Issues of Implied Trust in Ethical Hacking

Thomas, Georg

Charles Sturt University, School of Computing and Mathematics

Burmeister, Oliver

Charles Sturt University, School of Computing and Mathematics

Low, Gregory

SQL Down Under

Corresponding Author: Georg Thomas, gethomas@csu.edu.au

Abstract: This paper discusses the issues of implied trust in ethical hacking. Unlike many other long-established professions, such as lawyers, doctors, and accountants, ethical hacking is a relatively new profession. As a result, this profession does not currently have a uniform or mandated code, nor does it require any form of licensing. Because ethical hackers could gain access to highly sensitive and confidential information and there is potential for misuse of such information, the need to ensure professionalism is maintained through ensuring competence and ethical behavior is critical.

Keywords: Ethical hacking, penetration testing, implied trust, professionalism, code of conduct, regulation.

Citation: Georg, T (2018). Issues of Implied Trust in Ethical Hacking. ORBIT Journal, 2(1). DOI: 10.29297/orbit.v2i1.77

Introduction

Over the past decade, the prevalence and frequency of data breaches has increased. According to the annual Verizon Data Breach Investigations Report (DBIR), 62% of breaches occur as a result of hacking (Verizon, 2017). Regional reports, such as the Telstra Cyber Report, predict that 59.6% of threats in Asia and 52.6% of threats in Australia will originate from external hackers.

The average time it takes to detect a breach is reported to be between 99 and 172 days depending on the region (Mandiant, 2017). This metric is measured from when an organization is first breached to the time the breach is detected. There are several ways detection can occur, and it is not limited to the specific detective tools that an organization has implemented. It can also include the disclosure of information on public sources, such as Twitter, Reddit, and Pastebin, or an external party alerting the organization that they have been breached.

The first half of 2017 saw security breaches exposing over 16 million records (Identity Theft Resource Center, 2017). However, in September 2017, consumer credit reporting agency Equifax reported a breach that affected 145.5 million individuals (Equifax, 2017). In addition, several other security incidents that had devastating effects occurred. A series of ransomware attacks occurred around the globe in May and June of 2017, the impact of which was exacerbated by leaked US National Security Agency exploits named EternalBlue and DoublePulsar (Goodin, 2017). These were subsequently used in ransomware named WannaCry and Petya that destroyed systems by encrypting the data on them and demanding a ransom payment in Bitcoin. Notably, the UK National Health Service (NHS), global law firm DLA Piper, and global logistics and transport firm TNT were affected, which likely resulted in not only substantial monetary losses but reputational harm, and harm to those that these organizations provide services to. The NHS, for example, had difficulties accessing patient records and subsequently had to cancel patient appointments and non-urgent surgeries, and divert ambulances (Collier, 2017).

What is common in all these examples is that for a breach to be successful, a vulnerability needs to exist that can then be exploited. Vulnerabilities can exist not only as technical vulnerabilities such as missing security "patches" but also as vulnerabilities in processes or people. Technical vulnerabilities can be identified by a number of means: by the developer of the system or platform, by security researchers, through 'bug bounty' programs, or by a hacker. They can either be discovered in labs when the software is being developed and tested, or in live environments. It is when they are in live environments, such as being used by an organization, that exploitation is the most dangerous.

A number of automated tools or manual techniques can be used to identify technical vulnerabilities. Similarly, technology can be used to conduct attacks against people, as seen in email-based 'phishing' campaigns, or when an attacker uses a phone to call or send an SMS message to a potential victim. Attacks can also occur in person, where a hacker tries to gain access to a physical building. Malicious hackers use the vulnerabilities to carry out attacks generally for financial gain, personal gain, or to cause mischief.

It is widely accepted that a multilayered 'defense in depth' approach is needed to protect against modern threats. This includes not only identifying purely technical vulnerabilities, but those that are people related. Over the past few years the focus has shifted from just the technical aspects of information security to include the "human factor" or people-based aspects (Eminağaoğlu, Uçar & Eren 2009, p223).

Traditionally a defensive approach of implementing technical controls has been used to protect organizations (Thomas, 2017). This approach leveraged technologies such as firewalls, antivirus/antimalware software, network segmentation, and access control lists to defend against unauthorized access. It became apparent that this alone was insufficient to protect an organization, and although these controls are still fundamental to protecting an organization, many more controls and approaches are now applied. This includes addressing the human factor through security awareness training, which aims to educate users on best security practices and on detecting malicious activities such as phishing e-mails. Phishing involves an attacker sending an email that tricks the recipient into divulging secret information such as usernames and passwords (Thomas, Burmeister, Low, 2017, p2). This method is the most prevalent form of social engineering attack used (Verizon, 2017). Phishing can circumvent many traditional security controls, as systems generally let e-mail in and attackers can often craft their phishing emails to look like legitimate email and therefore bypass detection controls.

