This paper discusses the issues of implied trust in ethical hacking. Unlike many other long-established professions, such as lawyers, doctors, and accountants; ethical hacking is a relatively new profession. As a result, this profession does not currently have a uniformed or mandated code, nor does it require any form of licensing. Because ethical hackers could gain access to highly sensitive and confidential information and there is potential for misuse of such information, the need to ensure professionalism is maintained through ensuring competence and ethical behavior is critical.

Articles published per year on ethical hacking and implied trust.

Figures - uploaded by Georg Thomas

Author content

All figure content in this area was uploaded by Georg Thomas

Content may be subject to copyright.

ResearchGate Logo

Discover the world's research

  • 20+ million members
  • 135+ million publications
  • 700k+ research projects

Join for free

Issues of Implied Trust in Ethical

Hacking

Thomas, Georg

Charles Sturt University, School of Computing and Mathematics

Burmeister, Oliver

Charles Sturt University, School of Computing and Mathematics

Low, Gregory

SQL Down Under

Corresponding Author: Georg Thomas, gethomas@csu.edu.au

Abstract: This paper discusses the issues of implied trust in ethical hacking. Un-

like many other long-established professions, such as lawyers, doctors, and ac-

countants; ethical hackingis a relatively new profession.As a result, this profes-

sion does not currently have a uniformed or mandated code, nor does it require

any form of licensing. Because ethical hackers could gain access to highly sensi-

tive and confidential information and there is potential for misuse of such infor-

mation, the need to ensure professionalism is maintained through ensuring com-

petence and ethical behavior is critical.

Keywords: Ethical hacking, penetration testing, implied trust, professionalism, code of

conduct, regulation.

Citation: Georg, T (2018). Issues of Implied Trust in Ethical Hacking. ORBIT Journal, 2

(1) 10.29297/orbit.v2i1.77

Introduction

Over the past decade, the prevalence and frequency of data breaches has increased. Ac-

cording to the annual Verizon Data Breach Investigations Report (DBIR), 62% of

breaches occur as a result of hacking (Verizon, 2017). Regional reports, such as the Tel-

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 2

stra Cyber Report predict that 59.6% of threatsin Asia and 52.6% of threats in Australia

will originate from external hackers.

Theaverage time it takes to detect a breach isreported to be between 99 and 172 days de-

pending on the region (Mandiant, 2017).This metric is taken from when an organization

is first breached to the time the breach is detected. There are several ways detection can

occur and it isn't limited to the specific detective tools that an organization has imple-

mented.It can also include the disclosure of information on public sources, such as Twit-

ter, Reddit, and Pastebin, or an external party alerting the organization that they have

been breached. .

The first half of 2017 sawsecurity breaches exposing over 16 million records (Identity

Theft Resource Center, 2017). However, in September 2017, consumer credit reporting

agency Equifax reported a breach that affected 145.5 million individuals (Equifax,

2017).In addition, several other security incidents that had devastating effects occurred. A

series of ransomware attacks occurred around the globe in May and June of 2017, the

impact of which was exacerbated by US National Security Agency leaked exploits named

EternalBlue and DoublePulsar (Goodin, 2017). These were subsequently used in ran-

somware named WannaCry and Petya that destroyed systems by encrypting the data on

them and demanding a ransom payment in Bitcoin. Notably, the UK National Health

Service (NHS), global law firm DLA Piper, and global logistics and transport firm TNT

were affected and likely resulted in not only substantial monetary losses, but reputational

harm, and harm to those that these organizations provide services to.The NHS for exam-

ple had difficulties accessing patient records and subsequently had to cancel patient a p-

pointments, non-urgent surgeries, and divert ambulances (Collier, 2017).

What is common in all these examples is that for a breach to be successful a vulnerability

needs to exist that then can be exploited. Vulnerabilities can exist not only as technical

vulnerabilities such as missing security "patches" but can also be vulnerabilities in

processes or people. Technical vulnerabilities can be identified by a number of means;

the developer of the system or platform, security researchers, through 'bug bounty' pro-

grams, or by a hacker. They can either be discovered in labs when the software is being

developed and tested, or in live environments. It is when they are in live environments,

such as being used by an organization that exploitation is the most dangerous.

A number of automated tools or manual techniques can be used to identify technical vul-

nerabilities. Similarly, technology can be used to conduct attacks against people as seen

in email based 'phishing' campaigns, or when an attacker uses a phone to call or send an

SMS message to a potential victim. Attacks can also occur in person, where a hacker tries

to gain access to a physical building. Malicious hackers use the vulnerabilities to carry

out attacks generally for financial gain, personal gain, or to cause mischief.

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 3

It is widely accepted that a multilayered 'defense in depth' approach is needed to protect

against modern threats. This includes not only identifying purely technical vulnerabilities,

but those that are people related. Over the past few years the focus has shifted from just

the technical aspects of information security to include the "human factor" or people-

based aspects (Eminağaoğlu, UƧar&Eren 2009, p223).

Traditionally a defensive approach of implementing technical controls has been used to

protect organizations (Thomas, 2017). This approach leveraged technologies such as

firewalls, antivirus/antimalware software, network segmentation, and access control lists

to defend against unauthorized access. It became apparent that this alone was in sufficient

to protect an organization and although these controls are still fundamental to protecting

an organization, many more controls and approaches are now applied.This includes ad-

dressing the human factor through security awareness training, which aims to educate

users on best security practices and detecting malicious activities such as phishing e-

mails. Phishing involves an attacker sending an email that tricks the recipient into divulg-

ing secret information such as usernames and passwords (Thomas, Burmeister, Low,

2017, p2). This method is the most prevalent form of social engineering attack used (Ve-

rizon, 2017). Phishingcan circumvent many traditional security controls as systems gen-

erally let e-mail in and attackers can often craft their phishing emails to look like legiti-

mate email and therefore bypass detection controls.

There has also been an increase in the use of artificial intelligence in security prevention

and detection tools. Traditional systems leveraged signature-based detection systems, that

only were able to detect previously known threats. This resulted in shortfalls when it

came to unknown threats. Known threats such as previously reported malware was

stopped using these traditional methods, but threats such as brand -new'zero-day' mal-

ware, hackers that had breached systems and were likely using legitimate tools to move

throughout the network, and insiders, which account for 55% of threats to organizations

(Thomas, Duessel, Meier, 2017) (Verizon, 2015) (IBM, 2015). Traditional signature me-

thods are unlikely to detect any of these threat types.

