Part 1: Research Project (Literature Review)
Research questions & purpose
This proposed dissertation falls under the category of an investigation and is titled: Investigating the General Public’s and Industry Professional’s Perception of Ethical Hackers. Three sub-research questions have been specifically chosen; these are:
1. What do cyber security professionals and the general public understand about the role of an ethical hacker?
2. Do cyber security professionals have more trust than the general public that ethical hackers will not use their skills to commit crime?
3. What actions do the general public believe ethical hackers could take to gain more of their trust?
These research questions were chosen to reflect the three key aims of this investigation which are as follows:
1. To gain a better understanding of the perception of ethical hackers from a professional and a general public viewpoint.
2. To gain an understanding of whether ethical hackers are trusted by security professionals and the general public.
3. To identify what actions could be taken by ethical hackers to gain more trust from the general public.
The purpose of this investigation is to add to a currently limited understanding of the perception of ethical hackers, and to establish whether there is indeed a contrast between the general public’s and industry professionals’ view of ethical hackers. Currently there is more global attention focussed on the cyber security industry than ever before; this is principally due to year-on-year increases in cybercrime across the world (Nohe, 2018).
Rationale & research
The justification for this research is quite simple. More ethical hackers are being trained than ever before to combat cybercrime. Currently there are more cyber security roles worldwide than trained personnel to fill these vacancies; cyber security unemployment stands at 0% (Morgan, 2016). Ethical hackers are entrusted to protect personal data, and it is important that the public trust this unique profession because the very nature of the job can expose private and confidential details.
The Office for National Statistics (2018) states that within the United Kingdom (UK), regular internet usage by the adult population stood at 89% in 2017, increasing to 90% in 2018. It is therefore of critical importance that the general public first understand the risks of cybercrime. As more of the population gains internet access each year, the threat of cybercrime rises as a direct result. The general public consequently need to be able to put their faith confidently in online entities. It is now commonplace globally for people to carry out more functions of their lives online (Hanson, 2015). Therefore, it is necessary that the general public understand the role of ethical hackers, commonly known as white hat hackers. It is imperative that they can trust and understand the role ethical hackers occupy in the effort to combat cybercrime, and it is essential that they comprehend the distinction between ethical hackers and users who have malicious intent.
Ethical hacking is intrinsically linked to hacking: it is the attempt to breach IT infrastructures, with the aim of finding vulnerabilities and subsequently putting preventative measures in place so that unauthorised intrusions cannot exploit these flaws. Any vulnerabilities a network may have could lead to unlawful access, which could ultimately lead to data loss, financial loss or legal issues (Smith & Morrison, 2018). Retailers, merchants, social media organisations and other online entities continually acquire personal and confidential data on users. These online entities are constantly being probed and attacked in various forms by malicious users, commonly referred to as black hat hackers. The aim of black hat hackers in carrying out targeted cyber-attacks is typically financial gain (Venue, 2012).
Once data has been accessed and lost it becomes exceptionally difficult to trace. The data can then be resold by the criminal(s) or used personally. Stolen data is commonly used for identity theft: users who have had data stolen may suffer financial fraud in their name, with products opened or funds taken from personal bank accounts. However, cybercrime is diverse, with organisations experiencing different issues such as ransomware (Yar, 2013).
If the job role of an ethical hacker were carried out without obtaining the correct permissions, it would be classified as illegal within most global territories. Within the United Kingdom this would fall under the Computer Misuse Act (1990) and the Data Protection Act (1998). Previous research is seemingly sparse for this particular area of computing. When the present study’s research question was proposed to a small sample of pre-study participants and their understanding of ethical hackers was questioned, many misconceptions and preconceived ideas about the role emerged that were simply incorrect. Therefore, placing a concise and succinct definition of the role of an ethical hacker on the questionnaire consent page seems appropriate.
This research is being conducted to understand the differences, if any, between the general public’s and industry professionals’ perceptions of ethical hackers. This body of research is in the public interest, raising awareness of any opinions and biases found and helping to educate the public on the discipline. When conducting this research, the aim will be to draw conclusions and, where necessary, give recommendations in line with the study’s three sub-research questions. This research will add to the academic knowledge and understanding of the role of an ethical hacker.
Cyber security is an area that grows annually, and the employment market currently finds that supply is not meeting demand (Morgan, 2016). Therefore, there is a shortage of professional penetration testers within the UK. It is therefore important to communicate this to the general public, so that this career option is communicated and clarified, ensuring the skills gap can be filled.