There has also been an increase in the use of artificial intelligence in security prevention and detection tools. Traditional systems leveraged signature-based detection, which was only able to detect previously known threats. This resulted in shortfalls when it came to unknown threats. Known threats such as previously reported malware were stopped using these traditional methods, but not threats such as brand-new 'zero-day' malware, hackers that had breached systems and were likely using legitimate tools to move throughout the network, and insiders, which account for 55% of threats to organizations (Thomas, Duessel, Meier, 2017) (Verizon, 2015) (IBM, 2015). Traditional signature methods are unlikely to detect any of these threat types.

It is clear that there is no single control that can prevent security threats, and there is no silver bullet. Many security architectures are complex, incorporating a mix of detection, prevention, and administrative controls. The need to ensure continuing improvement of cyber security programs is clear. Ensuring the effectiveness of the cyber security program is also important, and a key method to do this is through conducting a penetration test.

Penetration tests play an important role by engaging a professional or team of professionals to attack an organization as a malicious hacker would (Engebretson, 2013). The aim of the test is to assess the controls' effectiveness and report back any findings. These professionals are commonly known as ethical hackers. Trust is a topic that has had significant attention in the ICT ethics literature; for instance, Weckert has written extensively on issues of trust as they affect computing professionals, and how trust is reflected in appropriate codes of ethical conduct (Al-Saggaf et al. 2015; Bowern et al. 2006; Burmeister and Weckert 2003; Burmeister et al. 2011; Lucas and Weckert 2008; Weckert 2005).

Trust plays an important role when organizations engage the services of ethical hackers. An organization is effectively inviting a hacker to attack them and gain not only access to potentially sensitive information, but information about the vulnerabilities the organization has. This invitation usually is supplemented with a written authorization (commonly called the 'get out of jail free card' in ethical hacking circles). As such, a level of trust needs to be established so that the organization will have an adequate level of confidence that the professional will conduct themselves in an ethical manner.

Ethical Hacking Defined

As security programs have evolved to include an offensive component, the need for appropriate professionals to conduct these offensive engagements has increased. These professionals are known as ethical hackers, or penetration testers.

The term hacker was coined in the 1960s by programmers at MIT to describe someone who had the ability to understand and manipulate technology (Thomas, Burmeister, Low, 2018 p113). Since then, although hackers largely still manipulate technology, the role and types of hackers have evolved. Hackers have now been separated into categories that correspond with their intent: black, grey, and white hat. Hackers have also expanded outside of just manipulating technology to manipulating people, as in phishing and the broader scope of social engineering.

Black Hat Hackers

The most well-known type of hacker is the black hat hacker. Popularized by TV, movies, and often in the media, the black hat hacker has motives that are considered malicious. Also known as 'crackers' (Graves, 2010, p3), they operate illegally, and they are usually driven by financial gain, personal gain or anarchist desires (Thomas, 2017). Using a variety of techniques such as social engineering, infecting machines with malware, or breaking into systems, they obtain confidential information such as credit card numbers, usernames, passwords, and personal information. This information can then either be used by the hacker or sold to others for conducting fraudulent activities.

There is no 'typical' hacker, although it is often thought that a hacker is a teenager who sits in their parents' basement and wears a hoodie. While the teenage hacker no doubt still exists, many of whom were referred to as 'script kiddies' and defined as 14 to 16-year-olds still at school (Barber, 2015, p15), malicious hackers are now often part of organized crime syndicates and account for over 60% of all external threat actors (Verizon, 2018).

Grey Hat Hackers

Grey hat hackers often also act illegally, but with motives that aren't purely malicious. Grey hats often start as black hats but transition their skills for good or perceived good (Thomas, Burmeister, Low, 2018). A grey hat may identify security vulnerabilities in an organization's systems without its express permission and then notify the organization of the vulnerability. Grey hats often want to highlight security issues and attempt to educate organizations to properly secure their systems (Graves, 2010, p4).

State-sponsored hackers are also considered grey hats. These hackers often act in the interest of national security for their country and hack a foreign country. Although this would normally be considered illegal, and is by the target, in the context of achieving national security it would likely be considered a grey area.

Hacktivists are also categorized as grey hat hackers. Hacktivists may hack and deface a website to promote a cause or leak information they believe is in the public interest, rather than to just be malicious (Thomas, Burmeister, Low, 2018).