It is clear that there is no single control that can prevent security threats and there is no

silver bullet. Many security architectures are complex, incorporating a mix of detection,

prevention, and administrative controls. The need to ensure continuing improvement of

cyber security programs is clear. Ensuring the effectiveness of the cyber security program

is also important and a key method to do this is through conducting a penetration test.

Penetration tests play an important role by engaging a professional or team of profession-

als to attack an organization as a malicious hacker would (Engebretson, 2013). The aim

of the test is to assess the controls effectiveness and report back any findings. These pr o-

fessionals are commonly known as ethical hackers. Trust is a topic that has had signifi-

cant attention in the ICT ethics literature, for instance Weckert has written extensively on

issues of trust as they affect computing professionals, and how trust is reflected in appro-

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 4

priate codes of ethical conduct (Al -Saggaf et al. 2015; Bowern et al. 2006; Burmeister

and Weckert 2003; Burmeister et al. 2011; Lucas and Weckert 2008; Weckert 2005).

Trust plays an important role when organizations engage the services of ethical hackers.

An organization is effectively inviting a hacker to attack them and gain not only access to

potentially sensitive information, but information about the vulnerabilities the organiza-

tion has. This invitation usually is supplemented with a written authorization (commonly

called the 'get out of jail free card' among ethical hacking circles). As such, a level of

trust needs to be establishedso that the organization will have an adequate level of confi-

dence that the professional will conduct themselves in an ethical manner.

Ethical Hacking Defined

As security programs evolve to include an offensive component, the need for appropriate

professionals to conduct these offensive engagements increased. These professionals are

known as ethical hackers, or penetration testers.

The term hacker was coined in the 1960's by programmers at MIT to describe someone

who had the ability to understand and manipulate technology (Thomas, Burmeister, Low,

2018 p113). Since then, although hackers largely still manipulate technology, the role and

type of hackers has evolved. Hackers have now been separated into categories that cor-

respond with their intent; black, grey, and white hat. Hackers have also expanded outside

of just manipulating technologyto manipulating people, such as the phishing and broader

scope of social engineering.

Black Hat Hackers

The most well-known type of hacker is the black hat hacker. Popularized by TV, movies,

and often in the media, the black hat hacker has motives that are considered malicious.

Also known as 'crackers' (Graves, 2010, p3) they operate illegally, and they are driven

usually by financial gain, personal gain or anarchist desires (Thomas, 2017). Using a v a-

riety of techniques such as social engineering, infecting machines with malware, or

breaking into systems, they obtain confidential information such as credit card numbers,

usernames, passwords, and personal information. This information can then either be

used by the hacker or sold to others for conducting fraudulent activities.

There is no 'typical' hacker and although it is often thought that a hacker is a teenager

that sits in their parent's basement and wears a hoodie. While the teenage hacker no

doubt still exists, many of which were referred to as 'script kiddies' and defined as 14 to

16-year old's and still at school (Barber, 2015, p15), malicious hackers are now often part

of organized crime syndicates and account for over 60% of all external threat actors (V e-

rizon, 2018).

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 5

Grey Hat Hackers

Often also acting illegally, but with motives that aren't purely malicious are grey hat

hackers. Grey hats often start as black hats but transition their skills for good or perceived

good (Thomas, Burmeister, Low, 2018) . A grey hat may identify security vulnerabilities

of an organizations systems without their express permission and then notify them of the

vulnerability. Grey hats often want to highlight security issues and attempt to educate

organizations to properly secure their systems (Graves, 2010, p4).

State sponsored hackers are also considered grey hats. These hackers often act in the i n-

terest of national security for their country and hack a foreign country. Although this

would normally be considered illegal, and is by the target, in the context of achieving

national security it would likely be considered a grey area.

Hacktivists are also categorized as grey hat hackers. Hacktivists may hack and deface a

website to promote a cause or leak information they believe is in the public interest, ra-

ther than to just be malicious (Thomas, Burmeister, Low, 2018).

White Hat Hackers

The last category is the white hat hacker, also known as an ethical hacker or penetration

tester. White hats, like black hats and grey hats use the same tools and techniques, but

unlike the other categories they are given authorization to attack the engaging organiza-

tion. White hats can also have transitioned from black or grey hat hackers; such as well-

known hacker Kevin Mitnick who was once known as the most notorious black hat hack-

er in the world (Thomas, Burmeister, Low, 2018), be directly educated as a hacker

through formal training, or move from other related professions such as Information

Technology.

White hat hackers are professionals used to test th e security controls of an organization

and ensure they are effective. An ethical hacker will identify vulnerabilities such as miss-

ing security updates, poor architecture, misconfigurations, and other weak spots within an

organization. Depending on the engagement, the professional will usually attempt to ex-

ploit any vulnerabilities they discover with the purpose of gaining administrative access

or 'owning' the network, or gaining access to information, especially confidential and

sensitive information.

Once the engagement has finished, the ethical hacker will then create a report of findings

and which will usually include recommendations on what to remediate.

The Importance of Ethics

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 6

With the increased demand for ethical hackers as part of a multilayered security program

combined with the potential sensitive and confidential information an ethical hacker may

gain access to, the need to ensure appropriate ethical conduct is critical.

Consider an ethical hacker engaged to test the security of an organization that holds per-

sonal or highly sensitive information, such as a financial institution or legal firm. Al-

though this question doesn't limit itself to those types of organizations; such information

in the wrong hands could have a multitude of applications for misuse. In this context,

there are several ethical issues that should be consider edincluding;

Should the ethical hacker successfully gain access to sensitive information, what do they

do with that information and potential knowledge obtained?

How does the ethical hacker determine what evidence to take as part of demonstrating

their success of penetrating the organization, and if information that is taken is sensitive,

how is the confidentiality of that information protected?

If the attacker causes some sort of negative condition (e.g. an accidental service disrup-

tion or corruption), how do they handle it?

Ethical hackers may also use questionable means to gain skills and intelligence (Thomas,

Burmeister, Low, 2017). This may include accessing the dark web and interacting with

people with questionable motives. As also discussed, it's not uncommon for a black hat

hacker to become a white hat hacker; could a white hat hacker become a black hat hack-

er?

