Issues of Implied Trust in Ethical Hacking
Abstract: This research examines the ethical hacking profession, specifically the issue of implied trust between these professionals and the organizations that engage them. The trust issue arises from placing complete trust in a third party who evaluates the security of the company's systems. The penetration tests that ethical hackers carry out give them complete information about the organization. Organizations are therefore concerned that black-hat or gray-hat hackers may be hiding among ethical hacking professionals and may leak confidential or sensitive information to unauthorized parties. It is recommended that a unified and compulsory professional code of conduct be developed and applied globally. Such a unified code would provide mandatory guidelines for ethical hackers as they interact with their clients' systems.
Keywords: Ethical Hacking, Professional Ethical Code of Conduct
I. INTRODUCTION
Ethical hacking has gained considerable recognition and popularity in the modern cyber world. The process involves authorized attempts to gain unauthorized access to computer systems, applications, or data. The practice is necessary because it lets system owners learn how their networks could be compromised, take control of their systems, and mitigate further impact caused by malicious hackers. The main aim of ethical hacking is to identify the vulnerabilities in a system that a malicious hacker could exploit to cause damage.
Despite the benefits that have come with ethical hacking, there are contentious issues in the profession. According to Georg et al. (2018), there is a fine line between ethical and malicious hacking. Ethical hackers routinely gain access to highly confidential and sensitive information, which places them in a position to exploit these privileges to the client's detriment. There have been cases of IT professionals misusing such privileges for various benefits, and nothing inherent in the role would stop an ethical hacker from doing the same. To this effect, Georg et al. (2018) insist on the need to develop appropriate professional codes to guide conduct among ethical hackers, given the numerous ethical implications of not having such codes. In the last decade, the number of published articles discussing the implied trust challenge facing the ethical hacking profession has increased, as shown in Figure 1.
Figure 1: The number of articles published yearly on ethical hacking and implied trust.
II. DEFINING ETHICAL HACKING
According to Yaacoub et al. (2021), ethical hacking is primarily a life cycle consisting of stages similar to those taken by a typical malicious hacker. The only difference is that the ethical hacker, unlike the black-hat hacker, is not focused on causing harm or damage to the affected system. The phases in this life cycle are reconnaissance, scanning, gaining access, maintaining access, and covering tracks. In some cases the cycle becomes a continuous loop, so that it forms an essential element of constant risk assessment. The white-hat hacker, that is, the ethical hacker, goes through these phases to identify the vulnerabilities within the system, including missing system updates, poor architecture, system misconfigurations, and other weak spots (Georg et al., 2018).
Figure 2: A complete methodology of ethical hacking
Table 1: Types of Hackers Depending on Their Motives
Type of hacker | Individual motive
White hat hackers | Ethical hackers who break into a system with prior permission; their motive is to find weaknesses inside the system so it can be protected from hackers with malicious intent.
Black hat hackers | Hack into systems illegally, with the intent to steal sensitive information and harm the system. They are wary of being caught and tend to keep their identities secret.
Grey hat hackers | A blend of white and black hat hackers. They break into systems illegally for the fun of it, with the intent of finding bugs and earning bug bounty money in the process.
Suicide hackers | Work illegally with the motive of bringing down the infrastructure of large organizations. They are not afraid of the consequences and are boastful about their expertise in the field.
Ethical hackers need a deep understanding of numerous areas, including but not limited to software, hardware, networking, and human behaviour (Engebretson, 2013). The knowledge needed to be a highly effective hacker is so extensive that it can be very difficult to evaluate how effective an ethical hacker actually is. Clients simply trust that the ethical hacker will carry out their activities professionally while prioritizing the client's interests. This kind of trust is risky, since experience has shown that not everyone can be trusted. Thus, because many organizations are unable to assess the effectiveness of ethical hacking professionals, they also need a way in which that performance can be assessed and monitored (Thomas et al., 2019).
Figure 3: The compulsory skills that ethical hackers should have
The penetration testing that ethical hackers carry out gives them full knowledge of the organization's systems (Palmer, 2001). The professional learns the exploitable vulnerabilities within the system and the present security gaps. With this understanding, the professional could choose to withhold some of these threats from the organization for their own malicious benefit. The terms of engagement between the professional and the client also determine whether the ethical hacker may exploit these vulnerabilities to reach objectives such as obtaining administrative access, controlling the network, or obtaining confidential and sensitive information. The table below shows the average costs incurred by companies and organizations in the US as a result of hacking.
Table 2: The costs resulting from hacking
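One practical control over the discretion described above is to make the agreed terms of engagement machine-checkable, so that every target is tested against the authorized scope before it is touched and the decision is logged for the client to audit. The following Python is an added example written for this page and is not code from any of the cited works; the CIDR ranges, hostnames, test window and engagement details it uses are constructed and hypothetical.

```python
"""Rules-of-engagement scope check: added example, not from the cited works.

Assumed (hypothetical) setup: the client's statement of work lists authorised
CIDR ranges and hostname patterns, explicit carve-outs, and a test window.
Every target is checked before it is touched, and each decision is logged.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatch
import ipaddress


@dataclass
class RulesOfEngagement:
    allowed_networks: list   # CIDR strings the client authorised
    allowed_hosts: list      # hostname globs the client authorised
    excluded_networks: list  # carve-outs inside the allowed ranges
    excluded_hosts: list     # hostnames that must never be touched
    window_start: datetime   # agreed test window (timezone-aware)
    window_end: datetime
    log: list = field(default_factory=list)  # audit trail of every decision

    def _decide(self, target, when):
        if not (self.window_start <= when <= self.window_end):
            return False, "outside agreed test window"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None  # not an IP literal, treat as a hostname below
        if addr is not None:
            # Exclusions first, so a carve-out always beats a broad allow.
            if any(addr in ipaddress.ip_network(n) for n in self.excluded_networks):
                return False, "address in excluded range"
            if any(addr in ipaddress.ip_network(n) for n in self.allowed_networks):
                return True, "address in authorised range"
            return False, "address not in any authorised range"
        host = target.strip().lower().rstrip(".")
        if any(fnmatch(host, p) for p in self.excluded_hosts):
            return False, "host explicitly excluded"
        if any(fnmatch(host, p) for p in self.allowed_hosts):
            return True, "host matches authorised pattern"
        return False, "host not authorised"

    def check(self, target, when=None):
        """Return (allowed, reason) and record the decision in the log."""
        when = when or datetime.now(timezone.utc)
        allowed, reason = self._decide(target, when)
        self.log.append({"time": when.isoformat(), "target": target,
                         "allowed": allowed, "reason": reason})
        return allowed, reason


# Constructed sample scope; the ranges, names and dates are illustrative only.
IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)


def example_roe():
    return RulesOfEngagement(
        allowed_networks=["10.20.0.0/16"],
        allowed_hosts=["*.test.example"],
        excluded_networks=["10.20.99.0/24"],  # e.g. a production database subnet
        excluded_hosts=["*.prod.example", "hr.test.example"],
        window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
        window_end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    roe = example_roe()
    for target in ["10.20.5.7", "10.20.99.3", "app3.test.example",
                   "hr.test.example", "db.prod.example"]:
        print(target, roe.check(target, IN_WINDOW))
    print("10.20.5.7 after window", roe.check("10.20.5.7", AFTER_WINDOW))
```

Exclusions are evaluated before allowances so that a carve-out such as a production subnet always wins over a broad range, and the decision log gives the client a record of what the tester did with the access granted. The check cannot stop a dishonest tester, but it makes any deviation from the agreed scope visible after the fact.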
The primary concern is that among the many white-hat ethical hacking professionals there may be black-hat or gray-hat hackers capable of leaking confidential information, without the company's knowledge, to malicious parties such as the client's rivals or cyber-criminal groups (Yaacoub et al., 2021). This would cause far greater damage and more severe consequences to the detriment of the client. As shown in the table below, white hat hackers and black and gray hat hackers have different objectives.
Table 3: Comparison between Hackers and Ethical Hackers
Difference | Hackers and crackers | Ethical hackers
Measures | Offensive | Defensive
Attacks | Harmful | Simulated
Vulnerabilities | Exploited | Identified
Tools used | Same tools | Same tools
Purpose of usage | Malicious | Non-malicious
Organizations | Attacking | Protecting
Security evaluation | Failed attempts | Pen testing
Security | Breach | Enhancement
Figure 4: Illustration of white hat hackers’ activities
Table 4: Illustration of the tests carried out by the ethical hackers
The table below illustrates a meta-ethical view of ethical hacking.
Table 5: A meta-ethical view of ethical hacking
III. THE IMPLIED TRUST ISSUE WITH ETHICAL HACKING
Generally, ethical hacking is an honorable profession, and organizations recognize their need for these professionals to assess how secure their systems are. Through ethical hacking, organizations can identify vulnerabilities that could be exploited to the detriment of their systems and information. The work requires highly skilled professionals, so giving them access to one's networks means that they will know more about the client's systems than the client does. These ethical hackers may misuse the privilege of being trusted with these systems, and trust continues to be an issue for organizations that seek their services. Currently, organizations allow ethical hacking in their systems while holding onto the belief that they can trust these professionals to act in the clients' interests. Nevertheless, reality has shown that these engagements cannot be based solely on trust; they also require ethical codes that articulate how these professionals are expected to conduct themselves.
The trust issue between clients and ethical hackers is a major challenge for the profession. Yaacoub et al. (2021) state that the trust issue is fundamentally about placing complete trust in a third party who evaluates the security of the company's systems. The penetration testing these ethical hackers carry out gives them complete information about the organization, including the vulnerabilities that could be exploited and the present security gaps. Organizations are therefore concerned about finding the black-hat or gray-hat hackers among ethical hacking professionals who would leak confidential or sensitive information to unauthorized parties. Organizations understand that if this information is obtained by a malicious third party, such as a competitor or cybercriminals, it will be used to the detriment of their operations in the market, resulting in considerable damage and severe repercussions. Undoubtedly, organizations find it challenging to engage ethical hackers despite their importance in identifying and removing security vulnerabilities within their systems.
Georg et al. (2018) pointed out that the high demand for ethical hacking as part of multilayered security programs, combined with the access to sensitive and confidential information granted to these professionals, makes an appropriate ethical code necessary. However, this is hindered because there is no fully integrated professional code of conduct to which ethical hackers could refer to learn what is expected of them. Georg et al. (2018) discussed various existing codes of conduct that different professionals currently refer to, including the Australian Computer Society Code of Ethics, the CREST Code of Ethics, and the EC-Council Code of Ethics. The problem with these codes is that they are compulsory only for members certified by the particular body; other professionals who choose to follow them do so voluntarily.
Jamil and Khan (2011) presented a new perspective on trusting ethical hackers by questioning whether granting this kind of authority amounts to trusting a potential enemy. The researchers stated that the technological side of organizations is growing so rapidly that all data will become electronic. Ethical hackers therefore can and may use their abilities to avoid paying for items simply by manipulating systems, and could use their power to benefit themselves at the expense of others without being caught. Any ethical hacker could become a black hat if they chose to (Jamil & Khan, 2011). The concern thus remains that these skilled professionals could use their abilities at the expense of the other party. Organizations are evidently placing a great deal of trust in a potential enemy who could find the systems' vulnerabilities and attack them. Furthermore, if organizations cannot ascertain whether these ethical hackers have acted professionally, who accepts liability for any adverse effects that occur after the penetration tests were done and the systems were deemed fully protected? This shows a regulatory gap that a unified regulatory approach could address by providing guidelines on such concerns.
Additionally, the available security certifications are still limited in publishing a code of ethics for professionals. A certification provider such as Offensive Security, which provides extensive training and certification on ethical hacking, has no code of ethics for its professionals, which raises concerns about the moral guidance available to these candidates. The ethical hacking profession is bound to make considerable progress toward being a certified profession once a mandatory, uniform ethical code is developed and reinforced by ethical hackers and cyber security professionals. This code will need to be mandatory and have substantial oversight, as demonstrated by the ethics committee of ISACA, which looks into matters that conflict with its ethical codes. A combination of government regulation and licensing by the respective authorities will play a considerable role in ensuring that the code is implemented accordingly.
It is important to note that hackers are a unique set of professionals who work according to a tacitly agreed code that guides their activities. According to Levy (2010), the 'hacker ethic' comprises a series of values and beliefs held by hackers in general: access to computers, and to anything that might teach something about how the world works, should be unlimited; information should be free; authority should be mistrusted and decentralization promoted; and hackers should be judged by their hacking, not by criteria such as education, age, or race. The same sentiments on the work ethic of hackers were reflected by Himanen (2001), whose work focuses on their will to contribute to essential projects even in their free time and their belief in privacy and the freedom of information. Himanen (2001) identified similar themes relating to hacker ethics, specifically decentralization, free speech, opposition to censorship, personal privacy, and freedom from surveillance. According to Jaquet-Chiffelle and Loi (2020), from the 1960s to the 2010s there was a shift in the nature of hacking incentives, from ideological incentives to economic ones. This shift happened because of the development of the Internet and e-commerce and the increasing economic weight of freely shared information, together with the conflict between many of the initial ideological values and economic values, especially the protection of information ownership. These scholars emphasize that the hacker retains a sense of curiosity, a thirst for knowledge, and a love of exploring systems. This means that a hacker is now less constrained in what they choose to do as they interact with systems.
Figure 5: Shift in the hackers’ incentives
Jaquet-Chiffelle and Loi (2020) articulated an ethical perspective from which to examine the implied trust issue. The authors noted that the way the term 'ethical hacking' is used seems to assume that its aim is a solution that balances the relevant values: ethical hacking gives the highest priority to refraining from acting against the company's interests, to acting within the boundaries to which the professional has consented, and to fulfilling the client's expectations in a manner that preserves the white hat hacker's reputation for trustworthiness; in practice, these conditions are assumed never to conflict. Generally, the so-called 'ethical hacker' enjoys the contractual freedom to act in a manner that would otherwise be illegal, provided they act within the client's consent. The ethical hacker has then acted in a trustworthy manner because he or she has acted conscientiously with respect to the trust placed in them by the client (Caldwell, 2011). However, the ethical hacker will face situations that entail a trade-off between preserving trust in themselves and in white hat hackers in general, and achieving the ethical values directly. Notably, this trade-off is resolved differently depending on the legal framework governing where the white hat hacker operates (Jaquet-Chiffelle and Loi, 2020). One fundamental example is an ethical hacker operating in a jurisdiction where one is allowed to violate a confidentiality agreement on identifying serious crimes. If the hacker then chooses to act against the client's interests by revealing proof of those crimes, which are strongly unethical and illegal behaviour, the hacker will not have undermined trust, because trust primarily depends on rational expectations.
One could argue that the company could not rationally expect the hacker to protect its interests when the law prohibits keeping such crimes confidential. However, it is evident that this kind of legal framework would make some entities less willing to rely on white hat hackers to improve their cybersecurity. Some might even choose to leave the cybersecurity risk in their systems rather than give third parties a legal opportunity to reveal their strongly unethical and illegal activities. Undoubtedly, this ethical problem cannot be solved simply by prescribing absolute respect for the law of a country.
Dunn (2018) would hence assert that reconciling hacker ethics with conventional IT professional ethics is necessary. This reconciliation does not mean forcing the dilution or abandonment of hacker beliefs, but rather ensuring that they function appropriately within the work environment. Reconciling and merging the two will pave the way for professionals in the information security industry and for further innovation in the profession.
IV. A UNIFIED AND MANDATORY ETHICAL CODE OF CONDUCT FOR ETHICAL HACKERS
Georg et al. (2018) indicated that the need for a unified and mandatory code of professional conduct for ethical hackers arises from the fact that these professionals engage with multinational organizations operating in different jurisdictions. These multinationals need to ensure that their systems attain the highest security levels regardless of how stringent or lenient the regulatory jurisdiction is. A unified code will help ensure that all professionals follow the same guidelines globally, and it will apply to all cybersecurity professionals. Additionally, this unified code and the regulations implementing it will help the profession handle various issues: unification under one regulating professional organization will allow the profession to address matters of insurance, standards, and discipline, which are compulsory.
However, Georg et al.'s research indicates that this development process should be both strict and accessible. Numerous smaller security firms may be sensitive to cost. It is therefore essential to ensure that a particular minimum standard of skills and ethical conduct is attained regardless. Organizations and individuals wishing to join the practice should not be prevented from attaining these compulsory levels by the substantial resources required. The study indicated that the CREST code has tried to provide minimum standards for professionals while also providing confidence levels; its limitation is the significant cost involved, which should be avoided in the unified code of conduct to be developed.
According to Thomas (2020), ethical hackers need to understand their obligation to their clients if they are to handle the implied trust challenge. Their obligation is to ensure that information obtained during their engagements is used ethically. Evidence of a successful breach is often considered proof of successful test results, and this evidence is valuable in ensuring the integrity of their report, which will be relied upon in case of any disputes (Thomas et al., 2019). Adopting a unified and mandatory code of conduct will have these professionals working to meet their ethical obligations. A unified code will establish broader applicability among professionals, and its implementation will also need a professional body that oversees the application of the code. This body will ensure that the required insurance level is held, that the minimum levels of competence and certification are upheld, and that licensing requirements are met. Individuals who do not heed the rules will attract disciplinary action such as suspension or even expulsion from professional hacking activities. Ethical hackers are bound to benefit considerably from having a unified and mandatory professional code of conduct.
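The evidence that Thomas et al. (2019) describe is only useful in a dispute if it cannot be quietly edited, reordered or dropped after the engagement. The following Python is an added example written for this page, not code from Thomas (2020), Thomas et al. (2019) or any other cited work: it hashes each artefact as it is collected, chains the ledger entries, and seals the chain with an HMAC under a key held by the client. The engagement identifier, client key and artefacts are constructed for illustration.

```python
"""Tamper-evident evidence ledger for a penetration test: added example, not
from the cited works.

Assumed (hypothetical) setup: each artefact (screenshot, tool output, captured
response) is hashed when collected; every entry commits to the previous entry;
and the final state is sealed with an HMAC under a key the client holds, so
neither side can silently edit, reorder or drop evidence after the engagement.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed for the example; a real key is generated and kept by the client.
CLIENT_KEY = b"client-held-secret-for-demo-only"
ENGAGEMENT = "PT-2024-03-ACME"  # hypothetical engagement identifier


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Deterministic JSON so both sides hash exactly the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLedger:
    def __init__(self, engagement_id: str, client_key: bytes):
        self.engagement_id = engagement_id
        self.client_key = client_key
        self.entries = []

    def add(self, label: str, artefact: bytes, collected_at: datetime) -> str:
        """Append an entry committing to the artefact hash and the previous entry."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "label": label,
            "collected_at": collected_at.isoformat(),
            "artefact_sha256": sha256_hex(artefact),
            "prev": prev,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry["entry_hash"]

    def seal(self) -> str:
        """HMAC over engagement id, entry count and chain tip, under the client key."""
        tip = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        msg = f"{self.engagement_id}:{len(self.entries)}:{tip}".encode()
        return hmac.new(self.client_key, msg, hashlib.sha256).hexdigest()


def verify_ledger(engagement_id, client_key, entries, seal, artefacts):
    """Recompute the chain and seal; return (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, f"chain broken at entry {i}"
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(_canonical(body)) != e.get("entry_hash"):
            return False, f"entry {i} was altered"
        art = artefacts.get(e["label"])
        if art is None or not hmac.compare_digest(sha256_hex(art), e["artefact_sha256"]):
            return False, f"artefact '{e['label']}' missing or modified"
        prev = e["entry_hash"]
    msg = f"{engagement_id}:{len(entries)}:{prev}".encode()
    expected = hmac.new(client_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, "seal does not match ledger"
    return True, "ledger intact"


def build_sample():
    """Constructed evidence; contents are illustrative, not real findings."""
    t0 = datetime(2024, 3, 5, 9, 12, tzinfo=timezone.utc)
    artefacts = {
        "scan-output": b"host 10.20.5.7 port 443/tcp open (constructed sample)\n",
        "login-screenshot": b"\x89PNG constructed placeholder bytes",
        "admin-session": b"HTTP/1.1 200 OK\r\nSet-Cookie: session=REDACTED\r\n\r\n",
    }
    ledger = EvidenceLedger(ENGAGEMENT, CLIENT_KEY)
    for i, (label, data) in enumerate(artefacts.items()):
        ledger.add(label, data, t0.replace(minute=12 + i * 7))
    return ledger, artefacts, ledger.seal()


def tamper_scenarios():
    """Verification outcome for the intact ledger and three tampering attempts."""
    ledger, artefacts, seal = build_sample()
    results = {"intact": verify_ledger(ENGAGEMENT, CLIENT_KEY, ledger.entries, seal, artefacts)[0]}

    edited = dict(artefacts)
    edited["scan-output"] = b"no open ports found\n"  # evidence rewritten after the fact
    results["artefact edited"] = verify_ledger(ENGAGEMENT, CLIENT_KEY, ledger.entries, seal, edited)[0]

    dropped = [e for e in ledger.entries if e["label"] != "admin-session"]  # finding removed
    results["finding dropped"] = verify_ledger(ENGAGEMENT, CLIENT_KEY, dropped, seal, artefacts)[0]

    backdated = copy.deepcopy(ledger.entries)
    backdated[1]["collected_at"] = "2024-03-01T00:00:00+00:00"  # timestamp changed
    results["timestamp altered"] = verify_ledger(ENGAGEMENT, CLIENT_KEY, backdated, seal, artefacts)[0]
    return results


if __name__ == "__main__":
    for scenario, ok in tamper_scenarios().items():
        print(f"{scenario}: {'verified' if ok else 'REJECTED'}")
```

The ledger shows that nothing recorded was altered, reordered or removed after the client sealed it, which is what a report needs to carry weight in a dispute. It cannot show that the tester recorded every finding in the first place; that gap is exactly what a code of conduct and professional oversight are meant to close.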
V. CONCLUSION
Ethical hacking is now an essential part of the security strategies organizations adopt as they focus on ensuring that their systems are free of exploitable vulnerabilities. However, engaging ethical hackers creates a trust challenge, whereby a third party is given full access to one's systems and information and could exploit this privilege for their own benefit to the detriment of the client. Notably, clients could also test the ethical hackers themselves, for instance with higher-level phishing-style attacks directed at them; such evaluations would ascertain whether the professionals find what they should and whether they respond appropriately to the knowledge they obtain during the test. Beyond that, the existing codes of this profession in different jurisdictions need to be developed and implemented to mitigate the implied trust issue. As Georg et al. (2018) emphasized, a unified and mandatory professional code of conduct for ethical hackers is necessary to handle this challenge globally.
ACKNOWLEDGMENT
I would like to express my very great appreciation to my project instructor for his valuable and constructive suggestions during the planning and development of this research. His willingness to give his time so generously has been very much appreciated.
REFERENCES
T. Caldwell, "Ethical hackers: putting on the white hat," Network Security, 2011.
N. Dunn, "Ethics in security testing," NCC Group, 2018.
P. Engebretson, The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Elsevier, 2013.
T. Georg, B. Oliver, and L. Gregory, "Issues of implied trust in ethical hacking," The ORBIT Journal, vol. 2, no. 1, pp. 1–19, 2018.
P. Himanen, The Hacker Ethic and the Spirit of the Information Age. 2001.
D. Jamil and M. N. A. Khan, "Is ethical hacking ethical?" International Journal of Engineering Science and Technology, 2011.
D.-O. Jaquet-Chiffelle and M. Loi, "Ethical and unethical hacking," in The Ethics of Cybersecurity. Springer, 2020.
S. Levy, Hackers: Heroes of the Computer Revolution. 2010.
C. C. Palmer, "Ethical hacking," IBM Systems Journal, vol. 40, no. 3, 2001.
G. Thomas, "Issues of professionalism concerning the ethical hacking of law firms," dissertation, 2020.
G. Thomas, O. Burmeister, and G. Low, "The importance of ethical conduct by penetration testers in the age of breach disclosure laws," Australasian Journal of Information Systems, vol. 23, 2019.
J.-P. A. Yaacoub, H. N. Noura, O. Salman, and A. Chehab, "A survey on ethical hacking: Issues and challenges," 2021.