White Hat Hackers

The last category is the white hat hacker, also known as an ethical hacker or penetration tester. White hats use the same tools and techniques as black hats and grey hats, but unlike the other categories they are given authorization to attack the engaging organization. White hats can have transitioned from black or grey hat hackers, such as well-known hacker Kevin Mitnick, who was once known as the most notorious black hat hacker in the world (Thomas, Burmeister, Low, 2018); been directly educated as a hacker through formal training; or moved from other related professions such as Information Technology.

White hat hackers are professionals used to test the security controls of an organization and ensure they are effective. An ethical hacker will identify vulnerabilities such as missing security updates, poor architecture, misconfigurations, and other weak spots within an organization. Depending on the engagement, the professional will usually attempt to exploit any vulnerabilities they discover with the purpose of gaining administrative access or 'owning' the network, or gaining access to information, especially confidential and sensitive information.

Once the engagement has finished, the ethical hacker will then create a report of findings, which will usually include recommendations on what to remediate.

The Importance of Ethics

With the increased demand for ethical hackers as part of a multilayered security program, combined with the potentially sensitive and confidential information an ethical hacker may gain access to, the need to ensure appropriate ethical conduct is critical.

Consider an ethical hacker engaged to test the security of an organization that holds personal or highly sensitive information, such as a financial institution or legal firm. Although this question is not limited to those types of organizations, such information in the wrong hands could have a multitude of applications for misuse. In this context, there are several ethical issues that should be considered, including:

Should the ethical hacker successfully gain access to sensitive information, what do they do with that information and the potential knowledge obtained?

How does the ethical hacker determine what evidence to take as part of demonstrating their success in penetrating the organization, and if information that is taken is sensitive, how is the confidentiality of that information protected?

If the attacker causes some sort of negative condition (e.g. an accidental service disruption or corruption), how do they handle it?

Ethical hackers may also use questionable means to gain skills and intelligence (Thomas, Burmeister, Low, 2017). This may include accessing the dark web and interacting with people with questionable motives. As also discussed, it is not uncommon for a black hat hacker to become a white hat hacker; could a white hat hacker become a black hat hacker?

Given the importance of the role, ensuring that the ethical hacker has adequate skills to perform the engagement to a satisfactory level is also necessary. As identified, an insufficient test may increase the chances of vulnerabilities going undiscovered and provide a false sense of security for the client.

Ethical Hacking and Trust

The main purpose of ethical hacking is to test and validate the security controls of an organization. This likely results in an attempt to gain access to confidential and sensitive information held by the organization. For a client to engage an ethical hacker, there needs to be a certain level of trust established between the ethical hacker and the organization engaging them to conduct the test. Trust is conceptualized as the belief of a person that another party upon whom the individual is dependent will act in his/her interests (Tutzauer, n.d, p5).

The engagement of an ethical hacker by an organization is typically reliant on the organization's need for a professional in the field. A professional has superior knowledge, requiring the other party to trust them. Li, Rong and Thatcher (2012) explain how one party has a willingness to be vulnerable to the other to carry out the task irrespective of the ability to monitor or control them (Li, Rong, Thatcher, 2012, p20).

Becoming a highly skilled ethical hacker requires more than just taking a course. It is a highly technical and complex field that requires extensive knowledge across not only computer hardware and software but human behavior. The knowledge required by a highly effective ethical hacker includes detail of how these areas work at their most basic level, such as the OSI model (the reference model that shows the layers of how communication occurs on a network ("The OSI Model's Seven Layers Defined and Functions Explained", n.d.)), software code, and even electronic signals. Added to this are the ethical considerations and laws that various countries have regarding the safeguarding of privacy (Thomas, Duessel, Meier, 2017, p11), which may need to be considered not only by the ethical hacker but also by the engaging organization, especially when multi-national organizations are concerned. These complexities may result in difficulty evaluating the effectiveness and skills of an ethical hacker, especially when the evaluator does not possess the same knowledge. Fabian (2009) highlights that the ability to evaluate a professional's abilities from the outside can be difficult, if not impossible, and a certain level of belief is required (Fabian, 2009, p54).

To date, there has been little research on ethical issues in ethical hacking. However, there has been some research on ethical issues and issues of professionalism among ICT professionals. Whilst not solely an ICT profession, ethical hacking crosses into the ICT domain, as many of the systems involved in the hacking process are either ICT systems or leverage the use of ICT systems. It is also commonly categorized as an ICT job.