Given the importance of the role, ensuring that the ethical hacker has adequate skills to

perform the engagement to a satisfactory level is also necessary. As identified, an insuffi-

cient test may increase the chances of vulnerabilities going undiscovered and provide a

false sense of security for the client.

Ethical Hacking and Trust

The main purpose of ethical hacking is to test and validate the security controls of an or-

ganization. This likely results in the attempt to gain access to confidential and sensitive

information held by the organization. For a client to engage an ethical hacker, there needs

to be a certain level of trust established between the ethical hacker and the organization

engaging them to conduct the test. Trust is conceptualized as the belief of a person that

another party upon whom the individual is dependent will act in his/her interests (Tutzau-

er, n.d, p5).

The engagement of an ethical hacker by an organization is typically reliant on the organi-

zation's need for a professional in the field. A professional has superior knowledge, re-

quiring the other party to trust them. Li, Rong and Thatcher (2012) explain how one party

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 7

has a willingness to be vulnerable to the other to carry out the task irrespective of the

ability to monitor or control them (Li, Rong, Thatcher, 2012, p20).

Becoming a highly skilled ethical hacker requires more than just taking a course. It is a

highly technical and complex field that requires extensive knowledge across not only

computer hardware and software but human behavior. The knowledge required by a high-

ly effective ethical hacker includes detail of how these areas work at their most basic lev-

el, such as the OSI model (the reference model that show the layers of how communica-

tion occurs on a network ("The OSI Model's Seven Layers Defined and Functions Ex-

plained", n.d.), software code, and even electronic signals. Add to this, the number of

ethical consideration and laws that various countries have regarding the safeguarding of

privacy that need to be considered as well (Thomas, Duessel, Meier, 2017, p11), this may

need to be considered by not only the ethical hacker, but the engaging organization, espe-

cially when multi-national organizations are concerned. These complexities may result in

difficulty evaluating the effectiveness and skills of an ethical hacker, especially when the

evaluator doesn't possess the same knowledge. Fabian (2009) highlights that the ability

to evaluate a professional's abilities from the outside can be difficult, if not impossible

and certain level of belief is required (Fabian, 2009, p54).

To date, there has been little research on ethical issues on ethical hacking. However, there

has been some research on ethical issues and issues of professionalism on ICT profes-

sionals. Whilst not solely an ICT profession, ethical hacking crosses into the ICT domain

as many of the systems involved in the hacking process are either ICT systems or leve-

rage the use of ICT systems. It is also commonly categorized as an ICT job.

Taking ICT as an example; there is currently neither a mandatory or unified code of eth-

ics that exists with ICT (Burmeister 2013; Capurro and Britz 2010; Whitehouse et al.

2016). As ICT is a relatively new profession (Burmeister, 2015), it can also be perceived

as immature. The absence of a code of ethics, which has consequences for violations,

increases the risk of a variety of inappropriate behaviors including misrepresentation,

taking credit for others' work, privacy and confidentiality issues, and failure to comply

with laws. Licensing is also not generally a requirement for ICT professionals(Fabian

2009). This is also true of ethical hackers and information securit y professionals more

generally. Like ICT, there are a number of certifications and affiliations that an ethical

hackers and information security professionals can undertake or belong to. EC-Council's

Certified Ethical Hacker (C|EH), ISC2 Certified Information Systems Security Profes-

sional (CISSP), ISACA's Certified Information Security Manager (CISM), and the Aus-

tralian Computer Society (ACS) Cyber Security specialism introduced in September 2017

are all examples of security related certifications that have a code of ethics or conduct,

but they are not uniformed and only required of those that hold the certifications.

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 8

Although the name "Ethical Hacker" implies ethical behavior, this may not always be the

case. For instance, an ethical hacker needs to keep their knowledge of exploits up to date,

and they will likely need to go "underground" to gain this knowledge (Conran 2014).

Because ethical hackers may even utilize questionable means to gain intelligence, their

actions might result in a question of their professional ethics. Although in this sense it can

be argued that ethical hackers are partaking in questionable activities, the rationale for

which is likely justified as being for the greater good, it does raise the question: at what

point may this justified ethical behavior become blurred and the practices of the ethical

hacker become unethical? Given the already identified need for a specialized skill set and

experience to be an effective ethical hacker, it is not out of the question that an 'ethical

hacker' may once have been a black hat/malicious hacker. A good example of this is Ke-

vin Mitnick; Mitnick is now a 'white hat hacker' and security consultant, however, in the

1990's he was a notorious hacker who was arrested by the FBI and convicted of seven

counts of wire and computer fraud. (Gengler, 1999, p6). Many organizations perform

online background checks and review the social networking accounts of applicants as

standard practices (Stuart et al. 2015). This method of screening is flawed as background

checks that are normally conducted are simply police checks that require a court appear-

ance for a record to appear. They also assume the applicant has been previously caught.

Social media review flaws include review of the wrong profile or not having access to a

profile due to privacy settings, non-existent profile, or the use of aliases.

Methodology

To investigate the issue further a review of existing literature was discovered and ana-

lyzed. Google Scholar was selected to take a sample of the current rese arch as the Google

Scholar platform indexes many other databases. Because this research pertains to issues

of professionalism and ethics of ethical hacking, the following keywords and synonyms

were chosen to build the search queries:

Penetration testing, ethical hacking, red team

Implied trust

Professionalism

From these keywords, the following search queries were generated:

"penetration testing" | "ethical hacking" | "red team"

("penetration testing" | "ethical hacking" | "red team") & ("implied trust" | pr ofes-

sionalism)

("penetration testing" | "ethical hacking" | "red team") & ("implied trust")

The first query was designed to broadly identify indexed literature on ethical hacking and

related terms. This first query returned 17,300 records, which needed to be further fil-

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 9

tered. To do this, the second query narrowed down those papers that also discussed either

implied trust or professionalism and outputted 677 records. Finally, only those papers that

specifically discussed implied trust were identified by requiring that "implied trust" was a

key word. This resulted in 18 records and represents only 0.1% of all the articles on ethi-

cal hacking. In some instances, there were papers that although were returned as results,

did not discuss ethical hacking and implied trust issues, these were flagged as false posi-

tives and were discarded from the results.

