Expert A emphasized the use of open source technologies, Expert C emphasized the use of commercial software.

For Expert A, the organization can use open source technologies for threat risk assessment. Secondarily, the organization can use well established standardized threat risk assessment methodologies. For Expert B, the university would typically use some commercial ethical hacking software, but “when it comes down to the difficult stuff, I think it is mostly open source.” For Expert D, primarily, the “IT professional staff can use open source as long as they consult with their superiors.” Secondarily, the organization can use hacking open source software such as “script kiddy and download” for free, or it can buy commercial software costing up to $5,000. Primarily for Expert C, commercial software may be more suitable than open source because some application programs that are more suitable for the organization are commercial rather than open source, and commercial software vendors are more likely to have more readily available updated security patches than are open source. Secondarily, “budgetary constraints may drive an organization to the open source route.” For Expert E, in general, the information security testing methodology as well as the used software tools were open source based, though commercial tools were also available.

Perceived Value of Ethical Hacking

The value of ethical hacking for the organization can be located in its utility in risk assessment processes, and can be understood from management and technical perspectives. From a management perspective, the organizational value of ethical hacking can be located in its utility as a value system (as a risk based approach) for decision making about suitable security defenses and countermeasures. From a technical perspective, the value of ethical hacking can be located in its utility as a process to understand and prioritize security risks.

Expert B and Expert C emphasized the use of ethical hacking as a pragmatic value system to help make decisions about suitable countermeasures by weighing the risks of being attacked and the associated damage costs against the cost and effectiveness of countermeasures, that is, by weighing costs against benefits. To determine value, estimate how likely an attack is to happen, what the consequences would be if it did, and what it would cost to prevent it from happening, said Expert B. Secondarily for Expert B and Expert C, ethical hacking was a process or a methodology to help decision makers understand and prioritize risks. The organization cannot perform ethical hacking against all the applications in the environment, they said. “You have to prioritize,” argued Expert C. “The Internet layer should be protected first, and then you can work on other things.” Similarly, Expert E and organizational documentation P2 emphasized the use of ethical hacking as a process to help decision makers understand and prioritize risks. Expert E argued the professional hacker “asks the client about the value of the assets, assesses the threats and the potential attacks on the assets, and examines the security mechanisms.” The organizational documentation P2 emphasized the utility of ethical hacking as a process of risk assessment: a process of determining the different threats to the information assets, estimating the probability of their occurrence and their potential consequences, and determining the costs of increased protection. Secondarily for Expert E and organizational documentation P2, the value of ethical hacking can be found in its utility as a pragmatic, risk based value system for decision making.
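The weighing Expert B describes (how likely an attack is, what it would cost, and what prevention would cost) and the prioritization Expert C argues for, carried through in code as an added example; this is not code from the thesis or the participating organization, and the assets, frequencies, loss figures and reduction factors are constructed values for illustration only.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Threat:
    asset: str
    event: str
    annual_frequency: float  # expected occurrences per year (estimate)
    impact_cost: float       # loss per occurrence, in dollars (estimate)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float       # yearly cost of the control
    risk_reduction: float    # fraction of expected loss it removes, 0.0-1.0

def annual_loss_expectancy(t: Threat) -> float:
    # Expected yearly loss = likelihood x consequence.
    return t.annual_frequency * t.impact_cost

def net_benefit(t: Threat, cm: Countermeasure) -> float:
    # Loss avoided by the control minus what the control costs per year.
    return annual_loss_expectancy(t) * cm.risk_reduction - cm.annual_cost

def prioritize(threats: List[Threat]) -> List[Threat]:
    # Largest expected loss is assessed (and defended) first.
    return sorted(threats, key=annual_loss_expectancy, reverse=True)

def decide(t: Threat, options: List[Countermeasure]) -> Tuple[str, float]:
    # Choose the option with the highest positive net benefit; if every
    # control costs more than it saves, the risk is accepted.
    best = max(options, key=lambda cm: net_benefit(t, cm), default=None)
    if best is None or net_benefit(t, best) <= 0:
        return ("accept risk", 0.0)
    return (best.name, net_benefit(t, best))

# Constructed sample inputs (illustrative figures, not from the thesis).
THREATS = [
    Threat("lab workstation", "commodity malware", 2.0, 2_000),
    Threat("internal file server", "ransomware", 0.1, 150_000),
    Threat("public web application", "data breach", 0.5, 200_000),
]
OPTIONS = {
    "public web application": [
        Countermeasure("annual pen test + patching", 20_000, 0.6),
        Countermeasure("web application firewall", 30_000, 0.5)],
    "internal file server": [Countermeasure("offline backups", 5_000, 0.7)],
    "lab workstation": [Countermeasure("endpoint protection", 6_000, 0.8)],
}

def plan() -> List[Tuple[str, float, str, float]]:
    # (asset, expected loss, chosen control, net benefit), highest risk first.
    return [(t.asset, annual_loss_expectancy(t), *decide(t, OPTIONS[t.asset]))
            for t in prioritize(THREATS)]
```

With these figures the Internet-facing application comes first, its pen-test option beats the firewall on net benefit, and the workstation risk is accepted because every control costs more than the loss it would avert.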

The ethics of professional ethical hacking

Organizational understandings about the ethics of professional ethical hacking fell under two general themes. It is ethical in that it follows a technical process (of risk assessment), and it is ethical in that it follows a legal process (of authorized risk assessment). In other words, ethical hacking was seen as a technical process of risk assessment (Expert E, Expert B, and Expert A) and as a legal process of authorized risk assessment (Expert D, Expert E, and Expert C).

Expert E recognized ethical hacking as a technical process of threat risk assessment, arguing it was “a systematic approach to understanding a) what are the threats, b) what are the assets, c) what is the value of the assets, and d) what is the possibility people will attack these assets.” Expert B argued there was nothing ethical about ethical hacking, “it is a technical process” of risk assessment. Expert A argued “the ethics is about the process of hacking, not the reason the hacking is being done.” The ethical hacking process for Expert A, a) does not harm and there is no intent to do harm; b) stipulates an ethical responsibility to avoid harm; c) reports on the findings; d) “recognizes that there are guidelines about what you can do”; e) “recognizes that there is a moral imperative toward the public good”; and f) “recognizes that it is done at a professional capacity.”

Expert D and Expert C emphasized the legal aspects of ethical hacking. For Expert D, ethical hackers a) have legal authorization from top level management to perform hacking. They can “hack the system officially; in the legal sense”; b) follow best practices; c) follow organizational policies; and d) recommend mitigations for information security holes. For Expert C, ethical means following a policy or a legally binding agreement. “Ethical is legal.” Ethical hackers follow a legal process. They must have permission to hack. “They must have a contract signed with an organization giving them permission to expose company data before starting to hack.” Secondarily for Expert E, ethical hackers are usually invited by the asset owner to perform hacking to find vulnerabilities and fix them. They gain access to the resource legally, and communicate the results to the owner of the assets.

For key stakeholder groups: 1) Ethical hacking was ethical in that it followed a technical-pragmatic process of risk assessment (Expert E, Expert B, and Expert A). Expert B argued that there was nothing ethical about ethical hacking, “it is a technical process.” Expert A argued “the ethics is about the process of hacking, not the reason the hacking is being done”; 2) ethical hacking was ethical for being a legal process (Expert D, Expert E, and Expert C). For Expert C, “ethical is legal.” Ethical hackers “must have a contract signed with an organization giving them permission to expose company data before starting to hack.” For Expert E, ethical hackers are usually invited by the asset owner to perform hacking to find vulnerabilities and fix them.

A meta-ethical analysis can further help clarify the ethics of ethical hacking. Garner and Rosen (1967) outline three key meta-ethical questions that can be used to conduct a meta-ethical analysis: 1) What is the meaning of moral terms or judgments? 2) What is the nature of moral judgments? 3) How may moral judgments be defended? These meta-ethical questions are elaborated in a table (The Meta-Ethics of Ethical Hacking Table) from several perspectives, including theoretical, empirical, scholarly, and commercial.

The Meta-Ethics of Ethical Hacking Table

Columns: Perspective; Ethics Type (What is the nature of moral judgments?); Ethical is…; Meta-ethics (What is the meaning of moral terms or judgments?); Philosophy/Epistemology/Axiology (How may moral judgments be defended?).

TEI-KW (Technoethical Theory paired with Weick’s Sensemaking model)
  • Ethics type: Normative (prescriptive)
  • Ethical is…: Ethical is effective. Effective: efficient and fair.
  • Meta-ethics: Efficient and fair according to TEI steps 1-3. Efficient: on weighing goals against side effects, and means against ends, the output (overall value) balances the input. Fair: refers to stakeholder perceptions about fairness in implementing ethical hacking practices in the organization.
  • Philosophy/Epistemology/Axiology: Teleological-Pragmatic-Instrumental

TEI-DMG (TEI Decision-making Grid)
  • Ethics type: Normative (prescriptive)
  • Ethical is…: Ethical decision-making is effective decision-making. Effective: holistic/efficient and fair.
  • Meta-ethics: Holistic means multi-disciplinary and inter-disciplinary (systemic). A holistic approach supports efficient decision-making by virtue of being more informed decision-making. Fairness refers to a broader inclusion of perspectives and stakeholder priorities in the decision-making process about ethical hacking organizational practices.
  • Philosophy/Epistemology/Axiology: Teleological-Pragmatic

Ethical Hacking as Information Security Risk Assessment
  • Ethics type: Normative (prescriptive)
  • Ethical is…: Ethical action is action effective in achieving a reasonable risk level. Risk levels help risk managers select appropriate security controls and countermeasures to lower the risk to an acceptable level (Landoll & Landoll, 2005; Peltier, 2005).
  • Meta-ethics: From a technical perspective, ethical hacking is a process to understand and prioritize security risks. The goal of risk assessment is “to identify which investments of time and resources will best protect the organization from its most likely and serious threats” (Reynolds, 2012, p. 103). From a management perspective, ethical hacking is a pragmatic value framework for ethical hacking decision-making. According to the General Security Risk Assessment Guidelines (ASIS International, 2003), the basic components or steps in a security risk assessment protocol include: identifying assets; specifying loss events (threats); frequency of events; impact of events; options to mitigate; feasibility of options; cost/benefit analysis; and decision.
  • Philosophy/Epistemology/Axiology: Teleological-Pragmatic-Risk-based; Instrumental-Rational

Certification/Commercial (according to the International Council of Electronic Commerce Consultants (EC-Council), www.eccouncil.org)
  • Ethics type: Descriptive ethics
  • Ethical is…: Ethical hackers are skilled and knowledgeable (IT and information security) professionals usually employed with an organization who look for vulnerabilities in target systems and can be trusted to “undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker”; and who use the same knowledge and tools as malicious hackers but in a lawful and legitimate manner to assess the security posture of target systems.
  • Meta-ethics: A Certified Ethical Hacker is “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of the target system(s).” An “Ethical Hacker” is “an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker.”
  • Philosophy/Epistemology/Axiology: Teleological-Pragmatic; Virtue Ethics

Literature Review (Graves, 2010; Harris, 2007; Palmer, 2001)
  • Ethics type: Descriptive ethics
  • Ethical is…: Ethical hacking is holistic and strategic. Ethical hacking is legal. Ethical hacking is virtuous action.
  • Meta-ethics: Ethical hackers should address both systemic vulnerabilities and preventive measures (Harris, 2007; Palmer, 2001). The practices of professional ethical hackers are governed by a legal framework; ethical hackers should always obtain permission from the data owner before attempting to access the computer system or network (Graves, 2010; Palmer, 2001). Ethical hackers should gain the trust of clients (Graves, 2010; Palmer, 2001), and they should take “all precautions to do no harm to their systems during a pen test” (Graves, 2010, para. 1).
  • Philosophy/Epistemology/Axiology: Teleological-Pragmatic-Systemic; Rational/Legal; Virtue Ethics

Interview Participants
  • Ethics type: Descriptive ethics
  • Ethical is…: Ethical hacking constitutes economical and legal organizational choices in information security risk management.
  • Meta-ethics: For key stakeholder groups: 1) Ethical hacking was ethical in that it followed a technical-pragmatic process of risk assessment (Expert E, Expert B, and Expert A). Expert B argued that there was nothing ethical about ethical hacking, “it is a technical process.” Expert A argued “the ethics is about the process of hacking, not the reason the hacking is being done.” 2) Ethical hacking was ethical for being a legal process (Expert D, Expert E, and Expert C). For Expert C, “ethical is legal.” Ethical hackers “must have a contract signed with an organization giving them permission to expose company data before starting to hack.” For Expert E, ethical hackers are usually invited by the asset owner to perform hacking to find vulnerabilities and fix them.
  • Philosophy/Epistemology/Axiology: Rational-Instrumental

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university (2015-04-24T13:40:05Z) [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.