Taking ICT as an example, there is currently neither a mandatory nor a unified code of ethics within ICT (Burmeister 2013; Capurro and Britz 2010; Whitehouse et al. 2016). As ICT is a relatively new profession (Burmeister, 2015), it can also be perceived as immature. The absence of a code of ethics, which has consequences for violations, increases the risk of a variety of inappropriate behaviors including misrepresentation, taking credit for others' work, privacy and confidentiality issues, and failure to comply with laws. Licensing is also not generally a requirement for ICT professionals (Fabian 2009). This is also true of ethical hackers and information security professionals more generally. Like ICT, there are a number of certifications and affiliations that ethical hackers and information security professionals can undertake or belong to. EC-Council's Certified Ethical Hacker (C|EH), ISC2 Certified Information Systems Security Professional (CISSP), ISACA's Certified Information Security Manager (CISM), and the Australian Computer Society (ACS) Cyber Security specialism introduced in September 2017 are all examples of security related certifications that have a code of ethics or conduct, but they are not uniform and are only required of those that hold the certifications.

Although the name "Ethical Hacker" implies ethical behavior, this may not always be the case. For instance, an ethical hacker needs to keep their knowledge of exploits up to date, and they will likely need to go "underground" to gain this knowledge (Conran 2014). Because ethical hackers may even utilize questionable means to gain intelligence, their actions might result in a question of their professional ethics. Although in this sense it can be argued that ethical hackers are partaking in questionable activities, the rationale for which is likely justified as being for the greater good, it does raise the question: at what point may this justified ethical behavior become blurred and the practices of the ethical hacker become unethical? Given the already identified need for a specialized skill set and experience to be an effective ethical hacker, it is not out of the question that an 'ethical hacker' may once have been a black hat/malicious hacker. A good example of this is Kevin Mitnick; Mitnick is now a 'white hat hacker' and security consultant, however, in the 1990s he was a notorious hacker who was arrested by the FBI and convicted of seven counts of wire and computer fraud (Gengler, 1999, p6). Many organizations perform online background checks and review the social networking accounts of applicants as standard practice (Stuart et al. 2015). This method of screening is flawed, as the background checks that are normally conducted are simply police checks that require a court appearance for a record to appear. They also assume the applicant has previously been caught. Social media review flaws include review of the wrong profile, not having access to a profile due to privacy settings, a non-existent profile, or the use of aliases.

Methodology

To investigate the issue further, a review of existing literature was conducted and analyzed. Google Scholar was selected to take a sample of the current research, as the Google Scholar platform indexes many other databases. Because this research pertains to issues of professionalism and ethics in ethical hacking, the following keywords and synonyms were chosen to build the search queries:

Penetration testing, ethical hacking, red team

Implied trust

Professionalism

From these keywords, the following search queries were generated:

"penetration testing" | "ethical hacking" | "red team"

("penetration testing" | "ethical hacking" | "red team") & ("implied trust" | professionalism)

("penetration testing" | "ethical hacking" | "red team") & ("implied trust")

The first query was designed to broadly identify indexed literature on ethical hacking and related terms. This first query returned 17,300 records, which needed to be further filtered. To do this, the second query narrowed down those papers that also discussed either implied trust or professionalism and returned 677 records. Finally, only those papers that specifically discussed implied trust were identified by requiring that "implied trust" was a keyword. This resulted in 18 records and represents only 0.1% of all the articles on ethical hacking. In some instances, papers that were returned as results did not discuss ethical hacking and implied trust issues; these were flagged as false positives and were discarded from the results.

Current Literature

To date, only 0.1% of identified articles written on ethical hacking discuss implied trust and 3.9% discuss professionalism. Prior to 2001, no literature was identified that discusses these areas (see Figure 1). In 2013, there were several significant breaches that may explain or have influenced the spike in literature that year. This includes the Target and Adobe breaches, where over 822 million records were exposed (Hawes, 2014).

Figure 1: Articles published per year on ethical hacking and implied trust.

There is currently no uniform or mandatory code of conduct for ethical hacking. This same concern has been raised regarding ICT professionals, where it has been recommended that the ACS code of ethics be mandated through national regulations (Bowern, Burmeister, Gotterbarn, Weckert, 2006, p175). There is also generally no licensing requirement for ICT professionals (Fabian, 2009, p54), and this applies to ethical hackers too. In Singapore, however, there has been discussion around introducing the requirement for licensing, with the government seeking feedback on such a requirement (CSA Singapore, 2017). More closely, Gay (2012) discusses how implied trust exists between so-called experts without any standard certification or code of conduct (Gay, 2012, p13). This research highlights that there is a level of incompetence in the field of digital forensics, which can lead to issues with investigations, and that the lack of a standard code could contribute to the issue. Additionally, a survey of ICT professionals in the UK found that one third of IT personnel misused their privileges and searched the corporate network for confidential information, including salary information, personal information, board minutes and personal emails (Survey Reveals Scandal of Snooping IT Staff, 2008, p24). It would not be uncommon for an ethical hacker to gain access to confidential information as part of the engagement. Ensuring appropriate ethical behavior when handling such confidential information could be a concern.