Current Literature

To date, only 0.1% of identified articles written on ethical hacking discuss implied trust

and 3.9% discuss professionalism. Prior to 2001, no literature was identified that dis-

cusses these areas (See Figure 1).In 2013, there were several significant breaches that

occurred that may explain or have influenced the spike in literature that year. This in-

cludes the Target and Adobe breaches where over 822 million records were exposed

(Hawes, 2014).

Figure 1: Articles published per year on ethical hacking and implied trust.

There is currently no uniform or mandatory code of conduct for ethical hacking. This

same concern has been raised regarding ICT professionals, where it has been recom-

mended that ACS code of ethics is mandated through National regulations (Bowern,

Burmeister, Gotterbarn, Weckert, 2006, p175). There is also generally no licensing re-

quirement for ICT professionals (Fabian, 2009, p54) and this applies to ethical hackers

too. In Singapore, however, there has been discussion around introducing the requirement

for licensing, with the government seeking feedback on such a requirement (CSA Singa-

pore, 2017).More closely, Gay (2012), discusses how implied trust exists between so-

called experts and without any standard certification or code of conduct (Gay, 2012, p13).

This research highlights that there is a level of incompetence in the field of digital fore n-

sics, which can lead to issues with investigations and that the lack of a standard code

0

1

2

3

4

5

6

2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 10

could contribute to the issue. Additionally, a survey of ICT professionals in the UK,

found that one third of IT personnel misused their privileges and searched the corporate

network for confidential information, including salary information, personal information,

board minutes and personal emails (Survey Reveals Scandal of Snooping IT Staff, 2008,

p24). It would not be uncommon for an ethical hacker to gain access to confidential in-

formation as part of the engagement. Ensuring appropriate ethical behavior whenhandling

such confidential information could be a concern.

Ethical hacking, like digital forensics, falls into the "Information Security" field. They

are simply different subsets, but still prone to the same issues and vulnerabilities such as

misuse of information and the need to ensure competence of the professional. Much of

the literaturediscusses ethical hacking and implied trust but does not actually correlate the

two. The implied trust discussions in the existing literature are focused on the context of

implied trust towards systems and platforms, such as trust toward security platforms (e.g.

authentication systems) and well-known websites (e.g. Facebook) or how implied trust is

taken advantage of by an attacker, such as spoofing an email as part of a phishing attempt

(Cole, 2002, p51).

Much of the existing literature discusses ethics on teaching ethical hacking to students.

Students may use the techniques they have learned irresponsibly, inappropriately or in an

illegal manner, which some security educators consider to be unethical and socially irres-

ponsible (Trabelsi, McCoey, 2016, p3-5). Teaching students to hack provides them with

knowledge of how to cause damage to computer networks (globally) with the help of

university lecturers. According to Jamil, Khan (2011, p3,758) this could pose an "unim a-

ginable threat". (, A study undertaken at a Canadian university, noted that there are con-

cerns about the compromise of personal information by the ethical hacker that may result

from conducting a penetration test (Abu-Shaqra, Luppicini, 2016, p67). When the same

implied trust manipulation a malicious attacker uses to trick a victim when conducting an

email phishing attack, is how an ethical hacker man ipulates a target as part of a test, this

highlights how the ethical lines can be quite blurred.

The focus on education however leaves out one area completely and it might prove fruit-

ful grounds for further research. Namely, "Are these formally trained ethical hackers any

match for the 'real' hackers?" This is an area that does not appear to be addressed in any

of the literature reviewed, and yet would appear to be a logical extension of the 'educa-

tive' focus of several of the article. That is, testing the efficacy of the ethical certifica-

tions currently being spruiked.

Jamil et. al (2011) suggest that mandatory security background checks should be under-

taken for people who are part-taking in ethical hacking courses. Conducting these checks

forms part of good due diligence activities, which many security frameworks such as the

International Organization for Standardization (ISO) ISO27001 framework include (In-

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 11

ternational Standards Organization, n.d). The adoption of such a framework by an organ-

ization however, is not mandatory. Whilst some industries have regulatory bodies that

mandate that background checks are completed, such as the Securities and Exchange

Commission (SEC) and Financial Industry Regulatory Authority (FINRA) in the USA,

and the Australian Securities and Investments Commission (ASIC) and the Australian

Tax Office (ATO) in Australia, this requirement does not apply uniformly across all in-

dustries. Additionally, a background check as discussed previously is not likely to pro-

vide complete protection. It does, however provide a basic level of due diligence and may

assist in lowering risk to an acceptable level for the organization.

Available Codes

There are currently a number of codes of ethics and conduct in the information security

industry. Many of these are recognized across the globe and are operated by industry or-

ganizations that have chapters in many jurisdictions.Some of these codes are explored

below:

Australian Computer Society Code of Ethics

Founded in 1966, the Australian Computer Society is a professional association for the

information, communications, and technology (ICT) industry. Although historically fo-

cusing on specifically ICT professionals, the ACS launched its cyber security certifica-

tion for ICT professionals in September 2017 (Pollitt, 2017). All members of the ACS

must adhere to the code of ethics, which require that all ACS members must place public

interest first, enhance the quality of life of those affected by the members' work, be hon-

est, be competent, continue to develop professionally, and to be professional (Australian

Computer Society, n.d.).

CREST Code of Conduct

CREST is a not for profit organization that originated in the United Kingdom, but has

since launched chapters across Europe, Middle East, Africa and India (EMEA), The

Americas, Asia, and Australia and New Zealand. CREST's purpose is to provide a level

of assurance that organizations and their security staff have a level of competence and

qualification in conducting security work such as penetration testing, threat intelligence

or incident response (CREST®, n.d.). CREST qualified professionals must abide by the

CREST Code of Conduct. The CREST code of conduct is relatively detailed and covers

requirements such ensuring regulatory obligations, adequate project management, compe-

tency, client interests, confidentiality, and ethics (CREST®, 2016).

EC-Council Code of Ethics

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 12

The International Council of E-Commerce Consultants, known as EC-Council was

formed after the September 11, 2001 attacks in the United States, to address cyber-attack

threats (EC-Council, n.d.). EC-Council is best known for its' Certified Ethical Hacker

(CEH) certification, which is recognized as a US Department of Defense (DoD) 8570

cyber security certification. The EC-Council Code of Ethics requires confidentiality of

discovered information, ensuring that any process or software obtained is legal and ethi-

cal, ensuring proper authorization, adequate project management, continuing professional

development, ethical conduct, and not being convicted of any crimes (EC-Council, n.d.).

