Virtuous human hacking: The ethics of social engineering in penetration-testing

Abstract

This paper offers a virtue ethics analysis of social engineering in penetration-testing. It begins by considering previous research on this topic and argues that such attempts misconstrue or, more often, overlook this Aristotelian tradition. It articulates the core tenets of virtue ethics and applies them to an analysis of white hat social engineering. A virtue ethics analysis requires that individuals and the firms that initiate the penetration-test be placed within a larger communal context, which obligates individuals who are potential human hacking victims to participate in the constitution and flourishing of larger communities. As such, for virtue ethics, consent is not a necessary condition for the positive ethical status of white hat social engineering. If methods are consistent with moderation (i.e. the golden mean), manipulation at lower orders within the hierarchy of communities can be justified if it can reasonably be understood as part of an individual's participatory obligation and the results of this participation are essential to ensure the eudaimonia of the larger community. Nevertheless, the golden mean requires that robust mitigation strategies lessen the degree of harm inflicted on social engineering victims. Where possible, a degree of consent should be attained as part of this mitigation. Finally, penetration-testing firms must be able to demonstrate that a robust ethical training program governs their use of social engineering.