Ethical hacking, like digital forensics, falls into the "Information Security" field. They are simply different subsets, but still prone to the same issues and vulnerabilities, such as misuse of information and the need to ensure competence of the professional. Much of the literature discusses ethical hacking and implied trust but does not actually correlate the two. The implied trust discussions in the existing literature are focused on the context of implied trust towards systems and platforms, such as trust toward security platforms (e.g. authentication systems) and well-known websites (e.g. Facebook), or how implied trust is taken advantage of by an attacker, such as spoofing an email as part of a phishing attempt (Cole, 2002, p51).

Much of the existing literature discusses the ethics of teaching ethical hacking to students. Students may use the techniques they have learned irresponsibly, inappropriately or in an illegal manner, which some security educators consider to be unethical and socially irresponsible (Trabelsi, McCoey, 2016, p3-5). Teaching students to hack provides them with knowledge of how to cause damage to computer networks (globally) with the help of university lecturers. According to Jamil, Khan (2011, p3,758) this could pose an "unimaginable threat". A study undertaken at a Canadian university noted that there are concerns about the compromise of personal information by the ethical hacker that may result from conducting a penetration test (Abu-Shaqra, Luppicini, 2016, p67). When the same implied trust manipulation a malicious attacker uses to trick a victim in an email phishing attack is how an ethical hacker manipulates a target as part of a test, this highlights how the ethical lines can be quite blurred.

The focus on education, however, leaves out one area completely, and it might prove fruitful ground for further research. Namely, "Are these formally trained ethical hackers any match for the 'real' hackers?" This is an area that does not appear to be addressed in any of the literature reviewed, and yet would appear to be a logical extension of the 'educative' focus of several of the articles. That is, testing the efficacy of the ethical certifications currently being spruiked.

Jamil et al. (2011) suggest that mandatory security background checks should be undertaken for people who are partaking in ethical hacking courses. Conducting these checks forms part of good due diligence activities, which many security frameworks, such as the International Organization for Standardization (ISO) ISO27001 framework, include (International Standards Organization, n.d). The adoption of such a framework by an organization, however, is not mandatory. Whilst some industries have regulatory bodies that mandate that background checks are completed, such as the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) in the USA, and the Australian Securities and Investments Commission (ASIC) and the Australian Tax Office (ATO) in Australia, this requirement does not apply uniformly across all industries. Additionally, a background check, as discussed previously, is not likely to provide complete protection. It does, however, provide a basic level of due diligence and may assist in lowering risk to an acceptable level for the organization.

Available Codes

There are currently a number of codes of ethics and conduct in the information security industry. Many of these are recognized across the globe and are operated by industry organizations that have chapters in many jurisdictions. Some of these codes are explored below:

Australian Computer Society Code of Ethics

Founded in 1966, the Australian Computer Society is a professional association for the information, communications, and technology (ICT) industry. Although historically focusing specifically on ICT professionals, the ACS launched its cyber security certification for ICT professionals in September 2017 (Pollitt, 2017). All members of the ACS must adhere to the code of ethics, which requires that all ACS members place the public interest first, enhance the quality of life of those affected by the members' work, be honest, be competent, continue to develop professionally, and be professional (Australian Computer Society, n.d.).

CREST Code of Conduct

CREST is a not-for-profit organization that originated in the United Kingdom, but has since launched chapters across Europe, the Middle East, Africa and India (EMEA), the Americas, Asia, and Australia and New Zealand. CREST's purpose is to provide a level of assurance that organizations and their security staff have a level of competence and qualification in conducting security work such as penetration testing, threat intelligence or incident response (CREST®, n.d.). CREST qualified professionals must abide by the CREST Code of Conduct. The CREST code of conduct is relatively detailed and covers requirements such as ensuring regulatory obligations are met, adequate project management, competency, client interests, confidentiality, and ethics (CREST®, 2016).

EC-Council Code of Ethics

The International Council of E-Commerce Consultants, known as EC-Council, was formed after the September 11, 2001 attacks in the United States to address cyber-attack threats (EC-Council, n.d.). EC-Council is best known for its Certified Ethical Hacker (CEH) certification, which is recognized as a US Department of Defense (DoD) 8570 cyber security certification. The EC-Council Code of Ethics requires confidentiality of discovered information, ensuring that any process or software obtained is legal and ethical, ensuring proper authorization, adequate project management, continuing professional development, ethical conduct, and not being convicted of any crimes (EC-Council, n.d.).