Global Information Assurance Certification Code of Ethics

Global Information Assurance Certification (GIAC) provide some of the most well-

known and highly regarded certifications in the security industry. These certifications

include penetration testing, security management and digital forensic certifications. Es-

tablished in 1999, GIAC was established to provide assurance of the skills of information

security professionals (GIAC, n.d.). The GIAC Code of Ethics is broken into four se c-

tions; respect for the public, respect for the certification, respect for the employer, and

respect for oneself. The code mandates that professionals will take responsibility and act

in the public's best interests, ensure ethical and lawful conduct, maintaining confiden-

tiality, competency, accurate representation of skills and certifications, and avoiding con-

flicts of interest (GIAC, n.d.).

ISACA Code of Professional Ethics

The ISACA is a professional body established in 1969 with over 140,000 members

worldwide that focuses on IT governance (ISACA, n.d.) . Formerly known as the Infor-

mation Systems Audit and Control Association and focused on IT audit and assurance,

ISACA now also includes training and certification for information security and cyber

security professionals. The ISACA Code of Professional Ethics mandates that com-

pliance with standards and procedures is maintained, due diligence and professional is

taken, legal conduct, confidentiality is maintained, competency, and continuing profes-

sional development (ISACA, n.d).

ISC2 Code of Ethics

The ISC2 is an international, non-profit organization with over 125,000 members in the

information security profession (ISC2, n.d.). ISC2's Code of Ethics consists of four direc-

tives; protecting society and public interest, acting honorably, honestly, justly, responsi-

bly and legally, being competent, and advancingthe protection of the profession (ISC2,

n.d.).

The certifications provided by each of these bodies generally infer some level of trust and

confidence. Without considering the subjective reputation of each certification, it is gen-

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 13

erally implied that someone who hold a certification has some level of baseline know-

ledge that allows them to perform the assigned task. As identified by Fabian (2009) that

knowledge can be almost impossible to assess by those who rely on the professional and

there is an implied trust that comes with that.

Certifications without Codes

Although many security certifications have an associated code through their issuing body,

this is not always the case. An example is Offensive Security, who provide in-depth train-

ing and certification on ethical hacking; their examination is regarded as one of the most

difficult and highly regarded certification involving successful passing of a hands-on lab

test in order for a candidate to obtain the credential. Offensive Security don't have an

advertised code of ethics. For those codes that do exist; although they contain similar

directives, they are all different and include different levels of detail. All these courses

generally teach ethical principles within their courses.

The Need for aMandatory, Uniformed Code

As identified, there are codes of conduct and ethics available from numerous professional

and certification bodies. These codes, however, are only mandatory to those who are

members or certified by the respective body and therefore considered voluntary . There

are many similarities between codes, but they are not completely in alignment. Analyzing

each code does not identifyany direct conflict between codes and there are useful

attributes from each code.These codes could be combined and augmented to form a uni-

form code of conduct for ethical hackers and cyber security professionals alike. For the

code to be effective, it would need to be mandatory and have adequate oversight as dem-

onstrated by the ethics committees of GIAC and ISACA who review matters that don't

comply with their respective codes. This could be achieved more broadly through a com-

bination of regulation and licensing by the government.

In other professions such as lawyers, doctors, and accountants we see such mandatory

codes.These codes need to develop and adapt to economic changes, government influ-

ence, and changes within the profession (Backof, Martin, 1991) and such development

and change would be needed in a cyber security code. In Australia, legislation such as the

Legal Profession Uniform Law is in force and must be adhered to (New South Wales

Government, 2015). This legislation applies to all practicing lawyers and must be com-

plied with. The purpose of the legislation is to ensure all lawyers act ethically and comply

with the provisions required and such a requirement of ethical hackers who can potential-

ly access highly confidential and sensitive information and are entrusted to do so should

have similar requirements applied.

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 14

Unlike most doctors, lawyers and accountants, many cyber security professionals engage

with organizations across borders, either locally or internationally. This is especially true

when engaged by multi-national companies to review and test their security. This in-

creases the importance of a unified code that is suitable on a global scale and applies to

all cyber security professionals engaging in practices such as ethical hacking.

A unified code and subsequent regulation would likely benefit the profession and help

address some of the issues.

"By chartering and coming together as a regulated professional organization,

you can explore whether things like insurance, standards, and discipline are

mandatory.Effectively like doctors and lawyers, which is to say that you are not

entitled to practice without this certification." (Partner (Law Firm), Australia)

However, it is important to also ensure that this process is not only strict, but also access-

ible. Many smaller security organizations may be sensitive to cost, and while it is impor-

tant to ensure a certain minimum standard of skills and ethical conduct, it should be

available to all organizations and individuals that wish to practice. Although not a gov-

ernment regulation, CREST attempts to provide such a minimum standard and provide a

level of confidence, but there is a significant cost involved.

"CREST can be very expensive to an organization like ours. If each exam is

$3000, you make the assumption that most people will fail the first exam, which is

already optimistic given that the fail rate is 2/3. So I mean you're talking about

close to $9000 per exam. Then you've got a $10,000 membership fee." (Director

(Security Firm), Australia)

The need to combine the ethical requirements of the current bodies, and providing a level

of assurance such as that provided by CREST that is available to all security profession-

als by a regulatory entity would be valuable. The intent would be to increase the adoption

of a standardized approach to assurance and improve the profession across the board.

Conclusion

The use of ethical hackers as part of a good security strategy is evident and the use of

them is likely to increase as organizations strengthen their cyber security programs . Con-

sidering the volume of information that could be at risk even over a very short period of a

few days, the need to reduce this time as much as possible is crucial and engaging an eth-

ical hacker to identify weaknesses in system can help to ensure those weaknesses are re-

mediated before they are exploited by a malicious actor. Because ethical hackers use the

same techniques as malicious attackers, such as the email spoofing example, and often

research and gain intelligence through the same questionable challenges, there is a fine

line between an ethical white hat hacker, and a malicious black hat hacker; this further

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 15

highlights the importance of appropriate professionalism and ethical behavior and the

many ethical implications need to be considered

Because of the implied trust relationship between an ethical hacker and the client, the

ethical hacker is at an advantageous position and effectively given permission to access

any information they can, much of which could be confidential or sensitive in nature. It

has been identified, that ICT professionals have misused their privileges in the past, and

there is no reason why an ethical hacker could not do the same and further research in

this area is warranted.