Literature review methodology
In order to choose an appropriate investigation for this dissertation, several well-established reflective practice models were consulted. This was done to ensure that the ongoing needs of this project could be adequately assessed, to check that this body of work was viable and to allow any adjustments to the work deemed necessary. Three models were focussed on in particular: Gibbs’ model, Schön’s model and Rolfe’s simplistic model. Rolfe’s simplistic model was found to be the most fitting for this specific project’s needs. The model consists of What, So what, Now what (Williams et al., 2012). Upon selection of the investigation’s research question, the three steps of the model were followed. Research was undertaken and then reflected upon, which ultimately decided the path this dissertation would follow. When researching, it was found that there was an adequate amount of previous academic work to give a framework to build upon, and also to ensure that this investigation’s research question was unique.
This project made use of the online reflection zone that is afforded to students to check with the programme leader that the proposed research question is feasible. The research question was thoroughly described, including the three ensuing sub-questions and my aims for the project. These initial plans received encouraging feedback and ethical approval.
It was decided that a thorough literature review was required in order to give this project credence. To achieve this, a wide variety of educational, professional and literary sources were consulted and reviewed. The following literature review drew on many outlets and publications, which were consulted to collect information. These include:
Books – Accessed through Amazon Books, Google Books, Safari Books and JSTOR
Journals – Accessed through Manchester Metropolitan University library, Google Scholar
Websites – Sources originally found by searching Google
This access ensured a broad and thorough examination of key literature in the area. Within the literature review process, both quantitative data collected through studies and qualitative data such as professional opinions were reviewed, to safeguard neutrality.
Ethical hacking, otherwise referred to as penetration testing, is an ethical way of testing the IT security infrastructure of an entity. Ethical hackers are charged with finding any security vulnerabilities that could be exploited; to do so, they attempt to imitate attacks and breach the networks they are employed to secure. The purpose behind this is to diminish external threats from malicious hackers and avoid unauthorised intrusions (Simpson et al., 2010).
Whitaker & Newman (2005) state that ethical hackers work together with organisations primarily as a pre-emptive procedure to prevent intrusions. Unauthorised access by malicious users may result in the loss of data from an entity. This can have profound implications. Stolen data can be resold, published or used for further exploitation. This can lead to reputational damage and fines, both of which result in financial loss.
Ethical hackers may work in a lone capacity or as part of a team; a common trend is for penetration testers to be employed as external contractors. As noted above, penetration testers are often employed as a preventative measure; however, they are also often employed after an entity becomes aware of a cyber security breach. Penetration testers carry out thorough network testing and are then charged with writing a thorough report with recommendations to network owners (InfoSec, 2018).
Ethical hacking is a unique subdivision of the cyber security sector. Although hacking is widely discussed within the media, the general public are perceived not to understand the differences between malicious hacking and ethical hacking. The term “hacking” is often used in the media when disclosing information on the latest cyber security breach of an entity. This tends to give the public a negative outlook on the term “hacking”, and it is important that ethical hackers are not tarred with the same brush and that the public are able to identify the differences (Collins, 2018).
Collins (2018) states that there are far more ethical hackers than hackers and that it is important that the general public understand the difference between the two practices. Little research has been carried out to gather the views of the general public in relation to ethical hacking; however, with most opinions based upon visual, verbal and written media, public perceptions may be warped.
The public understanding of ethical hackers was further blurred in May 2017 when the much-publicised NHS ransomware attack known as “Wannacry” took place. A young ethical hacker by the name of Marcus Hutchins was hailed as a hero when he discovered how the attack could be mitigated. He passed this information on for free and allowed the NHS core services, along with other organisations, to resume operations. This was positive publicity for the ethical hacking community; however, shortly after Mr Hutchins was credited with the “Wannacry” fix, he was indicted on charges in the USA. Mr Hutchins was accused of creating banking malware by the name of “Kronos”, designed to steal banking credentials, and he was arrested in August 2017. It is therefore easy to see why the public misunderstand the role of ethical hacking (BBC, 2018).
Professionals working within the computing industry, but not specifically as ethical hackers, have a better understanding of the role of an ethical hacker than the general public. Working within IT environments, professionals will have greater fundamental knowledge of security processes and of the work that is conducted and produced by ethical hackers. Ethical hackers may work for large companies, governments, security-orientated organisations and other IT infrastructures, and are employed to keep their information secure. Employers require ethical hackers to legally penetrate networks to assess overall network security. Tasked with finding weaknesses, ethical hackers must then present solutions; however, it is not up to the ethical hackers to implement these solutions, as that is down to the individual organisation’s network engineers (Towers, 2018).
Harris (2017) states “the word hacker fills the business industry with dread”. Paul Harris, who is the managing director of Manchester-based cyber security company Secarma, employs over fifty ethical hackers and admits that there is a disparity between the professional view of ethical hackers and that of the general public. Harris (2017) describes ethical hackers as “a rare commodity” and acknowledges that the work of ethical hackers is essential to keeping networks secure.