Global Information Assurance Certification Code of Ethics

Global Information Assurance Certification (GIAC) provides some of the most well-known and highly regarded certifications in the security industry. These certifications include penetration testing, security management and digital forensic certifications. GIAC was established in 1999 to provide assurance of the skills of information security professionals (GIAC, n.d.). The GIAC Code of Ethics is broken into four sections: respect for the public, respect for the certification, respect for the employer, and respect for oneself. The code mandates that professionals take responsibility and act in the public's best interests, ensure ethical and lawful conduct, maintain confidentiality and competency, accurately represent their skills and certifications, and avoid conflicts of interest (GIAC, n.d.).

ISACA Code of Professional Ethics

ISACA is a professional body established in 1969 with over 140,000 members worldwide that focuses on IT governance (ISACA, n.d.). Formerly known as the Information Systems Audit and Control Association and focused on IT audit and assurance, ISACA now also includes training and certification for information security and cyber security professionals. The ISACA Code of Professional Ethics mandates compliance with standards and procedures, due diligence and professional care, legal conduct, confidentiality, competency, and continuing professional development (ISACA, n.d.).

ISC2 Code of Ethics

ISC2 is an international, non-profit organization with over 125,000 members in the information security profession (ISC2, n.d.). ISC2's Code of Ethics consists of four directives: protecting society and the public interest; acting honorably, honestly, justly, responsibly and legally; being competent; and advancing the protection of the profession (ISC2, n.d.).

The certifications provided by each of these bodies generally infer some level of trust and confidence. Without considering the subjective reputation of each certification, it is generally implied that someone who holds a certification has some level of baseline knowledge that allows them to perform the assigned task. As identified by Fabian (2009), that knowledge can be almost impossible to assess by those who rely on the professional, and there is an implied trust that comes with that.

Certifications without Codes

Although many security certifications have an associated code through their issuing body, this is not always the case. An example is Offensive Security, which provides in-depth training and certification on ethical hacking; its examination is regarded as one of the most difficult and highly regarded certifications, requiring a candidate to pass a hands-on lab test in order to obtain the credential. Offensive Security does not have an advertised code of ethics. For those codes that do exist, although they contain similar directives, they are all different and include different levels of detail. All these courses generally teach ethical principles within their curricula.

The Need for a Mandatory, Uniformed Code

As identified, there are codes of conduct and ethics available from numerous professional and certification bodies. These codes, however, are only mandatory for those who are members of or certified by the respective body, and are therefore considered voluntary. There are many similarities between codes, but they are not completely in alignment. Analyzing each code does not identify any direct conflict between codes, and there are useful attributes in each code. These codes could be combined and augmented to form a uniform code of conduct for ethical hackers and cyber security professionals alike. For the code to be effective, it would need to be mandatory and have adequate oversight, as demonstrated by the ethics committees of GIAC and ISACA, which review matters that do not comply with their respective codes. This could be achieved more broadly through a combination of regulation and licensing by the government.

In other professions, such as those of lawyers, doctors, and accountants, we see such mandatory codes. These codes need to develop and adapt to economic changes, government influence, and changes within the profession (Backof & Martin, 1991), and such development and change would be needed in a cyber security code. In Australia, legislation such as the Legal Profession Uniform Law is in force and must be adhered to (New South Wales Government, 2015). This legislation applies to all practicing lawyers and must be complied with. The purpose of the legislation is to ensure that all lawyers act ethically and comply with the required provisions; ethical hackers, who can potentially access highly confidential and sensitive information and are entrusted to do so, should have similar requirements applied to them.


Unlike most doctors, lawyers and accountants, many cyber security professionals engage with organizations across borders, either locally or internationally. This is especially true when engaged by multi-national companies to review and test their security. This increases the importance of a unified code that is suitable on a global scale and applies to all cyber security professionals engaging in practices such as ethical hacking.

A unified code and subsequent regulation would likely benefit the profession and help address some of the issues.

"By chartering and coming together as a regulated professional organization, you can explore whether things like insurance, standards, and discipline are mandatory. Effectively like doctors and lawyers, which is to say that you are not entitled to practice without this certification." (Partner (Law Firm), Australia)

However, it is important to also ensure that this process is not only strict, but also accessible. Many smaller security organizations may be sensitive to cost, and while it is important to ensure a certain minimum standard of skills and ethical conduct, it should be available to all organizations and individuals that wish to practice. Although not a government regulation, CREST attempts to provide such a minimum standard and a level of confidence, but there is a significant cost involved.

"CREST can be very expensive to an organization like ours. If each exam is $3000, you make the assumption that most people will fail the first exam, which is already optimistic given that the fail rate is 2/3. So I mean you're talking about close to $9000 per exam. Then you've got a $10,000 membership fee." (Director (Security Firm), Australia)

Combining the ethical requirements of the current bodies and providing, through a regulatory entity, a level of assurance such as that provided by CREST that is available to all security professionals would be valuable. The intent would be to increase the adoption of a standardized approach to assurance and improve the profession across the board.