It is clear that implied trust is an issue, and there is merit in further research in this area.

This research could include identifying whether there is merit in developing a mandatory,

unified code of conduct that applies to ethical hackers and helps ensure appropriate ethi-

cal behavior and levels of competence before an ethical hacker can or should be engaged,

some form of licensing requirement, or a combination of both.

References

Abu-Shaqra, B., &Luppicini, R. (2016). Technoethical Inquiry into Ethical Hacking at a

Canadian University. International Journal of Technoethics (IJT), 7(1), 62-76.

Al-Saggaf, Y., Burmeister, O. K., and Weckert, J. 2015. "Reasons Behind Unethical

Behaviour in the Australian Ict Workplace: An Empirical Investigation," Journal

of Information, Communication & Ethics in Society (13:3/4), pp. 235-255.

Australian Computer Society, (2010) "ACS Code of Ethics", Retrieved from:

https://www.acs.org.au/content/dam/acs/acs-documents/Code-of-Ethics.pdf

Backof, J. F., & Martin, C. L. (1991). Historical perspectives: development of the codes

of ethics in the legal, medical and accounting professions. Journal of Business

Ethics, 10(2), 99-110.

Bowern, M., Burmeister, O. K., Gotterbarn, D., &Weckert, J. (2006). ICT Integrity:

Bringing the ACS Code of Ethics up to date. Australasian Journal of Information

Systems, 13(2).

Burmeister, O. K., 2015. "Improving Professional It Doctorate Completion Rates," Aus-

tralasian Journal of Information Systems (19), 2015-08-18, pp. 55-70.

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 16

Burmesiter, O.K.,2013. "Achieving the Goal of a Global Computing Code of Ethics

through an International-Localisation Hybrid," Ethical Space: The International

Journal of Communication Ethics (10:4), pp. 25-32.

Burmeister, O. K., and Weckert, J. 2003. "Applying the New Software Engineering Code

of Ethics to Usability Engineering: A Study of 4 Cases," Journal of Information,

Communication & Ethics in Society (3:3), pp. 119-132.

Burmeister, O. K., Weckert, J., and Williamson, K. 2011. "Seniors Extend Understanding

of What Constitutes Universal Values," Journal of Information, Communication

& Ethics in Society (9:4), pp. 238-252.

Capurro, R., and Britz, J. B. 2010. "In Search of a Code of Global Information Ethics:

The Road Travelled and New Horizons," Ethical Space: The International

Journal of Communication Ethics (7:2/3), pp. 28-36.

Cole, E. (2002). Hackers beware. Sams Publishing.

Collier, R. (2017). NHS ransomware attack spreads worldwide. CMAJ Jun 2017, 189

(22) E786-E787; DOI: 10.1503/cmaj.1095434

Conran, B. 2014. "Why You Shouldn't Hire an Ethical Hacker," Security (51:3), Mar

2014

CREST®, n.d., "About CREST". Retrieved from: http://www.crest -approved.org/about-

crest/about-crest/index.html

CREST®, 2016, "Code of Conduct for CREST Qualified Individuals". Retrieved from:

https://www.crest-approved.org/wp-content/uploads/Code-of-

Conduct_Individual.pdf

CSA Singapore (2017). MCI and CSA Seek Public Feedback on Proposed Cybersecurity

Bill. Retrieved from https://www.csa.gov.sg/news/press-releases/mci-and-csa-

seek-public- feedback-on-proposed-cybersecurity-bill

EC-Council (n.d.). "About EC-Council". Retrieved from:

https://www.eccouncil.org/about/

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 17

EC-Council (n.d.). "Code of Ethics – EC-Council". Retrieved from

https://www.eccouncil.org/code-of-ethics/

Eminağaoğlu, M., UƧar, E., &Eren, Ş. (2009). The positive outcomes of information se-

curity awareness training in companiesA case study. Information security tech-

nical report, 14(4), 223-229.

Engebretson, P. (2013). The basics of hacking and penetration testing: ethical hacking

and penetration testing made easy. Elsevier.

Equifax (2017). "Cyber Security Incident & Important Information".

https://www.equifaxsecurity2017.com/frequently-asked-questions/

Fabian, R. (2009). Professional Essence. IT Professional, 11(3), 54-56.

Gay, J. R. (2012). A Code of Conduct for Computer Forensic Investigators(Doctoral dis-

sertation, University of East London).

GIAC, (n.d.), "About GIAC". Retrieved from: https://www.giac.org/about

GIAC, (n.d.), "GIAC Code of Ethics". Retrieved from: https://www.giac.org/about/ethics

Gengler, B. (1999). Cyber attacks from outside and inside. Computer Fraud & Security,

1999(5), 6-7.

Goodin, D. (2017). NSA-leaking Shadow Brokers just dumped its most damaging release

yet. ArsTechnica . Retrieved 31 July, 2017 from

https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-

brokers-just-dumped-its-most-damaging-release-yet/

Graves, K. (2010). Certified Ethical Hacker Study Guide. Wiley Publishing Inc, Indiana,

USA

Hawes, J. (2014). "2013 an epic year for data breaches with over 800 million records

lost.", "naked security by Sophos". Retrieved from

https://nakedsecurity.sophos.com/2014/02/19/2013-an-epic-year -for -data-

breaches-with-over-800-million-records-lost/

IBM. (2015). IBM 2015 Cyber Security Intelligence Index.

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 18

Identity Theft Resource Center (2017). "2017 – Breach Category Summary".

International Standards Organization (n.d.), ISO/IEC27000 family – Information Security

Management Systems. Retrieved from: https://www.iso.org/isoiec-27001-

information-security.html

ISACA, (n.d.). "About ISACA". Retrieved from: http://www.isaca.org/about-

isaca/Pages/default.aspx

ISACA, (n.d.). "Code of Professional Ethics.", Retrieved from

http://www.isaca.org/certification/code-of-professional-ethics/pages/default.aspx

ISC2, (n.d.), "Cybersecurity and IT Security Professional Organization | (ISC)2. Re-

trieved from: https://www.isc2.org/About

Jamil, D. A. N. I. S. H., & KHAN, M. N. A. (2011). Is ethical hacking ethical?. Interna-

tional Journal of Engineering Science and Technology (IJEST), 3(5)

Li, X., Rong, G., & Thatcher, J. B. (2012). Does Technology Trust Substitute Interper-

sonal Trust?: Examining Technology Trust's Influence on Individual Decision-

Making. Journal of Organizational and End User Computing (JOEUC), 24 (2),

18-38.