Ethical hackers have first-hand experience of the discipline, so they are best placed to advise on the perception of ethical hacking from their viewpoint. When interviewed in 2016, Jamie Woodruff, an ethical hacker from Lancashire, UK, gave a personal insight. Woodruff (2016) argues strongly for the ethics involved within his profession and raises the point that awareness of ethical hacking needs to be built, as ethical hacking is still largely unknown to the general public.
Tanya Janca, a senior-level penetration tester, was interviewed in 2018 and, similarly to Mr Woodruff, stated that the ethics of penetration testing must be adhered to, emphasising confidentiality and agreement with organisations before any testing can take place (Janca, 2018). It is believed that if the general public were educated on the complex and vetted procedures ethical hackers follow, there may be greater understanding of ethical hacking.
Conclusion of literature
Organisations are becoming more interconnected, leaving more opportunities for malicious black hat hackers to exploit new and ageing IT infrastructures. It is therefore of paramount importance that ethical hackers carry out their security work. The perception of ethical hackers from the general public appears to be one of confusion and fear. Not understanding the role well enough to draw conclusions, and being constantly inundated with media describing organisations that have been hacked, leads to fear. It seems there is misinformation within the media, and this is preventing learning around the discipline of ethical hacking. More troublesome perhaps is the fact that within the UK there is a lack of trained ethical hackers; cyber security has a zero percent rate of unemployment (Morgan, 2016). This can only emphasise the fact that greater communication and resources are needed to fill these vacancies and protect infrastructures.
Primary research methodology
This study’s proposed methodology is an online questionnaire design whereby participants are asked a series of questions related to the research questions proposed at the start of this investigation. There are several key strengths in the use of online questionnaires as opposed to other forms of research. Online surveys are quick and easy because data are collected online; there is no barrier in place as long as participants have internet access and a device on which to open the survey link (Baker et al., 2013).
Online surveys are inexpensive; many websites, such as SurveyHero (2018), which will be used for this research, do not charge any fees for usage. From an accessibility perspective, a large target audience can be reached with just a single web address. In conjunction with social media, the survey can target vast audiences to ensure participation. SurveyHero, like many other free survey sites, also offers statistical analysis of participant responses, which can save money on further statistical analysis of the data gathered.
There can also be limiting factors with online surveys compared with other forms of research. Survey statistics can be influenced by rogue parties; however, this should be picked up with further statistical analysis. Participants may also be dishonest in the answers that they give to the online survey questions. A further identifiable weakness may be lack of depth in responses, as the online questionnaires will be closed response, with only yes or no answers applicable. Finally, internet questionnaires can be inaccessible to some demographics, such as the elderly, who then cannot take part (Evans and Mathur, 2018).
A questionnaire design will be used for this study as it will allow data to be collected about the perceptions people have of ethical hackers, which should effectively answer the proposed research questions.
The questionnaire for this study will collect quantitative data, which will allow for a large sample to be collected; this should mean conclusions can be drawn from the collected responses because the data is likely to be generalisable. However, quantitative data can be limited as it does not provide in-depth information. Quantitative data is the most appropriate for this study because this investigation does not require in-depth qualitative data in line with the research question.
The participants will be internet respondents aged between 18 and 65. The survey data will be collected using SurveyHero and posted on social media platforms such as Facebook and LinkedIn. A precisely designed questionnaire will be used for this study to gauge responses in accordance with the research questions.
To analyse this data, this study will use IBM’s software package SPSS. SPSS is dedicated to the analysis of statistical data, with a comprehensive set of statistical tools (Brace et al., 2016). This statistical data will aim to answer the main research question and three sub-questions of this investigation. SPSS is used at the highest academic levels, in government institutions and in private entities. Offering this research an integrated interface to run descriptive statistics, regression and advanced statistical modelling, it should cater for the full analytical needs of this project. The aim of using SPSS will primarily be to input survey responses so that this data can then be interpreted.
It is understood that when undertaking any research, ethical considerations need to be adhered to. This investigation will therefore establish several measures to ensure that the research is valid and compliant. Three key ethical concerns for this research are: gaining consent, anonymity and confidentiality (Cirt, 2018). Firstly, the study must gain the consent of all individuals taking part and ensure they are aged 18 to 65. This will be achieved by adding a check box and outlining the research at the start of the online survey; the survey questions will be completely inaccessible without participant consent. The study will advise that all data will be confidential and secure.
This research will gather personal data from the general public and industry professionals to establish age ranges, gender and opinions through online questionnaires; this allows for demographic analysis while keeping the data anonymous. However, this data is sensitive and confidential and must be kept secure. A password-protected SurveyHero account will be used to gather the data. This data will then be exported to a password-protected and encrypted external hard drive, where it will be statistically analysed after collection to draw summative conclusions.