Conclusion

The use of ethical hackers as part of a good security strategy is evident, and their use is likely to increase as organizations strengthen their cyber security programs. Considering the volume of information that could be at risk even over a very short period of a few days, the need to reduce this time as much as possible is crucial, and engaging an ethical hacker to identify weaknesses in systems can help to ensure those weaknesses are remediated before they are exploited by a malicious actor. Because ethical hackers use the same techniques as malicious attackers, such as the email spoofing example, and often research and gain intelligence through the same questionable challenges, there is a fine line between an ethical white hat hacker and a malicious black hat hacker; this further highlights the importance of appropriate professionalism and ethical behavior, and the many ethical implications need to be considered.

Because of the implied trust relationship between an ethical hacker and the client, the ethical hacker is in an advantageous position and is effectively given permission to access any information they can, much of which could be confidential or sensitive in nature. It has been identified that ICT professionals have misused their privileges in the past, and there is no reason why an ethical hacker could not do the same; further research in this area is warranted.

It is clear that implied trust is an issue, and there is merit in further research in this area. This research could include identifying whether there is merit in developing a mandatory, unified code of conduct that applies to ethical hackers and helps ensure appropriate ethical behavior and levels of competence before an ethical hacker can or should be engaged, some form of licensing requirement, or a combination of both.

References

Abu-Shaqra, B., & Luppicini, R. (2016). Technoethical Inquiry into Ethical Hacking at a Canadian University. International Journal of Technoethics (IJT), 7(1), 62-76.

Al-Saggaf, Y., Burmeister, O. K., & Weckert, J. (2015). Reasons Behind Unethical Behaviour in the Australian ICT Workplace: An Empirical Investigation. Journal of Information, Communication & Ethics in Society, 13(3/4), 235-255.

Australian Computer Society. (2010). ACS Code of Ethics. Retrieved from https://www.acs.org.au/content/dam/acs/acs-documents/Code-of-Ethics.pdf

Backof, J. F., & Martin, C. L. (1991). Historical perspectives: development of the codes of ethics in the legal, medical and accounting professions. Journal of Business Ethics, 10(2), 99-110.

Bowern, M., Burmeister, O. K., Gotterbarn, D., & Weckert, J. (2006). ICT Integrity: Bringing the ACS Code of Ethics up to date. Australasian Journal of Information Systems, 13(2).

Burmeister, O. K. (2015). Improving Professional IT Doctorate Completion Rates. Australasian Journal of Information Systems, 19, 55-70.

Burmeister, O. K. (2013). Achieving the Goal of a Global Computing Code of Ethics through an International-Localisation Hybrid. Ethical Space: The International Journal of Communication Ethics, 10(4), 25-32.

Burmeister, O. K., & Weckert, J. (2003). Applying the New Software Engineering Code of Ethics to Usability Engineering: A Study of 4 Cases. Journal of Information, Communication & Ethics in Society, 3(3), 119-132.

Burmeister, O. K., Weckert, J., & Williamson, K. (2011). Seniors Extend Understanding of What Constitutes Universal Values. Journal of Information, Communication & Ethics in Society, 9(4), 238-252.

Capurro, R., & Britz, J. B. (2010). In Search of a Code of Global Information Ethics: The Road Travelled and New Horizons. Ethical Space: The International Journal of Communication Ethics, 7(2/3), 28-36.

Cole, E. (2002). Hackers beware. Sams Publishing.

Collier, R. (2017). NHS ransomware attack spreads worldwide. CMAJ, 189(22), E786-E787. DOI: 10.1503/cmaj.1095434

Conran, B. (2014). Why You Shouldn't Hire an Ethical Hacker. Security, 51(3), March 2014.

CREST®. (n.d.). About CREST. Retrieved from http://www.crest-approved.org/about-crest/about-crest/index.html

CREST®. (2016). Code of Conduct for CREST Qualified Individuals. Retrieved from https://www.crest-approved.org/wp-content/uploads/Code-of-Conduct_Individual.pdf

CSA Singapore. (2017). MCI and CSA Seek Public Feedback on Proposed Cybersecurity Bill. Retrieved from https://www.csa.gov.sg/news/press-releases/mci-and-csa-seek-public-feedback-on-proposed-cybersecurity-bill

EC-Council. (n.d.). About EC-Council. Retrieved from https://www.eccouncil.org/about/

EC-Council. (n.d.). Code of Ethics. Retrieved from https://www.eccouncil.org/code-of-ethics/

Eminağaoğlu, M., Uçar, E., & Eren, Ş. (2009). The positive outcomes of information security awareness training in companies: A case study. Information Security Technical Report, 14(4), 223-229.