Lucas, R., and Weckert, J. 2008. "Regulation in the Ict Industry," Centre for Applied

Philosophy and Public Ethics, Australian National University, Canberra.

Mandiant (2017). "M-Trends 2017" https://www.fireeye.com/current-threats/annual-

threat-report/mtrends.html

Pollitt, E. (2017). ACS Launches world-first cyber certification. Retrieved September 30,

2017 from https://ia.acs.org.au/article/2017/acs-launches -world-first-cyber-

certification--.html

Survey Reveals Scandal of Snooping IT Staff. (2008). Software World, 39(4), 24

Telstra (2017). "Telstra Cyber Security Report 2017"

"The OSI Model's Seven Layers Defined and Functions Explained", n.d., Microsoft. Re-

trieved from https://support.microsoft.com/en-us/help/103884/the-osi-model-s-

seven-layers -defined-and-functions-explained

ORBIT Journal DOI: 10.29297/orbit.v2i1.77 19

Thomas, G. A. (2017) "An ethical hacker can help you beat a malicious one", The Con-

versation.

Thomas G., Burmeister, O. K., Low, G. (2017). Issues of Implied Trust in Ethical Hack-

ing: Proceedings for the Australasian Conference on Information Systems 2017

conference. Hobart.

Thomas G., Low G., Burmeister O. (2018) "Who Was That Masked Man?": System

Penetrations—Friend or Foe?. In: Prunckun H. (Eds) Cyber Weaponry. Advanced

Sciences and Technologies for Security Applications. Springer, Cham

Thomas, G., Duessel, P., & Meier, M. (2017). Ethical Issues of User Behavioral Analysis

Through Machine Learning. Journal of Information System Security, 13(1).

Trabelsi, Z., &McCoey, M. (2016). Ethical Hacking in Information Security Curricula.

International Journal of Information and Communication Technology Education

(IJICTE), 12(1), 1-10.

Tutzauer, C. (n.d.) The Role of Trust in the Successful Implementation of Information

Systems. Retrieved from

http://www.academia.edu/747081/The_Role_of_Trust_in_the_Successful_Imple

mentation_of_Information_Systems

Verizon. (2015). 2015 Data Breach Investigations Report. Verizon.

Verizon (2017). "Verizon Data Breach Investigations Report 2017"

http://www.verizonenterprise.com/verizon-insights -lab/dbir/2017/

Verizon (2018). "Verizon Data Breach Investigations Report 2018"

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

Copyright:Copyright remains with the authors. This is an openaccess article distributed

under the terms of the Creative Commons Attribution License, which permits unrestricted

use, distribution, and reproduction in any medium, provided the original author and

source are credited.

... It is imperative to improve cybersecurity performance to combat the increasing sophistication and stealth approaches of malicious individuals compromising a system. The following study concurs with the Verizon data breach report that shows insiders caused 62% of breaches [44] The report also demonstrated that 60% and 53% of threats were from Asia and Australia, respectively. The Identity Theft Resource Centre (2017) identified 850 breaches that resulted in 16 million exposed records [45]. ...

  • Syed (Shawon) M. Rahman Syed (Shawon) M. Rahman

Organizations face the probability of being hacked because of weak and inadequate cybersecurity implementations. Hackers are still able to breach a system when security tools such as firewalls, SIEM, anti-virus software, encryption, and IDPS are readily in place within an organization. Digital criminals are responsible for increased network breaches using elusive security tools to penetrate secure environments with sophistication. Cyberattacks are continually increasing due to the sophistication and innovation of cyber attackers. Many vulnerable areas must be reinforced against cybercriminals, Insider threats, inadequate employee training, and negligence. Monetary investment in cybersecurity and management support plays a significant role in assuring the implementation of information security throughout any organizational processes. The implication for practice can provide organizations with approaches on how to mitigate cyber exploits and safeguard the confidentiality, integrity, and availability of information by bridging the gap between incident detection and response.

... However, any expansion of the scope of the test or any emergency situation may need choosing unstructured, more creative and less convention-bound strategy. This way, any ethical concerns may be simply ignored [51,[54][55][56]. ...

Cybersecurity and cybercrime cannot exist without each other. They are not contraries, but rather two opposite poles of the same idea. Although it may seem that it is a rather black and white kind of relationship, the measures aimed at protecting innocent people raise a myriad of ethical dilemmas. This paper presents the results of a horizon scanning study aimed at identifying the ethical and human rights dilemmas that may arise in relation to cybersecurity and cybercrime; in the paper, the identified "weak signals" have been presented, that is, the ideas or concerns which are less obvious, not widely researched or present in the media. The cybersecurity-related ethical issues arise as part of the relations between the affected people and other entities; thus, in this paper, the identified dilemmas have been organized according to the nature of the relations.

As networks are expanding day by day, the need for security is attaining more attention. Hackers have always been renowned as a severe security threat. Ethical hacking is an important form of hacking. It is a type of hacking that doesn't hurt any individual, association, or gathering. It is done with a positive intent to find out the security loop-holes in the current infrastructure of some organizations. The organization may patch its security vulnerabilities accordingly as suggested by ethical hackers. In this research work, a comparative analysis has been conducted for ethical hacking techniques. It classifies the existing techniques based on their working principles and compares the working mechanisms of all techniques. Graphical analysis of ethical hacking tools along with a score-based comparison is also part of this research. Moreover, the research can be useful in suggesting the most appropriate tool to be used for a particular scenario.

This chapter explores a range of hacking techniques that can be used for either malicious or good purposes. It focuses on the role of the penetration tester, also known as a white hat hacker, or an ethical hacker. The discussion highlights the need to employ ethical hackers to expose system vulnerabilities so that they can be addressed before they are exploited by criminals or other threat actors. Because the techniques and methods used by ethical hackers are largely the same as those used by malicious hackers, there are some risks that need to be considered. Moreover, that there is a need for improving the standard of professionalism amongst ethical hackers, through certification, education and validation. Professionals in this area of IT assist organizations to mitigate cyber threats, not only by testing systems, but also in reviewing policies, procedures and controls. Ethical hackers are thus, an integral component of a mature security program.

