Penetration testing entails attacking a system to identify and report its insecurities, but doing so without harming the system or encroaching on the dignity of those affected by it. To improve the interaction between penetration testers and their processes and technology, we need to understand the factors that shape the decisions they make with ethical import. This paper presents four ethical hazards faced by penetration testers, and three safeguards that address them. We also present preliminary results validating the hazards and safeguards.