Engebretson, P. (2013). The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier.

Equifax. (2017). Cyber Security Incident & Important Information. Retrieved from https://www.equifaxsecurity2017.com/frequently-asked-questions/

Fabian, R. (2009). Professional Essence. IT Professional, 11(3), 54-56.

Gay, J. R. (2012). A Code of Conduct for Computer Forensic Investigators (Doctoral dissertation, University of East London).

GIAC. (n.d.). About GIAC. Retrieved from https://www.giac.org/about

GIAC. (n.d.). GIAC Code of Ethics. Retrieved from https://www.giac.org/about/ethics

Gengler, B. (1999). Cyber attacks from outside and inside. Computer Fraud & Security, 1999(5), 6-7.

Goodin, D. (2017). NSA-leaking Shadow Brokers just dumped its most damaging release yet. Ars Technica. Retrieved 31 July 2017 from https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

Graves, K. (2010). Certified Ethical Hacker Study Guide. Wiley Publishing Inc, Indiana, USA.

Hawes, J. (2014). 2013 an epic year for data breaches with over 800 million records lost. Naked Security by Sophos. Retrieved from https://nakedsecurity.sophos.com/2014/02/19/2013-an-epic-year-for-data-breaches-with-over-800-million-records-lost/

IBM. (2015). IBM 2015 Cyber Security Intelligence Index.

Identity Theft Resource Center. (2017). 2017 – Breach Category Summary.

International Standards Organization. (n.d.). ISO/IEC 27000 family – Information Security Management Systems. Retrieved from https://www.iso.org/isoiec-27001-information-security.html

ISACA. (n.d.). About ISACA. Retrieved from http://www.isaca.org/about-isaca/Pages/default.aspx

ISACA. (n.d.). Code of Professional Ethics. Retrieved from http://www.isaca.org/certification/code-of-professional-ethics/pages/default.aspx

ISC2. (n.d.). Cybersecurity and IT Security Professional Organization | (ISC)2. Retrieved from https://www.isc2.org/About

Jamil, D., & Khan, M. N. A. (2011). Is ethical hacking ethical? International Journal of Engineering Science and Technology (IJEST), 3(5).

Li, X., Rong, G., & Thatcher, J. B. (2012). Does Technology Trust Substitute Interpersonal Trust? Examining Technology Trust's Influence on Individual Decision-Making. Journal of Organizational and End User Computing (JOEUC), 24(2), 18-38.

Lucas, R., & Weckert, J. (2008). Regulation in the ICT Industry. Centre for Applied Philosophy and Public Ethics, Australian National University, Canberra.

Mandiant. (2017). M-Trends 2017. Retrieved from https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

Pollitt, E. (2017). ACS Launches world-first cyber certification. Retrieved September 30, 2017 from https://ia.acs.org.au/article/2017/acs-launches-world-first-cyber-certification--.html

Survey Reveals Scandal of Snooping IT Staff. (2008). Software World, 39(4), 24.

Telstra. (2017). Telstra Cyber Security Report 2017.

The OSI Model's Seven Layers Defined and Functions Explained. (n.d.). Microsoft. Retrieved from https://support.microsoft.com/en-us/help/103884/the-osi-model-s-seven-layers-defined-and-functions-explained

Thomas, G. A. (2017). An ethical hacker can help you beat a malicious one. The Conversation.

Thomas, G., Burmeister, O. K., & Low, G. (2017). Issues of Implied Trust in Ethical Hacking. In Proceedings of the Australasian Conference on Information Systems 2017. Hobart.

Thomas, G., Low, G., & Burmeister, O. (2018). "Who Was That Masked Man?": System Penetrations—Friend or Foe? In H. Prunckun (Ed.), Cyber Weaponry. Advanced Sciences and Technologies for Security Applications. Springer, Cham.

Thomas, G., Duessel, P., & Meier, M. (2017). Ethical Issues of User Behavioral Analysis Through Machine Learning. Journal of Information System Security, 13(1).

Trabelsi, Z., & McCoey, M. (2016). Ethical Hacking in Information Security Curricula. International Journal of Information and Communication Technology Education (IJICTE), 12(1), 1-10.

Tutzauer, C. (n.d.). The Role of Trust in the Successful Implementation of Information Systems. Retrieved from http://www.academia.edu/747081/The_Role_of_Trust_in_the_Successful_Implementation_of_Information_Systems

Verizon. (2015). 2015 Data Breach Investigations Report. Verizon.

Verizon. (2017). Verizon Data Breach Investigations Report 2017. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

Verizon. (2018). Verizon Data Breach Investigations Report 2018. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/

Copyright: Copyright remains with the authors. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