Ransomware is a type of malicious software that holds access to computer resources for a ransom amount. This is accomplished through encrypting the personal files or denying access to the user interface. The access is reinstated only once ransom amount is paid to the attacker. There is a significant increase in ransomware attacks involving crypto ransomware, which encrypt the personal files present on a host or network attached storage and demand ransom in cryptocurrency. Improvements are being made by ransomware in the encryption algorithms, key exchange mechanisms and modes of lateral movement as time progresses. This change has to be reflected in the detections mechanisms to effectively defend against the attacks. Ransomware has become one of the highest damaging types of cyber-attack in the present time and organizations across the world have lost billions of dollars in damages caused due to disruption in business operations. Attackers have earned millions of dollars in ransom money from their victims. Effective detection of ransomware and preventing data loss through encryption is a leading field of research. This paper summarizes the latest research, security products and practices in the prevention, mitigation, and containment of ransomware attacks.

  • Oliver K. Burmeister Oliver K. Burmeister

Professional doctorates in Information Technology (IT) have been a relatively recent phenomenon, giving IT professionals career management choices not previously available to them. However, successful completion rates are the lowest of all disciplines. Completed doctorates rate in quality equivalent to PhDs, and retention has been identified as a major obstacle to completion. This qualitative study, involving 44 semi-structured interviews with students, supervisors and institutional support personnel, investigated the obstacles. Amongst the strategies discovered to improve completion rates were retention, student engagement with supervisors, feedback on progress, student engagement in the course, and student involvement in institutional communities of practice.

  • Danish Jamil
  • Muhammad Numan
  • Ali Khan

This paper explores the ethics behind ethical hacking and whether there are problems that lie with this new field of work. Since ethical hacking has been a controversial subject over the past few years, the question remains of the true intentions of ethical hackers. The paper also looks at ways in which future research could be looked into to help keep ethical hacking, ethical.

Due to the ever-growing risk of data leakage and sabotage by internal employees, insider threat detection is receiving increasing attention. Solutions are typically asset-centric and rule-based, providing limited detection capabilities and significant maintenance efforts. Content-based anomaly detection over user behavior is an alternative, but raises ethical questions that need to be addressed before deployment. In this contribution, user-centric content-based behavioral anomaly detection utilizing four ethical dimensions reveals that it requires integration with the organization's data privacy organization, a binding code of conduct for administrative personnel, integration with the organization's security incident management and continuous oversight by management.

  • Baha Abu-Shaqra
  • Rocci Luppicini

Business and academic organizations are in a constant pursuit of efficient and ethical technologies and practices to safeguard their information assets from the growing threat of hackers. Ethical hacking is one important information security risk management strategy they use. Most published books on ethical hacking have focused on its technical applications in risk assessment practices. This paper addressed a scarcity within the organizational communication literature on ethical hacking. Taking a qualitative exploratory case study approach, the authors explored ethical hacking implementation within a Canadian university as the case study in focus, applying technoethical inquiry theory paired with Karl Weick's sensemaking model as a theoretical framework. In-depth interviews with key stakeholder groups and a document review were conducted. Findings pointed to the need to expand the communicative and sociocultural considerations involved in decision making about ethical hacking organizational practices, and to security awareness training to leverage sensemaking opportunities and reduce equivocality.

Teaching offensive security (ethical hacking) is becoming a necessary component of information security curricula with a goal of developing better security professionals. The offensive security components extend curricula beyond system defense strategies. This paper identifies and discusses the learning outcomes achieved as a result of hands-on lab exercises which focus on attacking systems. The paper includes the ethical implications associated with including such labs. The discussion is informed by analyses of log data on student malicious activities, and student survey results. The examination of student behavior after acquiring these skills demonstrates that there is potentially a high risk of inappropriate and illegal behavior associated with this type learning. While acknowledging these risks and problems, the paper recommends that curricula should opt for a teaching approach that offers students both offensive and defensive hands-on lab exercises in conjunction with lecture material. The authors propose steps to minimize the risk of inappropriate behavior and reduce institutional liability.

  • Oliver K. Burmeister Oliver K. Burmeister

Attempts to create a global computing code of ethics have failed repeatedly over the last 25 years. Some focused on professional ethics and others on common values across cultures. In this paper professional ethics are seen as normative, yet subject to cultural diversity, and the place of values is seen as a promising way forward. A hybrid is proposed following the two-fold formula for codes of ethics advocated by the International Federation of Information Processing. The international-localisation hybrid suggests that it is possible to achieve a common set of values, yet allow diversity through interpretations of acceptable professional behaviour.

While an increasing number of trust studies examine technological artifacts as trust recipients, there is still a lack of basic understanding of how technology trust relates to traditional trust and its role within the broader nomological net articulated in trust research. This paper suggests that technology trust is distinct from interpersonal trust i.e., trust in humans due to the different core characteristics of the trustees. To examine these differences, the authors first develop and validate a measure of technology trust comprised of IT-specific belief sources. Then, they articulate a research model that compares and contrasts technology trust and interpersonal trust. This study provides evidence that technology trust is associated with, yet distinct from, interpersonal trust. The authors found technology trust plays a dual role in the nomological net tied to individual intended behavior-exerting a direct and an indirect influence on a trust outcome. Rather than suggesting that technology trust substitutes for interpersonal trust, the findings suggest that technology trust complements interpersonal trust in affecting purchase intention.

One of the key factors in successful information security management is the effective compliance of security policies and proper integration of "people", "process" and "technology". When it comes to the issue of "people", this effectiveness can be achieved through several mechanisms, one of which is the security awareness training of employees. However, the outcomes should also be measured to see how successful and effective this training has been for the employees.In this study, an information security awareness project is implemented in a company both by training and by subsequent auditing of the effectiveness and success of this training (which focussed on password usage, password quality and compliance of employees with the password policies of the company). The project was conducted in a Turkish company with 2900 white-collar employees. Each employee took information security training including password usage. Also, there were several supporting awareness campaigns such as educational posters, animations and e-messages on the company Intranet, surveys and simple online quizzes. The project was carried out over a 12 month period and three password security strength audits were made during this period. The results were comparatively and statistically analysed. The results show us the effectiveness of the project and the impact of human awareness on the success of information security management programmes in companies. This study gives us some crucial results, facts and methods that can also be used as a guideline for further similar projects.