There will be separate survey links for industry professionals and the general public, so the study can distinguish between the two data sets. As stated, LinkedIn private messaging will primarily be used to contact industry professionals; this is to ensure the messages are private and confidential and to safeguard secure industry professional responses without compromising the integrity of the research. The aim is to generate fifty respondents from the general public and fifty industry professionals. The data gathered from industry professionals will be stored securely in the same way as the general public’s responses. Industry professionals will be contacted personally through private messages; however, to safeguard anonymity, there will be no way of telling from whom the survey responses have been collected. The research has gained ethical approval from the University as of December 2018. Any data collected solely for the research project will be erased upon completion of the project in line with the Data Protection Act (1998).
Baker, R., Brick, J. M., Bates, N. A., Battaglia, M., Couper, M. P., Dever, J. A. and Tourangeau, R. (2013). Summary report of the AAPOR Task Force on Non-probability Sampling. Journal of Survey Statistics and Methodology, 1, pp. 90-143.
Brace, N., Snelgar, R. and Kemp, R. (2016). SPSS for Psychologists: And Everybody Else. 6th ed. UK: Palgrave Macmillan, pp. 1-2.
Computer Misuse Act (1990). Available: https://www.legislation.gov.uk/ukpga/1990/18/contents. Last accessed 25/11/2018.
Data Protection Act (2018). Available: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Last accessed 04/12/2018.
Evans, J. R. and Mathur, A. (2018). The value of online surveys: a look back and a look ahead. Internet Research, 28 (4), pp. 854-887.
Grand Canyon University (2018). Ethical Considerations. Available: https://cirt.gcu.edu/research/developmentresources/tutorials/ethics. Last accessed 24/12/2018.
Hanson, R. E. (2015). Mass Communication: Living in a Media World. 6th ed. USA: Sage Publications, Chapter 10.
InfoSec (2018). How to become an Ethical Hacker. Available: https://resources.infosecinstitute.com/job-titles/ethical-hacker/#gref. Last accessed 27/12/2018.
LifeWire (2018). Good Hackers, Bad Hackers: What’s the Difference? Available: https://www.lifewire.com/hackers-good-or-bad-3481592. Last accessed 28/12/2018.
Morgan, S. (2016). Cybersecurity Unemployment Rate Drops To Zero Percent. Available: https://www.cybersecurityventures.com/cybersecurity-unemployment-rate/. Last accessed 03/12/2018.
Nohe, P. (2018). Cybercrime Statistics. Available: https://www.thesslstore.com/blog/2018-cybercrime-statistics/. Last accessed 29/11/2018.
Office for National Statistics (2018). Internet users, UK: 2018. Available: https://www.ons.gov.uk/businessindustryandtrade/itandinternetindustry/bulletins/internetusers/2018. Last accessed 29/11/2018.
Prasad, Y. (2018). Exclusive Interview With Ethical Hacker: Tanya Janca. Available: https://www.hackersinterview.com/interview/exclusive-interview-ethical-hacker-tanya-janca/. Last accessed 06/01/2019.
Rooth, B. (2017). Can ‘ethical’ hackers be your friend? Available: https://www.manchestereveningnews.co.uk/business/business-news/can-ethical-hackers-be-friend-13478140. Last accessed 02/01/2019.
Simpson, M. T., Backman, K. and Corley (2010). Hands-On Ethical Hacking and Network Defense. 2nd ed. Massachusetts: Delmar Cengage Learning.
Smith, E. (2016). An interview with an ethical hacker. Available: https://www.raconteur.net/risk-management/an-interview-with-an-ethical-hacker. Last accessed 04/01/2019.
Smith, H. and Morrison, H. (2018). Ethical Hacking: A Comprehensive Beginner’s Guide to Learn and Master Ethical Hacking. California, USA: CreateSpace Publishing, pp. 2-4.
SurveyHero (2018). Create your online survey. Available: https://www.surveyhero.com/create-survey?ref=main-menu. Last accessed 10/12/2018.
Towers, L. (2018). Careers of the Future: Ethical Hacker. Available: http://www.insiderguides.com.au/careers-future-ethical-hackers/. Last accessed 29/12/2018.
Venue, C. (2012). A guide to computer hacking including vulnerabilities, hacking tools, cybercrime, hacker ethics such as White Hat, Black Hat, Grey Hat, and more. United States: Webster’s Digital Services.
Whitaker, A. and Newman, D. P. (2005). Penetration Testing and Network Defense. Indiana: Cisco Press.
Williams, K., Wooliams, M. and Spiro, J. (2012). Reflective Writing (Pocket Study Skills). UK: Palgrave Macmillan, pp. 79-98.
Yar, M. (2013). Cybercrime and Society. London: Sage Publications.